Best Practices Guide

Set up SPF, DKIM, and DMARC for your school's email

These three DNS records prevent scammers from spoofing your school's email address and protect your domain's reputation across the internet. Setup takes about 15 minutes per record and is free. This guide walks you through it.

Don't want to do this yourself?

Email authentication setup can be tricky if you're not used to DNS records. We can configure SPF, DKIM, and DMARC for your school for a one-time fee. Includes verification and a 30-day monitoring period.

Email us about setup help →

Why this matters

When a scammer wants to phish your staff, the most effective trick is to make the email look like it came from your principal, your IT department, or your diocese. Without proper email authentication, they can spoof your domain freely — recipients see principal@yourschool.org in the From line and assume it's real.

With SPF, DKIM, and DMARC set up correctly, those spoofed emails get rejected or marked as spam by the recipient's mail server before the user ever sees them. You're not just protecting your own staff — you're protecting other organizations that might receive forged email claiming to be from you.

The three records, in plain language

SPF (Sender Policy Framework)

A list of mail servers authorized to send email on behalf of your domain. When another server receives an email claiming to be from you, it checks SPF to see whether the sending server is on the list. If not — likely a forgery.

What it looks like: a TXT record on your root domain starting with v=spf1

DKIM (DomainKeys Identified Mail)

A cryptographic signature attached to every outgoing email by your mail server. Recipients verify the signature against a public key published in your DNS. If the signature is missing or doesn't match — likely a forgery, or the email was tampered with in transit.

What it looks like: a TXT record at selector._domainkey.yourschool.org

DMARC (Domain-based Message Authentication, Reporting & Conformance)

Tells receiving mail servers what to do with mail that fails authentication. A message fails DMARC when neither SPF nor DKIM passes for a domain that matches the one in the From line. With p=reject, forged emails get bounced; with p=quarantine, they go to spam. Without DMARC, receiving servers have to guess, and they often guess wrong.

What it looks like: a TXT record at _dmarc.yourschool.org

Step-by-step setup

The exact steps depend on your mail provider (Google Workspace, Microsoft 365, etc.) and your DNS provider (GoDaddy, Cloudflare, your registrar's portal, etc.). Here's the general flow:

  1. Identify your mail provider's SPF include. Google Workspace uses _spf.google.com, Microsoft 365 uses spf.protection.outlook.com. Look up your provider's documentation.
  2. Add the SPF record to your domain's DNS as a TXT record on the root: v=spf1 include:_spf.google.com -all (substitute your provider's include).
  3. Generate DKIM keys in your mail provider's admin panel. They give you a public key and a TXT record name; you add that record to DNS. Then turn on DKIM signing.
  4. Start with DMARC monitoring mode. Add a TXT record at _dmarc.yourschool.org with value v=DMARC1; p=none; rua=mailto:dmarc-reports@yourschool.org. This logs failures without rejecting anything.
  5. Wait 1-2 weeks and review the reports. Confirm legitimate mail is passing. Investigate any unexpected failures.
  6. Strengthen DMARC to quarantine, then reject. Change p=none to p=quarantine, monitor for another week, then change it to p=reject. This is the protection ramp-up.
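
To confirm where a domain stands in this rollout, the published TXT values can be checked against what the steps above specify. The following is an added example, not part of the original guide: it takes record strings pasted in from any DNS lookup and reports what still differs from steps 2, 4 and 6. The function names and sample records are constructed for illustration.

```python
# Constructed sample records; yourschool.org is the guide's placeholder domain.
ROOT_TXT = ["site-verification=EXAMPLE", "v=spf1 include:_spf.google.com -all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourschool.org"]


def check_spf(txt_records, provider_include):
    """Findings for the TXT records on the root domain (steps 1-2)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record makes SPF evaluation fail.
        return ["multiple SPF records"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if "include:" + provider_include.lower() not in terms:
        findings.append("provider include missing")
    if not terms or terms[-1] != "-all":
        findings.append("record does not end in -all")
    return findings


def check_dmarc(txt_records):
    """(policy, findings) for the TXT records at _dmarc.<domain> (steps 4-6)."""
    # Simplification: expects the record to start with the exact text v=DMARC1.
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return None, ["expected one DMARC record, found %d" % len(dmarc)]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("monitoring only: no action requested on failing mail")
    elif policy == "quarantine":
        findings.append("intermediate stage: next step is p=reject")
    if "rua" not in tags:
        findings.append("no rua= address for aggregate reports")
    return policy or None, findings


if __name__ == "__main__":
    print("SPF:", check_spf(ROOT_TXT, "_spf.google.com") or "ok")
    print("DMARC:", check_dmarc(DMARC_TXT))
```

An empty findings list from both functions corresponds to the end state of step 6: a single SPF record ending in -all and a DMARC record at p=reject with a reporting address.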

How to check what you have today

Free tools that show your current setup:

Common mistakes

Still feeling stuck?

Email authentication is one of the highest-ROI security setups a school can do, and it's a one-and-done task. If you'd rather have us handle it, we offer setup-and-verification as a paid service.

Get help with setup