SPF and DKIM records give your email recipients confidence that your emails come from you (and not some imposter). Use the information included here to set up the DNS resource records for your email. These instructions focus on Dyn Email Delivery and Managed DNS. If you use a different system, please check with your provider for information specific to your situation.





Purpose of SPF and DKIM Records


DKIM and SPF records are used in combination with email sending services to provide confirmation to the email recipients that the emails originated with your company and/or mail server. Both of these DNS resource record types require specific information in order to work properly.


Why use the TXT record type instead of the SPF record type?


When SPF records were originally introduced in 2003, support for the new DNS RR type was not widely deployed in DNS servers and provisioning systems. As a result, developers of SPF found it easier and more practical to use the TXT resource record type for SPF records (RFC 7208 section 3.1).

Since that time, the Internet Engineering Task Force (IETF) has discontinued the use of the SPF record and requires that all SPF resource record data be placed into a TXT record type. You may see SPF record types available in your managed DNS provider’s user interface; however, they are NOT the recommended setup for Sender Policy Framework records.

Add your SPF resource record information into a TXT resource record type.


Formatting SPF (TXT) and DKIM Records


SPF (in the form of a TXT record type), DKIM, and TXT record types are formatted in your DNS configuration according to the setup rules for your DNS provider. If Dyn is your Managed DNS provider, you can find the information for entering resource record information in our Zone Records help page.



How do I know my entries in the SPF and DKIM records are valid?


SPF and DKIM record content is created within Dyn’s Email Delivery product. Follow the instructions found in the DKIM Records for Approved Senders page to generate the correct content for the DNS records and to copy that content into DNS records in your managed DNS account.

If you still have questions, there are several DKIM validators that are freely available for you to use. http://dkimcore.org/tools/keycheck.html is an example of one of these DKIM validators.

Note: Dyn does not specifically endorse any of the online DKIM validators.



How do I handle a DKIM or SPF record that is too long?


Double quotes are used when the content of your TXT record is longer than the 255-octet maximum character-string length. This often happens for DKIM and SPF records. If you need more than the maximum size, break the content into multiple character strings and enclose each one in double quotes. Each string within quotes is treated as its own packet. If a published record contains multiple strings, then the record MUST be treated as if those strings are concatenated together without adding spaces (RFC 7208 section 3.3).

Below is an example of a TXT record for DKIM with a character string longer than the 255-octet maximum (note the use of double quotes). When splitting the TXT record, make sure that all intended spaces are within the quotation marks. When the separate strings are concatenated, there are no spaces between the strings.

"v=DKIM1\; k=rsa\; p=MIIBIjANB"

This example will be treated as if it is one response containing the entire DKIM response as shown here:

"v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArHsdDxL+4Gs44BV0TZ8hY2NZ0/qYkqXC1rFHj1WayMXnliHYXZtGdmtpDRJWDC1+/6M8D68
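
The splitting and joining rule described above can be checked before a record is published. The following is an added example, not part of the original page or of Dyn's tooling: it splits a value into strings of at most 255 octets, joins them back with no added spaces, and flags a hand split that loses a space. The function names, the example.com domain, the 192.0.2.0/24 range and the filler key are constructed for illustration.

```python
import re

MAX_OCTETS = 255  # length limit of one DNS character-string

def split_txt(value, limit=MAX_OCTETS):
    """Cut a TXT value into strings of at most `limit` octets."""
    data = value.encode("ascii")  # SPF and DKIM record content is ASCII
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def to_rdata(strings):
    """Render strings as quoted zone-file text, escaping backslash and quote."""
    return " ".join('"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"' for s in strings)

def parse_rdata(rdata):
    """Read the quoted strings back, undoing backslash escapes."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return [re.sub(r"\\(.)", r"\1", q) for q in quoted]

def audit(rdata, intended):
    """List problems a receiver would hit when it joins the strings."""
    strings = parse_rdata(rdata)
    problems = [f"string {n} is {len(s.encode())} octets, over {MAX_OCTETS}"
                for n, s in enumerate(strings, 1) if len(s.encode()) > MAX_OCTETS]
    joined = "".join(strings)  # concatenated with no added spaces
    if joined != intended:
        problems.append("joined value differs from intended: " + joined)
    return problems

# Constructed sample values; the key material is filler, not a real public key.
DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392
SPF = "v=spf1 include:_spf.example.com ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    rdata = to_rdata(split_txt(DKIM))
    print([len(s) for s in parse_rdata(rdata)], audit(rdata, DKIM))
    # A hand split that leaves the separating space outside the quotes
    bad = '"v=spf1 include:_spf.example.com" "ip4:192.0.2.0/24 -all"'
    print(audit(bad, SPF))
    # The same split with the space kept inside the first string
    good = '"v=spf1 include:_spf.example.com " "ip4:192.0.2.0/24 -all"'
    print(audit(good, SPF))
```

In the failing case the two SPF mechanisms run together as `_spf.example.comip4:192.0.2.0/24`, which is why every intended space has to sit inside the quotation marks.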