Instructions to Fix DNS Records for Blocked Emails (SPF, DKIM, DMARC Issues)

If your email is being blocked due to incorrect SPF, DKIM, or DMARC records, follow the steps below to resolve the issue.

Step 1: Verify Your DNS Records 

Before making any changes, check your current DNS records using an online tool such as: 

• MXToolBox 

• Google Admin Toolbox 

Look for errors in your SPF, DKIM, and DMARC records.

Step 2: Fix the SPF Record 

The Sender Policy Framework (SPF) record authorizes mail servers that can send emails on behalf of your domain.

How to Update SPF Record 

1. Log in to your domain registrar or DNS hosting provider (e.g., GoDaddy, Cloudflare, Namecheap). 
2. Locate the TXT record for SPF in your DNS settings.
3. Ensure the record follows this format:
4. v=spf1 include:<your-email-provider> ~all
   
   • Replace <your-email-provider> with the correct email provider (e.g., include:_spf.google.com for Google Workspace). 
   • The ~all allows emails that fail SPF to be marked as “soft fail” rather than being rejected outright. 
5. Save the changes and allow time for DNS propagation (can take up to 48 hours). 
6. Test SPF using MXToolBox SPF Lookup. 

Step 3: Fix the DKIM Record 

The DomainKeys Identified Mail (DKIM) record digitally signs your emails to verify authenticity.

How to Update DKIM Record 

1. Generate a DKIM key from your email provider’s settings (e.g., Google Workspace, Microsoft 365).
2. Go to your domain’s DNS settings and add a new TXT record.
3. Use the following format:
4. Name: default._domainkey.yourdomain.com
5. Type: TXT
6. Value: (Your email provider’s DKIM key)
7. Save the record and wait for DNS propagation.
8. Test DKIM using MXToolBox DKIM Lookup.

Step 4: Fix the DMARC Record 

DMARC (Domain-based Message Authentication, Reporting & Conformance) helps prevent email spoofing and phishing.

How to Update DMARC Record 

1. Go to your domain’s DNS settings and add a new TXT record.
2. Use the following format: 
3. Name: _dmarc.yourdomain.com   
4. Type: TXT  
5. Value: v=DMARC1; p=quarantine; rua=mailto:your-email@example.com; pct=100 
   • p=none (monitors emails but does not take action) 
   • p=quarantine (sends suspicious emails to spam) 
   • p=reject (blocks emails that fail authentication) 
6. Save the record and allow DNS propagation. 
7. Test DMARC using MXToolBox DMARC Lookup. 

Step 5: Verify and Monitor Email Deliverability 

• Check DNS propagation using Google Admin Toolbox. 

• Monitor email deliverability with a DMARC report tool like DMARCIAN or Postmark. 

If issues persist, contact your email provider or ICS at help@icsla.us 

Final Notes 

• Always test DNS changes before making them live. 

• Use a subdomain for email if you want to test without affecting your main domain.

• Keep your DNS records updated to comply with email security policies.

After making these changes, your email should be properly authenticated and no longer blocked. 

Questions? 

International Computing Services, Inc. 
help@icsla.us
310.558.4864