
DNS Records Demystified

DNS records are confusing. You need them for your domain to work properly, but nobody explains what they are or how to set them up. This guide walks through every record you need, in priority order. Follow it from top to bottom and you'll end up with a fully secure domain.


Must-have records

These three records stop your emails landing in spam and prevent anyone from impersonating your domain. Start here.

SPF — Sender Policy Framework

Think of SPF like a guest list for your domain's email. It tells every other email server on the internet which mail servers are allowed to send email from your address. If a server isn't on the list, the receiving server knows something is off.

Why it matters: Without an SPF record, anyone can send an email pretending to be you@yourdomain.com. Gmail and Outlook use it to decide whether to deliver your mail, send it to spam, or block it entirely.

How to set it up: Log in to your email provider (Google Workspace, Microsoft 365, Mailchimp, or wherever you send email from) and go to their DNS setup page. They'll give you a value to copy. Then log in to your domain registrar, the company you bought your domain from, and create a new TXT record. Set the name to @ (or leave it blank), and paste in the value. It will look something like:

v=spf1 include:_spf.example.com -all

The -all at the end is important — it tells mail servers to reject any email that doesn't come from an approved server. Make sure your record lists every service you send email from before using -all, or legitimate emails could get blocked.

Important: You can only have one SPF record per domain. If you send email from more than one provider (like both Google Workspace and Mailchimp), you need to combine them into a single record. Your email providers can help you do this. SuiteFound can do it automatically.
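As an added illustration of the points above (this is example code written for this guide, not SuiteFound's own tooling), the following Python checks a domain's SPF records the way a receiving server would and merges two providers' records into the single record a domain is allowed to publish. The provider include names and the record strings are constructed placeholders; nested includes are not expanded, so the lookup count is the record's own terms only.

```python
# Added example: SPF record checks and merging. Not SuiteFound's code.

# Terms that each cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records, as two providers might hand them to you.
PROVIDER_A = "v=spf1 include:_spf.provider-a.example ~all"
PROVIDER_B = "v=spf1 include:servers.provider-b.example ?all"


def parse_spf(record):
    """Return (qualifier, name, value) terms; modifiers (name=value) get qualifier None."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    terms = []
    for part in parts[1:]:
        if "=" in part:                          # modifier, e.g. redirect=_spf.x.example
            name, _, value = part.partition("=")
            terms.append((None, name.lower(), value))
            continue
        qualifier = "+"                          # implicit "pass" qualifier
        if part[0] in "+-~?":
            qualifier, part = part[0], part[1:]
        name, _, value = part.partition(":")     # keeps any /cidr suffix on the name
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(record):
    """Count the terms that trigger DNS lookups (this record only, includes not expanded)."""
    return sum(1 for _, name, _ in parse_spf(record) if name.split("/")[0] in LOOKUP_TERMS)


def check_spf(txt_records):
    """Return a list of problems with the SPF published at a domain.

    txt_records is every TXT string at the apex; SPF is whichever start with v=spf1.
    """
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    issues = []
    if len(spf) > 1:
        issues.append(f"{len(spf)} SPF records found; receivers treat this as a "
                      "permanent error (only one is allowed)")
    record = spf[0]
    terms = parse_spf(record)
    lookups = count_lookups(record)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups, over the limit of 10")
    all_terms = [(i, q) for i, (q, name, _) in enumerate(terms) if name == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted servers are neither rejected nor flagged")
    else:
        index, qualifier = all_terms[0]
        if qualifier in "+?":
            issues.append(f"'{qualifier}all' lets any server pass; use -all (or ~all while testing)")
        if index != len(terms) - 1:
            issues.append("terms after 'all' are never evaluated")
    return issues


def merge_spf(provider_records, final="-all"):
    """Combine each provider's record into one: keep order, drop duplicates and
    each provider's own 'all', and finish with a single strict 'all'."""
    seen, merged = set(), []
    for record in provider_records:
        for qualifier, name, value in parse_spf(record):
            if name == "all":
                continue                         # one 'all' is appended at the end
            if qualifier is None:
                term = f"{name}={value}"
            else:
                term = ("" if qualifier == "+" else qualifier) + name + (f":{value}" if value else "")
            if term not in seen:
                seen.add(term)
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])


if __name__ == "__main__":
    print("two records published:", check_spf([PROVIDER_A, PROVIDER_B]))
    combined = merge_spf([PROVIDER_A, PROVIDER_B])
    print("merged:", combined)
    print("merged record issues:", check_spf([combined]))
```

Run it as-is to see the two-records error, the merged record, and the clean check of the result. Publish the merged string as your single TXT record, after confirming every sending service is in it.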

DKIM — DomainKeys Identified Mail

DKIM adds a hidden digital stamp to every email your domain sends. When the email arrives, the receiving server checks the stamp to confirm the email came from you and wasn't changed along the way.

Why it matters: Without DKIM, it's much easier for someone to fake or tamper with your emails. Gmail and Outlook treat it as a trust signal. A missing DKIM stamp means more (or all) of your emails end up in spam.

How to set it up: Go to your email provider's DKIM or security settings page. Your provider makes a DKIM key for you and gives you two things:

  1. A selector name — a short label like google or selector1
  2. A long string of letters and numbers (your key)

Log in to your domain registrar and create a new TXT record. Set the name to selector._domainkey.yourdomain.com — replacing selector with the selector name your provider gave you. Paste the long string as the value. SuiteFound sets this up at registration or onboarding.

DMARC — Domain-based Message Authentication Reporting & Conformance

DMARC is the rulebook that ties SPF and DKIM together. It tells other mail servers what to do when an email claims to be from your domain but fails the SPF or DKIM checks: let it through, send it to spam, or block it completely. It also sends you regular reports so you can see if anyone is trying to impersonate your domain.

Why it matters: SPF and DKIM on their own don't tell mail servers what to do when something fails. DMARC closes that gap. Without it, spoofed emails from your domain can still get delivered even with SPF and DKIM in place.

How to set it up: Log in to your domain registrar and create a new TXT record. Set the name to _dmarc.yourdomain.com and the value to:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Replace the email address with one you actually check. Start with p=none — this means "just watch and report, don't block anything yet." After a few weeks of reviewing reports and confirming your legitimate emails are passing, change p=none to p=quarantine (sends suspicious emails to spam). Eventually move to p=reject to block them outright. SuiteFound starts new domains with secure settings, and upgrades others with the click of a button from our Domain Health Dashboard.
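To make the "what happens when a check fails" rule concrete, here is an added Python example (written for this guide, not SuiteFound's code) that parses a DMARC record and works out the outcome for a message given its SPF and DKIM results. The record, domains and addresses are constructed placeholders, and relaxed alignment is approximated by a parent/child domain test rather than the Public Suffix List a real receiver uses.

```python
# Added example: DMARC record parsing and policy evaluation. Not SuiteFound's code.

# Constructed sample record: quarantine at the apex, reject for subdomains.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                 "rua=mailto:dmarc-reports@yourdomain.example")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of tags with defaults filled in."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts the same organisational domain, approximated here as one domain
    being the other or a parent of it (simplification for the example)."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or f.endswith("." + a) or a.endswith("." + f)


def dmarc_result(record, policy_domain, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) pairs: the SPF MAIL FROM
    domain and the DKIM d= domain. Returns 'pass' or the requested disposition."""
    tags = parse_dmarc(record)
    spf_ok, spf_domain = spf
    dkim_ok, dkim_domain = dkim
    # DMARC passes when either mechanism passes AND its domain aligns with From:.
    if spf_ok and aligned(spf_domain, from_domain, tags["aspf"]):
        return "pass"
    if dkim_ok and aligned(dkim_domain, from_domain, tags["adkim"]):
        return "pass"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    me = "yourdomain.example"
    cases = {
        "normal mail":      ((True, me), (True, me)),
        "forwarded mail":   ((False, "forwarder.example"), (True, me)),
        "spoof, own SPF":   ((True, "attacker.example"), (False, None)),
    }
    for label, (spf, dkim) in cases.items():
        print(f"{label:16} -> {dmarc_result(SAMPLE_RECORD, me, me, spf, dkim)}")
```

The "spoof, own SPF" case is the one DMARC exists for: the attacker's server passes SPF for the attacker's own domain, but that domain does not align with the forged From: address, so the message fails and gets the policy's disposition.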

Should-have records

These records add a second layer of protection that most domains skip — and attackers know it.

DNSSEC — DNS Security Extensions

When someone types your website address into a browser, their computer asks the internet "where does this domain live?" DNSSEC digitally signs that answer so the resolver can check it really came from your domain's DNS and wasn't altered on the way. It doesn't hide the question or the answer; it makes a forged answer detectable.

Why it matters: Without DNSSEC, an attacker who can feed forged answers to a resolver can quietly redirect your visitors or your email to a fake server, an attack called DNS hijacking or cache poisoning. With DNSSEC, resolvers that validate signatures discard those forged answers.

How to set it up: Log in to your domain registrar and look for a DNSSEC setting. It's usually a button or toggle labeled "Enable DNSSEC." Click it. When your registrar also hosts your DNS, it takes care of everything else automatically; there's nothing to copy from another provider. If your DNS is hosted somewhere else (a separate DNS or hosting provider), that provider generates the signing keys and gives you a DS record to add at your registrar, and DNSSEC is only active once that DS record is published. SuiteFound configures DNSSEC automatically for all managed domains. You don't need to turn anything on with us.

MTA-STS — Mail Transfer Agent Strict Transport Security

MTA-STS tells other mail servers that they must use an encrypted connection when delivering email to your domain, and to refuse delivery if they can't.

Why it matters: Without it, email traveling between servers can be sent without encryption — meaning it could be read or tampered with along the way.

How to set it up: Two steps:

  1. Log in to your domain registrar and create a TXT record with the name _mta-sts.yourdomain.com and the value: v=STSv1; id=20260427001. The id is just a date — update it any time you change the policy.
  2. Host a plain text file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. It must be served over HTTPS with a valid certificate for mta-sts.yourdomain.com, or sending servers will ignore the policy. Ask your web host to add this file for you, or use their file manager if they provide one. The file should contain:
    version: STSv1
    mode: testing
    mx: mail.yourdomain.com
    max_age: 604800
    Replace mail.yourdomain.com with the hostname of your mail server (the one in your MX record), adding one mx line per server if you have several. Your email provider can tell you these. Once everything looks good, change mode: testing to mode: enforce.

Yet another thing SuiteFound handles automatically. We create the record, the file, and even host it for you.
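As an added example for the two-step setup above (written for this guide, not SuiteFound's code), this Python parses the MTA-STS TXT record and policy file, validates the policy against the rules in RFC 8461, and shows how a sending server applies it in testing versus enforce mode. The policy file, hostnames and policy id are constructed samples; the HTTPS fetch and real MX lookup are out of scope, so the policy text is embedded inline.

```python
# Added example: MTA-STS policy parsing, validation and enforcement logic.
# Not SuiteFound's code.

# Constructed sample TXT record (at _mta-sts.yourdomain.example) and policy file.
STS_TXT = "v=STSv1; id=20260427001"
POLICY_FILE = """version: STSv1
mode: testing
mx: mail.yourdomain.example
mx: *.backup-mx.example
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600   # one year in seconds, the ceiling set by RFC 8461


def parse_sts_txt(record):
    """Parse 'v=STSv1; id=...' into a dict; the id changes whenever the policy does."""
    tags = {}
    for field in record.split(";"):
        name, sep, value = field.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("TXT record must be 'v=STSv1; id=<policy id>'")
    return tags


def parse_policy(text):
    """Parse the key: value policy file; mx may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value) if value.isdigit() else value
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return the list of problems a sender would reject the policy for."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    max_age = policy.get("max_age")
    if not isinstance(max_age, int) or not 0 <= max_age <= MAX_AGE_LIMIT:
        problems.append(f"max_age must be a whole number of seconds up to {MAX_AGE_LIMIT}")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx line is required unless mode is none")
    return problems


def mx_allowed(policy, mx_host):
    """An mx pattern matches the MX hostname exactly, or, for '*.suffix', any
    hostname with exactly one extra leftmost label (RFC 8461 wildcard rule)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                  # e.g. ".backup-mx.example"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok):
    """What a policy-aware sender does with a connection to mx_host.
    tls_ok means STARTTLS succeeded with a certificate valid for mx_host."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_allowed(policy, mx_host) and tls_ok:
        return "deliver"
    # testing: deliver anyway but report the failure (that is what TLS-RPT is for);
    # enforce: refuse, which is the protection the section above describes.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    print(parse_sts_txt(STS_TXT))
    policy = parse_policy(POLICY_FILE)
    print("problems:", validate_policy(policy))
    for mode in ("testing", "enforce"):
        p = dict(policy, mode=mode)
        print(mode, "plaintext to listed MX ->", delivery_decision(p, "mail.yourdomain.example", False))
        print(mode, "TLS to unlisted host  ->", delivery_decision(p, "rogue.example", True))
```

The run shows why the guide says to start in testing mode: a wrong mx line or a certificate mismatch only produces reports there, while in enforce mode the same mistake stops your inbound mail.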

TLS-RPT — TLS Reporting

TLS-RPT asks other mail servers to send you a daily report any time they had trouble making a secure connection when delivering email to your domain.

Why it matters: It's the feedback loop for MTA-STS. Without it, you'd never know if your encryption settings were causing delivery problems.

How to set it up: Log in to your domain registrar and create a TXT record with the name _smtp._tls.yourdomain.com and the value:

v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com

Replace the email address with one you check regularly. Or use SuiteFound, where it's integrated into our Domain Health Dashboard.

CAA — Certification Authority Authorization

A CAA record is like a policy for your website's padlock (your HTTPS certificate). It tells the internet which companies are allowed to issue an HTTPS certificate for your domain.

Why it matters: Without a CAA record, any of the hundreds of certificate companies in the world can issue one for your domain. A fraudulent certificate could be used to set up a fake version of your site that looks completely real in a browser. A CAA record limits this to just the companies you choose.

How to set it up: Log in to your domain registrar and look for a CAA record type. The name is your root domain (@ or yourdomain.com). Add one record for each certificate provider you use:

0 issue "letsencrypt.org"

Replace letsencrypt.org with your certificate provider (e.g. digicert.com, sectigo.com). If you use wildcard certificates, add a second record:

0 issuewild "letsencrypt.org"

Not sure who issues your certificate? Your web host can tell you. Using us? We already know, and make it easy to update if you're also using DigiCert.
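To show what a CAA record actually does at issuance time, here is an added Python example (written for this guide, not SuiteFound's code) implementing the decision a certificate authority has to make under RFC 8659: find the nearest CAA records walking up from the requested name, then apply issue or issuewild depending on whether a wildcard was requested. The zone contents and domain names are constructed; letsencrypt.org and digicert.com appear only as the CA identifiers the section above uses.

```python
# Added example: CAA issuance check as a CA performs it (RFC 8659). Not SuiteFound's code.

CRITICAL = 128                              # flags bit: unknown tag => CA must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: (flags, tag, value) triples keyed by owner name.
# The apex allows Let's Encrypt for normal names and nobody for wildcards.
ZONE = {
    "yourdomain.example": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),              # ";" means "no CA may issue"
    ],
}


def relevant_records(zone, name):
    """CAA lookup starts at the requested name (the parent, for a wildcard) and
    climbs toward the root until some name has CAA records."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def issuer_domain(value):
    """The CA identifier in a CAA value, ignoring any parameters after ';'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(records, ca_domain, wildcard):
    """May the CA identified by ca_domain issue for a name with these CAA records?"""
    # A record flagged critical whose tag the CA does not understand blocks issuance.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # Wildcards use issuewild when present and fall back to issue otherwise.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                         # no restriction published: any CA may issue
    allowed = {issuer_domain(v) for v in relevant}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca, wild in [
        ("www.yourdomain.example", "letsencrypt.org", False),
        ("www.yourdomain.example", "digicert.com", False),
        ("*.yourdomain.example", "letsencrypt.org", True),
        ("other.example", "digicert.com", False),
    ]:
        recs = relevant_records(ZONE, name)
        print(f"{ca:16} {name:24} -> {'issue' if issuance_allowed(recs, ca, wild) else 'refuse'}")
```

The last case is the one the section warns about: a domain with no CAA records anywhere in its tree gets "issue" for every CA, which is why adding even a single record narrows the set of companies that can vouch for your site.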

Optional / Advanced records

This last one puts your logo in Gmail and Outlook inboxes — but it requires some paperwork first.

BIMI — Brand Indicators for Message Identification

BIMI displays your brand logo next to your emails in supported apps like Gmail, Apple Mail, and Yahoo Mail. Instead of a generic initial or placeholder icon, your recipients see your actual logo.

Why it matters: Emails with a verified logo see higher open rates. It also tells mail providers that your domain has been through a serious verification process, which can help your emails reach the inbox instead of spam.

Before you start, you'll need:

How to set it up: Once you have your certificate, the issuer gives you a certificate URL. Log in to your domain registrar and create a TXT record with the name default._bimi.yourdomain.com and the value:

v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://your-certificate-url.pem

Replace the logo URL with where your logo file is hosted, and the certificate URL with the one your provider gave you.

What does SuiteFound handle?

Every single must-have and should-have record above, automatically. If something is wrong, we'll either fix it automatically or give you all the information and a button to verify and make the change. And if you ever want BIMI records, we can handle that too!

How does your domain score?

Want to see which of these records your domain already has — and which are missing? Run a free check. We'll scan your domain and email you a full report.

Domain health check coming soon.