End-to-end deployment tutorial for UK businesses: from zero to full authentication in one place. Combines the three core protocols into a coherent setup with the specific DNS records, testing commands and UK-specific considerations you need.
p=none[email protected].
List every service that sends email claiming to be from your domain:
Missing senders = authentication failures later. Be thorough.
Construct an SPF record incorporating all senders. For a UK SME using SmartXHosting email + Mailchimp:
firm.co.uk. IN TXT "v=spf1 include:_spf.smartxhosting.uk include:servers.mcsv.net ~all"
Use ~all (softfail) initially. Change to -all (hard fail) after the DMARC rollout proves all senders authenticate.
Publish via your DNS provider's interface. Verify:
dig TXT firm.co.uk | grep v=spf1
Check the lookup count with the MXToolbox SPF tool; under 10 is essential.
For SmartXHosting, Microsoft 365, Google Workspace: enable DKIM in the admin console. The platform generates the key and gives instructions for the DNS records. Publish the records in your DNS.
Verify DKIM by sending a test message to an external account; inspect the headers for dkim=pass header.d=firm.co.uk.
For each sender in your inventory:
dkim=pass header.d=firm.co.uk (not the provider's domain).
Repeat for every third-party sender. Any sender that does not complete alignment shows up as failing in DMARC reports.
p=none
Initial monitoring-only record:
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=1"
Tags:
p=none: no enforcement yet; collect data.
rua=: where aggregate reports are delivered.
fo=1: request forensic reports (rarely sent but declaration of intent).
Verify with:
dig TXT _dmarc.firm.co.uk
Within 24-48 hours aggregate reports arrive from major receivers (Google, Microsoft, Yahoo). Connect to your DMARC processing tool.
Look for:
Wait 2 weeks minimum before progressing. Fix any discovered gaps first.
Once reports are clean:
Week 3-4: p=quarantine; pct=25
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:..."
Week 5-6: pct=50, then pct=100.
Week 7-8: p=reject; pct=25, then ramp.
Week 10+: p=reject; pct=100. Steady state.
Also add subdomain policy:
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:..."
Optionally tighten alignment (adkim=s; aspf=s) for maximum protection.
Also tighten SPF: change ~all to -all.
Send test messages from each sender. Inspect Authentication-Results at recipient. All three must show:
spf=pass [email protected]
dkim=pass header.d=firm.co.uk
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=firm.co.uk
If all three pass for every sender → deployment complete.
Continue monitoring DMARC reports weekly. Any new issue → investigate promptly.
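The per-sender header check described above, automated as an added example (not code from the original tutorial): it parses each test message's Authentication-Results value and lists any method that did not pass, plus the case where DKIM passes only for the provider's domain. The sample headers, receiver name, selectors and esp.example are constructed, and relaxed alignment is approximated without the Public Suffix List.

```python
import re

def parse_auth_results(header):
    """Parse an Authentication-Results value into (method, result, props) tuples."""
    body = " ".join(header.split())              # unfold continuation lines
    body = re.sub(r"\([^)]*\)", " ", body)       # drop (comments), e.g. the policy note
    parsed = []
    for clause in body.split(";")[1:]:           # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.I)
        if not m:
            continue                             # other methods (arc, iprev, ...) ignored
        props = {k.lower(): v.lower().rstrip(".")
                 for k, v in re.findall(r"([a-z]+\.[a-z-]+)=(\S+)", clause, re.I)}
        parsed.append((m.group(1).lower(), m.group(2).lower(), props))
    return parsed

def aligned(domain, from_domain, strict=True):
    # Strict (adkim=s) needs an exact match. Relaxed is approximated as "equal
    # or a subdomain"; real relaxed alignment compares organisational domains
    # using the Public Suffix List (assumption made to stay self-contained).
    return domain == from_domain or (not strict and domain.endswith("." + from_domain))

def check_sender(header, from_domain, strict=True):
    """Return the list of problems for one test message; empty means clean."""
    results = parse_auth_results(header)
    problems = [f"{want}: no pass result" for want in ("spf", "dkim", "dmarc")
                if not any(m == want and r == "pass" for m, r, _ in results)]
    signed = [p.get("header.d", "?") for m, r, p in results if m == "dkim" and r == "pass"]
    if signed and not any(aligned(d, from_domain, strict) for d in signed):
        problems.append(f"dkim: passes only for {', '.join(signed)}, not {from_domain}")
    return problems

# Constructed sample headers (receiver name, selectors and ESP domain are made up).
CLEAN = """mx.receiver.example;
 spf=pass smtp.mailfrom=firm.co.uk;
 dkim=pass header.d=firm.co.uk header.s=sel1;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=firm.co.uk"""
UNALIGNED = """mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.esp.example;
 dkim=pass header.d=esp.example header.s=k1;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=firm.co.uk"""

if __name__ == "__main__":
    for name, hdr in (("clean", CLEAN), ("unaligned", UNALIGNED)):
        print(name, check_sender(hdr, "firm.co.uk") or "OK")
```

Run it against one saved header per sender in the inventory; a sender that passes SPF and DKIM only for its own domain is the one that will be blocked once p=reject is published.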
v=spf1 include:_spf.smartxhosting.uk include:servers.mcsv.net -all
DKIM: platform's automatic + Mailchimp custom-domain via 2 CNAMEs. DMARC at p=reject.
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net include:_spf.salesforce.com -all
DKIM: Microsoft 365 auto + custom-domain for each SaaS. DMARC at p=reject. Lookup count around 8.
v=spf1 include:_spf.google.com -all
DKIM: Google's automatic with published CNAME. DMARC at p=reject.
Full NCSC-compliant stack: SPF + DKIM + DMARC p=reject + MTA-STS enforce + DANE (if DNSSEC enabled) + DNSSEC + TLS-RPT + BIMI (if registered trademark). NCSC Mail Check verifies.
Each brand domain independently configured. Separate DMARC records, separate reporting, separate rollout timelines. Shared infrastructure (same Microsoft 365 tenant) simplifies DKIM setup.
Q: How long before DMARC reports arrive after publishing?
A: 24-48 hours from major receivers (Google, Microsoft). Smaller receivers take a week or more.
Q: What if my SPF exceeds 10 lookups?
A: Flatten some includes to explicit ip4: ranges, or consolidate senders. See SPF Flattening.
Q: Do I need DKIM for every sender or just my main one?
A: Every sender that sends mail claiming to be from your domain. This includes CRM, marketing, transactional, etc.
Q: Can I skip straight from p=none to p=reject?
A: Technically yes. Organisationally risky. Miss one sender and you block their mail. Use p=quarantine as intermediate safety net.
Q: What is the difference between p=reject and p=reject; pct=100?
A: Functionally identical. pct=100 is the default when omitted. Explicit is clearer.
Q: How often should I add new senders to authentication?
A: Every time your business adopts a new SaaS sending mail. Before the service goes live, ideally.
Q: Does this full stack work for a UK sole trader?
A: Yes, and simpler — fewer senders means easier SPF, easier DKIM. Can complete in 1-2 weeks.