Is DNS setup “one and done”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You set up your SPF, DKIM, and DMARC records, everything checked out, and you moved on. That's the right instinct. But DNS authentication isn't a one-time task. It's more like a smoke detector: set it up properly, then check it regularly, because things drift.
Here's what actually changes over time and why it matters.
SPF records go stale. Every time you add a new sending tool (a CRM, a transactional provider, a third-party form service), you need to add its sending domain or IP range to your SPF record. If you don't, those emails fail authentication. And if you've been flattening your SPF to stay under the 10-lookup limit, any change from a provider's end can silently break it again.
DKIM keys should rotate. Most senders never rotate their DKIM keys, which is a security gap. If a key is ever exposed or a provider is compromised, an attacker could forge signed email that looks legitimate. Rotating every 6 to 12 months is the safe habit. Your ESP or DNS host usually handles this, but you need to confirm the new key is published before the old one is removed.
DMARC policy needs to move forward. Starting at p=none is correct. Staying there forever is not. p=none only monitors. It doesn't protect your domain from spoofing. The goal is to reach p=quarantine or p=reject once you've confirmed all your legitimate sending sources are authenticated. If you've never checked your DMARC reports, you may be stuck at none with no idea what's happening.
Service migrations break MX records. Moving to a new email host? Your MX records need to point to the new provider before you flip anything else. Get this wrong and incoming mail disappears during the transition.
A simple maintenance rhythm that works for most senders:
- Immediately when you add or remove any sending service, update your SPF record and verify it parses cleanly.
- Every 6 months, check your DKIM key is still active and consider rotating it if your provider supports it.
- Every 3 months, review your DMARC reports and look for anything unexpected. If you've been clean for a quarter, consider tightening your policy.
- Before any infrastructure change (new ESP, new server, new domain), run a full authentication check so you know your baseline before you touch anything.
But the good news: none of this is complicated once you're in the habit. You can check your SPF record right now with our free SPF checker, or use the DMARC parser to see what your reports are actually telling you. If your records look like they haven't been touched since 2019, that's worth fixing today.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.