SPF and DKIM set up on Proofpoint Essentials

To set up SPF and DKIM on Proofpoint Essentials, please follow the below steps:


 SPF is one of the authentication mechanisms used by DMARC. SPF checks should already be enabled by default in your Proofpoint instance.

To check this, navigate to Email Protection > Email Authentication > SPF > General, and ensure that:

  1. Enable is set to on
  2. Restrict processing to selected policy routes… is checked
  3. Only the default_inbound policy route is in the Require Any Of list

Then click Save Changes.

Publishing a SPF record

Most domains already have a SPF record published in their DNS. You can use the MX Toolbox SPF Record Tool to check this.

If you don’t have a SPF record published in your domain’s DNS, add the following basic SPF record as a TXT record at the root of your domain’s DNS zone:

“v=spf1 mx ~all”

 This will explicitly allow email that comes directly from the gateways listed in your domain’s MX records. Additional record modifications to the SPF are required if you send email from sources other than these gateways.


If you use Proofpoint as your outbound email gateway, you can configure DKIM signing by completing the following steps:

Navigate to Email Protection > Email Authentication > DKIM Signing > Keys.

For each email domain:

1. Click Generate Key
2. In the Domain field, enter the base domain name, such as example.org, even if your
email addresses are john.smith@hq.example.org
3. Enter an arbitrary string in the selector field. Something simple such as s1 will do.
Note: The DKIM selector is visible in all signed email headers.
4. Leave the Scope set to Any
5. Click Add Entry
6. After the DKIM Key table row populates (which can take a few minutes), click on the
Show button in the DNS Text Record field
7. Publish the displayed record in the public DNS zone for your domain