How to Set Up SPF, DKIM, and DMARC Records for Email Authentication


Introduction

Email authentication is essential for ensuring secure and trustworthy communication. It protects domains from spoofing, phishing, and spam by allowing receiving mail servers to verify that messages are genuinely from the stated sender. Three key technologies are used in modern email authentication frameworks: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

SPF helps verify that a mail server is authorized to send email on behalf of a domain. DKIM adds a digital signature to each email message, enabling the receiving server to validate its authenticity and integrity. DMARC builds on SPF and DKIM by adding policy enforcement and reporting capabilities. When configured correctly, these mechanisms reduce the likelihood of email spoofing and improve email deliverability.

This guide is intended for domain administrators, system administrators, and hosting resellers who want to implement email authentication on domains hosted through DNS platforms, web hosting control panels like DirectAdmin or cPanel, or external DNS providers. Proper configuration is critical to prevent legitimate messages from being marked as spam and to protect the domain’s reputation.

Misconfigured or missing SPF, DKIM, or DMARC records can cause email delivery failures and expose the domain to abuse. This article explains how to set up each of these records using DNS, provides example values, and outlines the process for testing and verifying correct implementation.

 

Prerequisites

  • Access to your domain’s DNS management panel (DirectAdmin, cPanel, Cloudflare, etc.).
  • Your domain must have email services enabled and properly configured.
  • Knowledge of the mail servers or third-party services (like Google Workspace, Microsoft 365, Mailchimp, etc.) sending mail on behalf of the domain.
  • DKIM requires support from your mail server to generate and publish DKIM keys.

 

Step-by-step Guide

Step 1: Set Up SPF Record

SPF allows domain owners to define which IP addresses or servers are permitted to send emails on their behalf.

  1. Go to your domain’s DNS manager.

  2. Add a new TXT record with the following values:

    • Name/Host: @ or your domain name.

    • Type: TXT

    • Value (example):

v=spf1 a mx ip4:192.0.2.10 include:mail.example.com ~all
🖊️ Tip: Use -all for strict rejection or ~all for soft fail, depending on your policy preferences.

 

 

Step 2: Set Up DKIM Record

DKIM ensures the message has not been altered and verifies the sender’s domain.

  1. Enable DKIM in your mail server (in DirectAdmin, this is under “E-Mail Manager > DKIM Setup”).

  2. The system will generate a public DKIM key and a corresponding TXT DNS record.

  3. Copy the DKIM DNS record and publish it in your DNS panel:

    • Name/Host: default._domainkey.yourdomain.com

    • Type: TXT

    • Value: (a long string starting with v=DKIM1; k=rsa; p=...)

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...
🖊️ Tip: Some DNS platforms may require you to omit the domain portion when entering the hostname (e.g., just default._domainkey).

 

 

Step 3: Set Up DMARC Record

DMARC tells receiving servers how to handle messages that fail SPF and DKIM checks, and can provide reporting insights.

  1. Add a new TXT record in your DNS panel with:

    • Name/Host: _dmarc

    • Type: TXT

    • Value (example):

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1

  2. Modify the policy (p=) as needed:

    • none: Monitor only.

    • quarantine: Move suspicious emails to spam.

    • reject: Block failed emails.

⚠️ Important Note: Use the p=none policy when first implementing DMARC to monitor without affecting email delivery.

 

Step 4: Verify Your DNS Records

After setting the records:

Example dig command:

dig txt _dmarc.yourdomain.com

Check for correct propagation and syntax. It may take up to 24 hours for DNS changes to take effect.
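
The syntax check can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical, and the records are passed in as the TXT strings that dig returns, so no DNS queries are made.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into an ordered dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(apex_txt):
    """apex_txt: every TXT string published at the domain name itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # more than one SPF record is a permanent error (RFC 7208)
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    last = terms[-1] if terms else ""
    problems = []
    if not re.fullmatch(r"[-~?+]?all", last) and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism at the end of the record")
    elif last in ("all", "+all"):
        problems.append("'+all' authorizes any server to send for the domain")
    # RFC 7208 allows at most 10 DNS-querying terms. Nested includes also count,
    # so this top-level count is only a lower bound.
    lookups = [t for t in terms if re.match(r"[-~?+]?(include:|exists:|(a|mx|ptr)([:/]|$))|redirect=", t)]
    if len(lookups) > 10:
        problems.append(f"{len(lookups)} DNS-querying terms (limit is 10)")
    return problems

def check_dkim(record):
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if not tags.get("p"):
        problems.append("empty or missing p= (an empty p= marks the key as revoked)")
    return problems

def check_dmarc(record):
    tags = parse_tags(record)
    problems = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} target '{uri}' is not a mailto: URI")
    return problems
```

Each function returns a list of problems, so an empty list means the record passed these checks. For example, check_dmarc() on the Step 3 value returns [].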

 

Conclusion

Setting up SPF, DKIM, and DMARC records is crucial for securing outbound email and protecting domains from spoofing and spam. By following this guide, administrators can enforce sender authentication policies, improve inbox delivery rates, and gain insight into unauthorized email activity. Always monitor DMARC reports and adjust policies over time to maintain balance between security and deliverability.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.