Email authentication (SPF, DKIM, DMARC)
If your email sometimes lands in spam, or you want to prevent anyone from spoofing your domain, this is the fix.
Email authentication is three DNS-based controls that work together:
- SPF: which servers are allowed to send mail for your domain
- DKIM: cryptographic signature added to outgoing mail
- DMARC: policy that tells receivers what to do when SPF/DKIM fail
Regional Mail Infrastructure
GOZEN HOST email infrastructure operates from USA and European data centers with high-reputation IP ranges, ensuring your business emails reach the inbox.

Before you start
Know where your DNS is hosted
You must add these records where your DNS zone is managed:
- If your nameservers point to GOZEN HOST, you will edit DNS in your control panel.
- If your domain uses external nameservers (registrar or third-party DNS), you must edit DNS there.
If you are unsure, start here:
- Point your domain to GOZEN HOST
Always use GOZEN HOST values when provided
Exact record values can vary depending on your email service and cluster. If your Welcome Email or Client Area provides specific SPF/DKIM values, use those.
SPF (Sender Policy Framework)
SPF is a TXT record on your domain that lists allowed senders.
The rule that breaks SPF most often
You must have one SPF record only.
Bad:
- two or three SPF TXT records on the same hostname
Good:
- one SPF record that includes all senders you use (GOZEN HOST, Google Workspace, ticketing system, etc.)
Example SPF record (template)
This is a common shape, but use GOZEN HOST values when provided:
What it means:
- include: authorizes a sender platform
- -all tells receivers to reject anything else
Start with ~all if you’re not sure
If you are still migrating or you send mail from multiple places, start with ~all (softfail) and tighten to -all later.
DKIM (DomainKeys Identified Mail)
DKIM is a TXT record tied to a selector. It proves the mail was signed by an authorized server.
How DKIM is usually published
You will see one or more records like:
- Hostname: selector._domainkey.yourdomain.com
- Type: TXT
- Value: long key string
Enable DKIM in your email platform/control panel if available, then publish the DNS record it provides.
Do not edit the DKIM key
Copy it exactly. Even one missing character breaks verification.
DMARC (Domain-based Message Authentication)
DMARC is a TXT record at:
- Hostname: _dmarc.yourdomain.com
- Type: TXT
DMARC serves both security and deliverability. It also provides reporting.
Safe rollout strategy (recommended)
- Monitor
  - p=none to collect data without blocking mail
- Enforce gently
  - p=quarantine to send failing mail to spam
- Enforce hard
  - p=reject to block spoofing and most unauthenticated mail
Recommended starter DMARC record (monitoring)
Notes:
- rua is where aggregate reports go (use an inbox you control)
- adkim=s and aspf=s enable strict alignment (stronger protection)
- pct=100 means apply policy to 100% of mail
Don’t jump straight to p=reject
If you send mail from multiple systems (CRM, marketing, helpdesk), you can block legitimate mail. Start with monitoring.
Quick verification (how to confirm it works)
1) Send a test to Gmail
Send an email to a Gmail address you control.
In Gmail:
- open the message
- click “More” (⋮)
- choose “Show original”
You should see SPF/DKIM/DMARC as PASS (or at least aligned).
2) Common PASS/FAIL meanings
- SPF FAIL: wrong sender, wrong SPF, or multiple SPF records
- DKIM FAIL: DKIM record missing/wrong, or sending service not signing
- DMARC FAIL: SPF/DKIM not aligned with your “From” domain
Common DNS mistakes (fast fixes)
Multiple SPF records
Fix:
- keep one, merge all includes into a single SPF record
DKIM added at the wrong hostname
Fix:
- DKIM must be at selector._domainkey exactly as provided
DMARC record added to root instead of _dmarc
Fix:
- hostname must be _dmarc
Using external services without adding them to SPF
Fix:
- add the service include, or send through GOZEN HOST SMTP consistently
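The mistakes in this section can be caught by auditing a zone's TXT records before you rely on them. The script below is an added example, not GOZEN HOST code; the domain example.test, the selector s1, the include hostnames and the key value are constructed placeholders.

```python
# Added example: all hostnames and record values are constructed placeholders.
def parse_tags(record):
    """Split a 'k=v; k=v' record (the DMARC syntax) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(zone, domain, selector):
    """zone maps hostname -> list of TXT strings; returns a list of findings."""
    findings = []
    root = zone.get(domain, [])
    spf = [r for r in root if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: missing")
    elif len(spf) > 1:
        findings.append(f"spf: {len(spf)} records, merge into one")
    else:
        last = spf[0].split()[-1].lower()
        verdict = {"-all": "ok (hard fail)", "~all": "ok (softfail, tighten later)"}
        findings.append(f"spf: {verdict.get(last, 'does not end in -all or ~all')}")
    if not zone.get(f"{selector}._domainkey.{domain}"):
        findings.append("dkim: no record at selector._domainkey")
    is_dmarc = lambda r: r.lower().startswith("v=dmarc1")
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if is_dmarc(r)]
    if dmarc:
        policy = parse_tags(dmarc[0]).get("p", "")
        stage = {"none": "monitor", "quarantine": "enforce gently", "reject": "enforce hard"}
        findings.append(f"dmarc: p={policy} ({stage.get(policy, 'invalid policy')})")
    elif any(is_dmarc(r) for r in root):
        findings.append("dmarc: published at root, move to _dmarc")
    else:
        findings.append("dmarc: missing")
    return findings

BROKEN = {  # two SPF records, DMARC on the root hostname, no DKIM
    "example.test": [
        "v=spf1 include:_spf.mail-a.example ~all",
        "v=spf1 include:_spf.mail-b.example -all",
        "v=DMARC1; p=none; rua=mailto:reports@example.test",
    ],
}
FIXED = {
    "example.test": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example ~all"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:reports@example.test; adkim=s; aspf=s; pct=100"],
}

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(zone, "example.test", "s1"))
```

To audit a live domain, fill the `zone` dict from your DNS provider's export or from TXT lookups of the three hostnames.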
Summary
- SPF controls who can send for your domain
- DKIM signs your mail to prove authenticity
- DMARC enforces policy and prevents spoofing
- Roll out DMARC safely: none → quarantine → reject