Email Authentication in Enhance: SPF, DKIM & DMARC
Set up SPF, DKIM, and DMARC for domains managed through the Enhance control panel. Covers where to find email settings, how DNS zones work in Enhance, and how to verify each record.
Enhance handles email authentication differently from cPanel. There is no single “Email Deliverability” screen that does everything for you. SPF is automatic, DKIM is toggled per-domain in the website settings, and DMARC is a DNS record you add yourself.
Prerequisites
- A domain hosted on a GoZen Host server running the Enhance control panel
- The Email role installed and assigned to your website (your hosting provider handles this; if email isn’t working at all, contact GoZen support)
- The DNS role active on your server, or external DNS where you manage records
- Access to the Enhance panel as a website owner or admin
How DNS zones work in Enhance
Before touching email records, it helps to understand how Enhance structures DNS.
Enhance uses PowerDNS under the hood. Every domain added to a website automatically gets a DNS zone with default records: A, AAAA (if available), MX, NS, and SOA. All DNS role instances serve all zones across the cluster. There is no per-server zone assignment.
You manage DNS records through the website dashboard:
- Open Websites in the left sidebar
- Select your website
- Click Domains in the top navigation
- Select the domain you want to manage
The DNS records list appears under the domain. This is where you add TXT records for SPF, DKIM, and DMARC.
If your DNS is hosted externally (at your registrar, Cloudflare, etc.), you add these records there instead. Enhance still generates the DKIM key for you. You just need to copy it to your external DNS.
SPF (Sender Policy Framework)
What Enhance does automatically
Enhance adds an SPF record to every domain’s DNS zone when the Email role is active. The record typically looks like:
v=spf1 a mx ~all
This tells receiving mail servers: “Accept email from the IP addresses in this domain’s A record and MX record. Soft-fail everything else.”
For most setups, this default is enough. You don’t need to change it unless you send email through additional services.
When you need to edit SPF
Edit the SPF record if you also send email through:
- Google Workspace: add
include:_spf.google.com - Microsoft 365: add
include:spf.protection.outlook.com - Mailchimp: add
include:servers.mcsv.net - A smart host configured in Enhance (Settings > Service > Email): add the smart host provider’s SPF include
How to edit SPF in Enhance
- Go to Websites > select your website > Domains > select your domain
- Find the existing TXT record that starts with
v=spf1 - Click Edit (kebab menu > Edit)
- Modify the value to include your additional senders:
v=spf1 a mx include:_spf.google.com ~all
- Click Save
Rules to remember:
- One SPF record per domain. Never add a second TXT record starting with
v=spf1. Merge everything into one. - SPF has a 10 DNS lookup limit. Each
include:counts as one. If you exceed this, SPF breaks silently. - Use
~all(soft fail) while testing. Switch to-all(hard fail) once you’ve confirmed all legitimate senders are listed.
DKIM (DomainKeys Identified Mail)
How DKIM works in Enhance
Enhance generates the DKIM key pair (private + public) for you. The private key lives on the mail server. You just need to toggle DKIM on and, if your DNS is external, publish the public key.
The mail server uses Postfix for SMTP and handles DKIM signing automatically once enabled.
Enabling DKIM
- Open Websites in the left sidebar
- Select the website you want to configure
- Click Domains in the top navigation
- Select the specific domain
- Scroll down to Email authentication
- Toggle DKIM to On
What happens next depends on where your DNS is hosted:
| DNS hosted on | What happens |
|---|---|
| Enhance (built-in DNS) | The DKIM TXT record is added to your zone automatically. Wait for validation. It should pass within minutes. |
| External DNS (registrar, Cloudflare, etc.) | Enhance shows you the DKIM record details (selector, value). Copy these and add a TXT record at your external DNS provider. |
The DKIM DNS record
The record Enhance generates looks like:
Type: TXT
Host: enhance._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA... (public key)
The selector in Enhance is enhance. This is different from cPanel, which uses default. If you’re migrating from cPanel to Enhance, the old DKIM record with default._domainkey won’t work. Enhance creates a new key under enhance._domainkey.
If DNS is external
When you toggle DKIM on and your DNS points elsewhere, Enhance displays instructions on screen. Copy the record exactly as shown. Common mistakes:
- Don’t add the full domain to the host field if your DNS provider auto-appends it. If your provider shows the host as
enhance._domainkey.yourdomain.com, enter onlyenhance._domainkey. - The public key value is long. Copy the entire string. Don’t truncate it.
- Set the TTL to 3600 (1 hour) or your provider’s default.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Enhance doesn’t add DMARC automatically
Unlike SPF, Enhance does not create a DMARC record for you. You need to add it yourself. Without DMARC, receiving servers have no instructions for what to do when SPF or DKIM fails.
Since February 2024, Gmail and Yahoo require DMARC for bulk senders. Even if you don’t send in bulk, a DMARC record prevents spoofing and helps your domain reputation.
Adding DMARC in Enhance
- Go to Websites > select your website > Domains > select your domain
- Click Add Record (the + button)
- Create a TXT record:
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
TTL: 3600
- Click Save
Replace dmarc-reports@yourdomain.com with a real mailbox where you want to receive reports. This can be any address you control.
DMARC policies: start soft, then tighten
| Policy | Effect | When to use |
|---|---|---|
p=none | Monitor only. Emails deliver normally, but you get reports. | Start here. Run it for 2-4 weeks. |
p=quarantine | Failed emails go to spam. | After reviewing reports and confirming legitimate mail passes. |
p=reject | Failed emails are blocked outright. | Full protection. Use only when you’re confident. |
Don’t skip straight to p=reject. If you have a newsletter service or CRM that sends on your behalf and you forgot to add it to SPF, those emails will be silently dropped.
Understanding DMARC reports
The rua= tag tells receiving servers where to send aggregate reports. These are XML files that show:
- Which IP addresses sent email claiming to be your domain
- Whether each message passed or failed SPF and DKIM
- How many messages were sent from each source
Raw XML is hard to read. Use a free parser:
- Postmark’s DMARC tool: free weekly digests
- DMARC Analyzer: visual dashboard
- EasyDMARC: monitoring with alerts
DNS zone templates (admin only)
If you manage multiple customer websites and want authentication records added automatically to every new domain, use Enhance’s DNS zone templating:
- Open Settings in the left sidebar
- Select Platform and scroll to DNS zone templating
- Click Add record
- Add your template records (e.g., a DMARC TXT record)
- Click Save
You can use $$origin$$ in the record value as a placeholder for the customer’s domain. This is useful for DMARC reporting addresses that include the domain name.
Template changes only apply to new websites and domains. Existing ones are not affected.
Smart hosts and email authentication
If you’re sending outbound email through a smart host (Settings > Service > Email, or per-server under Servers > Manage > … > Email Settings), update your authentication records to match the relay provider.
Each smart host provider (Postmark, Amazon SES, Mailgun, etc.) has its own SPF includes and DKIM requirements. Check their documentation and:
- Add their SPF
include:to your existing SPF record - Add any DKIM CNAME or TXT records they require
- Confirm your DMARC alignment still passes (the “From” domain must match what SPF or DKIM validates)
Verification checklist
After setting up all three records, verify them:
| Check | Tool |
|---|---|
| SPF record syntax | MXToolbox SPF Check |
| DKIM record | MXToolbox DKIM Lookup (use enhance as the selector) |
| DMARC record | MXToolbox DMARC Lookup |
| Full email test | Send a test email to mail-tester.com |
| GoZen Host DNS Tools | tools.gozenhost.com |
Quick header check
Send an email to a Gmail address, open it, and click Show original. Look for:
SPF: PASS
DKIM: PASS
DMARC: PASS
All three should show PASS. If any show FAIL or NEUTRAL, check the record that failed using the tools above.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| SPF fails but the record looks correct | Multiple SPF records on the domain | Merge them into one. You can only have one v=spf1 record. |
| DKIM fails after enabling in Enhance | DNS is external and the record wasn’t added | Copy the DKIM record from Enhance > Domains > Email authentication and add it to your external DNS. |
| DKIM fails with “signature mismatch” | Migrated from cPanel without updating the selector | The Enhance selector is enhance, not default. Add the new record and remove the old one. |
DMARC shows none policy but emails still hit spam | DMARC p=none doesn’t prevent spam placement | Check SPF and DKIM individually. DMARC only reports. It doesn’t fix underlying failures. |
| DMARC reports not arriving | Incorrect rua= address or mailbox doesn’t exist | Verify the email in rua=mailto:... is a working mailbox. Some providers filter DMARC reports as spam. |
| “Too many DNS lookups” error | SPF record exceeds 10 lookup limit | Remove unnecessary include: statements or use SPF flattening. |
Related Articles
Last updated 23 Apr 2026, 09:41 +0300.