Email Authentication: SPF, DKIM & DMARC
Set up SPF, DKIM, and DMARC records for your domain to prevent spoofing, improve deliverability, and keep your emails out of spam folders.
If your emails are landing in spam or recipients aren’t getting them at all, the problem is usually missing or broken email authentication records. SPF, DKIM, and DMARC are three DNS records that prove to receiving mail servers that your emails are legitimate.
Why This Matters
Without proper authentication:
- Emails from your domain can land in spam folders
- Anyone can spoof your domain and send emails pretending to be you
- Large providers like Gmail, Outlook, and Yahoo may reject your emails outright (Google and Yahoo have enforced strict DMARC policies since February 2024)
Setting up all three records is no longer optional – it’s a requirement for reliable email delivery.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses and mail servers are allowed to send email on behalf of your domain.
How It Works
You add a TXT record to your domain’s DNS that lists your authorized mail servers. When someone receives an email from your domain, their server checks this record. If the sending server isn’t on the list, the email fails SPF.
Setting Up SPF
Add a TXT record to your domain’s DNS zone:
Type: TXT
Host: @
Value: v=spf1 include:_spf.gozenhost.com ~all
If you also send email through other services (like Google Workspace or Mailchimp), include them too:
v=spf1 include:_spf.gozenhost.com include:_spf.google.com include:servers.mcsv.net ~all
Important rules:
- You can only have one SPF record per domain. If you need multiple providers, combine them into a single record using multiple include: statements.
- The ~all at the end means “soft fail” for unauthorized senders (recommended). Use -all for a strict “hard fail” once you’re confident everything is set up correctly.
- SPF has a 10 DNS lookup limit. Each include: counts as one lookup. If you exceed this limit, your SPF record will break.
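The one-record rule and the lookup limit can be checked before a record is published. The following is an added example, not GoZen Host tooling: it walks a constructed in-memory zone (all names and records are made up, no DNS is queried) and counts every term that triggers a DNS query, including those nested inside included records.

```python
# Constructed sample zone: TXT records keyed by name. No real DNS is queried,
# and every name and record below is made up for illustration.
ZONE = {
    "yourdomain.example": ["v=spf1 include:_spf.host-a.example include:_spf.host-b.example mx ~all"],
    "_spf.host-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.host-a.example ~all"],
    "_spf2.host-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.host-b.example": ["v=spf1 a ~all"],
    "dup.example": ["v=spf1 include:_spf.host-b.example ~all", "v=spf1 mx ~all"],
    "big.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"p{i}.example": ["v=spf1 ip4:203.0.113.%d ~all" % i] for i in range(11)})

# Terms that make the receiver issue a DNS query (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(zone, name):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count DNS-querying terms reachable from name's SPF record, following includes."""
    if name in path:
        raise ValueError(f"include loop at {name}")
    records = spf_records(zone, name)
    if len(records) != 1:
        raise ValueError(f"{name}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.startswith("redirect=") else ":"
        mech, _, arg = term.partition(sep)
        mech = mech.split("/")[0]          # "a/24" and "mx/24" still count
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_lookups(zone, arg, path + (name,))
    return total

def check(zone, name, limit=10):
    try:
        n = count_lookups(zone, name)
    except ValueError as err:
        return f"permerror: {err}"
    if n > limit:
        return f"permerror: {n} lookups, limit is {limit}"
    return f"ok: {n} lookups"

if __name__ == "__main__":
    for domain in ("yourdomain.example", "dup.example", "big.example"):
        print(domain, "->", check(ZONE, domain))
```

Note that the first domain lists only three lookup terms itself but costs five, because the two included records each add one more.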
Testing SPF
Send a test email to a Gmail address and click “Show original” in Gmail. Look for:
SPF: PASS
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to every outgoing email. The receiving server verifies this signature against a public key stored in your DNS. If the signature matches, it proves the email wasn’t tampered with in transit.
How It Works
Your mail server signs each outgoing email with a private key. The corresponding public key is published as a DNS record. Receiving servers use the public key to verify the signature.
Setting Up DKIM
DKIM setup depends on your mail server. On GoZen Host shared hosting with cPanel:
- Log in to cPanel
- Go to Email Deliverability (under the Email section)
- Find your domain and click Manage
- If DKIM is not installed, click Install the suggested record
- cPanel will automatically add the DKIM DNS record
For VPS or dedicated servers, DKIM is typically configured through your mail server software (Exim, Postfix) or control panel (Enhance, Plesk).
The DNS Record
A DKIM record looks like this:
Type: TXT
Host: default._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA... (public key)
The default part is the selector – it varies depending on your hosting provider.
Testing DKIM
In the same Gmail “Show original” view, check for:
DKIM: PASS
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication checks. It also lets you receive reports about emails sent using your domain.
How It Works
DMARC checks whether the “From” domain in an email aligns with the domain that passed SPF or DKIM. If neither aligns, DMARC fails, and the receiving server follows your DMARC policy.
Setting Up DMARC
Add a TXT record to your DNS:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
DMARC Policies
| Policy | What It Does | When to Use |
|---|---|---|
| p=none | Monitor only – emails are delivered normally, but you receive reports | Start here to understand your email traffic |
| p=quarantine | Failed emails go to the spam folder | After you’ve confirmed legitimate emails pass |
| p=reject | Failed emails are blocked entirely | Full protection, once you’re confident nothing legitimate will fail |
Recommended approach: Start with p=none for 2-4 weeks, review the reports, then move to p=quarantine, and finally p=reject.
Understanding DMARC Reports
Reports are sent to the email address in the rua= field. They’re XML files that show:
- Which IP addresses sent email using your domain
- Whether those emails passed or failed SPF/DKIM
- How many emails were sent
Use a free tool like DMARC Analyzer or Postmark’s DMARC tool to make the XML reports readable.
Verification Checklist
After setting up all three records, verify them:
| Check | Tool |
|---|---|
| SPF record syntax | MXToolbox SPF Check |
| DKIM record | MXToolbox DKIM Lookup |
| DMARC record | MXToolbox DMARC Lookup |
| Full email test | Send a test email to mail-tester.com |
| GoZen Host DNS Tools | tools.gozenhost.com |
A perfect setup looks like this in email headers:
SPF: PASS
DKIM: PASS
DMARC: PASS
Common Mistakes
- Multiple SPF records. You can only have one. Combine all providers into a single record.
- Missing DKIM. SPF alone is not enough. Gmail and Yahoo now require DKIM for bulk senders.
- Jumping straight to p=reject. Start with p=none and monitor before enforcing.
- Forgetting subdomains. If you send email from shop.yourdomain.com, set up SPF/DKIM/DMARC for that subdomain too.
Last updated 23 Apr 2026, 09:41 +0300.