Email Deliverability: SPF, DKIM, and DMARC
Email Deliverability: SPF, DKIM, and DMARC
If emails sent from your hosting account end up in spam folders or are rejected entirely, you likely need to configure SPF, DKIM, and DMARC records. These DNS-based authentication mechanisms verify that emails are legitimately sent from your domain.
What Is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send emails on behalf of your domain.
Example SPF record:
v=spf1 +a +mx +ip4:YOUR_SERVER_IP include:_spf.google.com ~all
How to set up SPF:
- Log into your DNS management (domain registrar or cPanel > Zone Editor).
- Create or edit a TXT record for your domain (
@):- Name/Host:
@(or your domain name) - Type: TXT
- Value:
v=spf1 +a +mx ~all(basic; adjust based on your mail setup)
- Name/Host:
- Save the record.
Common SPF includes:
- Hosting mail server:
v=spf1 +a +mx ~all - Google Workspace:
v=spf1 include:_spf.google.com ~all - Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails, allowing the receiving server to verify the email wasn’t altered in transit.
How to set up DKIM:
- In cPanel, go to Email > Email Deliverability (or Authentication).
- Find your domain and click Manage or Repair.
- cPanel will display the DKIM record that needs to be added to your DNS.
- If DNS is managed in cPanel, it may be added automatically. If managed elsewhere, add the provided TXT record to your domain’s DNS.
The DKIM record typically looks like:
- Name:
default._domainkey(or similar selector) - Type: TXT
- Value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...(long public key)
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when SPF or DKIM checks fail. It also provides reporting on email authentication results.
How to set up DMARC:
- Add a TXT record to your DNS:
- Name/Host:
_dmarc - Type: TXT
- Value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- Name/Host:
DMARC policy options:
| Policy | Behavior |
|---|---|
p=none | Monitor only — no action taken on failures (start here) |
p=quarantine | Send failing emails to spam folder |
p=reject | Reject failing emails entirely |
Recommended approach: Start with p=none to monitor, then gradually tighten to quarantine and finally reject once you’re confident your legitimate emails pass authentication.
Checking Your Email Authentication
In cPanel:
- Go to Email > Email Deliverability.
- Review the status of SPF and DKIM for each domain.
- Click Repair to have cPanel auto-fix issues.
Online tools:
- MXToolbox.com — Check SPF, DKIM, DMARC, and blacklist status
- mail-tester.com — Send a test email and get a deliverability score
- Google Admin Toolbox — Check DNS records
Troubleshooting Email Deliverability
- Emails going to spam: Ensure SPF, DKIM, and DMARC are all configured correctly.
- SPF failures: Make sure your SPF record includes all servers that send email for your domain.
- Only one SPF record allowed: Merge multiple SPF entries into a single record using
include:statements. - DKIM not signing: Verify DKIM is enabled in cPanel and the DNS record matches.
- Check blacklists: Use MXToolbox to check if your server IP is on any email blacklists.
For email deliverability help, contact 10Corp support.