Knowledgebase Article
Understanding SPF, DKIM and DMARC (Email Authentication)
Why Email Authentication Matters
Without proper authentication, it is relatively easy for someone to send email that appears to come from your domain without actually being sent by you, a technique commonly used in phishing and spam. SPF, DKIM, and DMARC are three related standards that work together to prevent this and improve the likelihood your legitimate email reaches the inbox rather than the spam folder.
If you have not yet read DNS Management: A/CNAME/MX/TXT Records Explained, it covers the TXT record type these standards are built on.
What SPF Does
SPF, short for Sender Policy Framework, is a DNS record listing which mail servers are authorized to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from your domain, it checks the SPF record to confirm the sending server is actually on the authorized list. If it is not, the message is more likely to be flagged as spam or rejected outright.
What DKIM Does
DKIM, short for DomainKeys Identified Mail, adds a digital signature to outgoing email, generated using a private key that only your mail server has access to. Receiving servers can verify this signature against a public key published in your DNS records, confirming the message genuinely originated from your domain and was not altered in transit.
What DMARC Does
DMARC, short for Domain based Message Authentication Reporting and Conformance, builds on top of SPF and DKIM by telling receiving mail servers what to do when a message fails either check, such as rejecting it outright, marking it as spam, or simply monitoring and reporting without taking action. DMARC also provides reporting, giving you visibility into who is sending email using your domain, including any unauthorized attempts.
How These Three Work Together
SPF and DKIM each provide a different method of verifying legitimacy, and DMARC ties them together with an enforcement policy, telling receiving servers how strictly to act on failures. Having all three properly configured significantly improves both your email deliverability and your protection against domain impersonation.
Setting These Up
Each of these standards is implemented as a specific TXT record added to your domain's DNS settings. See Managing DNS Zones in cPanel/Plesk for where to add these records within your control panel. The exact record values are typically provided by your email hosting provider and should be entered precisely as given, since even small errors can cause authentication to fail.
Verifying Your Setup
After adding these records, several free online tools allow you to check whether SPF, DKIM, and DMARC are correctly configured and passing for your domain. It is worth verifying this after initial setup and periodically afterward, particularly if you add a new email sending service that also needs to be authorized.
If You Are Having Deliverability Issues
If your legitimate email is landing in recipients' spam folders, missing or misconfigured authentication records are one of the most common underlying causes. See Troubleshooting Email Delivery and Spam Issues for a broader look at diagnosing delivery problems.