How to Set Up SPF, DKIM and DMARC

Let us understand how to set up SPF, DKIM and DMARC

Defend and protect your company’s emails against Spoofing (identity theft) and Phishing (obtaining personal information for scams) through SPF, DKIM, and DMARC records to detect Spam and validate the authentic identity of emails.

Your email could be in danger! I do not want to be alarmist, but the victims of spoofing (impersonation) and phishing (scams and personal information theft) are increasingly common. Fortunately, there is something that can be done: set up SPF, DKIM and DMARC records, with which you can keep your email safe and get rid of spam and online pirates. These protocols tell you if an email you receive is real or a hoax.

Surely you haven’t heard much about these records, have you? Like most people! SPF, DKIM and DMARC records are essential if you want to keep your business safe and avoid headaches.

Understanding and applying these records requires assimilating some technicalities, so you may be interested in having our Website maintenance and Email services, as this is how you leave these technical and crucial tasks in the hands of professionals. We can take care of protecting your email and making your website more secure and reliable for your potential clients, in a short time and with optimal results!

The challenge: protecting the reputation of your domain name

Faced with the danger of phishing attacks,

  • The SPF (Sender Policy Framework) to verify the address of the sender of each Email.
  • The DKIM (DomainKeys Identified Mail) to verify the authenticity of e-mails with digital signatures.

As the domain name holder, you have a vested interest in ensuring that no fraudsters can send fraudulent e-mail or spam on your behalf. Indeed, your domain name may end up on blacklists, which would result in your emails being bounced or treated as spam by many email servers.

Example: Martin Dupont is the owner of the domain. His email address is Imagine that a fraudster uses the address to send spam: if he is detected, the domain name will be added to the blacklists and emails from com will be blocked by the recipient mail servers.

What is DNS?

DNS (Domain Name System) is the system that holds the “identity card” of a domain and allows information to be directed to the right place. Visible to all, DNS data provides information on the responsible addresses, those to contact in the event of a problem, the servers where the sender’s sites are hosted, and the standards that the domain meets. By customizing the domain used for sending email, the sender is therefore able to have their own authentication information.

Two pieces of data, always contained in an email, identify the sender:

  • IP address: This is an address assigned to any device connected to a network. Different formats are currently used: IPv4, a standard that is already old and whose sustainability is not guaranteed because the number of possible addresses has now been reached, and IPv6, defined more recently, which allows such a large number of addresses that it becomes impossible to use it in filtering.
  • The domain: Here the format is completely open and allows an infinite number of possibilities.

These two elements can be “spoofed”, in other words imitated or forged. We must therefore ensure their authenticity.

What are email Authentication standards?

The authentication protocols available to MSPs are based on the DNS and use “TXT”-type records, whose syntax often remains obscure. Among these different tools, we find:

  1. SPF
  2. DKIM
  3. DMARC

What is the SPF record?

The SPF record (Sender Policy Framework) is a protocol that consists of creating a list of authorized servers from which emails are sent for a specific Web domain.

This type of record can be added only by the owners or administrators of the Web domain, so no stranger can alter it.

When an email is sent, the sender’s email address is associated with a Web domain, and therefore with that domain’s DNS (Domain Name System) configuration. It is within this DNS configuration that the SPF record is added, with the IP addresses of the servers authorized to send emails under this Web domain.

Then, the receiving server, where the recipient’s email address is located, analyzes the incoming mail, as well as the IP address from which it was sent, and verifies that this IP is included in the list of authorized IP addresses within the SPF record of the Web domain. If so, the incoming email is authorized and reaches the recipient without any problem.

As you can see, the SPF record is like a kind of invitation to enter a party in your recipient’s inbox; if you don’t have it, or the recipient server, as a good security guard of the party, does not verify that it was sent from an authorized IP address, you cannot enter!

By having the SPF record you will be able to pass all the filters and reach the recipients safely but, most importantly, you will prevent your business from being linked to malware, phishing, spam, and the other types of scams that hackers with bad intentions tend to use in their emails.

What is the DKIM record?

The DKIM record (DomainKeys Identified Mail) is a protocol that adds greater security to emails to prevent forgery.

The DKIM record relies on two cryptographic keys for emails sent from addresses under a Web domain:

  • The first key is absolutely private, which means that it is reserved for the owner or administrator of the Web domain, and creates a digital signature that is included in every email that is sent.
  • The second key is public and lets the receiving server, where the email address of the recipient is located, verify that the incoming email was sent from a trusted email address that has access to the private key of the Web domain’s DKIM record.

What is DMARC?

The owner of the domain name informs all potential mail recipients (or their mail servers) that he signs his mails by DKIM and/or authenticates them by SPF. In doing so, it instructs them to check all mail coming from its domain and to take certain measures in case of suspicion (failure of the verification). This request takes the form of an entry in the domain box and in the mail header.

The server that receives the email checks whether the email can be authenticated using at least one of two methods, DKIM or SPF. Otherwise, this mail is considered “suspicious”. It could be a fake, sent by someone who fraudulently uses the sender’s address for their own purposes.

The domain name holder may recommend that recipients take one of the following actions:

  1. Reject suspicious mail.
  2. Quarantine suspicious mail.
  3. Accept suspicious mail and report its status to the domain name holder.

The action recommended by the holder is contained in what is called the DMARC record (see below).

DMARC also involves reporting. Receiving e-mail servers should periodically send the sending domain a report of suspicious e-mails (that is, those that could not be authenticated through DKIM or SPF). Corresponding email addresses are also listed in the DMARC record.


Receiving mail servers are not required to take DMARC into account. If you do not receive messages notifying you of failed authentication by DKIM, it does not necessarily mean that all is well.

How to implement SPF, DKIM, and DMARC records?

Now that you know what email authentication consists of and why you need to implement it, it is time to explain how to implement these three records in your Web domain configuration.

The first benefit of authenticating is protecting yourself as an advertiser. An advertiser can no longer let anyone use their brand (i.e. their domain) and expose themselves to the risk of phishing, data leaks (spear-phishing), or reputational risks (in particular with regard to affiliates, partners…). By authenticating their mail, the sender also reassures their customers and can maintain their reputation as their system evolves.

How to Implement SPF record

To implement the SPF record you have to add a TXT record to the DNS zone of your Web domain and, to start the configuration, you need to know the host (which in most cases is “@” but varies according to each domain) and the TXT Value (SPF code) according to how you want it to behave.

Therefore, when creating the SPF record you will have two columns; one, where the host goes, and the other, with the name TXT Value, where you are going to modify the text so that your email will work correctly with the SPF record.

To give you an example, in the case of working with Google Apps, the value of the SPF record would be:

v=spf1 include: ~all

That code would allow you to send emails authorized by your Web domain from Google applications, such as Gmail.

If you also need to authorize other senders, which will surely be the case, it will be enough to include them in this same text.

For example, if you also send emails from an external platform that uses your domain name, as we do in brel, via SMTP protocol (in our case being ‘’), the TXT code of the SPF record would be:

v=spf1 include: include: ~all

And so on with all the authorizations you have to grant.

In addition, you can add additional authorized IP addresses, adding them directly to this same TXT code. For example, suppose that, in addition to all that has been mentioned, you work with a commercial management application, from where automatic emails are sent on behalf of your company, and that it has the IP address with number In that case TXT code would become:

v=spf1 ip4: include: include: ~all

This is the simplest and most common form of implementation, but in total an SPF record can be built from eight different mechanisms. Rather than indicating what action the receiving server will take when evaluating whether the mail is validated by the SPF record, these mechanisms have to do with matching authorized IP addresses.

If you analyze the example that I have given to show you how the text configured for the SPF record would look, you will notice that I include, almost at the end, the symbol “~”. This symbol indicates that the SPF record is configured for ‘SoftFail’, which means that if the receiving server cannot verify that the mail was sent from an authorized server, which in this case would be Google or the specified external IP address, it will give the mail ‘SoftFail’ treatment; that is, the mail will be delivered to the recipient anyway, but it will not be fully trusted by the incoming server, so it will probably go to the junk mail (Spam) folder.
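The receiving server's check described above, as an added example that is not part of the original post. It covers only the ip4, ip6, include and all mechanisms, and the domains, addresses and the ZONE lookup table (used instead of real DNS) are constructed for illustration.

```python
import ipaddress

# Constructed TXT records keyed by domain; all names and IPs are made up.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate sender_ip against the SPF record published for domain.

    Lookups go to the `zone` dict instead of DNS, and mechanisms other
    than ip4, ip6, include and all are skipped.
    """
    if depth > 10:          # stop runaway include chains
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"       # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"     # a mechanism without a symbol means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only if the included record says "pass"
            matched = check_spf(value, sender_ip, zone, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue        # mechanism not covered by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # nothing matched and there was no "all"
```

An unlisted sender gets "softfail" under "~all"; the same record ending in "-all" would return "fail" for it.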

How to implement the DKIM record

As I said before, the DKIM record almost always works with two keys, one private and the other public, although some cloud services may do it differently.

As the standard is that both keys are used, I show you how to add a CNAME entry, within the DNS zone of your Web domain, to activate your DKIM key within your Web domain:

CNAME {public key}

As you can see in the example, I create a CNAME record for the subdomain “k1._domainkey.” of my Web domain and, as the value of the CNAME record, I add the public key of my DKIM record.

And what is that public key? Well, as with the private key, you must request it from your Web and Email service provider.

It is a service that the vast majority of Web and Email server providers offer for free, and you can even activate it yourself from your control panel (for example cPanel).

To the DKIM records you will add as many “k” entries as you need to authorize the servers you want; in this case, I put “k1”, where “k1” indicates a first record or authorization.

For the next one, in the event that a second verification server is necessary (which is unlikely), you will do the same, but by entering “k2”, and so on.

How to implement the DMARC record

The DMARC record is another TXT-type record, and it is the last step in shielding your email from hackers who could haunt your business on the Internet. It is an instruction protocol that specifies how to handle SPF and DKIM records, and the value of the TXT record with which you should configure your DMARC record would be something like:

v=DMARC1; p=none; rua=mailto:postmaster@example.com; adkim=r; aspf=r; pct=100; sp=none

The XML reports generated by DMARC, which I have already told you about above, will be sent to the address you configure in “rua=”. In them, you will be able to find all the information about the emails that have been sent under your domain, and you will know if they passed the security protocols or not, and what they failed in case they did not. It is very useful data that will help you decipher all the impersonation and scam attempts that may have been made on your behalf or that of your company.
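One way to read the reports sent to the “rua=” address, as an added example that is not part of the original post. The report fragment is constructed, uses documentation IP ranges, and is trimmed to the elements the code reads; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report fragment (addresses are documentation ranges).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
</feedback>"""


def unauthenticated_sources(report_xml):
    """Return {source_ip: message_count} for rows failing both DKIM and SPF.

    Mail that passes at least one of the two checks is authenticated, so
    only rows failing both are the "suspicious" mail the policy targets.
    """
    failures = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        results = {evaluated.findtext("dkim"), evaluated.findtext("spf")}
        if results == {"fail"}:
            failures[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(failures)


def policy_readiness(report_xml):
    """Share of reported messages (0.0 to 1.0) that passed DKIM or SPF."""
    root = ET.fromstring(report_xml)
    total = sum(int(row.findtext("count")) for row in root.iter("row"))
    failed = sum(unauthenticated_sources(report_xml).values())
    return (total - failed) / total if total else 1.0
```

Reports arrive from third parties, so a production parser should use a hardened XML library; the Python documentation warns that the standard xml modules are not secure against maliciously constructed data.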

Now: how to set up SPF, DKIM and DMARC records in cPanel

cPanel is a great control panel to configure some aspects of your Web domain and the configuration of your Email accounts, and the best thing is that it is very easy to use.

Setting SPF, DKIM and DMARC records in it is a cinch! I explain what you should do:

How to set up SPF records?

For SPF:

  • In the email module, select “Email Authentication”
  • Within that page, in the SPF section, click on “Activate”.

How to set up DKIM records?


  • In the email module, select “Email Authentication”
  • Within that page, in the DKIM section, click on “Activate”.

How to set up DMARC records?


  • In the web domains module, select “Advanced DNS Zone Editor”.
  • Within that page, select “Add record”, select the option “TXT” and, as I explained above, insert a text similar to the following: IN TXT 14400 «v=DMARC1; p=none; rua=mailto:


SPF, DKIM, and DMARC records protect your company from any attempt to defraud your customers!

We are all tired of spam and emails that try to deceive us, right? In fact, although we believe that this type of deception is very far from us or our company because we are not Amazon or Paypal, it is not like that: we are all targets of these types of attacks!

But the most worrying thing is when the situation becomes dramatic and it is you who sends the emails to your clients, the days go by and you do not receive a response.

In that case, it is possible that your clients are never receiving your emails, or that the emails remain in the Spam folder because your SPF, DKIM, and DMARC records are not activated.

Perhaps you have worked on a fabulous email marketing campaign, but you are not receiving the expected performance because this is not enough for your subscribers to see your emails.

Setting up SPF, DKIM, and DMARC records could be very helpful so that your emails stay in the inbox and not hidden in the spam folder.

But also, as a company, you must be extremely concerned that your subscribers and client portfolio are safe, and you will not guarantee this until you get to work with these protocols.

Remember that by Law (LGPD and GDPR) you are bound under the threat of strong economic sanctions!

I challenge you to start protecting your business emails today, gain visibility in your Email campaigns and comply with the Law. Do you accept the challenge?

I would love to hear your opinion, so I invite you to send us your useful comments, and I hope you share this post with your friends on social networks and help them save themselves from the spoofing and phishing attacks that abound on the internet. So that is how to set up SPF, DKIM and DMARC. Below I will leave you a form, which you can fill in to contact us, and you will hear from us very soon!
