Email Authentication Records Explained
SPF, DKIM, and DMARC are DNS-based email authentication mechanisms that help prevent email spoofing, phishing, and spam. Properly configuring these records significantly improves your email deliverability and protects your domain's reputation.
SPF (Sender Policy Framework)
SPF defines which mail servers are authorized to send email on behalf of your domain. It is implemented as a TXT record on your domain.
Setting up SPF in DirectAdmin:
- Go to DNS Management for your domain.
- Add a TXT record with the name set to your domain (or leave blank for root).
- Enter the SPF value. A typical record for server-hosted email:
v=spf1 a mx ip4:YOUR_SERVER_IP ~all
Common SPF examples:
- Server only:
v=spf1 a mx ~all
- Google Workspace:
v=spf1 include:_spf.google.com ~all
- Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
- Combined (server + Google):
v=spf1 a mx include:_spf.google.com ~all
Use ~all (soft fail) during testing and switch to -all (hard fail) once confirmed working. You should have only one SPF record per domain.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your outgoing emails, allowing recipients to verify the message was not tampered with in transit.
Enabling DKIM in DirectAdmin:
- DirectAdmin servers with Exim or OpenDKIM configured will often generate DKIM keys automatically.
- Navigate to E-mail Manager → DKIM Keys or check DNS Management for existing DKIM records.
- If a DKIM TXT record exists, it will look something like:
x._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
- If no DKIM record exists, contact your hosting provider to enable DKIM signing for your domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receiving mail servers what to do with emails that fail SPF and DKIM checks. It also enables reporting so you can monitor authentication results.
Adding a DMARC record:
- In DNS Management, add a TXT record.
- Set the name to _dmarc (this creates _dmarc.example.com).
- Enter the DMARC policy value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com; pct=100
DMARC policy options:
- p=none – Monitor only, no action taken (start here).
- p=quarantine – Suspicious emails are sent to spam.
- p=reject – Failing emails are rejected entirely.
Start with p=none to collect reports without affecting email delivery. After analyzing reports and confirming SPF and DKIM are working correctly, gradually move to p=quarantine and then p=reject.
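The SPF and DMARC checks described above (a single SPF record, the ~all versus -all qualifier, and the DMARC policy tags) can be run against record values before or after publishing them. The following is an added example, not part of the original article or of DirectAdmin; the function names lint_spf and lint_dmarc and all sample records are constructed for illustration.

```python
# Added example: lint TXT record strings against the SPF and DMARC guidance above.
# lint_spf / lint_dmarc and all sample records are constructed for illustration.

SPF_ALL = {
    "-": None,  # hard fail: nothing to report
    "~": "soft fail (~all): switch to -all once confirmed working",
    "?": "neutral (?all): does not restrict senders",
    "+": "+all: authorizes every sender",
}

def lint_spf(txt_records):
    """Findings for the TXT records published at the domain root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: publish only one"]
    alls = [t for t in spf[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ["no 'all' mechanism"]
    # A bare "all" with no qualifier defaults to "+".
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return [SPF_ALL[qualifier]] if SPF_ALL[qualifier] else []

def lint_dmarc(record):
    """Findings for the TXT record published at _dmarc.<domain>."""
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (part.partition("=") for part in record.split(";"))
            if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitor only, no action taken")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    return findings

if __name__ == "__main__":
    root_txt = ["v=spf1 a mx ~all", "v=spf1 include:_spf.google.com ~all"]
    print(lint_spf(root_txt))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"))
```

An empty result means the record raised none of the findings checked here; it does not confirm that the listed servers or includes are correct for your mail flow.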