DKIM SPF & DMARC DNS Records
Published January 14, 2025
The usage of DKIM, SPF and DMARC DNS records is critical for smooth business email operations and to ensure that every email sent is actually from you and that it gets delivered to the recipient. Email Authentication is vital to block phishing, business email compromise, ransomware and spam.
To get started, here's an explanation of what each of these DNS records is.
DKIM (DomainKeys Identified Mail)
DKIM is an email authentication method that uses a unique digital signature created on the email server to communicate with the receiver of an email to let them know that your email message was actually sent from you, the authorized domain holder, and it is not a spoofed, or fake, email sent from a hacker pretending to be you.
SPF (Sender Policy Framework)
SPF is a TXT DNS Record that is unique to your email accounts and the server they are hosted on. The record is created to authorize only the listed IP addresses to send any form of email using your email account name.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the 3rd component to proper email authentication. The DMARC record tells mail servers what to do with an email message when it does not pass the DKIM and SPF Record check and also allows you to receive reports to help you identify possible authentication issues and malicious activity for messages sent from your domain.
Important Notes About DKIM, SPF and DMARC
- SPF, DKIM, and DMARC are applied per domain. If you manage more than one domain, you must enable SPF, DKIM, and DMARC separately for each domain.
- If you don't set up SPF and DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
- Allow 48 hours after setting up SPF and DKIM before setting up DMARC.
How to create your DKIM Record and activate it
In order to create your DKIM Record, you need to know where your email is hosted. Is it in your cPanel or DirectAdmin hosting account or through Microsoft 365, Google Workspace or somewhere else?
Once you know this answer, you can start the process of making sure the DKIM Record is created. While it's hard to list the process for every email provider, we are going to show how to create this using DirectAdmin, cPanel, Microsoft 365 and Google Workspace.
Create a DKIM Record using DirectAdmin
In order to create your DKIM Record using DirectAdmin, you will need to be able to login to your DirectAdmin account. If you do not know your login information, you will need to reach out to your web hosting provider to help you gain access.
Once you are logged in to your DirectAdmin account, go to Email Manager -> Email Accounts. On this page, you will see a button at the top that says Enable DKIM if it does not already exist. If the button says Disable DKIM, it means the record has already been added for your domain and you can move on to making sure you have an SPF and DMARC record created.
Create a DKIM Record using cPanel
In order to create your DKIM Record using cPanel, you will need to be able to login to your cPanel account. If you do not know your login information, you will need to reach out to your web hosting provider to help you gain access.
Once you are logged into your cPanel account, either use the search bar or locate Email -> Email Deliverability on the page and click on that icon.
If you have multiple domains within your cPanel account, you'll need to click manage for the domain you are working with to view the details.
The Email Deliverability page will show you two of the three email authentication records (DKIM and SPF) and whether they are Valid (currently setup) or not.
If you are using the nameservers provided for that server (check with your web hosting provider if you are unsure), you can click the button that says install the suggested record. You can also look up your nameservers by visiting either whatsmydns.net or dnschecker.org in your web browser and entering your domain on that website.
If you are using nameservers that are not the ones provided by your web hosting company, you will need to copy / paste the records from the cPanel Email Deliverability page to the website where you manage your DNS records.
Once they are entered, allow up to 48 hours to complete DNS propagation.
This process is shown in more detail by visiting our link about cPanel Email Deliverability
Create a DKIM Record using Microsoft 365
In order to create your DKIM Records (there are 2 of them), you will need to be able to login to admin.microsoft.com using your web browser.
Once you are logged in to the Microsoft 365 Admin Center, go to Setup -> Domains. Go to the Connect Domains page and select I'll manage my own DNS Records.
Choose Next and the next page will list all of the available DNS Records. Check the boxes for the services you want to use, making sure to check the box for DKIM Records.
On the Add DNS Records page, you'll find the 2 DKIM records. Copy each of them and add them through your Domain Registrar or wherever you manage your DNS Records.
Once you have added the required DNS Records, go back to the Microsoft 365 Admin Center and click Verify. As soon as everything is verified, you'll see the end of setup page.
For more information about Microsoft 365 DKIM Setup, visit the Microsoft Website to read the Microsoft 365 DKIM Setup Documentation
Create a DKIM Record using Google Workspace
In order to create a DKIM Record for your Google Workspace account, you will need to be able to login to admin.google.com using your web browser.
Once you are logged in, go to Apps -> Google Workspace -> Gmail and click the button to generate a DKIM Record.
If you have multiple domains created in your Google Workspace account, select the domain from the dropdown link to choose the domain that you want to enable DKIM authentication for.
The unique DKIM record will be displayed. You will need to login to where you manage your DNS records and you will add that new DKIM record. It can take up to 48 hours to fully propagate.
You will need to periodically check this same page (Apps -> Google Workspace -> Gmail) and click Authenticate until Google recognizes the new DKIM Record.
Once that is completed, you are done and DKIM is being used to validate the origin of emails sent from your domain.
For more information about Google Workspace DKIM Setup, visit the Google Workspace Website to read the Google Workspace DKIM Setup Documentation
How to locate your SPF Record and activate it
An example of an SPF Record looks like this:
"v=spf1 a mx ip4:162.211.84.243 ip4:170.249.239.26 ip4:170.249.239.206 ~all"
There are 3 main components to every SPF Record
v=spf1 a mx
- This designates the TXT Record as an SPF Record specifically
ip4:211.136.121.57
- Each IP address listed in your SPF Record is authorized to send email messages from your email domain.
For example, if your SPF Record includes ip4:170.249.239.26 but it does not include ip4:197.204.255.93 and a hacker attempts to send an email that looks like it is from you from the IP address 197.204.255.93, then the email will not be delivered to the intended email recipient(s).
all
- All is a required tag. It should be placed at the end of the SPF record. Depending on the qualifiers used (~, +, -, ?), this mechanism indicates how the recipient should treat emails from non-authorized sources.
Qualifier
Action receiving server takes with a match
Should you use ~ or -
- When an SPF record includes ~all (soft fail qualifier), receiving servers typically accept messages from senders that aren't in your SPF record, but mark them as suspicious.
- When an SPF record includes -all (fail qualifier), receiving servers may reject messages from senders that aren't in your SPF record. If your SPF record isn’t set up correctly, the fail qualifier might cause more messages from your domain to be sent to spam.
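To see how the qualifier on all changes the outcome, the added example below (not code from the original page) evaluates the example SPF record from this article against a listed and an unlisted sending IP. It only resolves ip4/ip6 and all terms offline; a, mx and include need DNS lookups and are reported as skipped, and the function names are assumptions made for this illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, value) tuples."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_ip(record, sender_ip):
    """Evaluate ip4/ip6 and all terms left to right for one sending IP.

    a, mx and include need DNS lookups, so this offline example skips them
    and reports them in the second return value.
    """
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], skipped
        elif name == "all":
            return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(name)
    return "neutral", skipped  # no term matched and no all term present

# The example record from this page, tested with a listed and an unlisted IP.
RECORD = '"v=spf1 a mx ip4:162.211.84.243 ip4:170.249.239.26 ip4:170.249.239.206 ~all"'
LISTED = check_ip(RECORD, "170.249.239.26")
SOFT = check_ip(RECORD, "197.204.255.93")
HARD = check_ip(RECORD.replace("~all", "-all"), "197.204.255.93")

if __name__ == "__main__":
    print("listed IP:", LISTED)
    print("unlisted IP with ~all:", SOFT)
    print("unlisted IP with -all:", HARD)
```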
cPanel and DirectAdmin SPF Record
Both cPanel and DirectAdmin create an SPF Record for you when the account is created on the server.
Google Workspace SPF Record
If you are only using Google Workspace to send emails (some use additional providers such as Constant Contact, Mailchimp, etc) then your SPF Record will look like this:
v=spf1 include:_spf.google.com ~all
Microsoft 365 SPF Record
If you are only using Microsoft 365 to send emails (some use additional providers such as Constant Contact, Mailchimp, etc) then your SPF Record will look like this:
v=spf1 include:spf.protection.outlook.com -all
How to create your DMARC Record and activate it
An example of a DMARC policy record looks like this (replace example.com with your domain):
v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s
The v and p tags must be listed first. Other tags can be listed in any order.
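A record that breaks the tag-order rule is typically ignored by receivers, which leaves the domain without a DMARC policy. The added example below (not code from the original page) lints a DMARC TXT value for that rule and for the other tags used in the record above. The function names and the second sample record are constructed for this illustration, and the check accepts only mailto: report addresses.

```python
def parse_dmarc(record):
    """Return the tags of a DMARC TXT value as an ordered list of (tag, value)."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """List problems that would make receivers ignore or misread the record."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p must be the second tag")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        # Both alignment tags default to relaxed when they are absent.
        if tags.get(tag, "r").lower() not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be a whole number from 0 to 100")
    for uri in tags.get("rua", "").split(","):
        # Assumption of this example: only mailto: report URIs are accepted.
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua address {uri.strip()!r} is not a mailto: URI")
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    return problems

# GOOD is the example record from this page; BAD is constructed for the example.
GOOD = ("v=DMARC1; p=reject; rua=mailto:postmaster@example.com, "
        "mailto:dmarc@example.com; pct=100; adkim=s; aspf=s")
BAD = "p=reject; v=DMARC1; pct=150; rua=dmarc@example.com"

if __name__ == "__main__":
    print("page record:", lint_dmarc(GOOD) or "no problems found")
    for problem in lint_dmarc(BAD):
        print("constructed record:", problem)
```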