DKIM SPF & DMARC DNS Records

Published January 14, 2025

The usage of DKIM, SPF and DMARC DNS records is critical for smooth business email operations and to ensure that every email sent is actually from you and that it gets delivered to the recipient. Email Authentication is vital to block phishing, business email compromise, ransomware and spam.

To get started, here's an explanation of what each of these unique DNS records is.

DKIM (DomainKeys Identified Mail)

DKIM is an email authentication method in which your email server adds a unique digital signature to each message. The signature lets the receiver of an email know that your message was actually sent from you, the authorized domain holder, and is not a spoofed, or fake, email sent from a hacker pretending to be you.

SPF (Sender Policy Framework)

SPF is a TXT DNS Record that is unique to your email accounts and the server they are hosted on. The record is created to authorize only the listed IP addresses to send any form of email using your email account name.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is the 3rd component to proper email authentication. The DMARC record tells mail servers what to do with an email message when it does not pass the DKIM and SPF Record check and also allows you to receive reports to help you identify possible authentication issues and malicious activity for messages sent from your domain.

Important Notes About DKIM, SPF and DMARC
How to create your DKIM Record and activate it

In order to create your DKIM Record, you need to know where your email is hosted. Is it in your cPanel or DirectAdmin hosting account or through Microsoft 365, Google Workspace or somewhere else?

Once you know this answer, you can start the process of making sure the DKIM Record is created. While it's hard to list the process for every email provider, we are going to show how to create this using DirectAdmin, cPanel, Microsoft 365 and Google Workspace.

Create a DKIM Record using DirectAdmin

In order to create your DKIM Record using DirectAdmin, you will need to be able to login to your DirectAdmin account. If you do not know your login information, you will need to reach out to your web hosting provider to help you gain access.

Once you are logged in to your DirectAdmin account, go to Email Manager -> Email Accounts. On this page, you will see a button at the top that says Enable DKIM if it does not already exist. If the button says Disable DKIM it means the record has already been added for your domain and you can move on to making sure you have an SPF and DMARC record created.


Create a DKIM Record using cPanel

In order to create your DKIM Record using cPanel, you will need to be able to login to your cPanel account. If you do not know your login information, you will need to reach out to your web hosting provider to help you gain access.

Once you are logged into your cPanel account, either use the search bar or locate Email -> Email Deliverability on the page and click on that icon.

If you have multiple domains within your cPanel account, you'll need to click manage for the domain you are working with to view the details.

The Email Deliverability page will show you two of the three email authentication records (DKIM and SPF) and whether they are Valid (currently setup) or not.

If you are using the nameservers provided for that server (check with your web hosting provider if you are unsure), you can click the button that says install the suggested record. You can also look up your nameservers by visiting either whatsmydns.net or dnschecker.org in your web browser and entering your domain on that website.

If you are using nameservers that are not the ones provided by your web hosting company, you will need to copy / paste the records from the cPanel Email Deliverability page to the website where you manage your DNS records.

Once they are entered, allow up to 48 hours to complete DNS propagation.

For more detail on this process, visit our link about cPanel Email Deliverability.


Create a DKIM Record using Microsoft 365

In order to create your DKIM Records (there are 2 of them), you will need to be able to login to admin.microsoft.com using your web browser.

Once you are logged in to the Microsoft 365 Admin Center, go to Setup -> Domains.

Go to the Connect Domains page and select I'll manage my own DNS Records.

Choose Next and the next page will list all of the available DNS Records. Check the boxes for the services you want to use, making sure to check the box for DKIM Records.

On the Add DNS Records page, you'll find the 2 DKIM records. Copy each of them and add them through your Domain Registrar or wherever you manage your DNS Records.

Once you have added the required DNS Records, go back to the Microsoft 365 Admin Center and click Verify. As soon as everything is verified, you'll see the end of setup page.

For more information about Microsoft 365 DKIM Setup, visit the Microsoft Website to read the Microsoft 365 DKIM Setup Documentation


Create a DKIM Record using Google Workspace

In order to create a DKIM Record for your Google Workspace account, you will need to be able to login to admin.google.com using your web browser.

Once you are logged in go to Apps -> Google Workspace -> Gmail and click the button to generate a DKIM Record.

If you have multiple domains created in your Google Workspace account, use the dropdown to select the domain that you want to enable DKIM authentication for.

The unique DKIM record will be displayed. You will need to login to where you manage your DNS records and you will add that new DKIM record. It can take up to 48 hours to fully propagate.

You will need to periodically check this same page (Apps -> Google Workspace -> Gmail) and click Authenticate until Google recognizes the new DKIM Record.

Once that is completed, you are done and DKIM is being used to validate the origin of emails sent from your domain.

For more information about Google Workspace DKIM Setup, visit the Google Workspace Website to read the Google Workspace DKIM Setup Documentation


How to locate your SPF Record and activate it

An example of an SPF Record looks like this:

"v=spf1 a mx ip4:162.211.84.243 ip4:170.249.239.26 ip4:170.249.239.206 ~all"

There are 3 main components to every SPF Record

v=spf1 a mx - This designates the TXT Record as an SPF Record specifically

ip4:211.136.121.57 - Each IP address listed in your SPF Record is authorized to send email messages from your email domain.

For example, if your SPF Record includes ip4:170.249.239.26 but does not include ip4:197.204.255.93, and a hacker attempts to send an email that looks like it is from you from the IP address 197.204.255.93, then the email will not be delivered to the intended email recipient(s).

all - All is a required tag. It should be placed at the end of the SPF record. Depending on the qualifiers used (~, +, -, ?), this mechanism indicates how the recipient should treat emails from non-authorized sources.

Qualifier    Action receiving server takes with a match

+    Passes authentication. The server with matching IP address is authorized to send for your domain. Messages are authenticated. This is the default action when the mechanism doesn’t use a qualifier.
-    Fails authentication. The server with matching IP address is not authorized to send for the domain. The SPF record doesn’t include the sending server IP address or domain so messages won’t pass authentication.
~    Soft fails authentication. It's unlikely that the server with matching IP address is authorized to send for the domain. The receiving server will typically accept the message but mark it as suspicious.
?    Neutral. Neither passes nor fails authentication. The SPF record doesn’t explicitly state that the IP address is authorized to send for the domain. SPF records with neutral results often use ?all.
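To see how the qualifiers and ip4 entries combine, here is an added Python example (not part of the original article) that evaluates a sending IP against an SPF record offline, using the example record shown above. The function names are hypothetical, and the a, mx and include mechanisms are skipped because they need live DNS lookups.

```python
import ipaddress

# Qualifier -> result, following the qualifier table ("+" is the default).
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The example SPF record from this article.
PAGE_RECORD = ('"v=spf1 a mx ip4:162.211.84.243 ip4:170.249.239.26 '
               'ip4:170.249.239.206 ~all"')

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) terms."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        has_qualifier = term[0] in RESULTS
        qualifier = term[0] if has_qualifier else "+"
        body = term[1:] if has_qualifier else term
        name, _, arg = body.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_ip(record, sender_ip):
    """Evaluate terms left to right; the first matching term decides.

    Returns (result, skipped). skipped lists mechanisms that need DNS
    (a, mx, include), so a non-empty list means the answer is partial.
    """
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier], skipped
        elif name == "all":
            return RESULTS[qualifier], skipped
        else:
            skipped.append(name)
    return "neutral", skipped  # nothing matched and there is no "all" term

if __name__ == "__main__":
    for addr in ("170.249.239.26", "197.204.255.93"):
        print(addr, check_ip(PAGE_RECORD, addr))
```

With the record as published (~all), the unlisted address gets a soft fail; changing the last term to -all turns the same lookup into a fail.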

Should you use ~ or -

cPanel and DirectAdmin SPF Record

Both cPanel and DirectAdmin create an SPF Record for you when the account is created on the server.

Google Workspace SPF Record

If you are only using Google Workspace to send emails (some use additional providers such as Constant Contact, Mailchimp, etc) then your SPF Record will look like this:

v=spf1 include:_spf.google.com ~all

Microsoft 365 SPF Record

If you are only using Microsoft 365 to send emails (some use additional providers such as Constant Contact, Mailchimp, etc) then your SPF Record will look like this:

v=spf1 include:spf.protection.outlook.com -all


How to create your DMARC Record and activate it

An example of a DMARC policy record looks like this (replace example.com with your domain):

v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s

The v and p tags must be listed first. Other tags can be listed in any order.
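A record with the tags in the wrong order or a mistyped value is easy to publish without noticing. The following added Python example (not part of the original article) checks a DMARC record for the ordering rule above and for valid p, pct, adkim and aspf values. The function name is hypothetical, and treating any non-mailto rua entry as a problem is an assumption based on the record format shown here.

```python
# Allowed values for the tags used in the example record.
VALID = {"p": {"none", "quarantine", "reject"},
         "adkim": {"r", "s"},
         "aspf": {"r", "s"}}

# The example DMARC record from this article.
PAGE_RECORD = ("v=DMARC1; p=reject; rua=mailto:postmaster@example.com, "
               "mailto:dmarc@example.com; pct=100; adkim=s; aspf=s")

def lint_dmarc(record):
    """Return (tags, problems) for a DMARC TXT value."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    problems = []
    # Ordering rule: v first, then p; other tags in any order.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("first tag must be v=DMARC1")
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p tag must come directly after v")
    tags = dict(pairs)
    for key, allowed in VALID.items():
        if key in tags and tags[key].lower() not in allowed:
            problems.append(f"{key}={tags[key]} is not one of {sorted(allowed)}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be a whole number from 0 to 100")
    # Assumption: report addresses are expected to be mailto: URIs.
    for uri in tags.get("rua", "").split(","):
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua entry {uri.strip()!r} is not a mailto: URI")
    return tags, problems

if __name__ == "__main__":
    print(lint_dmarc(PAGE_RECORD)[1])                   # example record
    print(lint_dmarc("v=DMARC1; pct=150; p=delete")[1])  # constructed bad record
```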