Setting Up SPF, DKIM, and DMARC
<h3>Email Authentication Records Explained</h3>
<p>SPF, DKIM, and DMARC are DNS-based email authentication mechanisms that help prevent email spoofing, phishing, and spam. Properly configuring these records significantly improves your email deliverability and protects your domain's reputation.</p>
<h3>SPF (Sender Policy Framework)</h3>
<p>SPF defines which mail servers are authorized to send email on behalf of your domain. It is implemented as a TXT record on your domain.</p>
<p><strong>Setting up SPF in DirectAdmin:</strong></p>
<ol>
<li>Go to <strong>DNS Management</strong> for your domain.</li>
<li>Add a <strong>TXT</strong> record with the name set to your domain (or leave blank for root).</li>
<li>Enter the SPF value. A typical record for server-hosted email:
<pre><code>v=spf1 a mx ip4:YOUR_SERVER_IP ~all</code></pre></li>
</ol>
<p>Common SPF examples:</p>
<ul>
<li>Server only: <code>v=spf1 a mx ~all</code></li>
<li>Google Workspace: <code>v=spf1 include:_spf.google.com ~all</code></li>
<li>Microsoft 365: <code>v=spf1 include:spf.protection.outlook.com ~all</code></li>
<li>Combined (server + Google): <code>v=spf1 a mx include:_spf.google.com ~all</code></li>
</ul>
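<div class="alert alert-info"><strong>Note:</strong> Use <code>~all</code> (soft fail) during testing and switch to <code>-all</code> (hard fail) once you have confirmed that legitimate mail passes. Publish only one SPF record per domain; if you send through several services, combine them into a single record, because receivers treat multiple SPF records as an error.</div>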
<h3>DKIM (DomainKeys Identified Mail)</h3>
<p>DKIM adds a digital signature to your outgoing emails, allowing recipients to verify the message was not tampered with in transit.</p>
<p><strong>Enabling DKIM in DirectAdmin:</strong></p>
<ol>
<li>DirectAdmin servers with Exim or OpenDKIM configured will often generate DKIM keys automatically.</li>
<li>Navigate to <strong>E-mail Manager → DKIM Keys</strong> or check <strong>DNS Management</strong> for existing DKIM records.</li>
<li>If a DKIM TXT record exists, it will look something like:
<pre><code>x._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."</code></pre></li>
<li>If no DKIM record exists, contact your hosting provider to enable DKIM signing for your domain.</li>
</ol>
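<h3>DMARC (Domain-based Message Authentication, Reporting &amp; Conformance)</h3>
<p>DMARC tells receiving mail servers what to do with emails that fail both SPF and DKIM checks for your domain. A message passes DMARC when at least one of the two passes for a domain that matches the one in the visible From address. DMARC also enables reporting so you can monitor authentication results.</p>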
<p><strong>Adding a DMARC record:</strong></p>
<ol>
<li>In <strong>DNS Management</strong>, add a TXT record.</li>
<li>Set the name to <code>_dmarc</code> (this creates <code>_dmarc.example.com</code>).</li>
<li>Enter the DMARC policy value:
<pre><code>v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com; pct=100</code></pre></li>
</ol>
<p>DMARC policy options:</p>
<ul>
<li><code>p=none</code> – Monitor only, no action taken (start here).</li>
<li><code>p=quarantine</code> – Emails that fail DMARC are sent to spam.</li>
<li><code>p=reject</code> – Failing emails are rejected entirely.</li>
</ul>
<div class="alert alert-warning"><strong>Recommendation:</strong> Start with <code>p=none</code> to collect reports without affecting email delivery. After analyzing reports and confirming SPF and DKIM are working correctly, gradually move to <code>p=quarantine</code> and then <code>p=reject</code>.</div>
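<p>An added example, not part of the original article and not DirectAdmin code: a Python lint for the SPF and DMARC TXT values described above. It flags duplicate SPF records, the <code>~all</code> testing qualifier, more than 10 DNS-querying SPF terms (the RFC 7208 limit), and a DMARC record that is still at <code>p=none</code> or has no <code>rua</code> address. The function names are hypothetical; the input is assumed to be the list of TXT strings copied from DNS Management.</p>

```python
# Added example (not DirectAdmin code): offline lint for SPF and DMARC TXT values.
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def lint_spf(txt_records):
    """Findings for the TXT values published at the domain root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Strip the qualifier, then cut at ':', '/' or '=' to get the term name.
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    findings = []
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {SPF_LOOKUP_LIMIT}")
    last = terms[-1] if terms else ""
    if last == "~all":
        findings.append("~all is soft fail: switch to -all once confirmed working")
    elif last in ("all", "+all", "?all"):
        findings.append(f"{last} does not restrict who may send")
    elif last != "-all" and "redirect" not in names:
        findings.append("record has no closing all mechanism")
    return findings


def lint_dmarc(txt_records):
    """Findings for the TXT values published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= value: {policy!r}")
    elif policy == "none":
        findings.append("p=none is monitor only: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings
```

<p>An empty list from either function means none of these checks fired; it does not confirm that the record is published or that mail is being signed.</p>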