SPF, DKIM, and DMARC are email authentication standards that let receiving servers verify that mail from your domain is legitimate. Without them, your emails are far more likely to land in spam folders or be rejected entirely.
Understanding Email Authentication
| Standard | What It Does | How It Works |
|---|---|---|
| SPF | Specifies which servers can send email for your domain | DNS TXT record listing authorised IP addresses |
| DKIM | Adds a digital signature to each email | Cryptographic key pair; public key in DNS |
| DMARC | Tells receivers what to do with failing emails | Policy record that references SPF and DKIM |
Together, these three records dramatically improve deliverability and protect your domain from spoofing.
Check Current Status
- Log in to cPanel
- Go to Email > Email Deliverability
- You will see the status for each domain:
- Green checkmark = properly configured
- Warning icon = needs attention
- Red X = not configured
Set Up SPF
Automatic Setup (cPanel Managed DNS)
If your domain's nameservers point to BearHost:
- In Email Deliverability, click Repair next to SPF if it shows an issue
- cPanel will automatically create the correct SPF record
- Verify it shows as valid
Manual Setup (External DNS)
If your DNS is managed elsewhere (GoDaddy, Namecheap, Cloudflare, etc.):
Add a TXT record at your registrar:
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | @ | v=spf1 +a +mx +ip4:YOUR_SERVER_IP ~all | 3600 |
SPF Syntax Explained
- v=spf1 — SPF version (required)
- +a — allow the server in your A record
- +mx — allow your mail server
- +ip4:1.2.3.4 — allow a specific IP
- include:_spf.google.com — allow Google (if using Google Workspace)
- ~all — soft fail for unauthorised senders (recommended)
- -all — hard fail for unauthorised senders (strict)
Example for Multiple Services
If you send from BearHost AND Google Workspace:
v=spf1 +a +mx +ip4:YOUR_SERVER_IP include:_spf.google.com ~all
You can only have ONE SPF record per domain. Combine all sources into a single record.
Set Up DKIM
Automatic Setup (cPanel Managed DNS)
- In Email Deliverability, click Repair next to DKIM
- cPanel generates the DKIM key pair and adds the DNS record automatically
- Verify it shows as valid
Manual Setup (External DNS)
- In Email Deliverability, click Manage next to your domain
- Copy the DKIM record name and value shown
- At your registrar, add a TXT record:
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | default._domainkey | (paste the long DKIM value from cPanel) | 3600 |
The DKIM value is a long string starting with v=DKIM1; k=rsa; p=.... Copy the entire value exactly.
Set Up DMARC
DMARC tells email receivers how to handle messages that fail SPF or DKIM checks.
Recommended Rollout Strategy
Start with monitoring, then gradually increase enforcement:
Phase 1: Monitor Only (2–4 weeks)
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com | 3600 |
This collects reports without affecting delivery. Review reports to ensure all legitimate email passes.
Phase 2: Quarantine (2–4 weeks)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=50
Sends 50% of failing emails to spam. Monitor for false positives.
Phase 3: Reject
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Fully rejects emails that fail authentication. Only apply after confirming no legitimate email is affected.
Test Your Setup
mail-tester.com
- Visit mail-tester.com
- Copy the test email address shown
- Send an email from your domain to that address
- Click Then check your score
- Aim for a score of 9/10 or higher
Check Gmail Headers
- Send an email to a Gmail account
- Open the email in Gmail
- Click the three dots > Show original
- Look for:
- SPF: PASS
- DKIM: PASS
- DMARC: PASS
Troubleshooting
- SPF: too many DNS lookups: SPF allows a maximum of 10 DNS lookups. Reduce include: statements or use IP addresses directly.
- DKIM: signature not found: Ensure the DKIM DNS record name matches exactly what cPanel shows. Propagation can take up to 24 hours.
- DMARC reports unreadable: Use a free DMARC report analyser like dmarcian.com to parse XML reports.
- Emails still going to spam: Check your email content for spammy keywords, too many links, or missing unsubscribe headers.
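The SPF rules above (one record per domain, at most 10 DNS lookups, a closing all term) can be checked before you publish a record. This is an added example, not BearHost or cPanel code; the function name lint_spf and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample: the page's two-service record with a documentation IP filled in.
SAMPLE = ["v=spf1 +a +mx +ip4:192.0.2.10 include:_spf.google.com ~all"]

def lint_spf(txt_records):
    """Return a list of findings for a domain's TXT records (a list of strings)."""
    # Only terms written in the record are counted; lookups made inside an
    # include: target also count toward the limit and need live DNS to measure.
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found: combine them into one")
    for terms in spf:
        lookups, all_at = 0, None
        for pos, term in enumerate(terms[1:]):
            qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is +
            body = term.lstrip("+-~?")
            name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
            value = body[len(name) + 1:]
            if name in LOOKUP_TERMS:
                lookups += 1
            elif name in ("ip4", "ip6"):
                net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
                try:
                    net(value, strict=False)  # accepts a single address or a CIDR range
                except ValueError:
                    findings.append(f"{term}: not a valid IP address or range")
            elif name == "all":
                all_at = pos
                if qualifier == "+":
                    findings.append(f"{term}: passes mail from any server")
        if lookups > MAX_LOOKUPS:
            findings.append(f"{lookups} DNS lookups in this record, limit is {MAX_LOOKUPS}")
        if all_at is None and not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("no 'all' term: unlisted senders get a neutral result")
        elif all_at is not None and all_at != len(terms) - 2:
            findings.append("terms after 'all' are ignored")
    return findings

if __name__ == "__main__":
    print(lint_spf(SAMPLE) or "no issues found")
```

Pass it every TXT value published at the domain root; an un-replaced YOUR_SERVER_IP placeholder is reported as an invalid address.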