In this article you will learn:
- What SPF, DKIM and DMARC are for and how they work
- How to set up these mechanisms
- Common problems
- Frequently Asked Questions
SPF, DKIM and DMARC
SPF, DKIM and DMARC are measures against fraudulent emails. If you don't use them or don't have them set up properly, you increase the chances that the recipient's system will mark your message as spam or reject your email and return it as undeliverable.
- The Sender Policy Framework (SPF ) is an e-mail authentication system that allows domain owners to determine, through a special DNS record, which servers are allowed to send e-mail on behalf of their domain. Recipients can then validate the SPF records and decide whether to accept, reject, or otherwise process the email.
- DKIM (DomainKeys Identified Mail) is a method that allows the organisation responsible for sending the email to attach a digital signature to the message. Recipients can verify this signature to confirm that the email has not been altered after it was sent and that it came from a legitimate source.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol that helps protect email domains from abuse such as phishing and spoofing. DMARC uses SPF and DKIM to verify that emails sent are legitimate and defines how recipients should handle emails that fail authentication. It is set via a special DNS record.
Setting up email authentication mechanisms
To ensure maximum deliverability of your mail, set up all the above mentioned protection mechanisms. Whenever you change or add a provider (for example, if you use a bulk email service in addition to our mail service), make sure you integrate SPF correctly, especially according to the manual of that provider.
SPF record settings
An SPF record specifies the servers that are authorized to send mail on behalf of the domain or subdomain for which it is set. For detailed instructions on setting up DNS records, see DNS - Domain Records.
Set a maximum of 1 SPF record for the domain. Specifying more than one record will invalidate SPF authentication.
If you use only VEDOS services (Webhosting, WebSite, Mailhosting) to send emails without WEDOS Protection ⧉, set up an SPF record:
Name TTL Type Data (empty) 300 TXT v=spf1 mx a include:_spf.we.wedos.net -all
If you use another email provider exclusively, use SPF according to their instructions. If you need to specify more than one provider, or if you are troubleshooting problems with SPF, follow the Email - SPF record article.
DKIM settings
The verification of e-mails via DKIM is handled entirely by us.
To verify messages sent from the web host via the PHP mail() function, we use the following DNS records, which are usually generated automatically on our servers:
Name TTL Type Data key1.wedos-dkim._domainkey 300 CNAME key1.dkim-we.wedos.net key2.wedos-dkim._domainkey 300 CNAME key2.dkim-we.wedos.net
If you are using a foreign DNS, or do not have these records for a domain pointing to our Webhosting for any reason, please add them. Also ensure that the return-path parameter is set correctly for these records to work properly.
Emails sent via SMTP are authenticated using a shared DKIM key at shared.dkim-wes1.wedos.net. This setting is automatic, you don't have to turn it on anywhere, but you can't deactivate it.
DMARC settings
The DMARC setup issue is quite complex. If you don't want to solve it and just enter a basic DMARC record that will improve email deliverability, use:
Name TTL Type Data _dmarc 300 TXT v=DMARC1; p=none; rua=mailto:vas-email@domena.tld
Where vas-email@domena.tld replace with the email address to which you want to send any aggregated reports.
Common problems
Common problems include:
- Continued spamming or non-delivery of mail
- Broken SPF, DKIM and DMARC when sending mail() functions from webhosting
- Showing message about sending via domain shared.dkim-wes1.wedos.net
- Incompatible DMARC
Mail with SPF, DKIM and DMARC is undeliverable
Problem: Even though SPF, DKIM and DMARC are set, mail ends up in spam or is not delivered at all.
Solution: Make sure you have all records set up correctly and propsed (DNS record changes can take 30-60 minutes or longer to take effect). The most common mistake is having multiple SPF records for one domain and putting record dates in quotes.
If you suspect that the sender or recipient is blocking emails, follow the instructions in Emails - Blocking.
Sending via mail()
Problem: SPF, DKIM and DMARC fail when sending via mail() on webhosting.
Cause: in the basic settings of the mail() function, the sender of such e-mails is a web hosting server, for example hcX-wdXXX.wedos.net, to which the records you set do not apply.
Solution: Set the return-path containing the address on your domain in the mail() function according to this tutorial.
Through the domain shared.dkim-wes1.wedos.net
Problem: The message recipient is receiving an unwanted message about sending through the domain shared.dkim-wes1.wedos.net.
Solution: Make sure you have the correct SPF record set and signed. If so, this message should not be displayed.
Incompatible DMARC
Problem: The DMARC advanced settings mark messages as problematic.
Cause: For emails sent via shared.dkim-wes1.wedos.net DKIM alignment is not working properly.
Solution: Make sure you have a valid SPF and modify the DMARC record parameters if necessary.
Frequently Asked Questions
Is all this really necessary?
If you want your emails to be trustworthy, yes. Different providers have different rules for spamming and rejecting emails, but at a minimum, SPF and DKIM are key to ensuring reliable delivery.
Can you set it up for me?
You can set up DKIM DNS automatically by pointing the domain to the hosting according to this guide. As a rule, we do not set SPF and DMARC records because we do not have enough information about the mail services you use, which could be compromised by incorrect settings. We can set up the basic records mentioned in this guide, but it is a chargeable service according to the price list.
How do I find my way around the DMARC reports?
You can find the basics of reading DMARC reports, for example, in our community guide ⧉.