In this article, you will learn:
- What SPF, DKIM and DMARC are for and how they work
- How to set up these mechanisms
- Common problems
- Frequently asked questions
SPF, DKIM and DMARC
SPF, DKIM and DMARC are measures against fraudulent emails. If you do not use them, or do not have them configured correctly, you increase the chance that the recipient's system will mark your message as spam, or reject your email and return it as undeliverable.
- SPF (Sender Policy Framework) is an email authentication system that allows domain owners to use a special DNS record to determine which servers may send emails on behalf of their domain. Recipients can then verify SPF records and decide whether to accept, reject, or otherwise process the email.
- DKIM (DomainKeys Identified Mail) is a method that allows the organization responsible for sending an email to attach a digital signature to the message. Recipients can verify this signature and confirm that the email has not been altered after sending and that it comes from a legitimate source.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol that helps protect email domains from abuse such as phishing and spoofing. DMARC uses SPF and DKIM to verify that outgoing emails are legitimate, and defines how the recipient should handle emails that fail verification. It is set up through a special DNS record.
Setting up email authentication mechanisms
To ensure maximum deliverability of your mail, configure all the protective mechanisms mentioned. Whenever you change providers, or add one (for example, if you use a mass email sending service in addition to our mail), make sure you integrate SPF correctly in particular according to that provider's manual.
SPF record setup
The SPF record specifies the servers authorized to send mail on behalf of the domain or subdomain where it is set. A detailed guide to setting up DNS records can be found in the article DNS – Domain Records.
Set no more than 1 SPF record for a domain. Having more than one record will invalidate SPF authentication.
If you use only VEDOS services for sending emails (Webhosting, WebSite, Mailhosting) without WEDOS Protection ⧉, set the SPF record:
Name TTL Type Data (empty) 300 TXT v=spf1 mx a include:_spf.we.wedos.net -all

If you use only another email provider, use SPF according to their instructions. If you need to specify more than one provider, or if you are dealing with SPF issues, follow the article Emails – SPF record.
DKIM setup
Email verification via DKIM is handled entirely by us.
For verifying messages sent from Webhosting via the PHP mail() function, we use these DNS records, which are usually generated automatically on our servers:
Name TTL Type Data key1.wedos-dkim._domainkey 300 CNAME key1.dkim-we.wedos.net key2.wedos-dkim._domainkey 300 CNAME key2.dkim-we.wedos.net
If you use third-party DNS, or if you do not have these records for a domain pointing to our Webhosting for any reason, add them. For these records to work properly, also ensure the return-path parameter is set correctly.
Emails sent via SMTP are verified using a shared DKIM key at shared.dkim-wes1.wedos.net. This setting is automatic; you do not need to enable it anywhere, but you also cannot disable it.
DMARC setup
The basic DMARC record, which improves email deliverability, has the form:
Name TTL Type Data _dmarc 300 TXT v=DMARC1; p=none; rua=mailto:vas-email@domena.tld
where replace vas-email@domena.tld with the email address where you want any aggregated reports to be sent.

Common problems
Common problems include:
- Persistent spamming or undelivered mail
- Non-functional SPF, DKIM and DMARC when sending using the mail() function from Webhosting
- Display of a message about sending via the domain shared.dkim-wes1.wedos.net
- Incompatible DMARC
Mail with SPF, DKIM and DMARC is undeliverable
Problem: Although SPF, DKIM and DMARC are set up, the mail ends up in spam, or is not delivered at all.
Solution: Check that all records are set correctly and have propagated (DNS record changes may take 30 - 60 minutes or longer to take effect). The most common mistake is having more than one SPF record for a single domain and putting record data in quotation marks.
If you suspect blocking of emails by the sender or recipient, follow the instructions in Emails – Blocking.
Sending via the mail() function
Problem: When sending via the mail() function on Webhosting, SPF, DKIM and DMARC fail.
Cause: In the basic settings of the mail() function, the sender of such emails is the Webhosting server, for example hcX-wdXXX.wedos.net, which your configured records do not apply to.
Solution: Set the return-path in the mail() function to contain an address on your domain according to this guide.
Via the domain shared.dkim-wes1.wedos.net
Problem: The recipient of the message sees an unwanted notice about sending via the domain shared.dkim-wes1.wedos.net.

Solution: Make sure you have SPF set up correctly and propagated. If so, this message should not appear.
Incompatible DMARC
Problem: Advanced DMARC settings mark messages as problematic.
Cause: For emails sent via shared.dkim-wes1.wedos.net, DKIM alignment does not work correctly.
Solution: Make sure you have valid SPF, and if necessary adjust the DMARC record parameters.
Frequently asked questions
Is all of this really necessary?
If you want your emails to be trustworthy, yes. Different providers have different rules for spam filtering and rejecting emails, but at minimum SPF and DKIM are key to ensuring reliable delivery.
Can you set it up for me?
You can set up DKIM DNS automatically by pointing the domain to hosting according to this guide. We usually do not set SPF and DMARC records because we do not have enough information about the mail services you use, which we could jeopardize by incorrect configuration. We can set up the basic records listed in this guide for you, but this is a paid service according to the price list.
How do I make sense of DMARC reports?
Basics for reading DMARC reports can be found, for example, in our community guide ⧉.