CS · EN

Emails - SPF, DKIM and DMARC

In this article, you will learn:


SPF, DKIM and DMARC

SPF, DKIM and DMARC are measures against fraudulent emails. If you do not use them, or do not have them configured correctly, you increase the chance that the recipient's system will mark your message as spam, or reject your email and return it as undeliverable.

  • SPF (Sender Policy Framework) is an email authentication system that allows domain owners to use a special DNS record to determine which servers may send emails on behalf of their domain. Recipients can then verify SPF records and decide whether to accept, reject, or otherwise process the email.
  • DKIM (DomainKeys Identified Mail) is a method that allows the organization responsible for sending an email to attach a digital signature to the message. Recipients can verify this signature and confirm that the email has not been altered after sending and that it comes from a legitimate source.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol that helps protect email domains from abuse such as phishing and spoofing. DMARC uses SPF and DKIM to verify that outgoing emails are legitimate, and defines how the recipient should handle emails that fail verification. It is set up through a special DNS record.

Setting up email authentication mechanisms

To ensure maximum deliverability of your mail, configure all the protective mechanisms mentioned. Whenever you change providers, or add one (for example, if you use a mass email sending service in addition to our mail), make sure you integrate SPF correctly in particular according to that provider's manual.

SPF record setup

The SPF record specifies the servers authorized to send mail on behalf of the domain or subdomain where it is set. A detailed guide to setting up DNS records can be found in the article DNS – Domain Records.

Set no more than 1 SPF record for a domain. Having more than one record will invalidate SPF authentication.

If you use only VEDOS services for sending emails (Webhosting, WebSite, Mailhosting) without WEDOS Protection ⧉, set the SPF record:

Name      TTL    Type   Data
(empty)  300    TXT   v=spf1 mx a include:_spf.we.wedos.net -all
Setting up the basic SPF record in VEDOS
Setting up the basic SPF record in WEDOS

If you use only another email provider, use SPF according to their instructions. If you need to specify more than one provider, or if you are dealing with SPF issues, follow the article Emails – SPF record.

DKIM setup

Email verification via DKIM is handled entirely by us.

For verifying messages sent from Webhosting via the PHP mail() function, we use these DNS records, which are usually generated automatically on our servers:

Name                           TTL   Type    Data
key1.wedos-dkim._domainkey	300   CNAME  key1.dkim-we.wedos.net
key2.wedos-dkim._domainkey	300   CNAME  key2.dkim-we.wedos.net

If you use third-party DNS, or if you do not have these records for a domain pointing to our Webhosting for any reason, add them. For these records to work properly, also ensure the return-path parameter is set correctly.

Emails sent via SMTP are verified using a shared DKIM key at shared.dkim-wes1.wedos.net. This setting is automatic; you do not need to enable it anywhere, but you also cannot disable it.

DMARC setup

The basic DMARC record, which improves email deliverability, has the form:

Name   TTL    Type   Data
_dmarc  300    TXT   v=DMARC1; p=none; rua=mailto:vas-email@domena.tld

where replace vas-email@domena.tld with the email address where you want any aggregated reports to be sent.

Setting up the basic DMARC record
Setting up the basic DMARC record

Common problems

Common problems include:

Mail with SPF, DKIM and DMARC is undeliverable

Problem: Although SPF, DKIM and DMARC are set up, the mail ends up in spam, or is not delivered at all.

Solution: Check that all records are set correctly and have propagated (DNS record changes may take 30 - 60 minutes or longer to take effect). The most common mistake is having more than one SPF record for a single domain and putting record data in quotation marks.

If you suspect blocking of emails by the sender or recipient, follow the instructions in Emails – Blocking.

Sending via the mail() function

Problem: When sending via the mail() function on Webhosting, SPF, DKIM and DMARC fail.

Cause: In the basic settings of the mail() function, the sender of such emails is the Webhosting server, for example hcX-wdXXX.wedos.net, which your configured records do not apply to.

Solution: Set the return-path in the mail() function to contain an address on your domain according to this guide.

Via the domain shared.dkim-wes1.wedos.net

Problem: The recipient of the message sees an unwanted notice about sending via the domain shared.dkim-wes1.wedos.net.

Message about sending via the domain shared.dkim-wes1.wedos.net in Gmail
Message about sending via the domain shared.dkim-wes1.wedos.net in Gmail

Solution: Make sure you have SPF set up correctly and propagated. If so, this message should not appear.

Incompatible DMARC

Problem: Advanced DMARC settings mark messages as problematic.

Cause: For emails sent via shared.dkim-wes1.wedos.net, DKIM alignment does not work correctly.

Solution: Make sure you have valid SPF, and if necessary adjust the DMARC record parameters.


Frequently asked questions

Is all of this really necessary?

If you want your emails to be trustworthy, yes. Different providers have different rules for spam filtering and rejecting emails, but at minimum SPF and DKIM are key to ensuring reliable delivery.

Can you set it up for me?

You can set up DKIM DNS automatically by pointing the domain to hosting according to this guide. We usually do not set SPF and DMARC records because we do not have enough information about the mail services you use, which we could jeopardize by incorrect configuration. We can set up the basic records listed in this guide for you, but this is a paid service according to the price list.

How do I make sense of DMARC reports?

Basics for reading DMARC reports can be found, for example, in our community guide ⧉.