Emails – SPF, DKIM and DMARC

SPF, DKIM and DMARC

SPF, DKIM and DMARC are measures against fraudulent emails. If you don’t use them, or if you don’t have them set up correctly, you increase the chance that the recipient’s system will mark your message as spam, or reject your email and return it as undeliverable.

  • SPF (Sender Policy Framework) is an email authentication system that allows domain owners to determine which servers are allowed to send email on behalf of their domain through special DNS records. Recipients can then verify SPF records and decide whether to accept, reject, or process the email otherwise.
  • DKIM (DomainKeys Identified Mail) is a method that allows the organization responsible for sending the email to attach a digital signature. Recipients can verify this signature and confirm that the email has not been altered after sending and that it is from a legitimate source.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol that helps protect email domains from abuse, such as phishing and spoofing. DMARC uses SPF and DKIM to verify that outgoing emails are legitimate and defines how the recipient should deal with emails that fail verification. It is set through a special DNS record.

SPF, DKIM and DMARC Setup

To ensure maximum deliverability, set up all the mentioned protection mechanisms. Whenever you change or add a provider (for example, if in addition to our mail, you also use a service for sending bulk emails), make sure that you integrate SPF correctly, according to that provider’s manual.

SPF Record Setup

An SPF record specifies the servers authorized to send mail on behalf of the domain or subdomain for which it is set. Detailed instructions for setting up DNS records can be found in the article DNS – Domain Records.

Do not set more than 1 SPF record per domain. Specifying multiple records cancels SPF verification.

If you only use WEDOS services (Webhosting, WebSite, Mailhosting) without WEDOS Global Protection to send emails, set the following SPF record:

Name       TTL    Type  Data
(empty)    300    TXT   v=spf1 mx a include:_spf.we.wedos.net -all
Setting the basic WEDOS SPF record

If you use WEDOS Global, add the IPv4 and IPv6 addresses of the web host to the SPF record according to the instructions Emails – SPF Record.

If you use another email provider exclusively, define SPF according to their instructions. If you need to enter more providers or you are having issues with SPF, read the article Emails – SPF Record.

DKIM Setup

Email verification via DKIM is handled entirely by us.

To verify messages sent from the web hosting via the PHP mail() function, we use the following DNS records, which are usually generated automatically on our DNS servers:

Name                          TTL   Type   Data
key1.wedos-dkim._domainkey    300   CNAME  key1.dkim-we.wedos.net
key2.wedos-dkim._domainkey    300   CNAME  key2.dkim-we.wedos.net

If you use a different DNS server provider, or for any reason you do not have these records for the domain pointing to our web hosting, add them. For these entries to function properly, also ensure the return-path parameter is set properly.

We authenticate emails sent via SMTP using a shared key at shared.dkim-wes1.wedos.net. This setting is automatic: you don’t have to turn it on anywhere, but you can’t deactivate it either.

DMARC Setup

DMARC configuration is quite complex. If you don’t want to deal with it and just want to enter a basic DMARC record that will improve email deliverability, use:

Name    TTL    Type  Data
_dmarc  300    TXT   v=DMARC1; p=none; rua=mailto:your-email@domain.tld

and replace your-email@domain.tld with the email address you want the reports sent to.

Basic DMARC record setup

You can find more information about DMARC in this article on our blog.

Common Issues

Common issues include:

Emails with SPF, DKIM and DMARC Still Undeliverable

Issue: Even though SPF, DKIM and DMARC are set, the mail ends up in spam or is not delivered at all.

Solution: Check that all records are correctly set and propagated (DNS record changes can take 30-60 minutes or more to take effect). The most common mistakes include multiple SPF records for one domain and putting record data in quotes.
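The two mistakes named above can be checked mechanically. The following is an added example, not WEDOS code: it lints TXT record strings for duplicate SPF records, literal quotes and a leftover placeholder address. The function names and the second provider's hostname are hypothetical, and the sample records are constructed.

```python
# Added example, not WEDOS code. Inputs are decoded TXT strings as a receiver
# sees them, so a leading '"' means literal quotes were saved in the record.

def lint_spf(txt_records):
    """Problems in the SPF setup among a name's TXT records."""
    spf = [r for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records (only one is allowed)")
    for rec in spf:
        if rec.startswith('"') or rec.endswith('"'):
            problems.append("record data contains literal quotes")
        terms = [t.lower() for t in rec.strip('"').split()]
        has_all = terms[-1] in ("all", "+all", "-all", "~all", "?all")
        if not has_all and not any(t.startswith("redirect=") for t in terms):
            problems.append("no terminating 'all' mechanism or redirect")
    return problems

def parse_tags(record):
    """Split 'k=v; k=v' DMARC syntax into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in record.strip('"').split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_dmarc(txt_records):
    """Problems in the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip('"').startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    problems = []
    if dmarc[0].startswith('"'):
        problems.append("record data contains literal quotes")
    tags = parse_tags(dmarc[0])
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    rua = tags.get("rua", "")
    for uri in filter(None, (u.strip() for u in rua.split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua target is not a mailto: URI: {uri}")
    if "your-email@domain.tld" in rua:
        problems.append("rua still contains the placeholder address")
    return problems

# Constructed sample: the page's basic record plus a second provider's record.
print(lint_spf(["v=spf1 mx a include:_spf.we.wedos.net -all",
                "v=spf1 include:_spf.bulk-provider.example -all"]))
print(lint_dmarc(["v=DMARC1; p=none; rua=mailto:your-email@domain.tld"]))
```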

Sending Via Mail()

Issue: SPF, DKIM and DMARC fail when sending via mail() function.

Cause: The default sender for the mail() function is the web hosting server, for example hcX-wdXXX.wedos.net, to which the records you set do not apply.

Solution: In the mail() function, set the return-path containing an address on your domain.

Gmail: Via shared.dkim-wes1.wedos.net

Issue: Recipients using Gmail see an unwanted note about sending via the shared.dkim-wes1.wedos.net domain.

Solution: Make sure you have your SPF record set up and propagated correctly. If so, this message should not be displayed.

Incompatible DMARC

Issue: Advanced DMARC settings mark messages as problematic.

Cause: DKIM alignment does not work correctly for emails sent via shared.dkim-wes1.wedos.net.

Solution: Make sure you have a valid SPF and adjust the record’s DMARC parameters if necessary.
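Why a valid SPF matters here, and why the return-path matters for mail(), follows from DMARC identifier alignment. The following added example (not WEDOS code) evaluates it for constructed messages. It assumes the shared key signs with d=shared.dkim-wes1.wedos.net and approximates the organizational domain as the last two labels, where real receivers use the Public Suffix List; example.tld is a placeholder.

```python
# Added example: simplified DMARC evaluation based on identifier alignment.
# Assumption: organizational domain = last two labels (no Public Suffix List).

def org_domain(domain):
    """Approximate the organizational domain of a host name."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf_pass, return_path_domain,
                 dkim_pass, dkim_d, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with the From domain.

    aspf/adkim are the DMARC record's alignment tags: "r" relaxed, "s" strict.
    """
    spf_ok = spf_pass and aligned(return_path_domain, from_domain, aspf == "s")
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim == "s")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

SHARED_D = "shared.dkim-wes1.wedos.net"  # assumed d= value of the shared key

# Constructed cases for a message with From: user@example.tld
CASES = {
    # SMTP with the shared key: DKIM verifies but is not aligned, SPF carries DMARC.
    "smtp, valid SPF": dmarc_result("example.tld", True, "example.tld", True, SHARED_D),
    # Same message when SPF fails: nothing aligned is left.
    "smtp, SPF failing": dmarc_result("example.tld", False, "example.tld", True, SHARED_D),
    # mail() with the default sender (placeholder host name from the page).
    "mail(), default sender": dmarc_result("example.tld", True, "hcX-wdXXX.wedos.net", False, ""),
    # mail() with the return-path set to an address on the sending domain.
    "mail(), own return-path": dmarc_result("example.tld", True, "example.tld", False, ""),
    # Strict SPF alignment (aspf=s) with a return-path on a subdomain.
    "aspf=s, subdomain": dmarc_result("example.tld", True, "bounce.example.tld",
                                      True, SHARED_D, aspf="s"),
}

for name, result in CASES.items():
    print(f"{name:26} {result}")
```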

FAQ

Question: Is all this really necessary?
Answer: If you want your emails to be trusted, yes. Different providers have different rules for marking emails as spam and rejecting them, but at the minimum SPF and DKIM are key to ensure reliable delivery.

Question: Can you set these up for me?
Answer: You can set up DKIM DNS automatically by directing your domain to a hosting service according to this guide. As a rule, we do not set SPF and DMARC records, because we do not have enough information about the email services you use, the functioning of which could be jeopardized by incorrect settings. We can set up the basic records listed in this manual for you, but this is a paid service according to the price list.
