🔒 Understanding Email Authentication (SPF, DKIM, and DMARC)

Email authentication helps protect your domain and your customers from spam, phishing, and spoofing.
Three key records — SPF, DKIM, and DMARC — work together to verify that emails sent from your domain are legitimate.
This guide explains what each does and how to check or add them in your TK Internet Marketing hosting account.

🧠 What Is Email Authentication?

When you send an email, the receiving mail server checks your domain’s DNS records to confirm the message is authorized.
If authentication records are missing or incorrect, your messages may land in spam or be rejected.

✉️ SPF (Sender Policy Framework)

Purpose: Identifies which mail servers are allowed to send emails on behalf of your domain.

Example SPF Record:

v=spf1 +a +mx +ip4:123.45.67.89 ~all

How It Works:

  • +a and +mx approve the servers that your domain’s A and MX records point to (your hosting server and mail exchanger).

  • +ip4: adds your specific server IP.

  • ~all (softfail) means all other senders are not authorized, but their mail is still accepted with a warning. Use -all to reject unauthorized mail completely.

Where to Add SPF:

  1. Log in to your Client Area → Domains → Manage DNS.

  2. Add a new TXT record with the value above (adjust the IP to match your hosting server).

  3. Save changes — propagation may take a few hours.

💡 You can test your SPF record using mxtoolbox.com/spf.aspx.

🧾 DKIM (DomainKeys Identified Mail)

Purpose: Ensures your messages haven’t been tampered with in transit.
It adds a digital signature to each outgoing message that the receiving server can verify.

How It Works:

  • Your mail server signs each outgoing email with a private key that only it holds.

  • The recipient’s server looks up the matching public key in your DKIM record in DNS and uses it to verify the signature.

How to Enable DKIM in cPanel:

  1. Log in to cPanel through your Client Area.

  2. Go to Email → Email Deliverability.

  3. Find your domain and click Manage.

  4. If DKIM is missing, click Install the Suggested Record.

You’ll see a TXT record whose name begins with default._domainkey. It holds your DKIM public key.

💡 Once installed, all emails sent from your domain via cPanel mail will include a valid DKIM signature automatically.

🛡️ DMARC (Domain-based Message Authentication, Reporting & Conformance)

Purpose: Provides instructions to receiving mail servers on what to do if SPF or DKIM fails.
It also lets you receive reports on who’s sending email from your domain.

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=none; aspf=r;

How It Works:

  • p=quarantine tells mail servers to move unauthenticated messages to spam.

  • rua and ruf send daily reports about unauthorized messages to your chosen email address.

  • aspf=r sets relaxed matching for subdomains.

Where to Add DMARC:

  1. In your Client Area → Domains → Manage DNS, add a new TXT record:

    • Name: _dmarc

    • Value: (use the example above or your customized version)

  2. Save and allow 1–4 hours for propagation.

💡 To make DMARC stricter later, you can change p=quarantine to p=reject.
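As an added example (not part of the original guide or TK Internet Marketing's tooling), the Python below parses the example SPF and DMARC records shown above and reports what they ask receiving servers to do. It also covers the sp tag from the example record, which sets the policy applied to subdomains. The function names and finding messages are assumptions made for this example.

```python
# Added example: offline lint of SPF and DMARC TXT values (no DNS lookups).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two example records from this guide, copied as-is.
SPF_EXAMPLE = "v=spf1 +a +mx +ip4:123.45.67.89 ~all"
DMARC_EXAMPLE = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; "
                 "ruf=mailto:dmarc@yourdomain.com; sp=none; aspf=r;")

def parse_spf(record):
    """Return [(result, mechanism), ...]; a missing qualifier means '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier (e.g. redirect=), skipped
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        parsed.append((QUALIFIERS[qualifier], term.lstrip("+-~?").lower()))
    return parsed

def parse_dmarc(record):
    """Return the record's tags as a dict; tolerates a trailing ';'."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def lint(spf, dmarc):
    """Summarise what both records request and list settings to tighten."""
    all_results = [res for res, mech in parse_spf(spf) if mech == "all"]
    tags = parse_dmarc(dmarc)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p if absent
    findings = []
    if not all_results:
        findings.append("SPF has no 'all' term, so unlisted senders never fail")
    elif all_results[0] != "fail":
        findings.append(f"SPF ends in {all_results[0]}, not fail (-all)")
    if policy != "reject":
        findings.append(f"DMARC p={policy}: failing mail is not rejected")
    if sub_policy != policy:
        findings.append(f"DMARC sp={sub_policy} overrides p={policy} for subdomains")
    return {"spf_all": all_results[0] if all_results else None, "policy": policy,
            "subdomain_policy": sub_policy, "findings": findings}
```

Calling lint(SPF_EXAMPLE, DMARC_EXAMPLE) returns three findings for the example records: the softfail ~all, p=quarantine, and sp=none, which leaves subdomains without enforcement.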

📈 Test Your Authentication Setup

You can verify that your SPF, DKIM, and DMARC are working using these free tools:

Send a test message to one of these services — it will scan your email headers and confirm your records are valid.

💬 Need Help?

If you’re unsure how to edit your DNS or want TK Internet Marketing to configure SPF, DKIM, and DMARC for you, open a ticket under Email Support in your Client Area or email support@tkinternetmarketing.com.


We can verify your records, correct deliverability issues, and help improve your sender reputation.

