SPF and DKIM Records: Combating Spam

cPanel allows users to add SPF and Domain Keys (DKIM) records to domains for which they have DNS authority. These records can be added in the Email section of the cPanel under Email Deliverability. SPF and DKIM are tools used by many mail servers in an effort to combat spam, so if you’re having an issue with your email being bounced back or arriving in the junk/spam folders of your recipients, it is suggested to enable these settings. This article defines each email security option and provides you the information to add or view the existing records in cPanel. Please keep in mind that as these are DNS settings and may require up to 24 hours before they begin to take effect.

Looking for more control of your webserver? Look no further than InMotion’s VPS Hosting solutions!

About DKIM and SPF Records

Domain Keys Identified Mail (DKIM)

DKIM is an e-mail authentication system that verifies the sender and integrity of the message. It also allows email to be checked that the email is coming from the domain of the sender.

DKIM was originally created in 2004 after merging “enhanced DomainKeys” from Yahoo with “Identified Internet Mail” from Cisco. The combined standard allowed the verification of the message integrity and email sender through the DNS domain as well as the use of signature-based authentication. The use of this standard has been implemented in major email providers such as Yahoo, Google, AOL, and FastMail. For more information please see DomainKeys Identified Mail.

SPF

SPF (Sender Policy Framework) will specify which machines are authorized to send email from your domain(s). This means that only mail sent through an authorized server will appear as valid mail from your domain(s) when the SPF records are checked. Note: This security measure works best to defeat email spoofing when used in combination with a DMARC record.

How to Implement Domain Keys and SPF Records

Email deliverability icon in cPanel
Email Deliverability icon in cPanel

NOTE: cPanel may show the following error when setting up your DKIM and SPF records: Warning: cPanel is unable to verify that this server is an authoritative nameserver for example.com This is a known bug within cPanel due to the fact that cPanel checks the local server for DNS. Since the local server is not configured to handle DNS queries, the error persists but can be disregarded. Remember that in order for any of these DNS entries to apply to your domain, then it must be the authoritative name server.

SPF Records and Domain Keys can be set within the “Email Deliverability” in the Email section of your cPanel. The specific instructions can also be found in cPanel’s documentation for more details. If you need further assistance, or, if you do not have the “Email Deliverability” icon in your cPanel, please contact Support for further assistance.

Adding the DKIM (TXT) Record

When you click on the Email Deliverability icon you will see a list of your domains. Follow the instructions below to add the record to your DNS. Note that if your domain is not the authoritative name server, then you will need to copy the name and value for the key, then manually add it to the domain’s DNS where it is controlled.

  1. Select the domain you wish to edit and then click on the Manage button to the right of the domain name.
  2. If the record does not already exist, then you will see a button labeled Install the Suggested Record. Click on this button to add the record.
  3. If you need the DKIM name and value to copy it to another location, then you will see a COPY button under each value. There is also an option to view and copy the Private Key used with the DKIM record. Note that sharing your private key is a serious security risk. You should only share the key with a trusted user.

If you are not familiar with DKIM, we highly recommend that you request assistance through our live technical support team.

Adding the SPF (TXT) Record

As noted earlier, the SPF record is most effective when used in combination with DMARC. Please see How to Add a DMARC Record for further guidance.

  1. After you click on the Email Deliverability icon, find the domain name that you wish to edit.
  2. Click on Manage.
  3. Scroll down to the SPF section.
  4. If the record does not exist, then you will see a button labeled Install the Suggested Record to install the SPF record.
  5. If you need to manually add the record you will see the option to copy both the name and value of the SPF record.

You can also customize the SPF record by clicking on the Customize option under the displayed value.

Congratulations! You should now be familiar with two great tools for authenticating email. For more information on fighting spam, please see the Combating Spam: Using SpamAssassin tutorial.

AC
Arnel Custodio Technical Writer; WordPress Contributor & Volunteer

As a writer for InMotion Hosting, Arnel has always aimed to share helpful information and provide knowledge that will help solve problems and aid in achieving goals. He's also been active with WordPress local community groups and events since 2004.

More Articles by Arnel

Thoughts on “SPF and DKIM Records: Combating Spam

  • SPF and DKIM settings have moved from Authentication to Email Deliverability – there doesn’t seem to be an Authentcation item any more

  • On mail that my Gmail accounts receive, there is an Authentication header that indicates if the email passes SPF and DKIM checks.

    I don’t see anything like that on mail incoming to accounts my VPS server. I know my DKIM and SPF settings are all correct, and in some instances, I even use the G Suite SMTP relay service for outbound SMTP and have SPF and DKIM setup for that use, as well (and when I send to a Google-based email account, the Authentication header correction shows SPF/DKIM passes). I have no problems with my SPF/DKIM settings.

    Using this relay, one of my VPS websites will send email to the Gmail SMTP relay, send on behalf of my domain and authenticate with DKIM. The Gmail server is included in SPF, and it’s sent back to my IMAP account on my VPS. I’ve found this bypasses a lot of spam filters because Gmail servers are well known and more trusted than smaller, less-known VPS servers.

    But, is this type of SPF/DKIM email header checking available on inbound mail on VPS-based email accounts?

    • Hello,

      You can enable the DKIM under your email authentication settings in your cPanel, To check for SPF all you have to do is enable SpamAssassin in your cPanel and it will check the SPF records.

      Best Regards,
      Kyle M

  • My mailchimp emails go through ok, but quite regulary my personal replies to customers end up in spam, even with prior communication that had gone through fine. I can’t seem to find any pattern or specific providers though. Not sure what to do next? Can the email software im using impact it? (outlook 2013)

    • Hello Caren,

      I would suggest it just to be safe as some servers may block the email as it would look like spoofing to them.

      Best Regards,
      TJ Edens

  • I am also experiencing similar problems.

     

    I have a website, which takes in external registration and confirmation of these registrants will be sent to the user’s email. upon clicking on this link in the email, the user will be registered and can he can use this website.

     

    The email containing the confirmation link is sent to spam email box. So really dont know how to overcome this issue. spf records are already been added in the dns settings. what else should i do. can someone shedlight on it

     

    Thanks in advance

    • Hello rathankar,

      You may want to contact the server that is hosting the email and have them take a look at a copy of the email so they can see why their server may think it is spam.

      Kindest Regards,
      Scott M

  • Hello! ALL of our company emails from [email protected]*******.com get sent to the SPAM folder if the recipient is a GMAIL user – every single time! This has been happening for years… I’ve just taken over as webmaster and I’d love to see if I can do something about it. We’re on a low-end server… I know we could upgrade and try that… but that’s a larger task and I’d like to exhaust all other options first. Does anybody have any insight for me? It would be greatly appreciated!

  • allways gmail and other domains  think my domain is send spam and block our domain .the question hot to resolve this problems.

    example :MDaemon Delivery Status Notification – https://www.altn.com/dsn/
    ————————————————————————–

    The attached message had PERMANENT fatal delivery errors.

    After one or more unsuccessful delivery attempts the attached message has
    been removed from the MDaemon mail queue on this server. The number and
    frequency of delivery attempts are determined by local configuration.

    ————————————————————————–
    YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS
    ————————————————————————–

    Failed address: [email protected]

    — Session Transcript —
    Sun 2015-01-25 11:34:46: Session 216355; child 0001
    Sun 2015-01-25 11:34:46: Parsing message <xxxxxxxxxxxxxxxxxxxxxxxx\pd35000076253.msg>
    Sun 2015-01-25 11:34:46: * From: [email protected]
    Sun 2015-01-25 11:34:46: * To: [email protected]
    Sun 2015-01-25 11:34:46: * Subject: test
    Sun 2015-01-25 11:34:46: * Size (bytes): 2172
    Sun 2015-01-25 11:34:46: * Message-ID: <[email protected]>
    Sun 2015-01-25 11:34:46: Attempting SMTP connection to [gmail.com]
    Sun 2015-01-25 11:34:46: Resolving MX records for [gmail.com] (DNS Server: 196.202.139.242)…
    Sun 2015-01-25 11:34:46: * P=005 S=000 D=gmail.com TTL=(24) MX=[gmail-smtp-in.l.google.com]
    Sun 2015-01-25 11:34:46: * P=010 S=001 D=gmail.com TTL=(24) MX=[alt1.gmail-smtp-in.l.google.com]
    Sun 2015-01-25 11:34:46: * P=020 S=002 D=gmail.com TTL=(24) MX=[alt2.gmail-smtp-in.l.google.com]
    Sun 2015-01-25 11:34:46: * P=030 S=003 D=gmail.com TTL=(24) MX=[alt3.gmail-smtp-in.l.google.com]
    Sun 2015-01-25 11:34:46: * P=040 S=004 D=gmail.com TTL=(24) MX=[alt4.gmail-smtp-in.l.google.com]
    Sun 2015-01-25 11:34:46: Attempting SMTP connection to [gmail-smtp-in.l.google.com:25]
    Sun 2015-01-25 11:34:46: Resolving A record for [gmail-smtp-in.l.google.com] (DNS Server: 196.202.139.242)…
    Sun 2015-01-25 11:34:46: * D=gmail-smtp-in.l.google.com TTL=(4) A=[74.125.195.26]
    Sun 2015-01-25 11:34:46: Attempting SMTP connection to [74.125.195.26:25]
    Sun 2015-01-25 11:34:46: Waiting for socket connection…
    Sun 2015-01-25 11:34:46: * Connection established (172.16.0.2:51405 -> 74.125.195.26:25)
    Sun 2015-01-25 11:34:46: Waiting for protocol to start…
    Sun 2015-01-25 11:34:46: <– 220 mx.google.com ESMTP w8si13460231wjw.51 – gsmtp
    Sun 2015-01-25 11:34:46: –> EHLO mail.krcsd.com
    Sun 2015-01-25 11:34:46: <– 250-mx.google.com at your service, [212.0.145.90]
    Sun 2015-01-25 11:34:46: <– 250-SIZE 35882577
    Sun 2015-01-25 11:34:46: <– 250 SMTPUTF8
    Sun 2015-01-25 11:34:46: –> MAIL From:<[email protected]> SIZE=2172
    Sun 2015-01-25 11:34:46: <– 250 2.1.0 OK w8si13460231wjw.51 – gsmtp
    Sun 2015-01-25 11:34:46: –> RCPT To:<[email protected]>
    Sun 2015-01-25 11:34:47: <– 250 2.1.5 OK w8si13460231wjw.51 – gsmtp
    Sun 2015-01-25 11:34:47: –> DATA
    Sun 2015-01-25 11:34:47: <– 354 End data with a single dot on a line
    Sun 2015-01-25 11:34:47: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd35000076253.msg> to [74.125.195.26]
    Sun 2015-01-25 11:34:47: Transfer Complete
    Sun 2015-01-25 11:34:58: <– 550-5.7.1 [212.0.145.90 12] Our system has detected that this message is
    Sun 2015-01-25 11:34:59: <– 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,
    Sun 2015-01-25 11:34:59: <– 550-5.7.1 this message has been blocked. Please visit
    Sun 2015-01-25 11:34:59: <– 550-5.7.1 https://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for
    Sun 2015-01-25 11:34:59: <– 550 5.7.1 more information. w8si13460231wjw.51 – gsmtp
    Sun 2015-01-25 11:34:59: –> QUIT
    — End Transcript —

    • It appears that Gmail may have blocked the server IP due to suspected spam. If your account is hosted with us, you may submit a ticket with live support in which they will be happy to assist you. If you are sending this email from outside of our server, you will need to request delisting from Google.

  • my e-mailing of invoices and purchase orders  from quickbooks pro are suddenly going into spam files to those i’m sending to. I’m using exede as an internet provider,outlook as my e-mail,the invoices are sent pdf format.my e-mail is yahoo. all parties are clueless,as am i. there is no notification on my end anything is wrong. just in much digging with my customers,could i fing this out. any miracle would be appreciated. my livlihood depends on this getting straightened out.

     

    • Hello Bobby,

      The receiving server is typically the one that determines whether to place the email in the Spam folder or not. If you can log into the yahoo mail server to see if it is the same there. That will confirm the server is the one that placed it in the spam folder. As to why, I can only guess that something in the spam algorithm has changed where it is flagging those specific email. Is there a way to whitelist the email address it comes from?

      Kindest Regards,
      Scott M

  • Hello there,
    I’m trying to figure out WHY most of the e-mail I send are always going to others SPAM box… I just send a couple of e-mails per dayand of course I’m NOT a spammer! Can someone please help me?

    • Hello Marco,

      Sorry to hear that you’re having problems with sent email going into spam. If your emails are being sent to the SPAM box, it may be depend on several things. The content of your messages, server reputation, or the email filter settings on the destination server. You need to provide more information on the issue in order for us to more thoroughly investigate the problem. We would need to know your domain name, or at least the email address you’re using and the destination you’re sending the email to. You may also be receiving a bounce-back message that explains the issue. If you are getting a bounce-back message, then that information would be invaluable in determining the cause of your email problems.

      We would be happy to help, but at present we need more information in order to proceed. If you wish for us to investigate the issue, then please respond with more info to this post. If you wish for the issue to be handled privately, then please contact our live technical support team via phone/chat/email as per the information at the bottom of the page.

      Kindest regards,
      Arnel C.

  • this is the email address that correspondence was sent.

    the msg. was sent on Tuesday morning and I didn’t recieve it unitl Friday morning.

    • Hello Chris,

      SPF records would not delay email delivery. Although email was intended to be delivered within 24 hours, it can be delayed longer at times due to other issues with one or more email servers along the route.

      Kindest Regards,
      Scott M

Was this article helpful? Let us know!