Understanding SPF, DKIM, and DMARC — Email Authentication Explained
SPF, DKIM, and DMARC are email authentication standards that protect your domain from being used for spam and phishing. They also improve your email deliverability — emails that pass these checks are less likely to land in recipients' spam folders. This article explains what each record does and how Unisolva configures them for you.
Why Email Authentication Matters
- Without SPF, DKIM, and DMARC, anyone can send an email claiming to be from your domain
- Unauthenticated emails are frequently blocked or marked as spam by receiving mail servers
- Major email providers (Gmail, Outlook) now require SPF and DKIM for reliable delivery
- DMARC tells receiving servers what to do when an email fails authentication — protect your domain from impersonation
SPF — Sender Policy Framework
SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain.
How it works
- You publish an SPF record in your domain's DNS zone
- When a receiving mail server gets an email from your domain, it checks your DNS for the SPF record
- If the sending server's IP is on the authorized list, the email passes SPF
- If not, the email may be marked as spam or rejected
Example SPF record
v=spf1 include:_spf.yourmailprovider.com ~all
|
???? Note Unisolva configures SPF records automatically for all hosting plans and email services. If you use an external email service (like a bulk email platform), contact support at my.unisolva.com to add that service to your SPF record. |
DKIM — DomainKeys Identified Mail
DKIM adds a digital signature to every email your domain sends. Receiving servers verify the signature against a public key published in your DNS to confirm the email was not tampered with in transit.
How it works
- Your mail server signs every outgoing email with a private cryptographic key
- The corresponding public key is published as a DNS TXT record
- When a receiving server gets your email, it retrieves your public key from DNS and verifies the signature
- If the signature matches, the email passes DKIM — proving it genuinely came from your server and was not altered
|
???? Note Unisolva configures DKIM for all hosted email accounts. For Google Workspace and Microsoft 365, Unisolva adds the DKIM DNS records to your domain as part of the setup process. |
DMARC — Domain-based Message Authentication, Reporting & Conformance
DMARC builds on SPF and DKIM by telling receiving mail servers what to do when an email fails both checks. It also enables reporting so you can see who is sending email on behalf of your domain.
DMARC policies
- none — monitor only. Emails that fail SPF/DKIM are delivered normally, but reports are sent to you. Best for getting started without risking email delivery.
- quarantine — emails that fail are sent to the spam/junk folder instead of the inbox.
- reject — emails that fail are rejected outright and never delivered. The strongest protection.
Example DMARC record
v=DMARC1; p=quarantine; rua=mailto:[email protected]
|
???? Tip Start with p=none to collect reports and understand your email traffic before moving to p=quarantine or p=reject. This prevents accidentally blocking legitimate emails. |
How Unisolva Configures These for You
For all Unisolva hosting plans and email services:
- SPF — configured automatically for your domain on all hosting plans
- DKIM — configured automatically for cPanel email; added during setup for Google Workspace and Microsoft 365
- DMARC — a basic DMARC record is set up for your domain. Open a support ticket at my.unisolva.com to request a policy change (e.g. moving from none to quarantine or reject)
Checking Your Email Authentication Status
- Send a test email from your domain to a Gmail address
- In Gmail, open the email and click the three-dot menu (⋮) > Show Original
- At the top of the raw message, look for the authentication results:
- SPF: PASS — your SPF record is correctly configured
- DKIM: PASS — your DKIM signature is valid
- DMARC: PASS — your DMARC policy is in place
- If any of these show FAIL, open a support ticket at my.unisolva.com with a screenshot — our team will diagnose and fix the DNS configuration
|
⚠️ Warning If SPF or DKIM is failing, your emails may be landing in spam for many recipients. This is a common cause of "my emails are going to spam" issues. Contact support at my.unisolva.com immediately if you see authentication failures. |
Common Questions
Do I need to set these up myself?
No. Unisolva configures SPF, DKIM, and DMARC for you as part of your hosting and email service setup. You only need to take action if you add a third-party email sending service (e.g. Mailchimp, Sendinblue) that sends email on behalf of your domain — in that case, contact support to update your SPF record.
Will these affect my existing email?
Properly configured authentication records improve deliverability — they will not block any legitimate email. Issues only arise if you add a new sending service without updating your SPF record, or if you set DMARC to "reject" before verifying that all your email sources pass SPF and DKIM.
Related Articles
- Professional Email with Unisolva — Choosing the Right Plan
- Getting Started with OX App Suite
- Getting Started with Google Workspace on Unisolva
- Getting Started with Microsoft 365 on Unisolva
