{"id":888,"date":"2021-07-12T07:37:56","date_gmt":"2021-07-12T12:37:56","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=888"},"modified":"2021-10-21T07:06:05","modified_gmt":"2021-10-21T12:06:05","slug":"setting-up-spf-dkim-and-dmarc-records","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/","title":{"rendered":"Setting up SPF, DKIM, and DMARC Records"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 ez-toc-wrap-right counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #212121;color:#212121\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #212121;color:#212121\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#spf\" >SPF<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#spf_overview\" >SPF Overview<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#managing_spf_in_cpanel\" >Managing SPF in cPanel<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#verifying_spf_records\" >Verifying SPF records<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#additional_resources_on_spf\" >Additional Resources on SPF<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#dkim\" >DKIM<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#dkim_overview\" >DKIM Overview<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#using_dns_to_publish_dkim_keys\" >Using DNS to Publish DKIM Keys<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#dkim_verification_on_receiver\" >DKIM Verification on Receiver<\/a><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#managing_dkim_in_cpanel\" >Managing DKIM in cPanel<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#verifying_dkim_records\" >Verifying DKIM records<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#additional_resources_on_dkim\" >Additional Resources on DKIM<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#dmarc\" >DMARC<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#dmarc_overview\" >DMARC Overview<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#using_dns_for_publishing_dmarc_records\" >Using DNS for Publishing DMARC Records<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#managing_dmarc_records_in_cpanel\" >Managing DMARC Records in cPanel<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#verifying_dmarc_records\" >Verifying DMARC Records<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" 
href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#analyzing_dmarc_reports\" >Analyzing DMARC Reports<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#additional_information_about_dmarc\" >Additional Information about DMARC<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n<p>SPF, DKIM, and DMARC records are intended to fight SPAM and&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Email_spoofing\">email spoofing<\/a>. These mechanisms don&#8217;t analyse&nbsp;<em>content<\/em>&nbsp;of the message in search of malicious code, spam-like content, or content that would be used in a&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Phishing\">phishing<\/a>&nbsp;attempt. Other dedicated tools should be used to detect viruses &amp; malicious scripts or to flag messages as spam-like or scam-like based on the content of an email message.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"spf\"><\/span>SPF<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"spf_overview\"><\/span>SPF Overview<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>SPF (Sender Policy Framework) helps to fight email spoofing when a malicious sender forges&nbsp;<strong><code>MAIL FROM<\/code><\/strong>&nbsp;field in message. 
To implement this solution, domain owners should create a special&nbsp;<code>TXT<\/code>&nbsp;record in a domain&#8217;s&nbsp;DNS&nbsp;zone telling all recipients about authorized senders for their domain.<\/p>\n\n\n\n<p>SPF record consists of the following parts divided by spaces, and each part is processed in order:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><code>v=spf1<\/code><\/strong>&nbsp;&#8211; version of protocol<\/li><li><strong>mechanisms<\/strong>&nbsp;&#8211; the ways to interpret allowed senders. Commonly used are:&nbsp;<strong><code>a<\/code>,&nbsp;<code>mx<\/code>,&nbsp;<code>ip4<\/code>,&nbsp;<code>include<\/code>,&nbsp;<code>all<\/code><\/strong>. At least one mechanism should be in the record:<ul><li><strong><code>a<\/code><\/strong>: All the&nbsp;<code>A<\/code>&nbsp;DNS&nbsp;records for domain are tested.<\/li><li><strong><code>mx<\/code><\/strong>: All the&nbsp;<code>A<\/code>&nbsp;DNS&nbsp;records for all the&nbsp;<code>MX<\/code>&nbsp;records for domain are tested in order of&nbsp;<code>MX<\/code>&nbsp;priority.<\/li><li><strong><code>ip4<\/code><\/strong>: A CIDR-spec&nbsp;is an IP network range. If no prefix-length is given,&nbsp;<code>\/32<\/code>&nbsp;is assumed.<\/li><li><strong><code>include<\/code><\/strong>: The specified domain for the include is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive. Warning: If this other domain does not have a&nbsp;<em>valid<\/em>&nbsp;SPF record, the result is a &#8220;Permanent Error&#8221;.<\/li><li><strong><code>all<\/code><\/strong>: This mechanism always matches.&nbsp;<code>all<\/code>&nbsp;should go at the end of your SPF record.<\/li><\/ul><\/li><li>Each mechanism has a&nbsp;<strong>qualifier<\/strong>&nbsp;&#8211; it represents the action which should be taken. The list of qualifiers:<ul><li><strong><code>+<\/code><\/strong>&nbsp;for a PASS result. 
It&#8217;s used by default if no other qualifier is set, and is often omitted from SPF records.<\/li><li><strong><code>?<\/code><\/strong>&nbsp;for a NEUTRAL result. No action should be taken (ignore that mechanism).<\/li><li><strong><code>~<\/code><\/strong>&nbsp;(tilde) for SOFTFAIL. Mostly interpreted as &#8220;accept this message, but mark\/tag it&#8221;.<\/li><li><strong><code>-<\/code><\/strong>&nbsp;(minus) for FAIL, the mail should be rejected.<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Sample SPF record for domain domain.com:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  $ dig txt domain.com +short\n  \"v=spf1 a ip4:10.10.10.10 include:spf.example.com -all\"<\/code><\/pre>\n\n\n\n<p>There are 4 mechanisms in it:&nbsp;<code>a<\/code>,&nbsp;<code>ip4<\/code>,&nbsp;<code>include<\/code>, and&nbsp;<code>all<\/code>. First 3 mechanisms have&nbsp;<code>+<\/code>&nbsp;or PASS qualifier (if no qualifier for a mechanism is set, the qualifier defaults to &#8220;PASS&#8221;). The last&nbsp;<code>all<\/code>&nbsp;mechanism has&nbsp;<code>-<\/code>&nbsp;which is the (FAIL) qualifier. This record states that message should be accepted if it comes from IP address to which&nbsp;<code>A<\/code>&nbsp;record of domain.com resolves, or from example IP 10.10.10.10. Also, the message is accepted if it passes the policy of another domain \u2013 spf.example.com. 
Finally, message should be rejected if it does not pass previous mechanisms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"managing_spf_in_cpanel\"><\/span>Managing SPF in cPanel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>SPF record for single&nbsp;DNS&nbsp;zone could be set up or modified in WHM&nbsp;DNS&nbsp;zone editor (Home \u00bbDNS Functions \u00bbEdit&nbsp;DNS&nbsp;Zone).<\/p>\n\n\n\n<p>The below options require&nbsp;<code>root<\/code>&nbsp;access!<br>To add SPF records for already existing domains go to (Home \u00bbDNS Functions \u00bbEnable DKIM\/SPF Globally) and click &#8220;Proceed&#8221;. Also, script&nbsp;<code>\/usr\/local\/cpanel\/scripts\/enable_spf_dkim_globally<\/code>&nbsp;could be used for same purposes, see documentation at&nbsp;<a href=\"https:\/\/docs.cpanel.net\/whm\/scripts\/the-enable_spf_dkim_globally-script\/\">cPanel<\/a><\/p>\n\n\n\n<p>There&#8217;s also a script&nbsp;<code>\/usr\/local\/cpanel\/bin\/spf_installer<\/code>&nbsp;for managing SPF records. 
For example, you can add custom mechanism&nbsp;<strong><code>include:spf.example.com<\/code><\/strong>&nbsp;for all&nbsp;DNS&nbsp;zones:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  for acct in $(awk '{print $2}' \/etc\/trueuserdomains); do \/usr\/local\/cpanel\/bin\/spf_installer $acct include:spf.example.com; done<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"verifying_spf_records\"><\/span>Verifying SPF records<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Some services where you can verify SPF record for domain:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/mxtoolbox.com\/spf.aspx\">mxtoolbox.com\/spf.aspx<\/a><\/li><li><a href=\"http:\/\/emailaudit.com\/\">emailaudit.com\/<\/a><\/li><li><a href=\"https:\/\/dmarcian.com\/spf-survey\/\">dmarcian.com\/spf-survey\/<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"additional_resources_on_spf\"><\/span>Additional Resources on SPF<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/tools.ietf.org\/html\/rfc7208\">tools.ietf.org\/html\/rfc7208<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Sender_Policy_Framework\">en.wikipedia.org\/wiki\/Sender_Policy_Framework<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"dkim\"><\/span>DKIM<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"dkim_overview\"><\/span>DKIM Overview<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>DomainKeys Identified Mail (DKIM)<\/strong>&nbsp;is used to verify that message was sent indeed from domain which is presented in&nbsp;<code>FROM<\/code>&nbsp;field. Sender creates a pair of keys for mail domain: private and public. Private key is stored at mail server and signs each outgoing email message with it. 
Private key also could be shared with 3rd-party service which sends out messages on behalf of sender&#8217;s domain. The public key can be accessed by anyone on the Internet and is used to verify the signature on a signed message (DKIM signs messages; it does not encrypt them).<\/p>\n\n\n\n<p>On the other side, the recipient verifies the signature and can use the result of DKIM verification in further processing, for example reject messages which don&#8217;t pass DKIM verification, or mark these messages as spam.<\/p>\n\n\n\n<p>Therefore, by using DKIM two problems of email exchanging are being solved:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Verification of sender<\/li><li>Assurance that content of the message was not changed during transit from sender&#8217;s mail server to recipient&#8217;s mail server<\/li><\/ol>\n\n\n\n<p><strong>DKIM selector<\/strong>&nbsp;is used to distinguish between multiple keys within the same mail domain. For example, if several departments use one mail domain to send out messages, mail administrators could set up separate selectors for each department for better control of outgoing mail. A separate selector also lets a 3rd-party sending service sign with its own key pair, so the domain&#8217;s main private key does not have to be shared. However, in general having a&nbsp;<code>default<\/code>&nbsp;selector is sufficient, unless there is a specific need for multiple selectors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"using_dns_to_publish_dkim_keys\"><\/span>Using DNS to Publish DKIM Keys<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>DNS&nbsp;is used to make a public key known for all mail servers which could require DKIM verification from sender. For such purpose a&nbsp;<code>TXT<\/code>&nbsp;record is used. 
For example, here&#8217;s the public key for default DKIM selector of mail domain knownhost.com:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  $ dig txt default._domainkey.knownhost.com +short\n  \"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG+doMvKHVEE9r4YkdhEqBBHUYYZqs+g9L\/9M30cSP\/s0ZW6XMVHF3KwhJUcukq3kZNe3TMRFRiFxLb6ncLBnn7+491qS66yKMMStE6TdUFCFu5yq\/bdpM\/l04kPNcHutNkUJy1zLC6pGUuyxFIOIPlshry+oUkfhULw3E925kk1AOhn404702EBt1DObMXd+\" \"AQ+hWW\/xworVfZwCTRVSQ4TvJ7YH3X+wG6HLRqoEkVsOx2rc4XqHy52FFuoSFDhtNq45jCcOOVK2AdONPq4I5VEbTPAqBzItK3shDOnzvUAzwBl74Zl4sJoA8gyi0XxcNlmrOE6fkjeQqcwPxAUZQIDAQAB;\"<\/code><\/pre>\n\n\n\n<p>You may notice a space between two sections in quotation marks. This just indicates the limit for the length of TXT record and public key does not split in two parts: they are being concatenated during resolving the record by modern applications.<\/p>\n\n\n\n<p>DKIM record also could be a&nbsp;<code>CNAME<\/code>&nbsp;instead of&nbsp;<code>TXT<\/code>&nbsp;and point to other record which contains public key for mail domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"dkim_verification_on_receiver\"><\/span>DKIM Verification on Receiver<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Once mail server when DKIM verification is configured receives the message it looks in the header for the following line (an example):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;\n  ...<\/code><\/pre>\n\n\n\n<p>Tag-value field&nbsp;<strong><code>s=default<\/code><\/strong>&nbsp;indicates that default selector is in use. 
Then the mail server queries the&nbsp;<code>TXT<\/code>&nbsp;<a href=\"https:\/\/www.knownhost.com\/kb\/dns-records-explained\/\">DNS&nbsp;record<\/a> for&nbsp;<code>default._domainkey.example.com<\/code>, retrieves the public key from it, and uses it to verify the message&#8217;s signature.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"managing_dkim_in_cpanel\"><\/span>Managing DKIM in cPanel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To enable DKIM for newly created domains go to (Home \u00bbServer Configuration \u00bbTweak Settings) and find &#8220;Enable DKIM on domains for newly created accounts&#8221; option on Domains tab.<\/p>\n\n\n\n<p>To add DKIM for already existing domains go to (Home \u00bbDNS Functions \u00bbEnable DKIM\/SPF Globally) and click &#8220;Proceed&#8221;.<\/p>\n\n\n\n<p>You can allow\/disallow DKIM verification for incoming messages in Exim configuration (Home \u00bbService Configuration \u00bbExim Configuration Manager) at &#8220;ACL&nbsp;options&#8221; tab.<\/p>\n\n\n\n<p>Keys for each domain are stored in the following directories (the <code>private<\/code> directory holds the signing keys, so its contents should not be readable by unprivileged users):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  \/var\/cpanel\/domain_keys\/public\/\n  \/var\/cpanel\/domain_keys\/private\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"verifying_dkim_records\"><\/span>Verifying DKIM records<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>There&#8217;re many services where you can verify DKIM record for domain, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/mxtoolbox.com\/dkim.aspx\">mxtoolbox.com\/dkim.aspx<\/a><\/li><li><a href=\"http:\/\/emailaudit.com\/\">emailaudit.com\/<\/a><\/li><li><a href=\"https:\/\/www.mail-tester.com\/spf-dkim-check\">www.mail-tester.com\/spf-dkim-check<\/a><\/li><li><a href=\"https:\/\/dkimcore.org\/tools\/dkimrecordcheck.html\">dkimcore.org\/tools\/dkimrecordcheck.html<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span 
class=\"ez-toc-section\" id=\"additional_resources_on_dkim\"><\/span>Additional Resources on DKIM<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/tools.ietf.org\/html\/rfc6376\">tools.ietf.org\/html\/rfc6376<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/DomainKeys_Identified_Mail\">en.wikipedia.org\/wiki\/DomainKeys_Identified_Mail<\/a><\/li><li><a href=\"http:\/\/dkim.org\/\">dkim.org\/<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"dmarc\"><\/span>DMARC<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"dmarc_overview\"><\/span>DMARC Overview<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>While SPF and DKIM techniques allow mail servers to validate senders for incoming email messages, they both don&#8217;t provide mechanisms for senders to publish policies on actions which should be taken upon authentication failures. DMARC (Domain-based Message Authentication, Reporting and Conformance) fills up this gap. It allows domain owners to tell which rules should be applied for messages which failed SPF and\/or DKIM authentication. Also, DMARC allows to send back to domain owners reports about validation results per sender IP address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"using_dns_for_publishing_dmarc_records\"><\/span>Using DNS for Publishing DMARC Records<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Specially formatted&nbsp;<strong><code>TXT<\/code><\/strong>&nbsp;record is used to publish DMARC record for domain. It consists of subdomain&nbsp;<strong><code>_dmarc<\/code><\/strong>&nbsp;and tag-value fields divided by semicolons. 
An example of record for domain domain.com:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  _dmarc.domain.com<\/code><\/pre>\n\n\n\n<p>The following is an example of a value which tells receivers to process 100% of messages coming from domain domain.com, reject those which do not align with DKIM\/SPF policies, do nothing (process further) if the message came from a subdomain of domain.com, and send aggregated statistics daily to info@domain.com:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  \"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@domain.com\"<\/code><\/pre>\n\n\n\n<p>In this example:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><code>v<\/code>&nbsp;&#8211; version of protocol<\/li><li><code>p<\/code>&nbsp;&#8211; policy, possible values are:&nbsp;<strong>reject<\/strong>,&nbsp;<strong>quarantine<\/strong>&nbsp;or&nbsp;<strong>none<\/strong><\/li><li><code>sp<\/code>&nbsp;&#8211; policy for subdomains (the same possible values; if omitted, the <code>p<\/code> policy also applies to subdomains)<\/li><li><code>pct<\/code>&nbsp;&#8211; percentage of messages subjected to filtering<\/li><li><code>ri<\/code>&nbsp;&#8211; aggregate reporting interval (in seconds)<\/li><li><code>rua<\/code>&nbsp;&#8211; reporting&nbsp;URI(s) for aggregate data<\/li><\/ul>\n\n\n\n<p>Not all tag-value parameters are mandatory. The only\u00a0<em>required<\/em>\u00a0parameters are\u00a0<strong>version<\/strong>\u00a0(<code>v<\/code>) and\u00a0<strong>policy<\/strong>\u00a0(<code>p<\/code>). You can find more tags at\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc7489#section-11.4\">tools.ietf.org\/html\/rfc7489#section-11.4<\/a><\/p>\n\n\n\n<p>Here&#8217;s another example of DMARC record, for gmail.com. It states that all messages from gmail.com should be passed to further processing (neither quarantined nor rejected) whilst messages from a&nbsp;<em>subdomain<\/em>&nbsp;of gmail.com (e.g. 
subdomain.gmail.com) should be quarantined.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  $ dig txt _dmarc.gmail.com +short\n  \"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"managing_dmarc_records_in_cpanel\"><\/span>Managing DMARC Records in cPanel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>DMARC records can be set up or modified in WHM&nbsp;DNS&nbsp;Zone editor (Home \u00bbDNS Functions \u00bbEdit&nbsp;DNS&nbsp;Zone). This also could be done after enabling the&nbsp;<code>Zone Editor (AAAA, CAA, SRV, TXT)<\/code>&nbsp;feature for a package (this feature replaces the Advanced Zone Editor in cPanel.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"verifying_dmarc_records\"><\/span>Verifying DMARC Records<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Resources for verifying DMARC records for domains:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/mxtoolbox.com\/dmarc.aspx\">mxtoolbox.com\/dmarc.aspx<\/a><\/li><li><a href=\"https:\/\/dmarcian.com\/dmarc-inspector\/\">dmarcian.com\/dmarc-inspector\/<\/a><\/li><li><a href=\"http:\/\/emailaudit.com\/\">emailaudit.com\/<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"analyzing_dmarc_reports\"><\/span>Analyzing DMARC Reports<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Resources for analyzing DMARC Reports for a domain:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/mxtoolbox.com\/DmarcReportAnalyzer.aspx\">mxtoolbox.com\/DmarcReportAnalyzer.aspx<\/a><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"additional_information_about_dmarc\"><span class=\"ez-toc-section\" id=\"additional_information_about_dmarc\"><\/span>Additional Information about DMARC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a 
href=\"https:\/\/tools.ietf.org\/html\/rfc7489\">tools.ietf.org\/html\/rfc7489<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/DMARC\">en.wikipedia.org\/wiki\/DMARC<\/a><\/li><li><a href=\"https:\/\/dmarc.org\/\">dmarc.org\/<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>SPF, DKIM, and DMARC records are intended to fight SPAM and&nbsp;email spoofing. These mechanisms don&#8217;t analyse&nbsp;content&nbsp;of the message in search of malicious code, spam-like content, or content that would be used in a&nbsp;phishing&nbsp;attempt. Other dedicated tools should be used to detect viruses &amp; malicious scripts or to flag messages as spam-like or scam-like based on [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[299,298,178,82],"class_list":["post-888","post","type-post","status-publish","format-standard","hentry","category-getting-started","tag-spf","tag-dkim","tag-email","tag-getting-started"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Setting up SPF, DKIM, and DMARC Records - KnownHost<\/title>\n<meta name=\"description\" content=\"In this guide we will teach you how to set up and manage SPF, DKIM and DMARC records on premium KnownHost servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting up SPF, DKIM, and DMARC Records - KnownHost\" \/>\n<meta property=\"og:description\" content=\"In this guide we will teach you how to set up and manage SPF, DKIM 
and DMARC records on premium KnownHost servers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-12T12:37:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-21T12:06:05+00:00\" \/>\n<meta name=\"author\" content=\"Jonathan K. W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/\"},\"author\":{\"name\":\"Jonathan K. 
W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"Setting up SPF, DKIM, and DMARC Records\",\"datePublished\":\"2021-07-12T12:37:56+00:00\",\"dateModified\":\"2021-10-21T12:06:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/\"},\"wordCount\":1539,\"keywords\":[\".spf\",\"dkim\",\"email\",\"getting-started\"],\"articleSection\":[\"Getting Started\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/\",\"name\":\"Setting up SPF, DKIM, and DMARC Records - KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"datePublished\":\"2021-07-12T12:37:56+00:00\",\"dateModified\":\"2021-10-21T12:06:05+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"In this guide we will teach you how to set up and manage SPF, DKIM and DMARC records on premium KnownHost servers.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/setting-up-spf-dkim-and-dmarc-records\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Setting up SPF, DKIM, and DMARC 
Records\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Setting up SPF, DKIM, and DMARC Records - KnownHost","description":"In this guide we will teach you how to set up and manage SPF, DKIM and DMARC records on premium KnownHost servers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/","og_locale":"en_US","og_type":"article","og_title":"Setting up SPF, DKIM, and DMARC Records - KnownHost","og_description":"In this guide we will teach you how to set up and manage SPF, DKIM and DMARC records on premium KnownHost servers.","og_url":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/","og_site_name":"KnownHost","article_published_time":"2021-07-12T12:37:56+00:00","article_modified_time":"2021-10-21T12:06:05+00:00","author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/"},"author":{"name":"Jonathan K. 
W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"Setting up SPF, DKIM, and DMARC Records","datePublished":"2021-07-12T12:37:56+00:00","dateModified":"2021-10-21T12:06:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/"},"wordCount":1539,"keywords":[".spf","dkim","email","getting-started"],"articleSection":["Getting Started"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/","url":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/","name":"Setting up SPF, DKIM, and DMARC Records - KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"datePublished":"2021-07-12T12:37:56+00:00","dateModified":"2021-10-21T12:06:05+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"In this guide we will teach you how to set up and manage SPF, DKIM and DMARC records on premium KnownHost servers.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/setting-up-spf-dkim-and-dmarc-records\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"Setting up SPF, DKIM, and DMARC Records"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux 
questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=888"}],"version-history":[{"count":0,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/888\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/tags?post=888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}