DKIM & SPF Records
DKIM and SPF are email authentication methods that prove your messages are legitimately sent from your domain. Setting them up improves deliverability and protects against spoofing.
What Is SPF?
Sender Policy Framework (SPF) is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. When a receiving mail server gets a message from your domain, it checks the SPF record to verify the sending server is permitted. If the server is not listed, the message is more likely to be marked as spam or rejected.
What Is DKIM?
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every outgoing email. The receiving server uses a public key published in your DNS to verify that the message has not been altered in transit and was truly sent from your domain.
Why They Matter
- Better inbox placement — Gmail, Outlook, Yahoo, and other providers favour messages that pass SPF and DKIM checks.
- Spoofing protection — Prevents others from forging your domain in the "From" address of spam or phishing emails.
- Fewer bounces — Messages authenticated with SPF and DKIM are far less likely to be rejected by recipient servers.
Enabling DKIM and SPF in cPanel
If your domain's DNS is managed through cPanel (i.e. your nameservers point to Ultra Web Hosting), DKIM and SPF records may already be enabled automatically. To verify or enable them:
- Log into cPanel and go to the Email section.
- Click Email Deliverability.
- Find your domain in the list. cPanel shows the status of SPF and DKIM with a green checkmark (valid) or a warning icon (issues found).
- If either record has a problem, click Manage next to the domain.
- cPanel will show the recommended records. Click Install the suggested record for each one to apply them automatically.
Adding SPF and DKIM Records Manually
If your DNS is managed externally, you will need to copy the records from cPanel and add them at your DNS provider.
SPF Record
- In cPanel, go to Email Deliverability → Manage for your domain.
- Copy the suggested SPF record. It will look similar to:
  v=spf1 +a +mx +ip4:XXX.XXX.XXX.XXX ~all
- At your DNS provider, create a new TXT record for your root domain (@ or yourdomain.com).
- Paste the SPF value and save.
DKIM Record
- In cPanel, go to Email Deliverability → Manage for your domain.
- Copy the suggested DKIM record. It includes a selector name (e.g. default._domainkey) and a long TXT value starting with v=DKIM1;.
- At your DNS provider, create a new TXT record with the name default._domainkey.yourdomain.com.
- Paste the DKIM value and save.
Verifying Your Records
After adding or updating your records, allow up to 24 hours for DNS propagation. You can verify them in several ways:
- cPanel — Return to Email Deliverability. Green checkmarks confirm the records are valid.
- Command line — Use dig to query your records:
  dig TXT yourdomain.com +short
  dig TXT default._domainkey.yourdomain.com +short
- Online tools — Use services like MXToolbox, Mail Tester, or Google Admin Toolbox to check SPF and DKIM status.
DMARC (Optional but Recommended)
Domain-based Message Authentication, Reporting & Conformance (DMARC) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Adding a basic DMARC record is strongly recommended once SPF and DKIM are in place.
Create a TXT record with the name _dmarc.yourdomain.com and the following value:
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
This starts DMARC in monitoring mode (p=none), sending aggregate reports to your address. Once you confirm everything is working, you can change the policy to p=quarantine or p=reject for stronger protection.
Replace you@yourdomain.com in the DMARC record with an address where you want to receive authentication reports. These reports are XML files that help you identify unauthorised senders using your domain.
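The dig +short output from the verification step can also be checked by script. The following Python is an added example, not part of cPanel or of the original article; the function names, the sample key (a short constructed placeholder, not a real key) and the choice of checks are assumptions. It shows one detail the steps above do not: dig prints a long DKIM value as several quoted chunks, which must be joined before the p= key is read.

```python
import base64
import re

# Constructed sample of `dig TXT default._domainkey.yourdomain.com +short` output.
# The key is a short placeholder, split into two chunks the way dig shows long records.
SAMPLE_DKIM = '"v=DKIM1; k=rsa; p=QUJDREVG" "R0g="'

def txt_records(dig_output):
    """Return one string per TXT record, joining the quoted chunks on each line."""
    lines = (re.findall(r'"([^"]*)"', ln) for ln in dig_output.splitlines())
    return ["".join(chunks) for chunks in lines if chunks]

def tags(record):
    """Parse the 'tag=value; tag=value' list used by DKIM and DMARC records."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(dig_output):
    spf = [r for r in txt_records(dig_output) if re.match(r"v=spf1( |$)", r, re.I)]
    if len(spf) != 1:  # zero means no policy; more than one is an SPF error
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final is None:
        return [] if any(t.startswith("redirect=") for t in terms) else ["no 'all' mechanism"]
    return ["'all' passes every sender"] if final in ("all", "+all") else []

def check_dkim(dig_output):
    recs = txt_records(dig_output)
    if len(recs) != 1:
        return [f"expected one TXT record at the selector, found {len(recs)}"]
    t = tags(recs[0])
    if t.get("v", "DKIM1") != "DKIM1":
        return ["v= is not DKIM1"]
    key = re.sub(r"\s", "", t.get("p", ""))
    if not key:
        return ["p= is empty or missing (no usable public key)"]
    try:
        base64.b64decode(key, validate=True)
    except ValueError:  # bad characters or wrong length, e.g. a cut-off paste
        return ["p= is not valid base64"]
    return []

def check_dmarc(dig_output):
    recs = [r for r in txt_records(dig_output) if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(recs)}"]
    t = tags(recs[0])
    if t.get("p") not in ("none", "quarantine", "reject"):
        return ["p= must be none, quarantine or reject"]
    return ["p=none without rua= collects no reports"] if t["p"] == "none" and "rua" not in t else []
```

Pass each function the text printed by the matching dig command; an empty list means none of these checks failed.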