Email was designed decades ago without authentication in mind. By default, anyone can send an email claiming to be from your domain - and many spammers, phishers, and scammers do exactly that. SPF, DKIM, and DMARC are three DNS-based standards that work together to verify legitimate senders and protect your domain from being abused.
Setting them up also improves the deliverability of your own emails, since mail servers worldwide use these records to determine whether to accept or reject incoming messages.
What Is Email Spoofing?
Email spoofing is the practice of forging the "From" address in an email to make it appear to come from a trusted sender. A scammer can send an email that looks like it came from support@yourdomain.ca without ever having access to your email account.
This harms your customers (who might be deceived), your domain reputation (spam filters start flagging your legitimate emails), and your business credibility. SPF, DKIM, and DMARC each close a different part of this vulnerability.
SPF: Specifying Authorized Senders
SPF (Sender Policy Framework) is a TXT record in your DNS that lists which mail servers are allowed to send email on behalf of your domain.
When a receiving mail server gets an email from your domain, it checks your SPF record to see if the sending server is on the authorized list. If it is not, the email is flagged as suspicious.
A basic SPF record for a site hosted with cPanel looks like this:
v=spf1 include:yourhostingprovider.com ~all
The include: part references the mail servers at your hosting provider. The ~all at the end means emails from unauthorized servers should be treated as a soft fail (flagged but not necessarily rejected). Changing this to -all makes it a hard fail (reject).
To add an SPF record, go to your DNS management panel (cPanel > Zone Editor or your domain registrar) and add a TXT record for your domain with the SPF value.
DKIM: Cryptographic Email Signing
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The signature is generated using a private key on your mail server, and the corresponding public key is published in your DNS.
When a receiving server gets your email, it looks up your DKIM public key in DNS and uses it to verify the signature. If the signature matches, the email is confirmed to have come from your server and not to have been tampered with in transit.
In cPanel, DKIM is usually enabled by default. To verify, go to cPanel > Email Deliverability (sometimes called Email Authentication). If DKIM is not enabled, there will be an option to install it. cPanel generates the key pair and adds the DNS record automatically.
DMARC: Telling Receivers What to Do
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by telling receiving mail servers what to do with emails that fail those checks - and optionally, how to send you reports about what they see.
A DMARC record is a TXT record added to your DNS with the name _dmarc.yourdomain.ca.
A Sensible Setup Progression
Do not jump straight to a strict policy, as it can cause legitimate emails to be blocked if your SPF or DKIM setup is not perfect. Roll out DMARC in stages:
Stage 1 - Monitor only:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.ca
The p=none policy takes no action on failing emails but sends you reports so you can see what is happening.
Stage 2 - Quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.ca
Failing emails are delivered to the spam folder rather than the inbox.
Stage 3 - Reject:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.ca
Failing emails are rejected outright. Only move to this stage once you have confirmed all your legitimate email sources are correctly configured.
Checking Your Records with MXToolbox
Once you have set up your records, verify them using MXToolbox (mxtoolbox.com). Their free tools let you:
- Check your SPF record at mxtoolbox.com/spf.aspx
- Verify your DKIM record at mxtoolbox.com/dkim.aspx
- Analyze your DMARC record at mxtoolbox.com/dmarc.aspx
A clean pass on all three checks means your domain is properly protected and your legitimate emails are far more likely to land in the inbox rather than the spam folder.
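As a local complement to the MXToolbox checks, the Python below lints SPF and DMARC TXT values offline and reports which of the three rollout stages a DMARC record is in. It is an added example, not code from cPanel or MXToolbox; the names lint_spf, lint_dmarc, parse_dmarc and STAGES are hypothetical, and the sample records are constructed from the ones shown above.

```python
# Added example: offline lint of SPF and DMARC TXT values. No DNS queries are made.
STAGES = {"none": 1, "quarantine": 2, "reject": 3}  # the article's rollout stages

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (stage, warnings); stage is None when the record is unusable."""
    tags = parse_dmarc(record)
    if next(iter(tags), "") != "v" or tags["v"] != "DMARC1":
        return None, ["record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        return None, ["missing or unknown p= policy"]
    warnings = []
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        warnings.append("no rua= address, so no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        warnings.append("rua= entries should be mailto: URIs")
    return STAGES[policy], warnings

def lint_spf(record):
    """Return (qualifier of the all mechanism, warnings) for an SPF TXT value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["record must begin with v=spf1"]
    alls = [i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return None, ["no all mechanism found"]
    term = terms[alls[0]]
    qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means +all
    warnings = []
    if qualifier == "+":
        warnings.append("+all authorizes every sending server")
    if alls[0] != len(terms) - 1:
        warnings.append("all is not the last term; mechanisms after it are never tested")
    return qualifier, warnings

if __name__ == "__main__":
    # Constructed sample values modelled on the records shown in the article.
    print(lint_spf("v=spf1 include:yourhostingprovider.com ~all"))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.ca"))
```

A returned qualifier of ~ corresponds to the soft fail and - to the hard fail described in the SPF section; a stage of 1, 2 or 3 corresponds to the monitor, quarantine and reject records.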

