{"id":4437,"date":"2026-02-04T15:40:41","date_gmt":"2026-02-04T12:40:41","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/spf-dkim-and-dmarc-basics-for-small-businesses\/"},"modified":"2026-02-04T15:40:41","modified_gmt":"2026-02-04T12:40:41","slug":"spf-dkim-and-dmarc-basics-for-small-businesses","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/en\/spf-dkim-and-dmarc-basics-for-small-businesses\/","title":{"rendered":"SPF, DKIM and DMARC Basics for Small Businesses"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>Most small businesses eventually face the same question: \u201cWhy are my emails going to spam, and what do I actually need to fix it?\u201d The answer almost always involves three short acronyms that look more intimidating than they really are: <strong>SPF<\/strong>, <strong>DKIM<\/strong> and <strong>DMARC<\/strong>. These are the standard email authentication methods that tell other mail servers, \u201cYes, this message really came from us, and it hasn\u2019t been tampered with.\u201d When they are missing or misconfigured, your invoices, password resets and newsletters are far more likely to land in junk folders or be rejected outright.<\/p>\n<p>In this guide, we\u2019ll walk through SPF, DKIM and DMARC in clear language, then show you how to set them up step\u2011by\u2011step on your own domain. The focus is on realistic small business setups: shared hosting email, a <a href=\"https:\/\/www.dchost.com\/vps\">VPS<\/a> with your own mail server, or a mix of your own domain plus third\u2011party email services. If you want to go further after this article, you can also review our detailed checklist on <a href=\"https:\/\/www.dchost.com\/blog\/en\/e-postalar-neden-spam-klasorune-dusuyor-paylasimli-hosting-ve-vps-icin-teslim-edilebilirlik-kontrol-listesi\/\">why your emails go to spam and how to fix deliverability issues on shared hosting and VPS<\/a>. 
For now, let\u2019s get the foundations right.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Why_Email_Authentication_Matters_for_Small_Businesses\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Email Authentication Matters for Small Businesses<\/a><\/li><li><a href=\"#Core_Concepts_SPF_DKIM_and_DMARC_in_Plain_Language\"><span class=\"toc_number toc_depth_1\">2<\/span> Core Concepts: SPF, DKIM and DMARC in Plain Language<\/a><ul><li><a href=\"#What_SPF_Does\"><span class=\"toc_number toc_depth_2\">2.1<\/span> What SPF Does<\/a><\/li><li><a href=\"#What_DKIM_Does\"><span class=\"toc_number toc_depth_2\">2.2<\/span> What DKIM Does<\/a><\/li><li><a href=\"#What_DMARC_Adds_on_Top\"><span class=\"toc_number toc_depth_2\">2.3<\/span> What DMARC Adds on Top<\/a><\/li><\/ul><\/li><li><a href=\"#Before_You_Start_Prerequisites_and_Planning\"><span class=\"toc_number toc_depth_1\">3<\/span> Before You Start: Prerequisites and Planning<\/a><ul><li><a href=\"#1_List_All_Systems_That_Send_Email_for_Your_Domain\"><span class=\"toc_number toc_depth_2\">3.1<\/span> 1. List All Systems That Send Email for Your Domain<\/a><\/li><li><a href=\"#2_Confirm_You_Have_DNS_Access\"><span class=\"toc_number toc_depth_2\">3.2<\/span> 2. Confirm You Have DNS Access<\/a><\/li><li><a href=\"#3_Decide_Who_Will_Own_Email_Delivery\"><span class=\"toc_number toc_depth_2\">3.3<\/span> 3. Decide Who Will Own Email Delivery<\/a><\/li><\/ul><\/li><li><a href=\"#Step_1_Set_Up_a_Clean_SPF_Record\"><span class=\"toc_number toc_depth_1\">4<\/span> Step 1: Set Up a Clean SPF Record<\/a><ul><li><a href=\"#1_Check_for_Existing_SPF_Records\"><span class=\"toc_number toc_depth_2\">4.1<\/span> 1. Check for Existing SPF Records<\/a><\/li><li><a href=\"#2_Map_SPF_Mechanisms_to_Your_Real_Senders\"><span class=\"toc_number toc_depth_2\">4.2<\/span> 2. 
Map SPF Mechanisms to Your Real Senders<\/a><\/li><li><a href=\"#3_Choose_the_Right_SPF_Policy_Ending\"><span class=\"toc_number toc_depth_2\">4.3<\/span> 3. Choose the Right SPF Policy Ending<\/a><\/li><li><a href=\"#4_Add_or_Update_the_SPF_TXT_Record_in_DNS\"><span class=\"toc_number toc_depth_2\">4.4<\/span> 4. Add or Update the SPF TXT Record in DNS<\/a><\/li><\/ul><\/li><li><a href=\"#Step_2_Enable_DKIM_Signing\"><span class=\"toc_number toc_depth_1\">5<\/span> Step 2: Enable DKIM Signing<\/a><ul><li><a href=\"#1_Enable_DKIM_in_Your_Hosting_Panel_or_Mail_Server\"><span class=\"toc_number toc_depth_2\">5.1<\/span> 1. Enable DKIM in Your Hosting Panel or Mail Server<\/a><\/li><li><a href=\"#2_Understand_Selectors_and_DKIM_DNS_Records\"><span class=\"toc_number toc_depth_2\">5.2<\/span> 2. Understand Selectors and DKIM DNS Records<\/a><\/li><li><a href=\"#3_Add_DKIM_Records_for_Each_Sender\"><span class=\"toc_number toc_depth_2\">5.3<\/span> 3. Add DKIM Records for Each Sender<\/a><\/li><\/ul><\/li><li><a href=\"#Step_3_Publish_a_Safe_DMARC_Policy\"><span class=\"toc_number toc_depth_1\">6<\/span> Step 3: Publish a Safe DMARC Policy<\/a><ul><li><a href=\"#1_DMARC_Alignment_in_Simple_Terms\"><span class=\"toc_number toc_depth_2\">6.1<\/span> 1. DMARC Alignment in Simple Terms<\/a><\/li><li><a href=\"#2_Start_with_a_MonitoringOnly_DMARC_Record\"><span class=\"toc_number toc_depth_2\">6.2<\/span> 2. Start with a Monitoring\u2011Only DMARC Record<\/a><\/li><li><a href=\"#3_Review_Reports_and_Fix_Legitimate_Failures\"><span class=\"toc_number toc_depth_2\">6.3<\/span> 3. Review Reports and Fix Legitimate Failures<\/a><\/li><li><a href=\"#4_Gradually_Enforce_Quarantine_and_Reject\"><span class=\"toc_number toc_depth_2\">6.4<\/span> 4. 
Gradually Enforce Quarantine and Reject<\/a><\/li><\/ul><\/li><li><a href=\"#Step_4_Test_Monitor_and_Iterate\"><span class=\"toc_number toc_depth_1\">7<\/span> Step 4: Test, Monitor and Iterate<\/a><ul><li><a href=\"#1_Use_Online_Checkers_and_Live_Mailboxes\"><span class=\"toc_number toc_depth_2\">7.1<\/span> 1. Use Online Checkers and Live Mailboxes<\/a><\/li><li><a href=\"#2_Watch_Outbound_Volumes_and_Rate_Limits\"><span class=\"toc_number toc_depth_2\">7.2<\/span> 2. Watch Outbound Volumes and Rate Limits<\/a><\/li><li><a href=\"#3_Align_Authentication_with_IP_Reputation\"><span class=\"toc_number toc_depth_2\">7.3<\/span> 3. Align Authentication with IP Reputation<\/a><\/li><\/ul><\/li><li><a href=\"#RealWorld_Scenarios_Putting_It_All_Together\"><span class=\"toc_number toc_depth_1\">8<\/span> Real\u2011World Scenarios: Putting It All Together<\/a><ul><li><a href=\"#Scenario_1_Email_on_Shared_Hosting_Only\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Scenario 1: Email on Shared Hosting Only<\/a><\/li><li><a href=\"#Scenario_2_SelfHosted_Mail_on_a_VPS\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Scenario 2: Self\u2011Hosted Mail on a VPS<\/a><\/li><li><a href=\"#Scenario_3_Mixed_Setup_with_Marketing_Platform\"><span class=\"toc_number toc_depth_2\">8.3<\/span> Scenario 3: Mixed Setup with Marketing Platform<\/a><\/li><\/ul><\/li><li><a href=\"#Common_Mistakes_and_How_to_Avoid_Them\"><span class=\"toc_number toc_depth_1\">9<\/span> Common Mistakes and How to Avoid Them<\/a><ul><li><a href=\"#1_Multiple_SPF_Records\"><span class=\"toc_number toc_depth_2\">9.1<\/span> 1. Multiple SPF Records<\/a><\/li><li><a href=\"#2_Ignoring_the_SPF_10Lookup_Limit\"><span class=\"toc_number toc_depth_2\">9.2<\/span> 2. Ignoring the SPF 10\u2011Lookup Limit<\/a><\/li><li><a href=\"#3_Enforcing_DMARC_Too_Early\"><span class=\"toc_number toc_depth_2\">9.3<\/span> 3. 
Enforcing DMARC Too Early<\/a><\/li><li><a href=\"#4_Not_Aligning_Visible_From_Domains\"><span class=\"toc_number toc_depth_2\">9.4<\/span> 4. Not Aligning Visible \u201cFrom\u201d Domains<\/a><\/li><li><a href=\"#5_Forgetting_About_DNS_TTLs_During_Changes\"><span class=\"toc_number toc_depth_2\">9.5<\/span> 5. Forgetting About DNS TTLs During Changes<\/a><\/li><\/ul><\/li><li><a href=\"#Where_dchostcom_Fits_Into_Your_Email_Strategy\"><span class=\"toc_number toc_depth_1\">10<\/span> Where dchost.com Fits Into Your Email Strategy<\/a><\/li><li><a href=\"#Wrapping_Up_A_Practical_Roadmap_for_Your_Next_30_Days\"><span class=\"toc_number toc_depth_1\">11<\/span> Wrapping Up: A Practical Roadmap for Your Next 30 Days<\/a><\/li><\/ul><\/div>\n<h2><span id=\"Why_Email_Authentication_Matters_for_Small_Businesses\">Why Email Authentication Matters for Small Businesses<\/span><\/h2>\n<p>Every email you send has to pass several silent trust checks before it appears in someone\u2019s inbox. Large providers and corporate mail gateways are constantly asking:<\/p>\n<ul>\n<li>Is this domain allowed to send from this IP address?<\/li>\n<li>Was this email altered in transit?<\/li>\n<li>Does the sender\u2019s policy say we should accept, quarantine or reject suspicious messages?<\/li>\n<\/ul>\n<p>SPF, DKIM and DMARC give structured answers to these questions. Without them, your messages look similar to spam and phishing attempts, even if your content is legitimate.<\/p>\n<p>For a small business, the impact is very concrete:<\/p>\n<ul>\n<li><strong>Lost revenue<\/strong>: abandoned carts because order emails never arrive.<\/li>\n<li><strong>Support load<\/strong>: customers opening tickets because password resets are missing.<\/li>\n<li><strong>Brand risk<\/strong>: attackers trying to spoof your domain in phishing campaigns.<\/li>\n<\/ul>\n<p>The good news: you don\u2019t need to be an email engineer to fix the basics. 
With access to your DNS panel (often through your hosting control panel) and a bit of planning, you can get SPF, DKIM and DMARC into a healthy state in a single afternoon.<\/p>\n<h2><span id=\"Core_Concepts_SPF_DKIM_and_DMARC_in_Plain_Language\">Core Concepts: SPF, DKIM and DMARC in Plain Language<\/span><\/h2>\n<h3><span id=\"What_SPF_Does\">What SPF Does<\/span><\/h3>\n<p><strong>SPF (Sender Policy Framework)<\/strong> is a DNS record that lists <strong>which servers are allowed to send email<\/strong> for your domain. When a receiving server gets a message claiming to be from <code>you@example.com<\/code>, it checks the SPF record of <code>example.com<\/code> and asks: \u201cIs the sending IP mentioned here?\u201d<\/p>\n<p>Think of SPF as a guest list at the door. If an IP address is on the list, SPF passes. If not, it fails. SPF looks only at <strong>who sent the message and from where<\/strong>, not at the content.<\/p>\n<h3><span id=\"What_DKIM_Does\">What DKIM Does<\/span><\/h3>\n<p><strong>DKIM (DomainKeys Identified Mail)<\/strong> attaches a <strong>digital signature<\/strong> to each email. Your mail server signs outgoing messages with a private key. The matching public key is stored as a DNS record. Receiving servers use the public key to verify that:<\/p>\n<ul>\n<li>The email really came from a server that controls your domain.<\/li>\n<li>The headers and body have not been modified in transit.<\/li>\n<\/ul>\n<p>In practical terms, DKIM proves that the content your recipient sees is the same content you sent.<\/p>\n<h3><span id=\"What_DMARC_Adds_on_Top\">What DMARC Adds on Top<\/span><\/h3>\n<p><strong>DMARC (Domain-based Message Authentication, Reporting and Conformance)<\/strong> builds on SPF and DKIM. 
It lets domain owners publish a <strong>policy<\/strong> telling receivers what to do when SPF and\/or DKIM fail, and it enables <strong>reporting<\/strong> so you can see who is sending on behalf of your domain.<\/p>\n<p>DMARC answers questions like:<\/p>\n<ul>\n<li>If someone sends an email pretending to be us and it fails checks, should it be rejected or quarantined?<\/li>\n<li>Which IPs and providers are actually sending email using our domain every day?<\/li>\n<\/ul>\n<p>DMARC is where you move from \u201cI hope everything is okay\u201d to \u201cI can see exactly what\u2019s happening and control how strict we are.\u201d We cover the reporting and policy side in much more detail in our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/dmarc-raporlari-aggregate-ve-forensic-analiz-ile-pnonedan-prejecte-gecis\/\">DMARC in context: why the reports matter more than the record and how to move from p=none to p=reject<\/a>.<\/p>\n<h2><span id=\"Before_You_Start_Prerequisites_and_Planning\">Before You Start: Prerequisites and Planning<\/span><\/h2>\n<p>Before editing DNS records, spend 10\u201315 minutes mapping your real-world setup. This avoids breaking legitimate email when you tighten policies later.<\/p>\n<h3><span id=\"1_List_All_Systems_That_Send_Email_for_Your_Domain\">1. List All Systems That Send Email for Your Domain<\/span><\/h3>\n<p>Typical sources include:<\/p>\n<ul>\n<li>Your main mailboxes (e.g. 
<code>info@<\/code>, <code>sales@<\/code>) on shared hosting or a VPS<\/li>\n<li>Transactional email from your website or shop (order confirmations, password resets)<\/li>\n<li>Newsletter or marketing platforms using your domain as the \u201cFrom\u201d address<\/li>\n<li>CRM, helpdesk, invoicing, or booking systems that send emails as your domain<\/li>\n<\/ul>\n<p>If a system sends mail as <code>@yourdomain.com<\/code>, it must be reflected in SPF\/DKIM\/DMARC somehow, or you will eventually block your own traffic.<\/p>\n<h3><span id=\"2_Confirm_You_Have_DNS_Access\">2. Confirm You Have DNS Access<\/span><\/h3>\n<p>You will be adding SPF, DKIM and DMARC as <strong>TXT records<\/strong> (and sometimes CNAMEs) in DNS. Depending on your setup, DNS may live:<\/p>\n<ul>\n<li>At your registrar (where you bought the domain)<\/li>\n<li>On your hosting provider\u2019s nameservers<\/li>\n<li>On a third\u2011party DNS service<\/li>\n<\/ul>\n<p>If you are unsure how your DNS is structured, our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/yeni-aldiginiz-alan-adini-hosting-hesabina-baglamak-adim-adim-nameserver-dns-ve-ssl-rehberi\/\">connecting a new domain to hosting step\u2011by\u2011step<\/a> explains how nameservers and DNS zones fit together.<\/p>\n<h3><span id=\"3_Decide_Who_Will_Own_Email_Delivery\">3. Decide Who Will Own Email Delivery<\/span><\/h3>\n<p>As your infrastructure grows, it becomes important to know whether you will:<\/p>\n<ul>\n<li>Keep email on shared hosting with your website<\/li>\n<li>Move to a VPS and run your own mail server<\/li>\n<li>Use specialist hosted email or a mix of services<\/li>\n<\/ul>\n<p>Each option has different implications for SPF and DKIM. 
If you are evaluating where to host email, you may find our comparison of <a href=\"https:\/\/www.dchost.com\/blog\/en\/kendi-hosting-e-postaniz-mi-google-workspace-microsoft-365-mi\/\">self\u2011hosted email vs hosted productivity suites<\/a> helpful from both technical and operational angles.<\/p>\n<h2><span id=\"Step_1_Set_Up_a_Clean_SPF_Record\">Step 1: Set Up a Clean SPF Record<\/span><\/h2>\n<p>SPF is usually the easiest place to start, but it\u2019s also easy to clutter with years of old services. We\u2019ll focus on building a clean, minimal record that reflects your current reality.<\/p>\n<h3><span id=\"1_Check_for_Existing_SPF_Records\">1. Check for Existing SPF Records<\/span><\/h3>\n<p>Use a DNS lookup tool or your hosting panel to see if there is already a TXT record starting with <code>v=spf1<\/code> at your root domain (e.g. <code>example.com<\/code>). Important rules:<\/p>\n<ul>\n<li>You must have <strong>only one SPF record per domain<\/strong>.<\/li>\n<li>If there are multiple, they should be merged into a single record.<\/li>\n<\/ul>\n<h3><span id=\"2_Map_SPF_Mechanisms_to_Your_Real_Senders\">2. Map SPF Mechanisms to Your Real Senders<\/span><\/h3>\n<p>An SPF record is built from mechanisms that describe allowed senders. 
Common ones:<\/p>\n<ul>\n<li><code>a<\/code>: Allow the IP(s) of the domain\u2019s A\/AAAA record.<\/li>\n<li><code>mx<\/code>: Allow the IP(s) of the domain\u2019s MX records.<\/li>\n<li><code>ip4:<\/code> \/ <code>ip6:<\/code>: Allow specific IPv4\/IPv6 addresses or ranges.<\/li>\n<li><code>include:<\/code>: Trust another domain\u2019s SPF policy (used by many email providers).<\/li>\n<\/ul>\n<p>Example for a small business using its hosting provider for email plus a newsletter service:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=spf1 mx include:news.examplemail.com -all<\/code><\/pre>\n<p>This says:<\/p>\n<ul>\n<li>Emails from the IPs of our MX records are allowed.<\/li>\n<li>Emails sent via <code>news.examplemail.com<\/code> (your newsletter provider) are allowed via their SPF.<\/li>\n<li>Everything else should be rejected (<code>-all<\/code> is a hard fail).<\/li>\n<\/ul>\n<p>For more complex multi\u2011provider setups and the SPF 10\u2011DNS\u2011lookup limit, we\u2019ve written a dedicated piece on <a href=\"https:\/\/www.dchost.com\/blog\/en\/gelismis-spf-yonetimi-10-dns-lookup-limitine-takilmadan-coklu-e-posta-servisi-kullanmak\/\">advanced SPF management without hitting the 10\u2011lookup wall<\/a>.<\/p>\n<h3><span id=\"3_Choose_the_Right_SPF_Policy_Ending\">3. 
Choose the Right SPF Policy Ending<\/span><\/h3>\n<p>The end of your SPF record controls how strict it is:<\/p>\n<ul>\n<li><code>~all<\/code> \u2013 \u201cSoft fail\u201d (not recommended long\u2011term, but okay while transitioning)<\/li>\n<li><code>-all<\/code> \u2013 \u201cHard fail\u201d, recommended once you\u2019re sure your record is correct<\/li>\n<\/ul>\n<p>For example:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=spf1 mx -all<\/code><\/pre>\n<p>Start with <code>~all<\/code> if you\u2019re unsure whether you\u2019ve captured every sender, then move to <code>-all<\/code> once you\u2019ve verified logs and DMARC reports.<\/p>\n<h3><span id=\"4_Add_or_Update_the_SPF_TXT_Record_in_DNS\">4. Add or Update the SPF TXT Record in DNS<\/span><\/h3>\n<p>In your DNS panel:<\/p>\n<ol>\n<li>Find the zone for your domain (e.g. <code>example.com<\/code>).<\/li>\n<li>Add a new <strong>TXT<\/strong> record (or update the existing SPF record).<\/li>\n<li>Set the name\/host to <code>@<\/code> (or leave it blank, depending on UI).<\/li>\n<li>Paste your SPF string, for example: <code>v=spf1 mx include:news.examplemail.com -all<\/code>.<\/li>\n<li>Save and wait for DNS propagation (usually minutes, sometimes a couple of hours).<\/li>\n<\/ol>\n<p>You can confirm the change with a DNS lookup tool or via command line using <code>dig TXT example.com<\/code>.<\/p>\n<h2><span id=\"Step_2_Enable_DKIM_Signing\">Step 2: Enable DKIM Signing<\/span><\/h2>\n<p>DKIM requires two parts: generating keys on the sending side, and publishing the public key in DNS as a TXT record (or sometimes via CNAME). The exact steps depend on where your mailboxes and sending services live, but the logic is always the same.<\/p>\n<h3><span id=\"1_Enable_DKIM_in_Your_Hosting_Panel_or_Mail_Server\">1. 
Enable DKIM in Your Hosting Panel or Mail Server<\/span><\/h3>\n<p>On shared hosting with a control panel (like cPanel or DirectAdmin\u2011style interfaces), there is usually an \u201cEmail Deliverability\u201d or \u201cDKIM\u201d option where you can:<\/p>\n<ul>\n<li>Turn DKIM on for your domain.<\/li>\n<li>See the DKIM DNS records you need to publish if DNS is hosted elsewhere.<\/li>\n<\/ul>\n<p>On a VPS with your own mail stack (e.g. Postfix + OpenDKIM or rspamd), you will generate a DKIM key pair, configure the mail server to sign outgoing messages, and note the public key string that must go into DNS. We have a cPanel\/VPS\u2011specific walk\u2011through in our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/spf-dkim-ve-dmarc-nedir-ozel-alan-adi-ile-e-posta-dogrulamasini-cpanel-ve-vpste-sifirdan-kurmak\/\">SPF, DKIM and DMARC explained for cPanel and VPS email<\/a>.<\/p>\n<h3><span id=\"2_Understand_Selectors_and_DKIM_DNS_Records\">2. Understand Selectors and DKIM DNS Records<\/span><\/h3>\n<p>DKIM uses a <strong>selector<\/strong> to allow multiple keys per domain (for rotation, testing, different systems, etc.). A typical DKIM DNS record lives at:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">selector._domainkey.example.com<\/code><\/pre>\n<p>The TXT value will look like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE...<\/code><\/pre>\n<p>Where <code>p=<\/code> is a long base64 string (your public key). You don\u2019t edit that string manually; you paste it exactly as generated by your mail server or service.<\/p>\n<h3><span id=\"3_Add_DKIM_Records_for_Each_Sender\">3. 
Add DKIM Records for Each Sender<\/span><\/h3>\n<p>Each system that signs with DKIM will give you either:<\/p>\n<ul>\n<li>Plain TXT records (selector, host, value) to paste into DNS, or<\/li>\n<li>CNAME records that point to a key hosted on their domain.<\/li>\n<\/ul>\n<p>For each sender (your main mail server, newsletter platform, etc.):<\/p>\n<ol>\n<li>Log in to your DNS panel.<\/li>\n<li>Add the DKIM TXT or CNAME record they provide.<\/li>\n<li>Save and wait for propagation.<\/li>\n<\/ol>\n<p>Once the DNS side is set, send a test email to a mailbox you control (e.g. a personal address) and inspect the message headers. You should see a line like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector; ...<\/code><\/pre>\n<p>Most online DKIM checkers can also verify that the key is reachable and valid.<\/p>\n<h2><span id=\"Step_3_Publish_a_Safe_DMARC_Policy\">Step 3: Publish a Safe DMARC Policy<\/span><\/h2>\n<p>With SPF and DKIM in place and passing, you\u2019re ready to add DMARC. DMARC will give you visibility into who is using your domain and allow you to gradually move from \u201cmonitor only\u201d to \u201cblock abuse.\u201d<\/p>\n<h3><span id=\"1_DMARC_Alignment_in_Simple_Terms\">1. DMARC Alignment in Simple Terms<\/span><\/h3>\n<p>DMARC looks at two things:<\/p>\n<ul>\n<li><strong>Authentication<\/strong>: Did SPF and\/or DKIM pass?<\/li>\n<li><strong>Alignment<\/strong>: Does the authenticated domain match the visible \u201cFrom\u201d domain?<\/li>\n<\/ul>\n<p>Alignment is what makes DMARC powerful. It\u2019s not enough that some random domain passes SPF or DKIM; it has to align with your domain. 
There are two alignment modes:<\/p>\n<ul>\n<li><strong>relaxed<\/strong>: <code>mail.example.com<\/code> is allowed for <code>example.com<\/code>.<\/li>\n<li><strong>strict<\/strong>: The domain must match exactly.<\/li>\n<\/ul>\n<p>Most small businesses start with relaxed alignment and only tighten to strict if they have a very controlled setup.<\/p>\n<h3><span id=\"2_Start_with_a_MonitoringOnly_DMARC_Record\">2. Start with a Monitoring\u2011Only DMARC Record<\/span><\/h3>\n<p>Create a DMARC record as a TXT entry at:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">_dmarc.example.com<\/code><\/pre>\n<p>A safe starting policy looks like this:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1<\/code><\/pre>\n<p>What it means:<\/p>\n<ul>\n<li><code>v=DMARC1<\/code> \u2013 DMARC version.<\/li>\n<li><code>p=none<\/code> \u2013 Monitor only; do not block failing emails yet.<\/li>\n<li><code>rua=<\/code> \u2013 Aggregate reports (daily XML summaries).<\/li>\n<li><code>ruf=<\/code> \u2013 Forensic\/failure reports (optional and less widely used now).<\/li>\n<li><code>fo=1<\/code> \u2013 Request reports on any authentication failure.<\/li>\n<\/ul>\n<p>Use an address that can handle a lot of automated reports (not a personal inbox). Many companies create <code>dmarc@<\/code> or <code>dmarc-reports@<\/code> and pipe it into a dedicated folder or DMARC analysis tool.<\/p>\n<h3><span id=\"3_Review_Reports_and_Fix_Legitimate_Failures\">3. Review Reports and Fix Legitimate Failures<\/span><\/h3>\n<p>For a few weeks, leave DMARC at <code>p=none<\/code> and watch the reports. 
You will see:<\/p>\n<ul>\n<li>All the IPs that send email as your domain<\/li>\n<li>Whether SPF and DKIM are passing and aligning<\/li>\n<li>Potential abuse sources trying to spoof your domain<\/li>\n<\/ul>\n<p>Use this period to add missing senders to SPF, enable DKIM where it\u2019s off, or adjust \u201cFrom\u201d addresses for systems that cannot be aligned properly.<\/p>\n<h3><span id=\"4_Gradually_Enforce_Quarantine_and_Reject\">4. Gradually Enforce Quarantine and Reject<\/span><\/h3>\n<p>Once you\u2019re confident that all legitimate mail passes SPF\/DKIM with correct alignment, you can start protecting recipients from spoofed messages. DMARC supports three main policies:<\/p>\n<ul>\n<li><code>p=none<\/code> \u2013 Monitor only.<\/li>\n<li><code>p=quarantine<\/code> \u2013 Suspicious mail goes to spam\/quarantine.<\/li>\n<li><code>p=reject<\/code> \u2013 Suspicious mail is rejected at SMTP; recipients never see it.<\/li>\n<\/ul>\n<p>A safe progression is:<\/p>\n<ol>\n<li>Stay on <code>p=none<\/code> for a few weeks while fixing issues.<\/li>\n<li>Move to <code>p=quarantine<\/code> with <code>pct=25<\/code> (25% of failing mail) and gradually increase to <code>pct=100<\/code>.<\/li>\n<li>Finally switch to <code>p=reject<\/code> when you\u2019re comfortable that legitimate messages are not being blocked.<\/li>\n<\/ol>\n<p>Example \u201cquarantine 50%\u201d policy:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com<\/code><\/pre>\n<p>Our article on <a href=\"https:\/\/www.dchost.com\/blog\/en\/dmarc-raporlari-aggregate-ve-forensic-analiz-ile-pnonedan-prejecte-gecis\/\">using DMARC reports to move from p=none to p=reject<\/a> walks through these phases with real\u2011world tips and sample report interpretations.<\/p>\n<h2><span id=\"Step_4_Test_Monitor_and_Iterate\">Step 4: Test, Monitor and Iterate<\/span><\/h2>\n<p>Once SPF, DKIM and DMARC are technically in place, 
you still need a feedback loop. Email ecosystems change: you add new tools, migrate servers, or switch newsletter platforms. Each change can affect authentication.<\/p>\n<h3><span id=\"1_Use_Online_Checkers_and_Live_Mailboxes\">1. Use Online Checkers and Live Mailboxes<\/span><\/h3>\n<p>Send test emails to different mailbox providers you or your team use (personal addresses are fine). Check the headers to confirm:<\/p>\n<ul>\n<li><strong>SPF:<\/strong> <code>spf=pass<\/code> and domain alignment<\/li>\n<li><strong>DKIM:<\/strong> <code>dkim=pass<\/code> with your domain in <code>d=<\/code><\/li>\n<li><strong>DMARC:<\/strong> <code>dmarc=pass<\/code> for legitimate messages<\/li>\n<\/ul>\n<p>Combine this with online SPF\/DKIM\/DMARC validators that can parse your DNS records and highlight syntax issues.<\/p>\n<h3><span id=\"2_Watch_Outbound_Volumes_and_Rate_Limits\">2. Watch Outbound Volumes and Rate Limits<\/span><\/h3>\n<p>Even with perfect authentication, you can still hurt your sender reputation by sending too many emails too quickly from a shared IP or a fresh VPS. On shared hosting and VPS, you should be aware of provider\u2011side SMTP limits and abuse protections. Our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/paylasimli-hosting-ve-vpste-outbound-e-posta-guvenligi-ve-smtp-rate-limit-yonetimi\/\">outbound email security on shared hosting and VPS<\/a> explains typical rate limits and safe sending patterns.<\/p>\n<h3><span id=\"3_Align_Authentication_with_IP_Reputation\">3. Align Authentication with IP Reputation<\/span><\/h3>\n<p>If you later move to a dedicated IP for email (for example on a VPS or <a href=\"https:\/\/www.dchost.com\/dedicated-server\">dedicated server<\/a>), you\u2019ll need to warm it up carefully so receivers learn that good mail comes from that IP. DMARC, SPF and DKIM are the technical proof; IP warm\u2011up and good content are the behavioural proof. 
For that phase, see our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/dedicated-ip-isitma-ve-e-posta-itibari-yonetimi\/\">dedicated IP warm\u2011up and email reputation management<\/a>.<\/p>\n<h2><span id=\"RealWorld_Scenarios_Putting_It_All_Together\">Real\u2011World Scenarios: Putting It All Together<\/span><\/h2>\n<h3><span id=\"Scenario_1_Email_on_Shared_Hosting_Only\">Scenario 1: Email on Shared Hosting Only<\/span><\/h3>\n<p>Many small businesses keep their website and email on the same shared hosting account. A robust baseline for this setup looks like:<\/p>\n<ul>\n<li><strong>SPF:<\/strong> <code>v=spf1 mx -all<\/code> (assuming your MX is your shared hosting server)<\/li>\n<li><strong>DKIM:<\/strong> Enabled in your hosting control panel, DNS records published correctly<\/li>\n<li><strong>DMARC:<\/strong> <code>v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com<\/code> for monitoring, then later <code>p=reject<\/code> once reports are clean<\/li>\n<\/ul>\n<p>This alone is a big improvement over having no authentication. If you later move your website to a VPS but keep email on shared hosting, remember to verify that SPF (<code>mx<\/code> mechanism) still points to the right MX hostnames and IPs.<\/p>\n<h3><span id=\"Scenario_2_SelfHosted_Mail_on_a_VPS\">Scenario 2: Self\u2011Hosted Mail on a VPS<\/span><\/h3>\n<p>If you run your own mail server on a VPS or dedicated server, you have more control, but also more responsibility:<\/p>\n<ul>\n<li>Set a correct <strong>PTR (reverse DNS)<\/strong> record for your mail server IP.<\/li>\n<li>Publish SPF including your mail server IP (e.g. 
<code>ip4:203.0.113.10<\/code> and\/or <code>mx<\/code> if MX is that server).<\/li>\n<li>Configure DKIM signing at the MTA level and publish the selector\u2019s public key in DNS.<\/li>\n<li>Publish a DMARC policy at <code>_dmarc.example.com<\/code> and monitor reports closely.<\/li>\n<\/ul>\n<p>If you send over IPv6 as well, don\u2019t forget the <code>ip6:<\/code> mechanism in SPF, and make sure reverse DNS is set for IPv6 too. We cover those details in our article on <a href=\"https:\/\/www.dchost.com\/blog\/en\/ipv6-ile-e-posta-gonderimi-reverse-dns-spf-ve-teslim-edilebilirlik-rehberi\/\">sending email over IPv6 with proper reverse DNS and SPF<\/a>.<\/p>\n<h3><span id=\"Scenario_3_Mixed_Setup_with_Marketing_Platform\">Scenario 3: Mixed Setup with Marketing Platform<\/span><\/h3>\n<p>Another common pattern is: main mailboxes on hosting or a VPS, plus a marketing platform sending newsletters from <code>newsletter@yourdomain.com<\/code>.<\/p>\n<p>Key steps:<\/p>\n<ul>\n<li>Add the marketing platform\u2019s <code>include:<\/code> directive to your SPF record.<\/li>\n<li>Publish the DKIM records (TXT or CNAME) they provide for your domain.<\/li>\n<li>Ensure the \u201cFrom\u201d address they use is <code>@yourdomain.com<\/code>, not a random subdomain you didn\u2019t configure.<\/li>\n<li>Check DMARC reports to confirm that both your primary mail server and the marketing platform show up as passing and aligned.<\/li>\n<\/ul>\n<p>In some cases, it makes sense to use <strong>separate sending domains<\/strong> for transactional vs marketing email (for example <code>billing.yourdomain.com<\/code> and <code>news.yourdomain.com<\/code>) to isolate reputation issues. 
We discuss the pros and cons in our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/e-posta-icin-ayri-gonderim-alan-adi-kullanmak-transactional-ve-pazarlama-e-postalari-icin-dogru-domain-ve-dns-stratejisi\/\">using separate sending domains for transactional and marketing emails<\/a>.<\/p>\n<h2><span id=\"Common_Mistakes_and_How_to_Avoid_Them\">Common Mistakes and How to Avoid Them<\/span><\/h2>\n<h3><span id=\"1_Multiple_SPF_Records\">1. Multiple SPF Records<\/span><\/h3>\n<p>Only one SPF TXT record is allowed per domain. If a provider\u2019s documentation tells you to \u201cadd this SPF record\u201d and you already have one, don\u2019t just create a second record. Instead, <strong>merge their mechanisms<\/strong> into your existing record.<\/p>\n<h3><span id=\"2_Ignoring_the_SPF_10Lookup_Limit\">2. Ignoring the SPF 10\u2011Lookup Limit<\/span><\/h3>\n<p>SPF allows only 10 DNS lookups per evaluation. Too many <code>include:<\/code>, <code>mx<\/code> or <code>a<\/code> mechanisms can push you over this limit, causing SPF to fail even if everything else is correct. This is especially common when using several third\u2011party services. Our article on <a href=\"https:\/\/www.dchost.com\/blog\/en\/gelismis-spf-yonetimi-10-dns-lookup-limitine-takilmadan-coklu-e-posta-servisi-kullanmak\/\">advanced SPF management<\/a> shows strategies such as flattening and consolidation.<\/p>\n<h3><span id=\"3_Enforcing_DMARC_Too_Early\">3. Enforcing DMARC Too Early<\/span><\/h3>\n<p>Jumping straight to <code>p=reject<\/code> without a monitoring phase is risky. You may block emails from systems you forgot about (old CRMs, booking tools, or HR platforms). Always start with <code>p=none<\/code>, analyse reports for a few weeks, then gradually move to quarantine and reject.<\/p>\n<h3><span id=\"4_Not_Aligning_Visible_From_Domains\">4. 
Not Aligning Visible \u201cFrom\u201d Domains<\/span><\/h3>\n<p>Some systems send from <code>no-reply@thirdparty.com<\/code> while putting your brand name only in the display name. These messages cannot help your DMARC posture because SPF\/DKIM will align with <code>thirdparty.com<\/code>, not your domain. Where possible, configure those systems to send as <code>@yourdomain.com<\/code> with DKIM signing on your domain and appropriate SPF entries.<\/p>\n<h3><span id=\"5_Forgetting_About_DNS_TTLs_During_Changes\">5. Forgetting About DNS TTLs During Changes<\/span><\/h3>\n<p>When making big SPF or DMARC changes, you may want to lower DNS TTL values temporarily so you can roll back quickly if something goes wrong. Our guide to <a href=\"https:\/\/www.dchost.com\/blog\/en\/dns-ttl-degerlerini-dogru-ayarlamak-a-mx-cname-ve-txt-kayitlari-icin-stratejik-rehber\/\">DNS TTL best practices for A, MX, CNAME and TXT records<\/a> explains how to choose TTLs that balance flexibility with stability.<\/p>\n<h2><span id=\"Where_dchostcom_Fits_Into_Your_Email_Strategy\">Where dchost.com Fits Into Your Email Strategy<\/span><\/h2>\n<p>As the infrastructure team behind this blog, we see SPF, DKIM and DMARC issues every week across shared hosting, VPS and dedicated environments. 
The patterns are consistent: once DNS and policies are cleaned up, deliverability improves, support tickets about \u201cmissing emails\u201d drop and brands gain better control over how their domains are used.<\/p>\n<p>Whether you run your email on a shared hosting plan, a managed VPS or your own dedicated or colocated server, you need the same building blocks:<\/p>\n<ul>\n<li>Stable DNS with full control over TXT\/CNAME records<\/li>\n<li>Mail servers configured for SPF, DKIM and DMARC alignment<\/li>\n<li>Monitoring and logs to see what actually happens in production<\/li>\n<\/ul>\n<p>At dchost.com we design our shared hosting, VPS, dedicated and colocation services with those requirements in mind, so that when you\u2019re ready to tighten email authentication, the underlying platform doesn\u2019t get in your way.<\/p>\n<h2><span id=\"Wrapping_Up_A_Practical_Roadmap_for_Your_Next_30_Days\">Wrapping Up: A Practical Roadmap for Your Next 30 Days<\/span><\/h2>\n<p>SPF, DKIM and DMARC look complex from the outside, but they boil down to three simple questions: who is allowed to send email for your domain, how do we prove messages weren\u2019t tampered with, and what should receivers do when something looks wrong? 
Once you answer those questions in DNS and on your mail servers, you\u2019ve done most of the hard work.<\/p>\n<p>Over the next 30 days, you can follow this practical roadmap:<\/p>\n<ul>\n<li><strong>Week 1:<\/strong> List all current senders, clean up your SPF record and verify that it matches reality.<\/li>\n<li><strong>Week 2:<\/strong> Enable DKIM for each sending system, publish keys, and confirm that signatures pass in message headers.<\/li>\n<li><strong>Week 3:<\/strong> Publish a DMARC <code>p=none<\/code> policy, start collecting and reviewing reports, and fix any legitimate failures.<\/li>\n<li><strong>Week 4:<\/strong> Begin moving cautiously toward <code>p=quarantine<\/code>, with an eye on eventually reaching <code>p=reject<\/code> once you\u2019re comfortable.<\/li>\n<\/ul>\n<p>If you want a more hands\u2011on checklist that extends beyond authentication into rate limits, content, bounce handling and IP reputation, our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/spf-dkim-dmarc-ve-rdns-ile-e-posta-teslim-edilebilirligini-nasil-adim-adim-yukseltirsin\/\">Inbox or spam? A friendly step\u2011by\u2011step guide to SPF, DKIM, DMARC and rDNS<\/a> pairs well with this one.<\/p>\n<p>When you are ready to consolidate email, upgrade your hosting, or move to a VPS or dedicated server with more control, our team at dchost.com can help you choose the right infrastructure and migrate without losing email or SEO. The key is to treat SPF, DKIM and DMARC not as one\u2011off tasks, but as part of your long\u2011term domain and hosting architecture. 
Once they are in place and monitored, you\u2019ll spend less time chasing lost emails and more time focusing on your actual business.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Most small businesses eventually face the same question: \u201cWhy are my emails going to spam, and what do I actually need to fix it?\u201d The answer almost always involves three short acronyms that look more intimidating than they really are: SPF, DKIM and DMARC. These are the standard email authentication methods that tell other mail [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4438,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-4437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/4437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=4437"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/4437\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media\/4438"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=4437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=4437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=4437"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}