Half your client support tickets will be "my emails go to spam." Proper email authentication configuration solves 90% of these issues.
The Three Pillars
| Protocol | Purpose | What It Does | |----------|---------|-------------| | SPF | Sender authorization | Tells receiving servers which IPs can send email for a domain | | DKIM | Message authentication | Digitally signs emails to verify they haven't been altered | | DMARC | Policy enforcement | Tells receivers what to do with emails that fail SPF/DKIM |
SPF Configuration
An SPF record is a TXT DNS record:
v=spf1 include:_spf.yourhostingserver.com a mx ~all
| Component | Meaning |
|-----------|---------|
| v=spf1 | SPF version |
| include: | Authorize another domain's servers |
| a | Authorize the domain's A record IP |
| mx | Authorize the domain's mail server IPs |
| ~all | Soft fail for other sources |
Common Mistakes
| Mistake | Impact | Fix |
|---------|--------|-----|
| Missing SPF record | High spam rate | Add one immediately |
| Multiple SPF records | Both ignored | Combine into one |
| Too many DNS lookups (>10) | SPF breaks | Use fewer includes |
| Using -all too early | Blocks legitimate email | Start with ~all, move to -all |
DKIM Configuration
DKIM adds a cryptographic signature to every outgoing email.
Setup in cPanel
- Go to Email > Authentication
- Enable DKIM
- Copy the DKIM DNS record
- Add it to the domain's DNS as a TXT record
The DNS record looks like:
default._domainkey.domain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."
DMARC Configuration
DMARC ties SPF and DKIM together with a policy:
_dmarc.domain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@domain.com"
DMARC Policies
| Policy | Meaning | When to Use |
|--------|---------|-------------|
| p=none | Monitor only | Initial setup, gathering data |
| p=quarantine | Send failures to spam | After verifying SPF/DKIM work |
| p=reject | Block failures entirely | Full confidence in authentication |
Start with p=none for 30 days. Review reports. Then move to p=quarantine, then p=reject.
Testing Email Authentication
Online Tools
| Tool | URL | Tests | |------|-----|-------| | MXToolbox | mxtoolbox.com | SPF, DKIM, DMARC, blacklists | | Mail Tester | mail-tester.com | Full delivery scoring | | Google Postmaster Tools | postmaster.google.com | Gmail-specific delivery |
From Command Line
# Check SPF
dig TXT domain.com | grep spf
# Check DKIM
dig TXT default._domainkey.domain.com
# Check DMARC
dig TXT _dmarc.domain.com
Deliverability Troubleshooting
| Symptom | Likely Cause | Solution | |---------|-------------|----------| | All emails to spam | Missing SPF/DKIM | Configure both | | Gmail blocks emails | IP blacklisted | Check MXToolbox, request delisting | | Outlook rejects | DMARC reject policy with issues | Fix SPF/DKIM alignment | | Intermittent delivery | Shared IP reputation | Consider dedicated IP | | Specific recipient bounces | Recipient server config | Contact recipient's admin |
Best Practice for Resellers
Set up SPF, DKIM, and DMARC for every new client account during provisioning. Don't wait for the "my emails go to spam" ticket.
Automating this in your account provisioning saves hours of support time and makes your hosting look professional from day one.
Space-Node's reseller hosting includes proper email infrastructure with clean IPs and server-level DKIM configuration, giving your clients' emails the best chance of reaching inboxes.
