Set up DKIM and DMARC for inbox delivery
Two DNS records that decide whether your email hits the inbox or spam.
What you'll set up
- SPF — tells mail servers which servers can send for your domain
- DKIM — a digital signature on outbound mail
- DMARC — a policy for what to do if SPF/DKIM fail
All three are DNS TXT records. Cernet exposes them as a 15-minute self-serve flow.
Step 1 — Enable DKIM
Cernet cPanel → Email → Email Deliverability. Find your domain, click Manage. Under DKIM: Install the suggested record. Done.
Step 2 — Enable SPF
Same page. Under SPF: Install the suggested record. Important: if you also send mail via external services (MailChimp, Brevo, Google Workspace), add them to the SPF string. Example:
v=spf1 +a +mx +ip4:193.34.103.42 include:_spf.mlsend.com include:_spf.google.com ~all
Step 3 — Configure DMARC
Add a new TXT record with name _dmarc.yourdomain.com and value:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; aspf=r; adkim=r
p=quarantine means "send suspicious mail to spam". The stricter option is p=reject (mail is rejected outright). Start with p=quarantine, monitor for 2 weeks, then tighten.
Step 4 — Test your setup
Send a test email to mail-tester.com and check the score. Below 8/10? Something is off. Above 9/10? Production-ready.
Step 5 — Monitor DMARC reports
Mail servers send daily aggregate reports to the rua address in your DMARC record. Read them yourself or use dmarcian / Postmark DMARC for visualisation.
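To read the reports yourself, the example below parses one aggregate report and counts, per sending IP, how many messages failed SPF, DKIM and DMARC as a whole. It is an added example, not Cernet's or any reporting tool's code. It assumes the report is already decompressed and uses un-namespaced RFC 7489 element names; the sample report and the function names summarize and would_be_rejected are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format; every value is made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>193.34.103.42</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Per source IP: message count and SPF / DKIM / DMARC failure counts."""
    # Reports come from third parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    totals = defaultdict(lambda: {"msgs": 0, "spf_fail": 0, "dkim_fail": 0, "dmarc_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        n = int(row.findtext("count", default="0"))
        spf_ok = ev.findtext("spf") == "pass"
        dkim_ok = ev.findtext("dkim") == "pass"
        t = totals[row.findtext("source_ip", default="unknown")]
        t["msgs"] += n
        t["spf_fail"] += 0 if spf_ok else n
        t["dkim_fail"] += 0 if dkim_ok else n
        # DMARC fails only when both aligned checks fail.
        t["dmarc_fail"] += 0 if (spf_ok or dkim_ok) else n
    return dict(totals)


def would_be_rejected(report_xml):
    """Sources with mail failing DMARC (what p=reject would hit), largest first."""
    rows = [(ip, t["dmarc_fail"]) for ip, t in summarize(report_xml).items() if t["dmarc_fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, t in summarize(SAMPLE_REPORT).items():
        print(ip, t)
    print("fails DMARC:", would_be_rejected(SAMPLE_REPORT))
```

A source that fails SPF but still passes DMARC through DKIM, like the second record, is worth checking against the SPF string before tightening to p=reject.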
Common mistakes
- SPF too permissive: +all in SPF means "anyone can send". Always use ~all or -all.
- DMARC without SPF + DKIM first: legitimate mail gets rejected.
- DKIM record not published: cPanel shows it as set but DNS propagation can take up to 4 hours.