Configure DKIM, SPF, and DMARC to Protect Against Spoofing
Email authentication: Email authentication helps make sure your emails don’t land in the recipient’s spam folder.
In cPanel, three methods are used: DKIM, SPF, and DMARC.
These features protect your domain and stop spammers from sending fake emails using your name.
When you send an email, you want to make sure it reaches the inbox and does not go into the spam/junk folder.
But sometimes, spammers (bad people) try to send fake emails using your domain name. This is called email spoofing.
To stop this, we use Email Authentication.
It helps the receiver’s mail server (like Gmail, Yahoo, Outlook) to check:
- Is the email really from your domain?
- Is it safe and not fake?
In cPanel, email authentication is mainly done with three methods: DKIM, SPF, and DMARC.
DKIM (DomainKeys Identified Mail)
- DKIM checks if an email is safe and unchanged during delivery.
- It also verifies that the email really came from the sender’s address.
- This helps reduce fake or spam emails.
How DKIM Works:
- When you send an email, it is signed with a digital signature using a private key.
- When the receiver gets the email, their system checks it using your public key.
- If the signature matches → the email is valid.
- If the signature does not match → the email is treated as spam.
Enabling DKIM in cPanel
You just need to go to cPanel → Email Authentication and turn on DKIM.
Once enabled, all outgoing emails from your domain will automatically include this security signature.
To enable DKIM, follow these steps −
Step 1 − Open Email Authentication by clicking Authentication, found under the Mail section of cPanel Home.
Step 2 − Find the DKIM setting. If it is disabled, click the Enable button to enable DKIM.
Disable DKIM
To disable DKIM, follow these steps −
Step 1 − Open Email Authentication by clicking Authentication, found under the Mail section of cPanel Home.
Step 2 − Find the DKIM setting. If it is enabled, click the Disable button to disable DKIM.
Note − To enable DKIM, your nameservers must point to your hosting. It is recommended that you use DKIM authentication in your hosting.
SPF
Sender Policy Framework (SPF) helps prevent your outgoing messages from being marked as spam. It also helps prevent spammers from creating a message that looks like it originated from your domain. SPF uses TXT-type DNS resource records, which specify the hosts that send emails through your domain.
Enable SPF
To enable SPF, follow these steps −
Step 1 − Open Email Authentication by clicking Authentication, found under the Mail section of cPanel Home.
Step 2 − Find the SPF setting. If it is disabled, click the Enable button to enable SPF.
Disable SPF
To disable SPF, follow these steps −
Step 1 − Open Email Authentication by clicking Authentication, found under the Mail section of cPanel Home.
Step 2 − Find the SPF setting. If it is enabled, click the Disable button to disable SPF.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC works together with SPF and DKIM to stop fake emails. It tells mail servers what to do if an email fails authentication and also sends reports back to the domain owner.
How DMARC Works
- Domain owner adds a DMARC record in DNS.
- When an email arrives:
  - Server checks SPF and DKIM.
  - It also checks if the email matches the sender’s domain.
- Based on the DMARC policy → action is taken:
  - none → Just monitor, no action.
  - quarantine → Put in spam/junk.
  - reject → Block the email.
- Reports are sent to the email address in the DMARC record.
DMARC Policies
- p=none → Only monitoring, no blocking.
- p=quarantine → Suspicious emails go to spam.
- p=reject → Block fake emails completely.
Steps to Implement DMARC
- Plan → List all sources sending emails for your domain.
- Add SPF → Publish SPF record in DNS with allowed servers.
- Add DKIM → Generate keys, sign emails, and publish public key in DNS.
- Enable DMARC (p=none) → Collect reports first, no blocking.
- Fix Issues with Third Parties → Make sure they pass SPF/DKIM.
- Increase Enforcement → Change policy to quarantine → then reject.
- Full Protection → Set policy to reject once everything works fine.
Example Records:
- SPF: v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all
- DMARC (monitoring): v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
- DMARC (reject): v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
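The evaluation described under How DMARC Works, as an added Python example that is not part of the original article and is not cPanel or mail-server code. It shows why a third-party sender that passes SPF and DKIM only for its own domain still fails DMARC until it is fixed. Assumptions: the function names and sample messages are constructed, the organizational domain is approximated by the last two labels (real receivers use the Public Suffix List), and the pct and sp tags are ignored.

```python
# Added example: simplified DMARC evaluation (not cPanel or receiver code).

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a valid DMARC record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("p") in ("none", "quarantine", "reject") else None

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, msg):
    """Return (dmarc_result, disposition) for one message's authentication results."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", "deliver")  # no usable policy published
    spf_ok = msg["spf_pass"] and aligned(msg["spf_domain"], msg["from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_domain"], msg["from"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "deliver")
    return ("fail", {"none": "deliver"}.get(tags["p"], tags["p"]))

# Constructed sample messages; the record strings are the article's example records.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
OWN_SERVER = {"from": "example.com", "spf_pass": True, "spf_domain": "mail.example.com",
              "dkim_pass": True, "dkim_domain": "example.com"}
# Third-party sender that authenticates only as its own domain (hypothetical esp.example.net).
THIRD_PARTY = {"from": "example.com", "spf_pass": True, "spf_domain": "esp.example.net",
               "dkim_pass": True, "dkim_domain": "esp.example.net"}
# Forwarded mail: SPF breaks at the forwarder, the DKIM signature survives.
FORWARDED = {"from": "example.com", "spf_pass": False, "spf_domain": "forwarder.example.org",
             "dkim_pass": True, "dkim_domain": "example.com"}

if __name__ == "__main__":
    for name, msg in (("own", OWN_SERVER), ("third-party", THIRD_PARTY), ("forwarded", FORWARDED)):
        print(name, evaluate(MONITOR, msg), evaluate(REJECT, msg))
```

Under p=none the unaligned third-party message is still delivered and only shows up in the reports, which is why the steps above collect reports before moving to quarantine or reject.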



