security

guide

Email deliverability for Indian businesses: SPF, DKIM, DMARC explained

12 min read · 22-Dec-2025

the 12-minute guide

villagehosting.in team

22 December 2025

Sending from your domain name and still landing in spam? 90% of the time, SPF, DKIM, or DMARC is either missing or misconfigured. Here is how to fix it in 20 minutes.

Gmail and Outlook now enforce authentication strictly

Since February 2024, Gmail rejects or marks as spam emails from domains sending more than 5,000 messages/day without DMARC. Even for low-volume senders, missing SPF or DKIM is now a near-guarantee of spam folder placement. Fix all three records — it takes 20 minutes.

Why emails from your domain go to spam

When you send email from you@yourcompany.com, receiving servers do not know if the email actually came from you. Any server anywhere could send an email claiming to be from your domain.

Three DNS records prove the email is legitimate:

HOW SPF / DKIM / DMARC PROTECT YOUR EMAIL

SPF

Sender Policy Framework

A DNS TXT record listing servers allowed to send from your domain. Receiving server checks: did this email come from an authorised IP?

DKIM

DomainKeys Identified Mail

A cryptographic signature in every outgoing email, verified against a public key in your DNS. Proves the message was not modified in transit.

DMARC

Domain-based Message Authentication

Ties SPF and DKIM together. Tells receivers what to do when checks fail: p=none (monitor), p=quarantine (spam folder), p=reject (block entirely).

✓ All three records set + DMARC p=reject = spoofed emails claiming to be from your domain are rejected by major providers (Gmail, Outlook, Yahoo)

SPF tells receiving servers which mail servers are allowed to send on behalf of your domain
DKIM adds a cryptographic signature so receivers can verify the email was not tampered with
DMARC tells receivers what to do if SPF or DKIM fails (nothing, quarantine, or reject)

Without all three, you are relying on the goodwill of spam filters — and that goodwill is shrinking.

SPF: who is allowed to send your email

What it is

SPF (Sender Policy Framework) is a DNS TXT record that lists every server permitted to send email from your domain.

How to check if you have SPF

Go to MXToolbox SPF lookup and enter your domain
Or run: nslookup -type=TXT yourdomain.com in a terminal

You should see a record that looks like:

v=spf1 include:secureserver.net ~all

How to set up SPF in cPanel

If you are sending only through your host's mail servers:

cPanel → Zone Editor → your domain → Manage
Add a TXT record with:
- Type: TXT
- Name: @ (or yourdomain.com)
- Value: v=spf1 include:yourhostspf.com ~all

For VillageHosting, the SPF record is:

v=spf1 include:spf.villagehosting.in ~all

If you use multiple sending services

If you send through both your hosting mail server and a service like Mailchimp or SendGrid:

v=spf1 include:spf.villagehosting.in include:servers.mcsv.net ~all

Important: Only one SPF record per domain. Multiple records break delivery.

DKIM: proving the email was not tampered with

What it is

DKIM (DomainKeys Identified Mail) works by adding a digital signature to every outgoing email. Receiving servers check the signature against a public key published in your DNS.

How to set up DKIM in cPanel

cPanel → Email → Email Deliverability
Click "Manage" next to your domain
If DKIM is not installed, click "Install" — cPanel generates the key pair automatically
cPanel also shows the DKIM DNS record you need to add if it is not done automatically

For most cPanel setups, DKIM is installed with one click. Verify it worked:

Go to MXToolbox → DKIM Lookup and enter default._domainkey.yourdomain.com

If you use external email services (Mailchimp, Google Workspace, etc.)

Each service has its own DKIM key. Google Workspace, for example, gives you a TXT record to add to your DNS. Follow each provider's documentation to add their key.

You can have multiple DKIM records (one per selector) — unlike SPF, they do not conflict.

DMARC: telling receivers what to do

What it is

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy. If an email fails SPF or DKIM, DMARC tells the receiving server what to do.

The three policies

p=none — Monitor only. Emails still deliver. Useful for testing.
p=quarantine — Failed emails go to spam.
p=reject — Failed emails are rejected outright.

How to add a DMARC record

Add a TXT record in your DNS:

Name: _dmarc (or _dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Start with p=none and a reporting address. After a week, review the reports to make sure your legitimate emails are passing. Then move to p=quarantine, and eventually p=reject once you are confident.

Use p=none for at least one week before enforcing

Jumping straight to p=reject without reviewing DMARC reports first is a common mistake that blocks your own legitimate email — contact forms, transactional mailers, newsletter tools. Monitor reports for 7 days using a free tool like DMARC Analyzer before tightening the policy.

Reading DMARC reports

DMARC reports are XML files sent to the email address in your rua tag. They are hard to read raw. Use a free tool like DMARC Analyzer or MXToolbox DMARC Reports to interpret them.

Verification checklist

After setting up all three, verify:

SPF: MXToolbox SPF Lookup → should show "SPF record found" with no errors
DKIM: MXToolbox DKIM Lookup → should show "DKIM record found"
DMARC: MXToolbox DMARC Lookup → should show your policy
Full test: Send an email from your domain to a Gmail account → click the three dots → Show original → Check "Authentication-Results" → all three should say PASS

Common mistakes

Multiple SPF records: Only one v=spf1 record per domain. Merge them if you have more than one.

Forgot to add DKIM for external services: If you send through Mailchimp, Google Workspace, or Zoho, each needs its own DKIM DNS record.

DMARC too strict too fast: Moving to p=reject before you have reviewed reports often blocks legitimate email (internal tools, form processors). Start with none, monitor for one week, then move to quarantine.

TTL too long during setup: Set TTL to 300 (5 minutes) while configuring. After everything is working, increase to 3600 or higher.

What happens after you get this right

Your emails land in inbox instead of spam
Spoofed emails pretending to be from your domain get rejected
Your sender reputation improves over time
Transactional emails (order confirmations, password resets) actually get seen

DMARC enforcement at p=reject also protects your customers — no one can send a fake invoice or phishing email that appears to come from your domain.

If you are on VillageHosting, DKIM is enabled in cPanel automatically for all domains. The SPF record is pre-configured. Add a DMARC record and you are done.

security

guide

Email deliverability for Indian businesses: SPF, DKIM, DMARC explained

12 min read · 22-Dec-2025

the 12-minute guide

villagehosting.in team

22 December 2025

Sending from your domain name and still landing in spam? 90% of the time, SPF, DKIM, or DMARC is either missing or misconfigured. Here is how to fix it in 20 minutes.

Gmail and Outlook now enforce authentication strictly

Why emails from your domain go to spam

When you send email from you@yourcompany.com, receiving servers do not know if the email actually came from you. Any server anywhere could send an email claiming to be from your domain.

Three DNS records prove the email is legitimate:

HOW SPF / DKIM / DMARC PROTECT YOUR EMAIL

SPF

Sender Policy Framework

A DNS TXT record listing servers allowed to send from your domain. Receiving server checks: did this email come from an authorised IP?

DKIM

DomainKeys Identified Mail

A cryptographic signature in every outgoing email, verified against a public key in your DNS. Proves the message was not modified in transit.

DMARC

Domain-based Message Authentication

Ties SPF and DKIM together. Tells receivers what to do when checks fail: p=none (monitor), p=quarantine (spam folder), p=reject (block entirely).

✓ All three records set + DMARC p=reject = spoofed emails claiming to be from your domain are rejected by major providers (Gmail, Outlook, Yahoo)

SPF tells receiving servers which mail servers are allowed to send on behalf of your domain
DKIM adds a cryptographic signature so receivers can verify the email was not tampered with
DMARC tells receivers what to do if SPF or DKIM fails (nothing, quarantine, or reject)

Without all three, you are relying on the goodwill of spam filters — and that goodwill is shrinking.

SPF: who is allowed to send your email

What it is

SPF (Sender Policy Framework) is a DNS TXT record that lists every server permitted to send email from your domain.

How to check if you have SPF

Go to MXToolbox SPF lookup and enter your domain
Or run: nslookup -type=TXT yourdomain.com in a terminal

You should see a record that looks like:

v=spf1 include:secureserver.net ~all

How to set up SPF in cPanel

If you are sending only through your host's mail servers:

cPanel → Zone Editor → your domain → Manage
Add a TXT record with:
- Type: TXT
- Name: @ (or yourdomain.com)
- Value: v=spf1 include:yourhostspf.com ~all

For VillageHosting, the SPF record is:

v=spf1 include:spf.villagehosting.in ~all

If you use multiple sending services

If you send through both your hosting mail server and a service like Mailchimp or SendGrid:

v=spf1 include:spf.villagehosting.in include:servers.mcsv.net ~all

Important: Only one SPF record per domain. Multiple records break delivery.

DKIM: proving the email was not tampered with

What it is

DKIM (DomainKeys Identified Mail) works by adding a digital signature to every outgoing email. Receiving servers check the signature against a public key published in your DNS.

How to set up DKIM in cPanel

cPanel → Email → Email Deliverability
Click "Manage" next to your domain
If DKIM is not installed, click "Install" — cPanel generates the key pair automatically
cPanel also shows the DKIM DNS record you need to add if it is not done automatically

For most cPanel setups, DKIM is installed with one click. Verify it worked:

Go to MXToolbox → DKIM Lookup and enter default._domainkey.yourdomain.com

If you use external email services (Mailchimp, Google Workspace, etc.)

Each service has its own DKIM key. Google Workspace, for example, gives you a TXT record to add to your DNS. Follow each provider's documentation to add their key.

You can have multiple DKIM records (one per selector) — unlike SPF, they do not conflict.

DMARC: telling receivers what to do

What it is

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy. If an email fails SPF or DKIM, DMARC tells the receiving server what to do.

The three policies

p=none — Monitor only. Emails still deliver. Useful for testing.
p=quarantine — Failed emails go to spam.
p=reject — Failed emails are rejected outright.

How to add a DMARC record

Add a TXT record in your DNS:

Name: _dmarc (or _dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Use p=none for at least one week before enforcing

Reading DMARC reports

DMARC reports are XML files sent to the email address in your rua tag. They are hard to read raw. Use a free tool like DMARC Analyzer or MXToolbox DMARC Reports to interpret them.

Verification checklist

After setting up all three, verify:

SPF: MXToolbox SPF Lookup → should show "SPF record found" with no errors
DKIM: MXToolbox DKIM Lookup → should show "DKIM record found"
DMARC: MXToolbox DMARC Lookup → should show your policy
Full test: Send an email from your domain to a Gmail account → click the three dots → Show original → Check "Authentication-Results" → all three should say PASS

Common mistakes

Multiple SPF records: Only one v=spf1 record per domain. Merge them if you have more than one.

Forgot to add DKIM for external services: If you send through Mailchimp, Google Workspace, or Zoho, each needs its own DKIM DNS record.

TTL too long during setup: Set TTL to 300 (5 minutes) while configuring. After everything is working, increase to 3600 or higher.

What happens after you get this right

Your emails land in inbox instead of spam
Spoofed emails pretending to be from your domain get rejected
Your sender reputation improves over time
Transactional emails (order confirmations, password resets) actually get seen

DMARC enforcement at p=reject also protects your customers — no one can send a fake invoice or phishing email that appears to come from your domain.

If you are on VillageHosting, DKIM is enabled in cPanel automatically for all domains. The SPF record is pre-configured. Add a DMARC record and you are done.