Email remains one of the most widely used forms of communication, both for personal and business purposes. Just like with other digital communication channels, it’s important to keep your email traffic secure. Without proper protection, malicious actors can attempt to impersonate your email address or domain name. This is called spoofing, and it can lead to confusion, reputational damage, and even security risks for the recipient.
To prevent this kind of abuse, several email security standards have been developed, including SPF, DKIM, and DMARC. These technologies work together to verify whether an email really comes from your domain, and whether it was altered during transmission. By configuring them correctly, you increase the chances that your emails are reliably delivered to the recipient’s inbox and not mistakenly marked as spam. At the same time, you reduce the risk that others misuse your domain to send fake emails.
In this article, we’ll explain what SPF, DKIM, and DMARC are, how they work together to secure your email traffic, and why it's essential to have them set up properly.
Spoofing
With spoofing, a malicious actor pretends to be someone else by sending an email from a forged sender address. It may appear as though the message comes from a trusted source — for example, info@cloud86.io — while in reality, it does not.
These fake emails are often used for phishing, scams, or the spread of malware. Spoofing is not only dangerous for the recipient, but it also damages your reputation as the sender.
To prevent this, there are three main techniques that combine to ensure reliable and secure email communications: SPF, DKIM and DMARC.
SPF: who is allowed to send emails on behalf of your domain?
Sender Policy Framework (SPF) is a technique you use to indicate, via a DNS record, which servers are allowed to send emails on behalf of your domain name. Think of it as a list of allowed senders.
When a receiving mail server receives an email, it checks whether the sending server appears in your domain's SPF record. If it does not, the email is marked as suspicious or even rejected immediately. This helps prevent others from impersonating your domain and increases the likelihood that your legitimate emails land cleanly in the inbox.
At Cloud86, a correct SPF record is set up automatically when you purchase a Web hosting package or create a new DNS zone through our platform.
Example SPF record
Name | Type | TTL | RDATA |
@ | TXT | 14400 | "v=spf1 +a +mx +ip4:45.82.188.XX -all" |
DNS Record:
- @: This means that the SPF record applies to the root domain, such as cloud86example.com.
- TXT: SPF records are stored as TXT records in DNS, so mail servers can read the contents.
- TTL (Time To Live): This is the time in seconds that the record remains in cache; 14400 seconds = 4 hours. That is why it can take up to 4 hours before DNS changes are visible.
- RDATA: The contents of the SPF record, which defines the allowed senders.
SPF value:
- v=spf1: Indicates an SPF record version 1.
- +a: Allows emails to be sent from the IP address associated with your domain's A record (the server your website is running on).
- +mx: Permits emails to be sent from the mail servers set up in your domain's MX records (the servers where your mail runs).
- +ip4:45.82.188.XX: Explicitly authorizes the IP address 45.82.188.XX to send emails on behalf of your domain (this is a specific server IP; the exact value can be found in Plesk, see "Where can I find my server name and ip address?").
- -all: All other servers are explicitly denied (hard fail).
So this record means: only the server on the A record, the MX servers, and the IP address 45.82.188.14 are allowed to send emails on behalf of this domain - all others are rejected.
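The left-to-right evaluation a receiving server performs on such a record can be sketched as follows. This is an added example, not Cloud86 code: the `DNS_A` and `DNS_MX` tables are constructed stand-ins for live DNS lookups, the 192.0.2.x addresses are constructed documentation addresses (192.0.2.30 replaces the XX placeholder), and only the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for live A and MX lookups (assumption).
DNS_A = {"cloud86example.com": ["192.0.2.10"],
         "mail.cloud86example.com": ["192.0.2.20"]}
DNS_MX = {"cloud86example.com": ["mail.cloud86example.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The article's record, with the XX placeholder replaced by a constructed IP.
RECORD = "v=spf1 +a +mx +ip4:192.0.2.30 -all"


def resolve_a(host):
    """Return the constructed A-record addresses for a host name."""
    return [ipaddress.ip_address(a) for a in DNS_A.get(host, [])]


def check_spf(record, sender_ip, domain):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in resolve_a(arg or domain)
        elif name == "mx":
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(ip in resolve_a(h) for h in hosts)
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include, exists, etc. are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"
```

Replacing `-all` with `~all` in the record turns the result for an unlisted server from `fail` into `softfail`, which receivers usually treat as suspicious rather than rejecting outright.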
DKIM: verifying authenticity and content
DomainKeys Identified Mail (DKIM) ensures that e-mails sent on behalf of your domain have a digital signature. This signature is added automatically by the sending server and is linked to a DNS record on your domain.
When the recipient receives your e-mail, their mail server can check:
- Whether the e-mail really comes from your domain
- Whether the content has not been modified along the way
This extra check helps to increase trust in your e-mails and reduces the chance that your messages will end up in the spam folder. At Cloud86 DKIM is not active by default, but you can enable it through our manual:
When you use our migration service, we ensure that existing DKIM settings are correctly taken over or changed. This keeps your email secure, without the need for your own technical knowledge.
DMARC: your email policy and security control
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a security layer that uses the outcomes of SPF and DKIM. With a DMARC record, you specify what should happen if an e-mail on behalf of your domain fails these checks.
For example, you can specify that:
- the email should be rejected (reject),
- the email should be placed in the spam folder (quarantine),
- the email should be accepted, for example for monitoring purposes (none).
DMARC helps you to increase the reliability of your e-mail traffic and limit abuse of your domain. Want to know if your domain already has a DMARC record, or what the content is? Check it at https://mxtoolbox.com/DMARC.aspx.
Example DMARC record
Name | Type | TTL | RDATA |
_dmarc | TXT | 14400 | "v=DMARC1; p=quarantine; rua=mailto:dmarc@cloud86example.com" |
DMARC Value:
- v=DMARC1: Indicates a DMARC record version 1.
- p=quarantine: Place emails that fail in the spam folder.
- rua=mailto:...: Send a combined (aggregated) report of messages that fail to the mail address listed after mailto. We recommend using a separate mail address for this. In addition to rua, there is also ruf, which sends each message separately instead of combined.
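How a receiver turns such a record plus the SPF and DKIM outcomes into a decision can be sketched as below. This is an added example, not Cloud86 code, and it goes slightly beyond the text: DMARC also requires that the domain which passed SPF or DKIM matches the visible From domain (alignment), and `sp` overrides `p` for subdomains. The `aligned` helper is a simplified assumption; real receivers compare organizational domains using the Public Suffix List.

```python
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@cloud86example.com"


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def aligned(from_domain, auth_domain):
    """Simplified relaxed alignment: same domain, or parent/child of it."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_disposition(record, policy_domain, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples.

    Returns "pass" when DMARC passes, otherwise the policy to apply:
    "none", "quarantine" or "reject". Returns "no-policy" for a bad record.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    for result, auth_domain in (spf, dkim):
        # One aligned pass (SPF or DKIM) is enough for DMARC to pass.
        if result == "pass" and aligned(from_domain, auth_domain):
            return "pass"
    policy = tags.get("p", "none")
    if from_domain.lower() != policy_domain.lower():
        policy = tags.get("sp", policy)  # subdomains use sp when present
    return policy
```

The second test case in particular is worth noting: an SPF pass for an unrelated bounce domain does not satisfy DMARC, which is why a forged From address still fails even when the sending server has valid SPF for its own domain.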
Example mail rejection
When a receiving mail server rejects an e-mail because it fails the DMARC check (and your policy is set to reject), the sender may get the following message:
Your message wasn't delivered because the recipient's email provider rejected it
Diagnostic information for administrators:
Generating server: [server name] [recipient address].
Remote server returned '550 5.7.509 Access denied, sending domain [sender domain] does not pass DMARC verification and has a DMARC policy of reject.'
Reliable, secure mail at Cloud86
To ensure that your email traffic is reliable, secure and working correctly at Cloud86, it is important that the correct DNS records are set. The table below contains all the essential settings required for:
- correct delivery of emails (A and MX records)
- protection against spam and spoofing (SPF, DKIM, DMARC).
When you set these records or have them created automatically through our web hosting or DNS management environment, you ensure a solid foundation of your email security and delivery reliability.
Name | Type | TTL | RDATA |
@ | A | 14400 | <ip server> |
@ | MX | 14400 | 10 <domain> |
_dmarc | TXT | 14400 | "v=DMARC1; p=quarantine; sp=quarantine;" |
_domainkey | TXT | 14400 | "o=-" |
cloud86._domainkey | TXT | 14400 | <dkim record (Enable DKIM)> |
@ | TXT | 14400 | "v=spf1 +a +mx +ip4:<ip server> -all" |
Note: Are you using our migration service or moving your domain name to Cloud86? Then we will automatically ensure that these settings are created or taken over correctly and completely.