Email Authentication Records

Rachel B.
  • Updated
Follow

If emails are going to spam, or if mail testing tools report problems with email authentication records like SPF, DKIM, or DMARC, then DNS will need to be looked at and possibly records corrected. There could even be bouncebacks that specifically call out one of these records.

DKIM, SPF, and DMARC are extremely important to help ensure the best possible email deliverability.

Some example errors are as follows, particularly from bouncebacks.

550 DKIM Sender Invalid

550 5.7.23 SPF validation failed

SPF unauthorized mail is prohibited You're mail was rejected because you are not using a server that is authorized to send mail from your domain. This is a problem with your email configuration. Please contact your email provider to learn how to fix this problem.

Related Articles

Update SPF Record
Correcting a Failing DKIM Record
Add DMARC Record in cPanel

Check DNS Records

CAUTION: The Email Deliverability tool in cPanel often falsely reports issues with Email Authentication records or that DNS for a domain isn't controlled by this cPanel. You must check the DNS and WHOIS to determine where the nameservers are and if the Email Authentication records are correct.
REPLACE: In all below instances of DOMAIN.COM ensure to replace with the domain you are troubleshooting.

  1. Check the domain's nameservers using a tool such as dnschecker.org
    1. Select the dropdown that shows A
    2. Select NS in the dropdown menu
    3. Search for DOMAIN.COM
      CAUTION: If the nameservers are not set to InMotion Hosting's nameservers, then the DNS is not controlled here in cPanel. The nameservers determine where the DNS is controlled. If not controlled here, DNS modifications will need to be made at the provider of the nameservers.
  2. Check the domain's MX records
    NOTE: The MX record shows where the domain's email is set to be delivered to. The purpose of checking is to determine if InMotion Hosting is your mail provider, or if your mail is provided by a third party.
    1. Select the dropdown that shows NS
    2. Select MX in the dropdown menu
    3. Search for DOMAIN.COM
      TIP:       This is commonly set to something like MAIL.DOMAIN.COM. Other times, it may show something like ASPMX.L.GOOGLE.COM or DOMAIN_COM.OUTLOOK.COM. If it shows something like the latter, that tells you your mail provider. If the provider is not apparent from the MX record, continue to steps 2.4-2.10.
    4. Copy the result of the MX lookup
    5. Select the dropdown that shows MX
    6. Select A in the dropdown menu
    7. Paste the results gotten from the MX lookup in the search box and search
    8. The result should be an IP address, which will need to be copied
    9. Perform a whois lookup on the IP address at ICANN
    10. Under Contact Information>Registrant>Name will be the name of the organization who provides email for the domain
  3. Determine if the domain has an SPF record
    1. Back in the dnschecker.org tool, select the dropdown that shows A
    2. Select TXT in the dropdown menu
    3. Search for DOMAIN.COM
    4. The SPF record will begin with v=spf1
    5. If the domain lacks an SPF record, it will need to be added to ensure reliable email delivery
    6. If the domain has an SPF record, ensure that it is valid according to your mail provider's recommendations
      TIP: If Inmotion Hosting is the mail provider, the recommended SPF record can be found in cPanel, following this guide. If the mail provider is a third party, check with them for the recommended SPF record.
  4. Determine if the domain has a DMARC record
    1. Back in the dnschecker.org tool, ensure TXT is selected in the dropdown
    2. Search _DMARC.DOMAIN.COM
    3. If no results are given, a DMARC record should be added using cPanel, or the below values if the DNS is managed by a third party
      1. To instruct recipients to reject all unauthenticated emails
        Name TTL Type Value
        _DMARC.DOMAIN.COM 900 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400
      2. To instruct recipients to quarantine (spam) all unauthenticated emails
        Name TTL Type Value
        _DMARC.DOMAIN.COM 900 TXT v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400
      3. To instruct recipients to handle all unauthenticated emails however the recipient chooses
        Name TTL Type Value
        _DMARC.DOMAIN.COM 900 TXT v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400
  5. Determine if the domain has a DKIM record
    1. Back in the dnschecker.org tool, ensure TXT is selected in the dropdown
    2. Search DEFAULT._DOMAINKEY.DOMAIN.COM
    3. If no results are given, a DKIM record should be added using cPanel, or following the instructions of the third party mail provider if the mail is provided by a third party
  6. Note that DNS changes may take up to 48 hours to take effect as the DNS records propagate

Related articles

Comments

0 comments

Article is closed for comments.