
SPF, DKIM, and DMARC

Configure SPF, DKIM, and DMARC records for hosted domains in Opterius Panel to ensure reliable email deliverability.

Last updated 2026-04-08 (Unix timestamp 1775606400)
  • Why These Records Matter
  • SPF
  • DKIM
  • DMARC
  • Checking Alignment
  • Related

    Why These Records Matter

    SPF, DKIM, and DMARC are DNS-based mechanisms that tell receiving mail servers whether a message claiming to come from your domain was legitimately sent by your server. Without them, your outbound mail is more likely to be marked as spam or rejected outright — especially at large providers like Gmail and Outlook.

    | Record | What it does |
    | --- | --- |
    | SPF | Lists which servers are allowed to send mail for your domain |
    | DKIM | Cryptographically signs the body and selected headers so receivers can verify the message was not altered in transit |
    | DMARC | Defines what receivers should do when neither SPF nor DKIM produces an aligned pass, and where to send reports |

    All three should be in place before sending mail from any production domain.


    SPF

    How it works

    SPF is a TXT record on your domain that lists the IPs authorized to send mail for it. Receiving servers look up the record for the domain in the envelope sender (SMTP MAIL FROM) and check whether the connecting client's IP matches one of its mechanisms.

    Opterius setup

    When you add a domain in Opterius Panel, an SPF record is automatically created in PowerDNS:

    v=spf1 a mx ip4:YOUR_SERVER_IP ~all
    

    This permits the IPs of your domain's A and MX records, plus the listed server IP, to send mail. The ~all (softfail) is the default; you can tighten it to -all once you are confident all legitimate sending sources are listed. For DMARC the distinction does not matter, since softfail is not a pass and mail from an unlisted source already fails the SPF leg; -all mainly affects receivers that enforce SPF on its own.

    If you send from additional services

    If you use a third-party email service (e.g. transactional email via SendGrid, Mailgun) alongside your own server, add their include: mechanism:

    v=spf1 a mx ip4:YOUR_SERVER_IP include:sendgrid.net ~all
    

    [!IMPORTANT] SPF allows at most 10 DNS-querying terms per evaluation: include:, a, mx, ptr, exists and redirect= each count, and the lookups inside every included record count too, so the default a mx include:sendgrid.net record already spends several. Exceeding the limit yields a permerror, which receivers treat as no SPF pass, so a record that looks fine can stop authenticating mail without any visible error on your side. Keep the record lean and re-count after every change.

    Verification

    dig TXT yourdomain.com +short
    

    Or check via MXToolbox SPF Lookup.
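    The lookup cap is easy to exceed once includes chain into further includes, and dig alone does not show the total. The following Python script, added here as an example and not part of Opterius, counts the DNS-querying terms the way a receiver would, following include: and redirect= recursively. The zone contents (example.com, a sendgrid.net chain, bloated.example) are constructed stand-ins for real DNS answers, and spf_txt is a hypothetical resolver stub you would replace with a real TXT query.

```python
"""Count the DNS-querying terms in an SPF record the way a receiver does.

Added example, not Opterius code.  RFC 7208 limits include, a, mx, ptr,
exists and redirect= to 10 per evaluation; exceeding it is a permerror.
DNS is replaced by a constructed in-memory zone so this runs offline.
"""
from typing import Dict, Optional

# Constructed sample zone (not real DNS data): domain -> SPF TXT record.
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 a mx ip4:203.0.113.10 include:sendgrid.net ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 include:_spf.sendgrid.net ~all",
    "_spf.sendgrid.net": "v=spf1 ip4:192.0.2.0/24 -all",
    # A bloated record that chains nine includes on top of a and mx.
    "bloated.example": "v=spf1 a mx "
    + " ".join(f"include:svc{i}.example" for i in range(1, 10))
    + " -all",
}
ZONE.update({f"svc{i}.example": "v=spf1 ip4:192.0.2.1 -all" for i in range(1, 10)})

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def spf_txt(domain: str) -> Optional[str]:
    """Hypothetical resolver stub: replace with a real TXT query in production."""
    return ZONE.get(domain)


def count_lookups(domain: str, _path: tuple = ()) -> int:
    """Return how many DNS lookups evaluating `domain`'s SPF record costs,
    recursing into include: and redirect=.  Raises ValueError where a
    receiver would return permerror (missing record, include loop)."""
    if domain in _path:
        raise ValueError(f"include loop at {domain}")
    path = _path + (domain,)
    record = spf_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")              # qualifiers never cost a lookup
        if "=" in term:                         # modifier: redirect=, exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                total += 1 + count_lookups(target, path)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()       # strip CIDR, e.g. a/24
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":                   # the included record's own lookups count too
            total += count_lookups(target, path)
    return total


def check(domain: str) -> dict:
    """Summarise whether a domain's SPF record stays under the lookup cap."""
    try:
        n = count_lookups(domain)
        return {"domain": domain, "lookups": n, "ok": n <= MAX_LOOKUPS, "error": None}
    except ValueError as exc:
        return {"domain": domain, "lookups": None, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    for d in ("example.com", "bloated.example", "missing.example"):
        print(check(d))
```

    With the constructed zone, example.com costs 4 lookups (a, mx, include:sendgrid.net and the include nested inside it) and bloated.example costs 11, which is over the cap even though every individual record is valid. Note that a and mx are charged a lookup each even with no domain argument.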


    DKIM

    How it works

    DKIM uses a private/public key pair. OpenDKIM holds the private key on your server and adds a DKIM-Signature header to every outbound message, signing the body and selected headers. The public key is published as a DNS TXT record at selector._domainkey.yourdomain.com; the signature's d= (domain) and s= (selector) tags tell receiving servers which record to fetch, and they use that key to verify the signature.

    Per-domain keys

    Opterius generates a unique 2048-bit RSA key pair for each domain. Keys are stored at:

    /etc/opendkim/keys/{domain}/default.private
    /etc/opendkim/keys/{domain}/default.txt
    

    The default.txt file contains the DNS TXT record to publish. Its contents look like:

    default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkq..."
    

    Setting up DKIM via Opterius

    Opterius calls the agent's /email/setup-deliverability endpoint when a domain is configured for mail. This endpoint:

    1. Generates the key pair under /etc/opendkim/keys/{domain}/
    2. Updates /etc/opendkim/KeyTable and /etc/opendkim/SigningTable
    3. Adds the public key TXT record to PowerDNS automatically

    No manual key generation is required.

    Verifying DKIM

    dig TXT default._domainkey.yourdomain.com +short
    

    The response should contain v=DKIM1 and p= followed by the base64-encoded public key.

    Send a test message to mail-tester.com or MXToolbox Email Health to confirm the signature is being applied and validates.
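    Two things go wrong in practice at the publishing step: the default.txt file splits the record into several quoted strings with a trailing comment, and a 2048-bit key is longer than the 255 octets a single DNS TXT string can hold. The following Python module, added here as an example and not Opterius' or OpenDKIM's own code, parses a default.txt file, decodes the p= value far enough to read the RSA modulus size, re-splits the record into TXT strings, and builds the rrset body the PowerDNS HTTP API accepts. The sample file is constructed around a placeholder modulus, not a real key, and the PowerDNS request shape is an assumption; the page does not show the call Opterius itself makes.

```python
"""Parse and sanity-check the DKIM record that opendkim-genkey writes.

Added example, not Opterius code.  default.txt splits the record into
several quoted strings (a DNS TXT string holds at most 255 octets) and
ends with a ';' comment; receivers see the strings joined.  The sample
key below is a constructed placeholder, not a usable key.
"""
import base64
import re
from typing import Dict, List

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length only)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def encode_rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo: the structure carried base64-encoded in p=."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def _tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(p_b64: str) -> int:
    """Bit length of the RSA modulus inside a DKIM p= value."""
    _, spki, _ = _tlv(base64.b64decode("".join(p_b64.split())))
    _, alg, pos = _tlv(spki)                    # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("p= does not carry an RSA key")
    _, bitstr, _ = _tlv(spki, pos)              # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _tlv(bitstr[1:])            # skip the unused-bits octet
    _, n_raw, _ = _tlv(rsa_pub)                 # INTEGER n
    return int.from_bytes(n_raw, "big").bit_length()

def parse_genkey_txt(text: str) -> Dict[str, str]:
    """Join the quoted strings of a default.txt file and split them into tags."""
    record = "".join(re.findall(r'"([^"]*)"', text))
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags

def validate_dkim_record(tags: Dict[str, str], min_bits: int = 2048) -> List[str]:
    """Return a list of problems; an empty list means the record is publishable."""
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported k={tags['k']}")
    if not tags.get("p"):
        problems.append("p= is empty, which receivers treat as a revoked key")
    else:
        try:
            bits = modulus_bits(tags["p"])
            if bits < min_bits:
                problems.append(f"RSA modulus is {bits} bits, below {min_bits}")
        except (ValueError, IndexError) as exc:
            problems.append(f"p= is not a decodable RSA public key: {exc}")
    return problems

def txt_pieces(tags: Dict[str, str], limit: int = 255) -> List[str]:
    """Re-split the flat record into DNS TXT strings of at most `limit` octets."""
    flat = "; ".join(f"{k}={v}" for k, v in tags.items())
    return [flat[i:i + limit] for i in range(0, len(flat), limit)]

def powerdns_rrset(domain: str, selector: str, tags: Dict[str, str], ttl: int = 3600) -> dict:
    """Body for a PATCH to the PowerDNS HTTP API zone endpoint (assumed shape;
    the page does not show the request Opterius itself sends)."""
    content = " ".join(f'"{s}"' for s in txt_pieces(tags))
    return {"rrsets": [{"name": f"{selector}._domainkey.{domain}.", "type": "TXT",
                        "ttl": ttl, "changetype": "REPLACE",
                        "records": [{"content": content, "disabled": False}]}]}

# Constructed sample in opendkim-genkey layout (placeholder 2048-bit modulus).
_P = "p=" + base64.b64encode(encode_rsa_spki((1 << 2047) + 12345, 65537)).decode()
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    + "\n".join(f'\t  "{_P[i:i + 64]}"' for i in range(0, len(_P), 64))
    + " )  ; ----- DKIM key default for example.com\n"
)
WEAK_P = base64.b64encode(encode_rsa_spki((1 << 1023) + 3, 65537)).decode()  # 1024-bit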


    DMARC

    How it works

    DMARC is a TXT record at _dmarc.yourdomain.com. It ties SPF and DKIM together and tells receiving servers what to do when a message has neither an aligned SPF pass nor an aligned DKIM pass (see Checking Alignment below).

    DMARC also enables aggregate reporting — receiving servers send you XML reports showing how your domain's mail is being handled.

    Opterius does not create DMARC records automatically

    The DMARC policy is a deliberate choice that depends on your mail configuration. Opterius adds SPF and DKIM automatically, but you must add DMARC manually after confirming those are working.

    Recommended starting record

    Start in monitor-only mode (p=none) so you can review reports before enforcing:

    _dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1"
    
    | Tag | Value | Meaning |
    | --- | --- | --- |
    | p | none | No action on failures; monitor only |
    | rua | mailto:… | Aggregate report destination |
    | ruf | mailto:… | Failure (per-message) report destination |
    | fo | 1 | Send a failure report when either SPF or DKIM fails to produce an aligned pass (the default, 0, reports only when both fail) |

    Keep the report mailboxes on the same domain as shown; a rua or ruf address on another domain requires that domain to publish an authorization record before receivers will send to it. Expect few failure (ruf) reports in practice: many large receivers do not send them, and those that do may include message headers or content, so route them to a restricted mailbox.

    Tightening the policy

    Once reports confirm SPF and DKIM are passing consistently, move to quarantine, then reject:

    # Step 2 — quarantine failures (goes to spam folder)
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com"
    
    # Step 3 — reject failures (bounced by receiving server)
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
    

    Use pct=25 during quarantine to roll out gradually: the policy applies to a random 25% of failing messages, and the rest receive the next less severe action (none while p=quarantine, quarantine while p=reject). Raise pct in steps to 100 before moving to reject, and leave it at the default of 100 in the final record.

    [!TIP] Tools like DMARC Analyzer or Postmark's DMARC Digests make reading aggregate reports much easier than parsing raw XML.

    Verification

    dig TXT _dmarc.yourdomain.com +short
    

    Checking Alignment

    For DMARC to pass, at least one of the following must be true:

    • SPF passes for the envelope sender (MAIL FROM) domain and that domain aligns with the From: header domain
    • DKIM passes and the d= tag in the DKIM signature aligns with the From: domain

    Alignment is relaxed by default, meaning the organizational domains must match (bounce.yourdomain.com aligns with yourdomain.com); adding aspf=s or adkim=s to the DMARC record requires an exact match.

    Forwarded mail often breaks SPF alignment, because the forwarder's IP is not in your record and the envelope sender may be rewritten, while a DKIM signature usually survives unless the forwarder modifies the message. See Email Deliverability for how this affects forwarding setups.
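    The alignment rules above are exactly what you need to apply when reading the aggregate (rua) XML reports described in the DMARC section, and doing so tells you which sources would be hit by a tighter policy. The following Python script, added here as an example and not part of Opterius, parses a report and re-derives an aligned pass or fail per source IP. The report is constructed to show three cases: a direct send that passes both checks, a forwarder that broke SPF but preserved the DKIM signature, and a spoofer whose own SPF passes but does not align. org_domain is a simplification (assumption) that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Read a DMARC aggregate (rua) report and re-derive alignment per source.

Added example, not Opterius code.  Parses the RFC 7489 XML that rua=
destinations receive and checks, for each source IP, whether SPF or DKIM
produced an aligned pass against the From: domain.  The report below is
constructed; org_domain() is a simplification that ignores the Public
Suffix List.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a direct send that passes both, a forwarder that broke
# SPF but preserved the DKIM signature, and a spoofer with its own SPF.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>17</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>spammer.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    real code should use the Public Suffix List, or co.uk-style names misalign)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def evaluate_record(record: ET.Element, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC verdict for one <record>: pass if SPF or DKIM passed *and* aligned."""
    header_from = record.findtext("identifiers/header_from", "")
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain", ""), header_from, aspf)
                 for s in record.findall("auth_results/spf"))
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), header_from, adkim)
                  for d in record.findall("auth_results/dkim"))
    return {"source_ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count", "0")),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

def summarize(xml_text: str) -> dict:
    """Totals plus the sources worth investigating before tightening p=."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf") or "r", pol.findtext("adkim") or "r"
    rows: List[dict] = [evaluate_record(r, aspf, adkim) for r in root.findall("record")]
    return {
        "domain": pol.findtext("domain"), "policy": pol.findtext("p"),
        "passed": sum(r["count"] for r in rows if r["dmarc_pass"]),
        "failed": sum(r["count"] for r in rows if not r["dmarc_pass"]),
        # Would be quarantined/rejected once p= is tightened.
        "failing_sources": [r["source_ip"] for r in rows if not r["dmarc_pass"]],
        # Pass only thanks to DKIM: typical of forwarders, where SPF cannot be fixed.
        "dkim_only": [r["source_ip"] for r in rows if r["dmarc_pass"] and not r["spf_aligned"]],
        "rows": rows,
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['passed']} passed, {s['failed']} failed")
    print("failing sources:", s["failing_sources"], "dkim-only:", s["dkim_only"])
```

    On the sample, 47 messages pass and 17 fail; the failing source is the spoofer, whose SPF pass counts for nothing because spammer.example does not align with yourdomain.com. The forwarder shows up in dkim_only, which is the list to watch: those sources stay deliverable only as long as DKIM signing keeps working, so confirm it before moving past p=none.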


    Related