Product » A free email server for Windows and Linux » Knowledge Base

Document information

Document ID: 5144
Subject: How to use SPF, DKIM and DMARC for your domain
Creation date: 8/10/17 1:29 PM
Last modified on: 8/10/18 3:03 PM

How to use SPF, DKIM and DMARC

Implementing SPF, DKIM and DMARC is a daunting task and many administrators are reluctant in implementing these technologies simply because they are not very easy to employ, particularly DKIM and DMARC. This article not only explains why these technologies are important but also how easy they are to implement in Xeams.


SPF prevents forgery by designating a handful of IP addresses where emails can originate for your domain. SPF check will fail if a spammer sends a forged message from their own IP, allowing Xeams and other servers to treat that as spam.

It is very easy to forge a sender's email address but is very difficult to forge an IP address. This makes SPF very effective in combating email forgeries.
DKIM ensures the message was actually composed by someone belonging to the domain they claim to be part of. Additionally, it ensures the message is not modified in transit. Technically, the message is digitally signed by the email server before leaving and this signature is verified by the receiving end, allowing the receiving end to verify the authenticity of the message.

Xeams can assign a score to any incoming message where DKIM signature does not match.
DMARC builds on top of SPF and DKIM. This not only helps prevent forgery but also provides a sophisticated reporting mechanism allowing the senders to fine tune their SPF and DKIM rules.

Xeams adds a score if DMARC alignment fails. Additionally, it can also process incoming reports and send outbound reports to other email servers on the Internet.


SPF, DKIM and DMARC affect both incoming emails from the Internet as well as emails that go out from your server to other domains on the Internet.

Implementing for your domain

All three mechanisms require a TXT record in your DNS server. In addition to the TXT record, DKIM also requires creating a public/private key pair for DKIM signature. Xeams can automatically create these signatures for you without using any other third-party tool, saving you precious time and effort.

Determine which servers/machines will send emails for your domain to the Internet. It is very common to have only one machine send out-bound emails within your company, which is usually the email server.

Example 1:

Assume every outbound email goes through your email server. In that case, your SPF record will look like:
v=spf1 mx ~all

Example 2:

Assume you have a third-party company that sends outbound emails on your behalf and their public IP address is In that case, your SPF record will look like:
v=spf1 mx ip4: ~all

Example 3:

Taking the above examples one step further, assume you have outsourced your HR department to another company that also uses SPF and can send emails on your behalf. The domain name of that company is In that case, the SPF record will become:
v=spf1  mx ip4: ~all
Notice the ending ~all at the end of each record. This means a SOFTFAIL. An alternative approach is to use a -all, which indicates a FAIL. Receiving server will most likely reject any incoming message that fails an SPF test and see a -all in the SPF record. Further analysis will be performed when a ~all is used before considering it a forged message.

Relatively speaking, implementing DKIM is probably the most difficult of these three mechanism since it involves creating public/private keys. However, it is a breeze creating these keys in Xeams. Following steps demonstrate how to accomplish this goal.

  • Login to the web interface of your Xeams as admin
  • Select DKIM under Filter Management
  • Enter your domain name in the New Domain field on the right hand side
  • Enter an arbitrary value for Selector. Conventionally, it is recommended to use the current date in YYYYMMDD format.
  • Click Add
  • The system will automatically generate a public/private key using random values and display the public key on the following page. You need to paste this key in the TXT record of your DNS server.
  • When pasting the public key, ensure you use the host name display on the page, which will be in the following format:

Since DMARC provides a mechanism for reporting, its associated DNS record contains appropriate information to handle these reports. Additionally, companies can gradually rollout DMARC. For example, you can initially ask other companies to just submit reports to your Xeams without considering them spam if DMARC alignment fails. Once you are confident the reports you see in Xeams do not include any failed status for your IP addresses, you can make the rule a bit tighter.

Example 1:

When first using DMARC, set the policy (p) to none.
"v=DMARC1; p=none;"
This ensures the receiving servers will not consider your email junk even if DMARC does not align.

Example 2:

Once you do not see any abnormalities in the DMARC reports, consider changing the policy to quarantine. The DNS record will then look like:
"v=DMARC1; p=quarantine;"
The email address specified above ( is a special address handled automatically by Xeams to accept incoming reports from other servers.


The easiest way to test your configuration is to run Diagnostic Test - Outbound under the Tools menu from Xeams's web interface. We recommended you run this test periodically to ensure your email server is running correctly.

Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users?

Important: This area is reserved for useful tips. Therefore, do not post questions here. Instead, use our public forums to post questions.