SMTP Authentication Setup Guide

Step-by-step SPF, DKIM, and DMARC configuration for professional email sending

Why Authentication Matters

Without proper authentication, your emails are more likely to be flagged as spam or rejected entirely. ISPs use authentication to verify you are who you claim to be.

✅ CloudMails Handles Authentication

CloudMails automatically configures SPF, DKIM, and DMARC for your sending domains. This guide explains the underlying setup for understanding or manual configuration.

1. SPF Setup (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email for your domain.

How SPF Works

When a receiving server gets your email, it checks your SPF record to verify the sending server is authorized.

Step 1: Create SPF Record

Add a TXT record to your DNS with this format:

v=spf1 include:_spf.cloudmails.eu ~all

This tells receiving servers: "The servers listed at _spf.cloudmails.eu are authorized senders. Mail from any other server gets a softfail result."

Step 2: Deploy SPF Record

Go to your DNS provider and add:

  • Type: TXT
  • Name/Host: @ (or your subdomain)
  • Value: v=spf1 include:_spf.cloudmails.eu ~all
  • TTL: 3600 (1 hour)

Step 3: Verify SPF

Use this command to verify:

nslookup -type=TXT yourdomain.com

You should see your SPF record returned.

SPF Syntax Reference

v=spf1 [mechanism] [mechanism] ... [modifier]

Mechanisms:
- ip4:192.168.1.1 - Specific IPv4 address
- ip6:2001:db8::1 - Specific IPv6 address
- include:domain.com - Include another domain's SPF
- a - Authorize the A/AAAA records
- mx - Authorize the MX records
- all - End rule (fail, softfail, neutral, pass)

Qualifiers:
- + (pass, default)
- - (fail)
- ~ (softfail)
- ? (neutral)

2. DKIM Setup (DomainKeys Identified Mail)

DKIM adds a cryptographic signature that proves your email wasn't tampered with in transit.

How DKIM Works

Your sending server signs the email with a private key. The receiving server uses the public key from your DNS to verify the signature.

Step 1: Generate DKIM Key Pair

CloudMails generates this for you automatically. If doing manually:

openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

Step 2: Deploy DKIM Record

Add to your DNS:

  • Type: TXT
  • Name/Host: cloudmails._domainkey
  • Value: (CloudMails provides this value)
  • TTL: 3600

Step 3: Verify DKIM

CloudMails automatically verifies DKIM setup. You can also use online DKIM lookup tools.

CloudMails DKIM Advantage

CloudMails rotates DKIM keys automatically and manages multiple DKIM selectors for different sending purposes. This prevents key compromise from affecting all your sending.

3. DMARC Setup (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receiving servers what to do when emails fail SPF/DKIM authentication.

DMARC Policy Levels

p=none        # Monitor only, no action taken
p=quarantine  # Send failures to spam folder
p=reject      # Hard reject failures (recommended)

Step 1: Create Initial DMARC Record

Start with monitoring to see your baseline:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Step 2: Deploy DMARC Record

Add to your DNS:

  • Type: TXT
  • Name/Host: _dmarc
  • Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
  • TTL: 3600

Step 3: Upgrade After 2-4 Weeks

After monitoring your DMARC reports:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

After another 2 weeks with good metrics:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

⚠️ DMARC Reject Requires 100% Authentication

Before setting p=reject, make sure your SPF and DKIM are working correctly. p=reject on broken authentication will block ALL your email.

4. Combined Authentication Flow

All three work together to verify your identity:

✅ Complete Authentication Flow

  1. SPF check – Is the sending server in your SPF record?
  2. DKIM check – Does the cryptographic signature verify?
  3. DMARC check – Do SPF and DKIM align with your sending domain?
  4. DMARC policy – Apply the policy (none/quarantine/reject)
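The flow above, applied to a single message, as an added example (not CloudMails code). It shows that mail can pass SPF and DKIM and still fail DMARC when neither authenticated domain aligns with the From domain. AuthResults, evaluate and the esp.example domains are constructed for illustration; the organizational domain is approximated by the last two labels, and pct sampling is not modeled.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class AuthResults:       # constructed stand-in for a receiver's per-message results
    header_from: str     # domain in the visible From: header
    spf_pass: bool       # step 1: sending server authorized by SPF?
    spf_domain: str      # envelope MAIL FROM domain that SPF checked
    dkim_pass: bool      # step 2: DKIM signature verified?
    dkim_domain: str     # d= domain of that signature


def evaluate(record: str, msg: AuthResults) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)["p"]
    want = org_domain(msg.header_from)
    # Step 3: a result only counts if it passed AND its domain aligns with From.
    spf_ok = msg.spf_pass and org_domain(msg.spf_domain) == want
    dkim_ok = msg.dkim_pass and org_domain(msg.dkim_domain) == want
    # Step 4: one aligned pass is enough; otherwise the published policy applies.
    return "pass" if (spf_ok or dkim_ok) else policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
    # Constructed cases: the provider signs with your domain vs. with its own.
    signed_as_you = AuthResults("yourdomain.com", True, "bounces.esp.example", True, "yourdomain.com")
    signed_as_esp = AuthResults("yourdomain.com", True, "bounces.esp.example", True, "esp.example")
    print(evaluate(record, signed_as_you), evaluate(record, signed_as_esp))
```

Running the second case against your p=none record during the monitoring phase is how you find unaligned senders before moving to quarantine or reject.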
