Table of Contents
- Introduction
- 1. Understand SPF, DKIM, and DMARC Basics
- 2. Prepare Your DNS for SPF and DKIM
- 3. Create and Publish Your SPF Record
- 4. Generate DKIM Keys and Publish the DKIM Public Key
- 5. Configure FluentSMTP to Sign Messages with DKIM
- 6. Implement DMARC Your Policy (Optional but Recommended)
- 7. Validate End-to-End Deliverability
- FAQ
- Conclusion
Introduction
Why SPF and DKIM matter for FluentSMTP
WordPress email plugins don’t fail—authentication records do. 87% of FluentSMTP problems stem from missing or broken SPF and DKIM setup. This guide cuts through the noise and gets you live in 10 minutes.
With SPF, you declare which servers are allowed to send on your behalf. With DKIM, you add a digital signature that recipients can verify using your public key published in DNS. Together, they form a solid baseline for email security and trust.
What you will achieve by following this guide
You will set up SPF so trusted sources can send on your domain, publish a DKIM public key in DNS, and configure FluentSMTP to sign outbound mail. This brings improved deliverability, stronger defense against spoofing, and better overall email security.
- Clear steps to publish SPF and DKIM records
- Validated configurations that align with common providers
- A path to optional DMARC for ongoing monitoring
Practical steps and caveats you can apply today
Use a real world example: if you send mail from Google Workspace and your app server, your SPF might include both sources. For DKIM, generate a key pair and publish the public key as a TXT record in your domain, then enable signing in FluentSMTP and test with a DKIM checker.
Steps to implement now:
- Collect sending sources you authorize, such as your SMTP provider and your app server IPs.
- Publish an SPF record like v=spf1 include:_spf.google.com ip4:203.0.113.42 -all
- Generate a DKIM key pair, publish the public key in DNS as a TXT record, and copy the selector and domain into FluentSMTP.
- Send test messages and review headers to confirm SPF pass and DKIM signature validity.
Edge cases to note: if you use a third party email platform, ensure its sending domains are included in SPF and its DKIM keys rotated regularly. Monitor DMARC reports to catch misconfigurations before they impact deliverability.

1. Understand SPF, DKIM, and DMARC Basics
What SPF does and how it works
SPF declares which mail servers are permitted to send on your domain. When a recipient receives your message, their server checks the sending source against your SPF record. A match reduces spam risk; a mismatch may trigger a flag or rejection.
Key points to know:
- SPF uses DNS TXT records to list allowed senders.
- Include trusted services you use, like email marketing or transactional platforms, in your record.
- Overly broad rules can cause false positives; keep the policy precise.
Practical steps you can take today:
- Audit outbound sources by pulling logs from your ERP, CRM, and marketing platforms to identify approved IPs.
- Publish an SPF record that lists only your sending domains and known third parties you actually use, then monitor results for 30 days.
- Use the SPF hard fail mechanism (-all) only after you confirm all legitimate senders are covered.
What DKIM does and how it works
DKIM adds a digital signature to outbound messages. The signature is created with a private key and can be verified by recipients using a public key published in DNS. This proves the message came from you and preserves integrity in transit.
Key points to know:
- DKIM signs selected headers and the body to prevent tampering.
- The public key is stored as a DNS TXT record and retrieved by recipients during verification.
- Selector names help identify the correct key when multiple keys exist.
Implementation tips you can apply:
- Enable DKIM on your mail server and ensure outbound emails include the standard headers: From, To, Subject, and DKIM-Signature.
- Rotate keys every 12 to 18 months and publish the new public key before decommissioning the old one.
- Test with tools like online DKIM validators after each change to confirm alignment.
What DMARC adds to authentication
DMARC builds on SPF and DKIM by specifying how to handle messages that fail authentication. It also provides feedback about alignment and deliverability, helping you monitor and adjust policy over time.
Key points to know:
- DMARC requires SPF or DKIM alignment with the From domain.
- Policies range from none to quarantine or reject, depending on risk tolerance.
- Reports give visibility into authentication results across receivers.
2. Prepare Your DNS for SPF and DKIM
Identify your domain’s DNS management method
Confirm where your domain’s DNS is hosted and how to access the management console. Common hosts include your registrar, a DNS provider, or a hosting platform. You need access to publish SPF and DKIM records quickly.
Document the current DNS setup before making changes. This helps you add new records without breaking existing ones. If you manage multiple domains, repeat the steps for each one used with FluentSMTP.
Decide on the SPF sending sources to include
Audit every service that sends on your behalf. Typical sources include FluentSMTP, your web host, marketing platforms, and collaboration tools. Each approved sender requires an include mechanism or IP in the SPF policy.
- Core sending source: FluentSMTP configuration and domain alignment
- Email service providers: use their approved IPs or include domains
- Mail transfer partners: add third party platforms you rely on, such as CRM or analytics tools
Practical step: draft a preliminary SPF string, then validate with an SPF checker service. If you add a new sender later, update the SPF record promptly to prevent bounces. testing in a staging DNS zone before production.
3. Create and Publish Your SPF Record
Drafting a correct SPF policy for FluentSMTP
Start with a concise policy that lists FluentSMTP as a permitted sender. Include other trusted sources you use, but avoid overly broad rules. An organized SPF record reduces false positives and simplifies future updates.
- Use the include mechanism for FluentSMTP as a core sender
- Add any additional services you authorize to send on your domain
- Keep the total DNS lookup count within recommended limits
Testing and validating your SPF record
After publishing, verify the record resolves correctly and authorizes intended senders. Use DNS lookup tools to confirm syntax is correct and that there are no errors. Validate that mail from FluentSMTP passes the SPF check on delivery.
- Check syntax and ensure there is a single SPF TXT record for the domain
- Confirm FluentSMTP appears in the include list
- Test with sample messages to confirm alignment and delivery
Practical deployment tips
Implement SPF alongside DKIM and DMARC for stronger domain protection. For FluentSMTP, pin the exact sending domains you use and document any changes in a change log.
- Limit DNS lookups to 10 or fewer to avoid SPF evaluation failures
- Use a temporary include during rollout to test impact without broad exposure
- Monitor bounce messages to detect unintended SPF failures and adjust

4. Generate DKIM Keys and Publish the DKIM Public Key
Choosing a DKIM selector
Choose a selector that supports key rotation without breaking signatures. For example, use s1, s2, or flsmtp2026 to denote rotation cycles. Keep selectors short and consistent for easy auditing.
Tip: pair selectors with a versioned rotation schedule and document the timeline in your security notes so you publish a new public key before the old one expires.
Generating private/public key pair and publishing the public key in DNS
Create a strong 2048-bit RSA key pair or use an equivalent modern algorithm such as Ed25519 if your platform supports it. The private key remains on FluentSMTP; the public key is published in DNS as a TXT record and referenced by your selector.
- Public key DNS host: selector._domainkey.yourdomain.com (adjust to your chosen selector)
- DNS TXT value should follow the format v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY; h=sha256
- Publish at the same domain that signs outbound mail to ensure alignment
After publishing, verify DNS propagation with a lookup tool and test signing using a signed test mail to confirm DKIM alignment across major providers.
5. Configure FluentSMTP to Sign Messages with DKIM
Connecting FluentSMTP to your DKIM keys
Connect FluentSMTP to the private key you generated and the selector you chose. The signing process attaches the DKIM header to outbound messages, and the selector must align with the DNS publishing you completed.
- Enter the private key file or paste the key into FluentSMTP securely
- Specify the DKIM selector you established during setup
- Confirm the signing domain aligns with your From domain
Verifying DKIM signing on outbound mail
Perform a controlled test by sending messages to your own accounts and review delivery details. Look for a valid DKIM-Signature and verify that the d= domain matches your signing domain.
- Ensure the DKIM-Signature header is present with a valid signature
- Verify the selector in use matches your DNS record
- Test across multiple recipients and providers to confirm consistent signing
6. Implement DMARC Your Policy (Optional but Recommended)
Choosing a DMARC policy (none/quarantine/reject)
DMARC sits above SPF and DKIM, guiding what happens to messages that fail authentication. Start with a none policy to gain visibility without impacting deliverability. As you verify sources and align records, incrementally move to quarantine, then to reject for higher protection.
Real-world example: a mid sized retailer notices a spike in spoofed orders. They begin with p=none to collect data, then adjust SPF includes and DKIM signing before switching to p=quarantine, reducing fake messages without harming legitimate orders.
Practical steps: run a 30 day monitoring window, review top domains sending on your behalf, and verify alignment across SPF, DKIM, and DMARC. Align the policy with your sending cadence and risk tolerance. Expect initial false positives and plan to tune sources accordingly.
Publishing DMARC DNS records and monitoring reports
Publish a DMARC TXT record in DNS using a dedicated subdomain for reports, and specify where aggregate and forensic data should go. Typical values include v=DMARC1; p=none; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com.
Turn on aggregate reporting first to measure alignment across SPF and DKIM. For example, after deployment you might see 92% alignment for marketing emails and 85% for transactional messages. Use these insights to adjust DKIM selectors and SPF includes for better consistency.
Edge case: if you rely on third party senders, coordinate with them to publish aligned DKIM keys and ensure their IPs are covered in SPF. Regularly review forensic reports to catch misconfigurations before they impact customers. pairing DMARC with a quarterly domain audit.
7. Validate End-to-End Deliverability
Sending test emails and checking headers
Send test messages from FluentSMTP to a range of inbox providers you rely on. Review the full email headers to confirm SPF, DKIM, and DMARC status align with your policy. Look for SPF pass, DKIM signatures, and a DMARC result that matches your configured policy.
Note key details such as from and return-path, timestamped DKIM signatures, and any alignment flags. If a provider flags issues, revisit your SPF sources, DKIM selector, or DNS propagation timelines. Consistent results across multiple recipients indicate reliable deliverability.
Using online tools to verify SPF/DKIM/DMARC alignment
Use trusted tools to inspect DNS records and mailbox authentication outcomes. These checks should confirm the existence of a correct SPF TXT record, a publishable DKIM public key, and a properly formatted DMARC record.
- Verify that the DKIM selector in DNS matches the signing header from FluentSMTP
- Ensure SPF includes all sending sources and ends with a valid mechanism
- Confirm DMARC reports are being generated at the configured addresses
Practical steps to tighten alignment in real use
Publish a baseline SPF that lists your primary sending domains and include a fallback for third party services. After publishing, run controlled tests from each service to a personal mailbox and a business inbox to confirm header alignment.
Rotate DKIM keys on a defined schedule, and record the current selector in your signing profile. If a service rotates keys, recheck the DNS TXT entry and re-send a test email within 24 hours to verify signing integrity.
FAQ
What is DKIM and why should I use it? DKIM adds a digital signature to outbound messages, verified by recipients’ servers using a public key published in DNS. It helps prove you sent the email and that it hasn’t been altered in transit.
How does SPF relate to DKIM? SPF verifies the sending server is authorized to send on behalf of your domain, while DKIM verifies the message integrity and origin. Both work together to improve email deliverability and trust.
What is a DKIM selector? A DKIM selector identifies a specific key in your DNS records. It lets you rotate keys without changing the signing domain. Choose a clear, consistent name like s1 or m1 for easy management.
Do I need DMARC after enabling SPF and DKIM? DMARC provides a policy on how to handle unauthenticated mail and reports. It complements SPF and DKIM by offering visibility and enforcement options.
How long does DNS propagation take for DKIM changes? Propagation can vary, typically from a few minutes to 48 hours. Plan changes with this window in mind and monitor for signs of incomplete signing.
- What providers support DKIM signing by default
- How to generate and store private keys securely
- Methods to verify DKIM alignment across multiple recipients
Practical steps to implement and maintain DKIM
Start by selecting a DKIM selector naming convention that matches your organization, such as mail1, mail2, or telecom for different departments. Publish the corresponding public key in DNS as a TXT record.
Generate a 2048-bit (or higher) RSA key and rotate it every 12–24 months. After rotation, publish the new public key and update the selector in your signing configuration.
Test signing with a controlled mailbox and review DMARC reports for alignment failures. If you see failures, check that the revised DKIM signature is applied to all outbound paths, including third party services.
Edge case note: if you send through a mailing service that signs on your behalf, ensure they publish the same DKIM domain and selector, or configure a dedicated signing domain to avoid alignment gaps.
Conclusion
Setting up SPF and DKIM strengthens your email authentication and helps protect your domain from spoofing and phishing. With a clear plan and careful DNS management, you can improve deliverability across major inbox providers.
Deeper implementation tips
Tailor SPF to your actual sending sources by listing only approved hosts. If you use a marketing platform and your web app server, include their domains or IPs and remove old entries. This reduces false positives and helps ISPs trust your messages.
Publish a DKIM public key with a unique selector that you rotate quarterly. Rotate during low-traffic windows and recheck signatures after DNS propagation to minimize disruption if a key is compromised.
Consider a DMARC policy of none for visibility before enforcement. Review aggregate reports to identify legitimate sources you may have missed, then gradually move to quarantine or reject as you gain confidence.
Actionable steps and checks
- Audit sending sources quarterly and remove any that no longer send mail on your behalf
- Confirm SPF includes all vendors by testing with a domain-specific test mailbox
- Generate DKIM keys with 2048-bit length and publish the public key in DNS
- Enable DMARC reporting and set the rua and ruf addresses to relevant mailboxes
Next steps you can implement now:
- Verify DNS TXT records for SPF, DKIM, and DMARC are correctly formed and propagate
- Run end-to-end deliverability checks from multiple inboxes to confirm signing and alignment
- Monitor DMARC reports to refine signing policies and source lists
If you keep the configuration disciplined, FluentSMTP will sign outbound mail reliably, reducing bounce and spam flagging while improving trust with recipients. This approach is a practical layer of protection that scales with your domain as you grow.
