If your emails are landing in spam folders — or worse, someone is sending emails pretending to be you — it is time to set up email authentication. SPF, DKIM, and DMARC are three DNS records that tell receiving mail servers your messages are legitimate. This guide walks you through setting up all three on your HOSTDOG hosting.

What each record does

Record Purpose How it works
SPF Authorizes senders Lists the IP addresses and servers allowed to send email on behalf of your domain
DKIM Digital signature Adds a cryptographic signature to outgoing emails so the recipient can verify the message was not altered in transit
DMARC Policy for failures Tells receiving servers what to do when SPF or DKIM checks fail (e.g., quarantine or reject the message) and where to send reports
Why all three? SPF and DKIM each solve part of the problem. DMARC ties them together and gives you visibility into who is sending email using your domain. For the best protection and deliverability, you should set up all three.

Prerequisites

  • An active HOSTDOG hosting plan with at least one domain
  • Your domain pointed to HOSTDOG nameservers (ns1.hostdog.gr and ns2.hostdog.gr)
  • Access to your hosting control panel

Set up an SPF record

An SPF record is a TXT record in your domain's DNS that specifies which servers are allowed to send email for your domain.

Step 1:
Log in to your control panel

Navigate to the HOSTDOG homepage and click the Log in button in the top right corner. Once in the Client Area, go to Services, select your hosting plan, and click Log in to Control Panel.

Step 2:
Open the DNS Zone Editor

In your control panel, find the Domains section and click Zone Editor (or DNS Zone Editor). Select the domain you want to configure.

Step 3:
Check for an existing SPF record

Look through your existing DNS records for a TXT record that starts with v=spf1. Many hosting accounts already have a default SPF record. If one exists, you will edit it rather than creating a duplicate — having two SPF records will cause authentication to fail.

Step 4:
Add or edit the SPF TXT record

Click Add Record (or edit the existing one) and enter the following:

Field Value
Type TXT
Name yourdomain.com (or @)
Value v=spf1 +a +mx +ip4:YOUR_SERVER_IP ~all

Replace YOUR_SERVER_IP with your hosting server's IP address, which you can find in your control panel's dashboard or server information page.

Important: Your domain must have only one SPF record. If you use additional email services (e.g., a newsletter provider), include them in the same record using include: directives. For example: v=spf1 +a +mx +ip4:YOUR_SERVER_IP include:spf.mailprovider.com ~all

Set up DKIM signing

DKIM adds a cryptographic signature to every outgoing email, allowing recipients to verify it genuinely came from your server and was not tampered with.

Step 1:
Navigate to the email section

In your control panel, find the Email section and look for Email Deliverability or Authentication. The exact name depends on your control panel version.

Step 2:
Enable DKIM for your domain

Select your domain from the list. If DKIM is not yet enabled, click Manage or Repair to generate and install the DKIM key automatically. The control panel will create the necessary DNS record for you.

Step 3:
Verify the DKIM record

After enabling DKIM, the control panel adds a TXT record to your DNS zone. It will look something like this:

Field Value
Type TXT
Name default._domainkey.yourdomain.com
Value v=DKIM1; k=rsa; p=MIIBIjANBg... (your public key)

The control panel handles the key generation and DNS entry automatically. Confirm the status shows as valid or green before moving on.

Set up a DMARC record

DMARC builds on SPF and DKIM by telling receiving servers how to handle emails that fail authentication checks. It also lets you receive reports about unauthorized use of your domain.

Step 1:
Open the DNS Zone Editor

Return to the Zone Editor in the Domains section of your control panel (the same place you added the SPF record).

Step 2:
Add the DMARC TXT record

Click Add Record and enter the following:

Field Value
Type TXT
Name _dmarc.yourdomain.com
Value v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com

Replace you@yourdomain.com with the email address where you want to receive DMARC aggregate reports.

Tip: Start with p=quarantine rather than p=reject. This sends suspicious emails to spam instead of blocking them entirely. Once you have reviewed the DMARC reports and confirmed only legitimate emails pass, you can tighten the policy to p=reject.

Quick reference

A summary of all three records for easy reference:

Record DNS type Name Example value
SPF TXT yourdomain.com v=spf1 +a +mx +ip4:YOUR_SERVER_IP ~all
DKIM TXT default._domainkey.yourdomain.com v=DKIM1; k=rsa; p=... (auto-generated)
DMARC TXT _dmarc.yourdomain.com v=DMARC1; p=quarantine; rua=mailto:you@yourdomain.com

How to verify your records

After adding all three records, verify they are working correctly:

  1. Wait for DNS propagation — changes can take up to 24-48 hours to propagate worldwide, though most updates take effect within a few minutes.
  2. Use the Email Deliverability tool — your hosting control panel includes an Email Deliverability section that checks SPF, DKIM, and reverse DNS for each domain. Look for green status indicators.
  3. Use online verification tools — free services like MXToolbox let you check SPF, DKIM, and DMARC records by entering your domain name.
  4. Send a test email — send an email to a Gmail or Outlook account and check the message headers. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header.

Troubleshooting

SPF check fails even after adding the record
  • Make sure you have only one SPF record. Multiple SPF records cause a PermError and both are ignored.
  • Verify the server IP in your SPF record matches your actual hosting server IP.
  • If you use external email services (newsletter tools, CRM), add their include: directive to your existing SPF record.
  • Check that DNS propagation has completed — use MXToolbox SPF Lookup to verify.
  • Go to the Email Deliverability section in your control panel and check if DKIM shows as valid for your domain.
  • If it shows a warning, click Repair to regenerate the DKIM key and DNS record.
  • Make sure the DKIM TXT record exists in your DNS zone under default._domainkey.yourdomain.com.
  • DKIM keys can be long — ensure the full key was saved without being truncated.

If you use third-party services that send email on behalf of your domain (e.g., newsletter platforms, CRM, or transactional email providers), they need to be authorized in your SPF record and may need their own DKIM setup:

  • Add the service's include: directive to your SPF record.
  • Follow the service's documentation to set up DKIM signing with your domain.
  • Keep your DMARC policy at p=quarantine until all legitimate sending sources pass authentication.
  • Verify all three records pass by checking the email headers of a test message (look for spf=pass, dkim=pass, dmarc=pass).
  • Check your server's IP reputation — if it has been blacklisted, authentication alone will not fix deliverability.
  • Make sure your emails follow best practices: avoid spammy subject lines, include an unsubscribe link in bulk emails, and maintain a clean mailing list.
  • See Why are my emails going to spam? for more solutions.

Frequently asked questions

Do I need all three records (SPF, DKIM, and DMARC)?

Technically, each record works independently, but setting up all three provides the best protection and deliverability. Major email providers like Gmail and Outlook increasingly require all three for full trust. Without DMARC, you also have no visibility into who might be spoofing your domain.

SPF, DKIM, and DMARC protect your domain from being used in spoofing attacks and help your legitimate emails reach the inbox. They do not filter incoming spam to your mailbox — that is handled by your server's spam filters (Imunify360 and ModSecurity WAF on HOSTDOG hosting).

~all (soft fail) marks unauthorized senders as suspicious but still delivers the email, usually to spam. -all (hard fail) tells receiving servers to reject emails from unauthorized senders outright. We recommend starting with ~all and switching to -all once you have confirmed all your legitimate sending sources are listed in the SPF record.

Review your DMARC aggregate reports weekly during the first month after setup. This helps you identify any legitimate sending sources you may have missed. Once everything is stable, a monthly review is sufficient. The reports are sent as XML files to the email address you specified in the rua tag — you can use free online DMARC report analyzers to make them easier to read.

Yes, but you will need to add the DNS records through your external DNS provider's control panel instead of the HOSTDOG control panel. The record values remain the same — you just enter them in a different interface. If your domain uses HOSTDOG nameservers (ns1.hostdog.gr and ns2.hostdog.gr), follow the steps in this guide directly.

Related articles

Need Help? If you need assistance setting up email authentication records, our support team is available 24/7. Navigate to the HOSTDOG homepage and click the Log in button to open a support ticket and we will assist you promptly.
Tags: HOSTDOG Email Hosting Email Authentication DNS Tutorial Step-by-Step Guide