Why Email Authentication Matters
Without authentication records, any server on the internet can send mail claiming to be from your domain. Receiving servers have no way to distinguish your legitimate messages from spoofed ones, which leads to deliverability problems, blocklist entries, and the risk of your domain being used in phishing attacks against your own users and partners. SPF, DKIM, and DMARC give receivers the tools to verify your mail and reject everything else.SPF (Sender Policy Framework)
SPF authorizes specific mail servers to send email on behalf of your domain. You publish a TXT record in your domain’s DNS listing the servers — by IP range, hostname, or include reference — that are permitted to send as your domain. When a receiving server gets a message from your domain, it checks whether the sending server is on that list.Get Your SPF Record
Retrieve your domain’s recommended DNS configuration from the UGMail Management API:Add the SPF TXT Record
At your domain registrar or DNS provider, create a TXT record on your root domain (@ or example.com) with the following value:
A domain can have only one SPF record. If you already have an SPF record for another sending service, merge UGMail into the existing record rather than creating a second one. For example:
v=spf1 include:sendgrid.net include:ugmail.co ~all. Multiple SPF records cause authentication failures.DKIM (DomainKeys Identified Mail)
DKIM attaches a cryptographic signature to every outgoing message. UGMail signs your mail with a private key it holds for your domain; the corresponding public key is published in your DNS. Receiving servers fetch that public key and use it to verify the signature, confirming that the message genuinely originated from a system authorized by your domain and was not altered in transit.Get Your DKIM Record
UGMail generates a unique DKIM key pair for each domain you add. Retrieve the public key record to publish from the Management API:Add the DKIM TXT Record
Create a TXT record in your DNS at the following hostname:selector with the selector name returned by the API (for example, ugmail1) and example.com with your actual domain.
The record value follows this format:
<public_key> with the full Base64 public key string provided by the API response.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM by letting you declare a policy for what receiving servers should do when a message fails both checks — monitor it, quarantine it, or reject it outright. It also enables aggregate reporting, so you receive periodic digests showing authentication pass and fail rates across all mail claiming to be from your domain.Add the DMARC TXT Record
Create a TXT record at_dmarc.example.com (replace example.com with your domain):
DMARC Policy Options
Thep= tag controls what happens to mail that fails DMARC evaluation:
Recommended Rollout
Start with a monitoring-only policy and graduate to enforcement once you have confirmed that all your legitimate mail streams are passing authentication:- Start with
p=none— collect aggregate reports for at least two weeks. Review theruareport data to identify any legitimate sending sources that are not yet covered by your SPF record or signing with DKIM. - Move to
p=quarantine— failing mail goes to spam instead of being rejected. Monitor for false positives. - Advance to
p=reject— full enforcement. Unauthenticated mail is blocked at the receiving server.
Full Setup Flow
1
Retrieve your DNS records
Call
GET /api/dns/{domain} to get the SPF value, DKIM selector, and DKIM public key for your domain.2
Add the SPF record
Create or update the TXT record at your root domain with
v=spf1 include:ugmail.co ~all. If an SPF record already exists, merge the include:ugmail.co mechanism into it.3
Add the DKIM record
Create a TXT record at
selector._domainkey.yourdomain.com with the v=DKIM1; k=rsa; p=<public_key> value from the API response.4
Add the DMARC record
Create a TXT record at
_dmarc.yourdomain.com. Start with p=none and a rua address you control to begin collecting reports.5
Verify your records
Wait for DNS propagation (typically a few minutes to one hour). Use MXToolbox to check each record, and send a test message via mail-tester.com to confirm end-to-end authentication.
6
Graduate your DMARC policy
After reviewing your aggregate reports and confirming all legitimate mail passes, update your DMARC policy from
p=none to p=quarantine, then to p=reject.DNS Records Summary
Cloudflare Proxy Guidance
If your domain’s DNS is managed through Cloudflare, you must set your mail-related records to DNS-only mode (gray cloud icon) — not proxied (orange cloud). Cloudflare’s proxy handles HTTP/HTTPS traffic only and will interfere with SMTP connections and DNS lookups for mail authentication records. Set the following record types to DNS-only in your Cloudflare dashboard:- MX records — all mail exchanger records for your domain
- SPF TXT record — the TXT record at your root domain containing
v=spf1 - DKIM TXT record — the TXT record at
selector._domainkey.yourdomain.com

