> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mail.ugmail.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure SPF, DKIM, and DMARC for Email Authentication

> Set up SPF, DKIM, and DMARC DNS records for your UGMail domains to authenticate outbound email, prevent spoofing, and improve deliverability.

SPF, DKIM, and DMARC are the three pillars of email authentication. Together, they prove to receiving mail servers that messages sent from your domain are legitimate, that they have not been tampered with in transit, and that your domain has a policy for handling anything that fails those checks. Configuring all three is the most effective technical step you can take to protect your domain's reputation, prevent spoofing and phishing, and maximize deliverability to inboxes.

## Why Email Authentication Matters

Without authentication records, any server on the internet can send mail claiming to be from your domain. Receiving servers have no way to distinguish your legitimate messages from spoofed ones, which leads to deliverability problems, blocklist entries, and the risk of your domain being used in phishing attacks against your own users and partners. SPF, DKIM, and DMARC give receivers the tools to verify your mail and reject everything else.

***

## SPF (Sender Policy Framework)

SPF authorizes specific mail servers to send email on behalf of your domain. You publish a TXT record in your domain's DNS listing the servers — by IP range, hostname, or include reference — that are permitted to send as your domain. When a receiving server gets a message from your domain, it checks whether the sending server is on that list.

### Get Your SPF Record

Retrieve your domain's recommended DNS configuration from the UGMail Management API:

```http theme={null}
GET /api/dns/{domain}
```

The response includes the SPF value to publish.

### Add the SPF TXT Record

At your domain registrar or DNS provider, create a TXT record on your root domain (`@` or `example.com`) with the following value:

```txt theme={null}
v=spf1 include:ugmail.co ~all
```

| Field | Value                           |
| ----- | ------------------------------- |
| Type  | TXT                             |
| Name  | `@` (or your root domain)       |
| Value | `v=spf1 include:ugmail.co ~all` |
| TTL   | 3600 (or your provider default) |

<Note>
  A domain can have **only one SPF record**. If you already have an SPF record for another sending service, merge UGMail into the existing record rather than creating a second one. For example: `v=spf1 include:sendgrid.net include:ugmail.co ~all`. Multiple SPF records cause authentication failures.
</Note>

***

## DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to every outgoing message. UGMail signs your mail with a private key it holds for your domain; the corresponding public key is published in your DNS. Receiving servers fetch that public key and use it to verify the signature, confirming that the message genuinely originated from a system authorized by your domain and was not altered in transit.

### Get Your DKIM Record

UGMail generates a unique DKIM key pair for each domain you add. Retrieve the public key record to publish from the Management API:

```http theme={null}
GET /api/dns/{domain}
```

The response includes the full DKIM TXT record value and the selector name.

### Add the DKIM TXT Record

Create a TXT record in your DNS at the following hostname:

```txt theme={null}
selector._domainkey.example.com
```

Replace `selector` with the selector name returned by the API (for example, `ugmail1`) and `example.com` with your actual domain.

The record value follows this format:

```txt theme={null}
v=DKIM1; k=rsa; p=<public_key>
```

Replace `<public_key>` with the full Base64 public key string provided by the API response.

| Field | Value                                             |
| ----- | ------------------------------------------------- |
| Type  | TXT                                               |
| Name  | `selector._domainkey` (e.g. `ugmail1._domainkey`) |
| Value | `v=DKIM1; k=rsa; p=<public_key>`                  |
| TTL   | 3600 (or your provider default)                   |

***

## DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by letting you declare a policy for what receiving servers should do when a message fails both checks — monitor it, quarantine it, or reject it outright. It also enables aggregate reporting, so you receive periodic digests showing authentication pass and fail rates across all mail claiming to be from your domain.

### Add the DMARC TXT Record

Create a TXT record at `_dmarc.example.com` (replace `example.com` with your domain):

```txt theme={null}
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100
```

| Field | Value                                                                   |
| ----- | ----------------------------------------------------------------------- |
| Type  | TXT                                                                     |
| Name  | `_dmarc`                                                                |
| Value | `v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100` |
| TTL   | 3600 (or your provider default)                                         |

### DMARC Policy Options

The `p=` tag controls what happens to mail that fails DMARC evaluation:

| Policy       | Behavior                                                       | When to Use                             |
| ------------ | -------------------------------------------------------------- | --------------------------------------- |
| `none`       | Take no action; report only. Mail is delivered as normal.      | Initial rollout and monitoring phase    |
| `quarantine` | Route failing messages to the recipient's spam or junk folder. | After confirming legitimate mail passes |
| `reject`     | Block failing messages entirely before delivery.               | Full enforcement once you are confident |

### Recommended Rollout

Start with a monitoring-only policy and graduate to enforcement once you have confirmed that all your legitimate mail streams are passing authentication:

1. **Start with `p=none`** — collect aggregate reports for at least two weeks. Review the `rua` report data to identify any legitimate sending sources that are not yet covered by your SPF record or signing with DKIM.
2. **Move to `p=quarantine`** — failing mail goes to spam instead of being rejected. Monitor for false positives.
3. **Advance to `p=reject`** — full enforcement. Unauthenticated mail is blocked at the receiving server.

***

## Full Setup Flow

<Steps>
  <Step title="Retrieve your DNS records">
    Call `GET /api/dns/{domain}` to get the SPF value, DKIM selector, and DKIM public key for your domain.
  </Step>

  <Step title="Add the SPF record">
    Create or update the TXT record at your root domain with `v=spf1 include:ugmail.co ~all`. If an SPF record already exists, merge the `include:ugmail.co` mechanism into it.
  </Step>

  <Step title="Add the DKIM record">
    Create a TXT record at `selector._domainkey.yourdomain.com` with the `v=DKIM1; k=rsa; p=<public_key>` value from the API response.
  </Step>

  <Step title="Add the DMARC record">
    Create a TXT record at `_dmarc.yourdomain.com`. Start with `p=none` and a `rua` address you control to begin collecting reports.
  </Step>

  <Step title="Verify your records">
    Wait for DNS propagation (typically a few minutes to one hour). Use [MXToolbox](https://mxtoolbox.com) to check each record, and send a test message via [mail-tester.com](https://mail-tester.com) to confirm end-to-end authentication.
  </Step>

  <Step title="Graduate your DMARC policy">
    After reviewing your aggregate reports and confirming all legitimate mail passes, update your DMARC policy from `p=none` to `p=quarantine`, then to `p=reject`.
  </Step>
</Steps>

<Tip>
  Use [MXToolbox](https://mxtoolbox.com/SuperTool.aspx) to look up and validate your SPF, DKIM, and DMARC records at any time. [mail-tester.com](https://mail-tester.com) gives you an end-to-end score by analyzing an actual test message, including authentication results, content checks, and blocklist status.
</Tip>

***

## DNS Records Summary

| Record | Type | Name                  | Value                                                                   |
| ------ | ---- | --------------------- | ----------------------------------------------------------------------- |
| SPF    | TXT  | `@`                   | `v=spf1 include:ugmail.co ~all`                                         |
| DKIM   | TXT  | `selector._domainkey` | `v=DKIM1; k=rsa; p=<public_key>`                                        |
| DMARC  | TXT  | `_dmarc`              | `v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100` |

***

## Cloudflare Proxy Guidance

If your domain's DNS is managed through Cloudflare, you must set your mail-related records to **DNS-only** mode (gray cloud icon) — not proxied (orange cloud). Cloudflare's proxy handles HTTP/HTTPS traffic only and will interfere with SMTP connections and DNS lookups for mail authentication records.

Set the following record types to DNS-only in your Cloudflare dashboard:

* **MX records** — all mail exchanger records for your domain
* **SPF TXT record** — the TXT record at your root domain containing `v=spf1`
* **DKIM TXT record** — the TXT record at `selector._domainkey.yourdomain.com`

<Warning>
  **Never proxy MX records through Cloudflare.** Cloudflare explicitly does not support proxying MX records, and attempting to do so will prevent mail delivery entirely. Always use the gray cloud (DNS-only) icon for MX, SPF TXT, and DKIM TXT records in your Cloudflare DNS settings.
</Warning>
