SPF, DKIM, and DMARC Explained
SPF, DKIM, and DMARC are three DNS-based email authentication standards that help protect your domain from being used in phishing attacks and improve the deliverability of your legitimate emails. Kapsule configures all three automatically for domains hosted with us.
SPF (Sender Policy Framework)
SPF is a DNS record that tells receiving mail servers which servers are authorised to send email on behalf of your domain. If a server not on the list tries to send mail as @yourdomain.com, the receiving server can reject or quarantine it.
How Kapsule handles it: When you add your domain to Kapsule, we automatically publish an SPF record in your DNS. You do not need to do anything.
A typical SPF record looks like:
v=spf1 include:kapsulecloud.com ~all
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email your mailbox sends. Receiving servers can verify this signature against a public key published in your DNS, confirming the message has not been tampered with in transit.
How Kapsule handles it: DKIM keys are generated and published automatically when you create a mailbox. The signing happens invisibly on the server.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM by defining a policy for what receiving servers should do when authentication fails.
A DMARC policy can be set to:
- none: monitor only, take no action
- quarantine: place failing messages in spam
- reject: block failing messages outright
How Kapsule handles it:
Kapsule publishes a p=none DMARC policy by default, which is appropriate for new domains. This lets you receive reports without risk of legitimate email being blocked.
Once you have been sending email for a few weeks and your SPF and DKIM results are coming back clean, you can tighten your DMARC policy to quarantine or reject. Contact support if you would like help with this.
Checking Your Records
You can verify your domain's authentication records using a free tool such as MXToolbox. Search for your domain and look at the SPF, DKIM, and DMARC results.
What If My Domain is at Another Registrar?
If your domain's DNS is managed outside Kapsule, you will need to add the SPF, DKIM, and DMARC records manually. KPanel will display the exact record values to add:
- Go to Mailboxes in KPanel
- Open your mailbox and click DNS Records
- Copy the SPF, DKIM, and DMARC values shown
- Add them to your external DNS provider
If you are using Kapsule email but your DNS is hosted elsewhere and these records are missing, your emails may be marked as spam or rejected by major providers like Gmail and Outlook.
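After adding the records at an external DNS provider, you can paste the published TXT values into a small offline checker. The Python below is an added example, not Kapsule's code; it performs no DNS lookups, and the function names and sample values are constructed, with only the include:kapsulecloud.com term taken from the sample SPF record above.

```python
# Added example; EXPECTED_INCLUDE is taken from the sample SPF record on this page.
EXPECTED_INCLUDE = "kapsulecloud.com"

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txt_records):
    """Findings for the TXT records at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no v=spf1 record found"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record, which receivers treat as an error"]
    terms = spf[0].lower().split()[1:]
    missing = ["SPF: include:" + EXPECTED_INCLUDE + " is missing"]
    findings = [] if "include:" + EXPECTED_INCLUDE in terms else missing
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term, so unlisted servers get a neutral result")
    elif all_terms and all_terms[0] in ("all", "+all"):
        findings.append("SPF: +all authorises every server")
    return findings

def audit_dkim(txt_records):
    """Findings for the TXT records at <selector>._domainkey.<domain>."""
    keys = [t for t in map(parse_tags, txt_records) if "p" in t]
    if not keys:
        return ["DKIM: no key record found"]
    return [] if keys[0]["p"] else ["DKIM: empty p= means the key is revoked"]

def audit_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record found"]
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    monitor = ["DMARC: p=none is monitor only, failing mail is still delivered"]
    return {"none": monitor, "quarantine": [], "reject": []}.get(policy, ["DMARC: p= is missing or invalid"])

if __name__ == "__main__":
    # Constructed sample values; PLACEHOLDERKEY stands in for a real public key.
    print(audit_spf(["v=spf1 include:kapsulecloud.com ~all"]) + audit_dmarc(["v=DMARC1; p=none"])
          + audit_dkim(["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"]))
```

An empty list from each function means no problem was found in that record; use the values KPanel displays as the reference when a finding appears.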
