Skip to main content

Email authentication (SPF, DKIM, DMARC)

Why authentication matters

SPF, DKIM and DMARC are technical steps that help prove to other mail services that Clearbox is allowed to send email for your domain. If this sounds technical, don't worry — you can copy/paste the records we show here into your DNS, or contact Alfrolia support and we will set them up for you.

If your domain is managed by Dotsync and linked to your Clearbox account, Clearbox can automatically publish the necessary SPF, DKIM, and DMARC records on your behalf (we generate DKIM keys and publish the TXT records). If you use an external DNS provider, you'll need to copy/paste the records shown in the dashboard or ask support to assist.

SPF, DKIM and DMARC together reduce spoofing and improve deliverability.

SPF (Sender Policy Framework)

  • Add a TXT record to your DNS for your sending domain. Example:
example.com.  TXT  "v=spf1 include:spf.clearbox.email -all"
  • The include: value should reference the provider's SPF records. Avoid long or multiple includes; if needed, use SPF flattening services.

DKIM (DomainKeys Identified Mail)

  • DKIM signs outgoing messages with a private key; publish the public key in DNS using a selector.
  • Example DKIM TXT record (selector cb1):
cb1._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIIBIjANB..."
  • Verify headers in delivered messages include DKIM-Signature and that verification shows pass.

DMARC (Domain-based Message Authentication)

  • DMARC tells receivers how to handle mail failing SPF/DKIM and provides reporting.

Example DMARC record (monitoring):

_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; pct=100"
  • Steps:
    1. Start with p=none to monitor reports
    2. Review aggregate reports and fix failures
    3. Move to p=quarantine or p=reject when confident

Troubleshooting tips

  • If SPF fails: check for typos, ensure includes are correct, and that the sending IPs are covered.
  • If DKIM fails: verify selector matches, DNS record correctly published, and no whitespace/newline corruption in the key.
  • If DMARC aggregate reports show alignment failures, ensure your SPF/DKIM are aligned with the header-from domain.

Tools and verification

  • Use online SPF/DKIM/DMARC checkers to validate records.
  • Send test messages to mailbox providers and inspect headers for Authentication-Results.

If you'd like, we can provide the exact include: and DKIM selector values for your Clearbox account — contact support with your domain name and we'll provide the values.