SPF and DKIM for your email

Messages sent from your HolyCloud web hosting (webmail, PHP forms, CMS) are better accepted by Gmail, Outlook, and other providers if you publish SPF, DKIM, and ideally DMARC records in your domain's DNS zone.

Prerequisites

• Domain managed at HolyCloud or access to the domain DNS zone
• Mailboxes or SMTP sending created on shared hosting
• Panel access (cPanel / DirectAdmin) to retrieve DKIM values

Understanding SPF, DKIM, and DMARC

| Mechanism | Role |

|-----------|------|

| SPF | Lists servers authorized to send for your domain |

| DKIM | Cryptographic signature proving the message was not altered |

| DMARC | Handling policy when SPF/DKIM fail + reports |

Without SPF/DKIM, mail may land in spam or be rejected (550 5.7.1).

Step 1: identify the sending server

In the hosting panel:

1. Client area → Web hosting → Access panel.
2. Mail accounts / Email Accounts: note the SMTP server (e.g. mail.votredomaine.fr or HolyCloud cluster hostname).
3. Email Deliverability or Authentication (cPanel): the panel often shows recommended records.

The SMTP hostname in your mail client must match what SPF authorizes.

Step 2: SPF record (DNS TXT)

In the domain DNS zone (HolyCloud client area → Domains → DNS Zone, or registrar panel):

• Type: TXT
• Name / Host: @ (or domain root)
• Value (example — adapt per panel):

v=spf1 a mx include:_spf.holycloud.fr ~all

Common variants:

• v=spf1 mx a ~all — if only the domain's MX and A records send
• v=spf1 include:spf.protection.outlook.com ~all — if you also use Microsoft 365 in parallel (one SPF record per domain — combine include entries)

Rule: one SPF record per domain (one v=spf1 only).

Qualifiers:

• ~all: soft fail (often used during transition)
• -all: hard fail (stricter, once SPF is validated)

Verification:

dig TXT votredomaine.fr +short

Step 3: enable DKIM in the panel

cPanel:

1. Email → Email Deliverability.
2. Select the domain → Repair / Install the suggested records.
3. Copy the proposed DKIM record (often a TXT on default._domainkey).

Example DKIM value (truncated):

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

In the DNS zone:

• Type: TXT
• Name: default._domainkey (or as indicated by the panel)
• Value: full string provided by cPanel

DirectAdmin: E-Mail Accounts → DKIM / DNS Management depending on version.

Step 4: DMARC (recommended)

TXT record on _dmarc:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; adkim=r; aspf=r

Progression:

• p=none: monitoring without blocking
• p=quarantine then p=reject once SPF/DKIM are stable

Step 5: send test

1. Send a test email from webmail to a Gmail address.
2. In Gmail: Show original → look for spf=pass, dkim=pass, dmarc=pass.

Online tools (enter your domain): public SPF/DKIM validators.

PHP forms and mail() sending

mail() scripts use the local server; domain SPF/DKIM must include that server. For high volume, use authenticated SMTP (domain mail account) rather than raw mail().

PHPMailer example (SMTP) — host and ports from the panel:

$mail->Host = 'mail.votredomaine.fr';
$mail->Port = 587;
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->Username = '[email protected]';

Troubleshooting

| Symptom | Action |

|----------|--------|

| SPF perm fail | Too many include; merge; single SPF TXT |

| DKIM fail | Missing DKIM key or wrong hostname |

| Mail received but spam | Add DMARC; content; shared IP reputation |

| Double SPF | Remove duplicate TXT v=spf1 |

| Common error | Fix |

|-----------------|------------|

| 550 5.7.26 (Microsoft) | SPF + DKIM required — rerun Email Deliverability |

| Record too long | DKIM split across multiple TXT strings (cPanel auto-split) |

This guide does not cover

• Dedicated mail server on VPS (see VPS documentation)
• Full Microsoft 365 / Google Workspace hybrid setup

Need help?

Open a ticket with the domain name, Email Deliverability screenshot, and full headers of a test message (SPF/DKIM failing).