Correct email authentication is essential to make sure outgoing messages are accepted by receiving mail servers and not marked as spam. Plesk allows you to manage key deliverability mechanisms directly through DNS settings so your domain can send email reliably.
These settings are typically configured on environments managed through Plesk hosting where mail services are controlled at the domain level.
Why Email Deliverability Matters
Without proper authentication, messages sent from your domain may be rejected, delayed, or placed in spam folders. Modern mail providers rely heavily on DNS-based checks to verify the legitimacy of email senders.
The most important mechanisms are:
- DKIM for message integrity and sender validation
- SPF for defining authorized sending servers
- DMARC for policy enforcement and reporting
Using all three together provides the best results.
DomainKeys Identified Mail (DKIM)
DKIM ensures that messages sent from your domain are digitally signed and have not been altered during delivery. The receiving server verifies the signature using a public key published in DNS.
When DKIM is enabled:
- Messages are cryptographically signed by the sending server
- Receiving servers can verify the sender’s authenticity
- Spoofed or modified messages are more likely to be rejected
On some managed environments, DKIM may not be enabled by default and must be activated at the server level. Once active, the required DNS records are generated automatically.
Sender Policy Framework (Spf)
SPF defines which servers are allowed to send email on behalf of your domain. This prevents unauthorized systems from forging messages using your domain name.
Adding an SPF record
Log in to the Plesk control panel.
Aus Websites & Domänen, open DNS Settings for the domain.
Add a new TXT record and leave the domain name field empty.
Enter an SPF policy that includes all authorized sending sources. A basic example allows mail from the domain’s own servers and declared MX records.
Save the record and allow time for DNS propagation.
SPF reduces spoofing and helps prevent bounce messages caused by forged sender addresses.
Domain-based Message Authentication, Berichterstattung, and Conformance (Dmarc)
DMARC builds on SPF and DKIM by defining how receiving servers should handle messages that fail authentication checks.
It also enables reporting, which provides visibility into how your domain is being used or abused.
Adding a DMARC record
In DNS Settings, add a new TXT record.
Set the domain name to _dmarc.
Enter a DMARC policy based on your desired enforcement level.
Common approaches include:
- Monitoring only, where no messages are blocked
- Quarantining messages that fail authentication
- Rejecting messages that clearly fail policy checks
Start with monitoring mode and review reports before moving to stricter enforcement.
After DNS Changes
DNS updates do not apply instantly. Allow up to 24 hours for changes to propagate globally.
After propagation:
- Send test messages to major providers
- Review headers to confirm SPF, DKIM, and DMARC pass
- Monitor reports if DMARC reporting is enabled
For higher accuracy and inbound filtering, these settings are often combined with services like Spam -Experten.
Practical Notes
- Avoid multiple conflicting SPF records
- Do not enable strict DMARC policies before DKIM is active
- Review reports regularly to detect misconfiguration
Strong email authentication is especially important for domains hosted on Cloud-Server where multiple services may send mail on behalf of the same domain.