Prerequisites
Before configuring SPF/DKIM/DMARC, make sure you have:
- Access to HestiaCP control panel
- A domain with email service enabled
- SSH access (for DKIM key generation)
What are SPF, DKIM, and DMARC?
- SPF - Specifies which mail servers can send email for your domain
- DKIM - Adds a digital signature to emails so receiving servers can verify authenticity
- DMARC - Tells receiving servers what to do with emails that fail SPF/DKIM
Part 1: Configure SPF Record
Step 1: Log in to HestiaCP
https://YOUR_SERVER_IP:8083
Step 2: Go to DNS → Your Domain
Step 3: Add SPF TXT Record
Click Add DNS Record:
- Record Name: @ (blank)
- Record Type: TXT
- IP Address:
v=spf1 mx ~all
For HestiaCP with external sending:
v=spf1 mx include:spf.hestiacp.com ~all
For Google Workspace:
v=spf1 include:_spf.google.com ~all
Part 2: Enable DKIM in HestiaCP
Step 1: Connect via SSH
ssh hxroot@YOUR_SERVER_IP -p 22
Step 2: Enable DKIM for Domain
/usr/local/hestia/bin/v-add-domain-dkim admin example.com
Replace admin with your HestiaCP username and example.com with your domain.
Step 3: Get DKIM Record
/usr/local/hestia/bin/v-list-domain-dkim admin example.com
Output shows the DKIM TXT record to add to DNS.
Step 4: Add DKIM Record in HestiaCP DNS
- Record Name: default._domainkey
- Record Type: TXT
- IP Address: The DKIM value (starts with v=DKIM1; k=rsa; p=...)
Part 3: Configure DMARC Record
Step 1: Add DMARC TXT Record
In HestiaCP DNS, add:
- Record Name: _dmarc
- Record Type: TXT
- IP Address:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
DMARC Policy Options
| Policy (p=) | Action |
|---|---|
| none | Monitoring only (no action) |
| quarantine | Mark suspicious emails as spam |
| reject | Reject failed emails entirely |
Part 4: Verify Configuration
Check SPF:
dig example.com TXT | grep spf
Check DKIM:
dig default._domainkey.example.com TXT
Check DMARC:
dig _dmarc.example.com TXT
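The dig checks above only confirm that a record exists. The following added example (not part of the original guide or of HestiaCP) lints the returned TXT values for common mistakes: duplicate SPF records, a permissive `all`, an empty DKIM key, or an invalid DMARC policy. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint TXT values as printed by `dig +short <name> TXT`.
# Live use: check_spf "$(dig +short example.com TXT)"

# Strip the quotes dig prints around TXT data and rejoin 255-byte chunks.
normalize() { printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/"//g'; }

# SPF: exactly one v=spf1 record (RFC 7208), ending in an "all" mechanism.
check_spf() {
  spf=$(normalize "$1" | tr 'A-Z' 'a-z' | grep -E '^v=spf1( |$)' || true)
  n=$(printf '%s\n' "$spf" | grep -c . || true)
  if [ "$n" -eq 0 ]; then echo missing; return; fi
  if [ "$n" -gt 1 ]; then echo multiple-records; return; fi
  case "$spf" in
    *" ~all"|*" -all") echo ok ;;
    *" +all"|*" all")  echo allows-any-sender ;;  # bare "all" means +all
    *" ?all")          echo neutral ;;
    *)                 echo no-all-mechanism ;;
  esac
}

# DKIM: the record needs a p= tag; an empty p= marks a revoked key (RFC 6376).
check_dkim() {
  tags=$(normalize "$1" | tr -d ' ' | tr ';' '\n')
  if ! printf '%s\n' "$tags" | grep -q '^p='; then echo missing; return; fi
  key=$(printf '%s\n' "$tags" | sed -n 's/^p=//p' | head -n 1)
  if [ -n "$key" ]; then echo ok; else echo revoked; fi
}

# DMARC: v=DMARC1 must come first; map p= to the policy table above.
check_dmarc() {
  dm=$(normalize "$1" | tr 'A-Z' 'a-z' | grep -E '^v=dmarc1 *(;|$)' || true)
  if [ -z "$dm" ]; then echo missing; return; fi
  p=$(printf '%s\n' "$dm" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
  case "$p" in
    none)              echo monitoring-only ;;
    quarantine|reject) echo "enforcing-$p" ;;
    *)                 echo invalid-policy ;;
  esac
}

# Constructed samples (not real DNS answers), using the values from this guide.
echo "SPF:   $(check_spf '"v=spf1 mx ~all"')"
echo "DKIM:  $(check_dkim '"v=DKIM1; k=rsa; p=CONSTRUCTED" "KEYDATA"')"
echo "DMARC: $(check_dmarc '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"')"
```

A `multiple-records` result matters when the domain already has an SPF record and a second one is added: receivers treat two `v=spf1` records as a permanent error instead of merging them.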
Testing Email Authentication
Send a test email and check headers for:
- spf=pass
- dkim=pass
- dmarc=pass
✅ SPF, DKIM, and DMARC have been configured! Your email deliverability should improve.