A solid DirectAdmin email deliverability setup is the difference between client emails landing in the inbox and disappearing into spam folders or getting rejected by remote mail servers. If you manage hosting on a DirectAdmin server, configuring all four authentication layers — SPF, DKIM, DMARC, and SpamAssassin — is no longer optional. In 2026, major mailbox providers like Gmail, Yahoo, and Outlook enforce strict sender authentication requirements, and missing even one layer can tank your clients' deliverability overnight. This guide walks you through every step so nothing gets skipped.
Why Email Deliverability Fails on DirectAdmin Servers
Most email deliverability failures on DirectAdmin servers trace back to one of four root causes. Understanding them before you start configuring saves hours of debugging later.
- Missing or incorrect SPF record: The receiving mail server checks DNS to confirm your server is authorised to send on behalf of a domain. No SPF record means an immediate soft-fail or reject.
- DKIM not enabled or misconfigured: DKIM adds a cryptographic signature to every outbound message. If the public key in DNS doesn't match the private key used to sign the message, the check fails and spam scores spike.
- No DMARC policy: Without a DMARC record, rogue actors can spoof your domain with zero consequences. In 2026, Gmail requires at least a p=none DMARC policy for bulk senders.
- SpamAssassin not tuned: Default SpamAssassin thresholds are often too permissive. Unfiltered inbound spam and outbound spam relayed through compromised accounts damage your server's IP reputation.
Beyond missing records, common DirectAdmin-specific pitfalls include using dkim=1 globally when some domains use external DNS (which causes DKIM signing to fail rather than simply skip), and forgetting to regenerate DKIM keys to meet the 2048-bit minimum that modern mail providers now require.
Step 1: Configure SPF Records in DirectAdmin DNS Manager
Navigate to Admin Level → DNS Administration or log in at user level and go to DNS Management. Select the domain you want to configure.
In the DNS zone editor, look for a TXT record that starts with v=spf1. If one already exists, edit it rather than adding a duplicate — two SPF records cause an immediate SPF permanent error (permerror).
A standard SPF record for a DirectAdmin server that sends all mail from the server's own IP looks like this:
v=spf1 ip4:YOUR.SERVER.IP.ADDRESS a mx ~all
For tighter security (and better DMARC alignment), use a hard fail:
v=spf1 ip4:YOUR.SERVER.IP.ADDRESS a mx -all
Replace YOUR.SERVER.IP.ADDRESS with the actual IPv4 (and/or IPv6 with ip6:) of your mail server. If the domain also sends through a third-party ESP such as SendGrid or Mailchimp, include their mechanism: include:sendgrid.net.
A TTL of 300 seconds (5 minutes) is ideal during initial setup so you can iterate quickly. Raise it to 3600 once verified. Click Add / Save and allow up to 15 minutes for DNS propagation on the server itself.
Verify SPF Propagation
Run this from the server command line to confirm the record is live:
dig TXT yourdomain.com +short | grep spf
You should see the v=spf1 string returned. If nothing appears after 15 minutes, double-check that DirectAdmin's nameservers are authoritative for the domain.
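The duplicate-record permerror described above, together with the 10 DNS lookup limit that the MXToolbox SPF check reports, can be caught before a record is published. This is an added example, not code from DirectAdmin or from this guide's author; the function name and the sample records are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return a list of problems found in one domain's TXT records."""
    # dig +short prints TXT values wrapped in double quotes; drop them.
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published: receivers return permerror"]

    terms = spf[0].split()[1:]
    # Strip the qualifier (+ - ~ ?) and any :value, =value or /cidr suffix.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in terms]
    problems = []

    # Lower bound only: records pulled in by include: add their own lookups.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10")

    if "all" not in names:
        if "redirect" not in names:
            problems.append("no 'all' mechanism: unlisted senders are not restricted")
    else:
        all_term = terms[names.index("all")]
        if all_term[0] not in "-~":
            problems.append(f"'{all_term}' does not restrict unlisted senders")
    return problems

# Constructed sample: a second SPF record added instead of editing the first.
DUPLICATED = [
    "v=spf1 ip4:192.0.2.10 a mx -all",
    "v=spf1 include:sendgrid.net ~all",
]

if __name__ == "__main__":
    print(lint_spf(DUPLICATED))
    print(lint_spf(["v=spf1 ip4:192.0.2.10 a mx include:sendgrid.net -all"]))
```
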
Go to Admin Level → E-Mail Manager → DKIM Setup (or via Admin Settings → Mail Settings → Enable DKIM). Set the mode appropriate for your environment and save.
Log in at user level, navigate to E-Mail Manager → E-Mail Accounts, and click the Enable DKIM button (top right in the enhanced skin). DirectAdmin will generate a 2048-bit RSA key pair and display the public key TXT record to add to DNS.
The record will look similar to this (truncated for readability):
Name: default._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
If the domain uses DirectAdmin's local DNS, this record is added automatically. If the domain uses external DNS, copy the full key value and add it manually in your DNS provider's control panel. The selector default is the DirectAdmin default — it can be customised in /etc/exim.conf if needed.
In 2026, 1024-bit DKIM keys are considered weak. To confirm you have a 2048-bit key:
openssl rsa -in /etc/exim.dkim/yourdomain.com.private -text -noout | grep "Private-Key"
If it returns Private-Key: (1024 bit), regenerate the key pair: delete the existing DKIM entry in DirectAdmin and re-enable it — DirectAdmin will generate a fresh 2048-bit pair.
Send a test email from the domain to a Gmail address, open the message, click "Show original", and confirm dkim=pass in the authentication headers.
DMARC requires at least one of SPF or DKIM to be aligned and passing. Adding a p=reject policy before your records are verified will cause legitimate mail to be rejected. Start with p=none to observe without enforcing.
Create a TXT record at the subdomain _dmarc.yourdomain.com with this value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; adkim=r; aspf=r
Tag breakdown:
- p=none — Monitor only, no enforcement. Change to p=quarantine then p=reject once you've confirmed clean reports for 30 days.
- rua — Aggregate report destination. You'll receive daily XML summaries of authentication results.
- ruf — Forensic (failure) report destination. Contains details of individual failing messages (note: few providers send these now due to privacy concerns).
- adkim=r — Relaxed DKIM alignment (matches the root domain and subdomains).
- aspf=r — Relaxed SPF alignment.
After two to four weeks of p=none and clean aggregate reports, move to p=quarantine. After another 30 days of clean reports, move to p=reject. This is the industry-standard ramp-up process.
Go to Admin Level → E-Mail Manager → SpamAssassin Setup. Toggle the global enable switch and save. This activates the spamd daemon that Exim calls to score inbound messages.
At user level, navigate to E-Mail Manager → SpamAssassin Setup. Key settings to configure:
- Spam Score Threshold: Default is 5.0. Consider lowering to 4.0 for stricter filtering on shared hosting servers with high-risk clients.
- Spam Folder / Delete Action: Route spam to a Junk folder or delete it. Routing to a folder is safer — it allows false positives to be reviewed.
- Whitelist / Blacklist: Add trusted senders to the whitelist so their messages bypass scoring. Add known spammers to the blacklist for instant rejection.
The main config file is at /etc/mail/spamassassin/local.cf. Add or modify these directives:
# Lower the required score for spam flagging
required_score 4.0
# Enable Bayes classifier
use_bayes 1
bayes_auto_learn 1
# Enable RBL checks (Realtime Blackhole Lists)
skip_rbl_checks 0
# Boost score for messages whose domain has no SPF record or whose DKIM signature is invalid
score SPF_NONE 2.0
score DKIM_INVALID 3.0
After editing, restart SpamAssassin:
systemctl restart spamassassin
Configure Outbound Spam Prevention in Exim
Navigate to Admin Level → E-Mail Manager → Exim Configuration Manager. Under the Spam Scanning section, enable Scan outgoing messages with SpamAssassin. Set a maximum spam score for outbound mail (e.g., 10.0 — any message scoring above this is rejected before it leaves the server).
In Admin Level → E-Mail Manager → Mail Queue Manager, configure hourly sending limits per domain to cap damage from compromised accounts. A reasonable starting limit for shared hosting is 200–500 emails per hour per domain.
In the Exim configuration manager, enable RBL Check for outbound SMTP connections. This prevents your server from accepting mail from known spam networks that attackers use to relay through compromised accounts.
Visit mail-tester.com, copy the unique test address shown, and send a real email to it from the domain you've configured. Mail Tester analyses SPF, DKIM, DMARC, SpamAssassin score, blacklist status, and HTML content. Aim for a score of 10/10. Common deductions include missing list-unsubscribe headers, low text-to-image ratio in HTML emails, and SpamAssassin content triggers.
Use MXToolbox to verify individual DNS records:
- SPF lookup: Enter spf:yourdomain.com to confirm the record is valid and resolves within the 10 DNS lookup limit.
- DKIM lookup: Enter default._domainkey.yourdomain.com to confirm the public key is published and parseable.
- DMARC lookup: Enter _dmarc.yourdomain.com to verify the record syntax.
- Blacklist check: Run a blacklist check against your server IP to confirm you're not listed on any major RBL.
Use Google's Check MX tool to verify your MX records, SPF, and DKIM from Google's perspective. This is especially useful for diagnosing Gmail-specific deliverability failures.
After 24–48 hours, you should start receiving DMARC aggregate reports at the rua address you configured. Use a free parser like dmarcian.com to read the XML reports and identify any sources sending mail that fails authentication for your domain.
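To show what "clean" means when reading these reports, the following added example (not part of the original guide or of any parser named here) totals the messages per source IP that fail both aligned checks, then separates your own senders from unrecognised sources. The report is a constructed sample without an XML namespace, and the known-sender inventory is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: documentation IP ranges, not real data.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>4</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def dmarc_failures(report_xml):
    """Count messages per source IP that fail both aligned DKIM and aligned SPF."""
    # Reports arrive by email from third parties: refuse DTDs and entities.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    failures = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        dkim = row.findtext("policy_evaluated/dkim", "").strip()
        spf = row.findtext("policy_evaluated/spf", "").strip()
        # DMARC passes when at least one aligned check passes.
        if dkim != "pass" and spf != "pass":
            ip = row.findtext("source_ip", "").strip()
            failures[ip] += int(row.findtext("count", "0"))
    return dict(failures)

def triage(report_xml, known_senders):
    """Split failing sources into own senders to fix and unrecognised sources."""
    failing = dmarc_failures(report_xml)
    fix_first = {ip: n for ip, n in failing.items() if ip in known_senders}
    unknown = {ip: n for ip, n in failing.items() if ip not in known_senders}
    return fix_first, unknown

if __name__ == "__main__":
    # Hypothetical inventory: the mail server plus an ESP not yet in SPF/DKIM.
    print(triage(SAMPLE_REPORT, {"192.0.2.10", "203.0.113.25"}))
```

Any entry in the first dictionary is legitimate mail that a stricter policy would quarantine or reject, so it has to be fixed before leaving p=none.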
The DirectAdmin mail logs live at /var/log/exim/mainlog. Search for DKIM or SPF failures:
grep -i "dkim\|spf\|dmarc" /var/log/exim/mainlog | tail -50
Look for patterns like DKIM: d= signing failed or SPF check failed and trace them to specific domains or users on the server.
FAQs
Why do my emails pass SPF and DKIM but still go to spam?
Authentication passing is necessary but not sufficient for inbox delivery. Spam filters also weigh your server IP reputation, the content of the message (SpamAssassin content scoring), the volume of email sent from the domain, and whether recipients have previously marked your messages as spam. Check your IP against major blacklists using MXToolbox and review Mail Tester's content score recommendations.
What is the difference between dkim=1 and dkim=2 in DirectAdmin?
dkim=1 auto-enables DKIM for every new domain created on the server and is only safe when all domains use DirectAdmin's local DNS. dkim=2 makes DKIM available at user level but doesn't enable it automatically, which is the safer default on shared hosting servers where clients may use external DNS providers like Cloudflare.
Can I use a 1024-bit DKIM key in 2026?
No. In 2026, Gmail and other major mailbox providers reject or heavily penalise 1024-bit DKIM keys. The minimum acceptable standard is 2048 bits. DirectAdmin generates 2048-bit keys when DKIM is enabled fresh. If your existing keys are 1024-bit, disable and re-enable DKIM for each affected domain to regenerate them at the correct length.
How do I stop a compromised account from spamming through my DirectAdmin server?
Enable per-domain hourly sending limits in the Exim Configuration Manager. Enable outbound SpamAssassin scanning with a hard score limit (e.g., reject messages scoring above 10.0). Watch the mail queue in Admin Level → Mail Queue Manager for domains suddenly generating high outbound volume. Disable the compromised email account immediately, reset the password, and notify the domain owner. Check /var/log/exim/mainlog for the originating script or SMTP auth user.
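The mainlog check in the answer above, and the hourly sending limits from the outbound spam section, can be combined into one pass over the log. This is an added example rather than DirectAdmin tooling; it assumes Exim's default arrival-line layout (`<=` with `A=` for an SMTP auth user and `U=` for a local submission), and the log lines are constructed.

```python
import re
from collections import Counter

# Exim arrival line: "YYYY-MM-DD HH:MM:SS <message-id> <= <sender> <fields>"
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} \S+ <= \S+ (.*)$")
AUTH_USER = re.compile(r"(?:^| )A=[\w-]+:(\S+)")   # SMTP AUTH submission
LOCAL_USER = re.compile(r"(?:^| )U=(\S+)")         # script or local submission

def noisy_senders(lines, hourly_limit=200):
    """Return (hour, identity, messages) for identities above the hourly limit."""
    counts = Counter()
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery (=>), completion and error lines
        hour, fields = m.groups()
        auth, local = AUTH_USER.search(fields), LOCAL_USER.search(fields)
        if auth:
            who = "auth:" + auth.group(1)
        elif local:
            who = "local:" + local.group(1)
        else:
            continue  # unauthenticated inbound mail from other servers
        # One arrival is one message, however many recipients it has.
        counts[(hour, who)] += 1
    return sorted((h, w, n) for (h, w), n in counts.items() if n > hourly_limit)

# Constructed sample lines in mainlog format (documentation addresses only).
SAMPLE_LOG = """\
2026-03-02 09:14:05 1vXa01-0000Aa-01 <= info@example.com H=(pc) [198.51.100.23] P=esmtpsa A=login:info@example.com S=2311
2026-03-02 09:14:06 1vXa01-0000Aa-01 => dest@elsewhere.example R=lookuphost T=remote_smtp
2026-03-02 09:14:09 1vXa02-0000Aa-02 <= info@example.com H=(pc) [198.51.100.23] P=esmtpsa A=login:info@example.com S=2290
2026-03-02 09:15:30 1vXa03-0000Aa-03 <= info@example.com H=(x) [203.0.113.9] P=esmtpsa A=login:info@example.com S=2301
2026-03-02 09:20:00 1vXa04-0000Aa-04 <= shop@server.example.net U=shopuser P=local S=901
2026-03-02 09:21:00 1vXa05-0000Aa-05 <= someone@elsewhere.example H=mx.elsewhere.example [192.0.2.77] P=esmtps S=5120
""".splitlines()

if __name__ == "__main__":
    # Limit lowered to 2 so the short sample trips it.
    print(noisy_senders(SAMPLE_LOG, hourly_limit=2))
```
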
How often should I review DMARC reports?
Review aggregate reports at least weekly during the first 60 days after enabling DMARC. Once you're at p=reject and reports show only legitimate mail passing, monthly reviews are sufficient. Set up email alerts or use a DMARC monitoring service like dmarcian, Postmark's DMARC Digests, or MXToolbox's DMARC report monitoring so you're notified of anomalies without manually parsing XML files.
Configuring a complete DirectAdmin email deliverability setup requires getting SPF, DKIM, DMARC, and SpamAssassin working in concert — not just setting them individually and hoping for the best. Follow the steps in this guide in order, verify each layer before moving to the next, and use Mail Tester and MXToolbox to confirm end-to-end results. If you'd rather have an expert handle the full configuration and ongoing monitoring for you, CloudHouse Technologies provides a dedicated server management service that covers email authentication, spam hardening, and IP reputation management for DirectAdmin, cPanel, and Plesk environments. Don't let a misconfigured DNS record cost your clients their inbox placement.
