If emails sent from your Plesk server keep landing in spam or getting outright rejected, the root cause is almost always a missing or misconfigured DKIM, SPF, or DMARC setup. These three DNS-based authentication standards — DKIM, SPF, and DMARC — work together to prove your server is a legitimate sender. This guide covers all three in a single place, with actual Plesk UI steps, DNS verification commands, and troubleshooting for common failure scenarios.
Why DKIM, SPF, and DMARC Matter for Email Deliverability
Email authentication has gone from a best practice to a hard requirement. In 2024 Google and Yahoo began rejecting bulk mail that lacked SPF and DKIM alignment, and that standard has now spread to most major inbox providers. Here is what each record does:
- SPF (Sender Policy Framework) — A DNS TXT record that lists the IP addresses and hostnames authorised to send mail for your domain. Receiving servers compare the sending IP against this list.
- DKIM (DomainKeys Identified Mail) — A cryptographic signature added to every outgoing email. The public key is published in DNS; the receiving server uses it to verify the signature and confirm the message was not tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — A policy layer on top of SPF and DKIM. It tells receiving servers what to do when a message fails authentication (none, quarantine, or reject) and where to send aggregate reports.
Without all three, even a clean IP reputation can result in spam folder placement. With them correctly configured, you gain a measurable deliverability advantage and receive daily XML reports showing who is sending mail on behalf of your domain.
How to Enable DKIM in Plesk
Plesk uses its built-in mail server (Postfix on Linux or MailEnable on Windows) to sign outgoing messages. DKIM signing is managed per-domain from the Plesk admin panel.
Log in to Plesk as administrator. Navigate to Tools & Settings → Mail Server Settings. Scroll to the DKIM spam protection section. Enable the checkbox labelled Allow signing outgoing mail and click OK.
Go to Domains → [your domain] → Mail Settings. Tick Use DKIM spam protection system to sign outgoing email messages and save. Plesk automatically generates a 2048-bit RSA key pair and publishes the public key to the domain's DNS zone if Plesk manages DNS for that domain.
If your DNS is managed externally (Cloudflare, Route 53, etc.), Plesk will not auto-publish the record. You need to add it manually. Find the public key by running:
amavisd-new showkeys
Or check the Plesk DNS zone editor under Domains → [your domain] → DNS Settings and look for a TXT record on the hostname mail._domainkey. It will look like:
mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ..."
Copy this entire value and add it as a TXT record in your external DNS provider under the hostname mail._domainkey.
Once the record is in place, verify that it resolves:
dig TXT mail._domainkey.yourdomain.com +short
You should see the v=DKIM1; k=rsa; p=... string returned. If it is empty, DNS propagation may still be in progress — allow up to 30 minutes.
Navigate to Tools & Settings → Mail Server Settings → SPF spam protection. Enable Switch on SPF mail sending policy checking. Select the policy action — for most servers, start with v=spf1 +a +mx ~all (softfail) and tighten to -all (hardfail) once you have confirmed all sending sources are listed.
In your DNS provider, add a TXT record on your root domain with a value such as:
v=spf1 ip4:YOUR.SERVER.IP.ADDRESS include:relay.example.com ~all
Replace YOUR.SERVER.IP.ADDRESS with your Plesk server's IPv4 address. If you send through a third-party relay (Mailgun, SendGrid, etc.), add an include: mechanism for their domain. Keep the total number of DNS lookups in the SPF record at 10 or fewer — exceeding this limit causes a permanent failure (PermError).
Verify the published SPF record:
dig TXT yourdomain.com +short | grep spf
Or using nslookup:
nslookup -type=TXT yourdomain.com 8.8.8.8
The response should contain your v=spf1 record. You can also use an online SPF checker (MXToolbox, dmarcanalyzer.com) to count DNS lookups and validate the syntax.
Important: never have two SPF TXT records on the same domain. If one already exists, merge them into a single record.
Add a TXT record on _dmarc.yourdomain.com with a monitoring-only policy to start:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1
Tag breakdown:
- p=none — monitor mode; no action taken on failing messages
- rua= — address for aggregate XML reports (received daily)
- ruf= — address for forensic failure reports (individual failed messages)
- fo=1 — generate a failure report when either SPF or DKIM fails
After one to two weeks of receiving aggregate reports and confirming all legitimate sending sources pass, move to quarantine, then reject:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com; fo=1
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; fo=1
The pct=25 tag applies the policy to only 25% of failing messages during rollout — a useful safety valve before going to full enforcement.
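Verify the published DMARC record:
dig TXT _dmarc.yourdomain.com +short
Expected output for the monitoring-only record above:
"v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1"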
amavisd-new showkeys
2. Update the DNS TXT record for mail._domainkey.yourdomain.com with the new key value and wait for propagation.
SPF returns PermError (too many DNS lookups)
Each include:, a, mx, and redirect mechanism counts as one lookup. The limit is 10. Check your count:
dig TXT yourdomain.com +short | python3 -c "import sys; rec=sys.stdin.read(); print('includes:', rec.count('include:'))"
If you exceed 10, use SPF flattening (replace include: chains with raw IP ranges) or a service like dmarcian's SPF Surveyor.
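The one-liner above counts only the include: terms in the top-level record. The following added example (not from the original guide) goes further: it follows include: and redirect= chains and counts every DNS-querying term in the worst case, using a constructed in-memory record set instead of live DNS. All domains other than yourdomain.com and relay.example.com, and the function names, are assumptions made for the illustration.

```python
# Added example: worst-case SPF DNS-lookup count, following include:/redirect= chains.
# SAMPLE_TXT is constructed data (domain -> TXT strings), not live DNS.
SAMPLE_TXT = {
    "yourdomain.com": ["v=spf1 a mx ip4:203.0.113.10 include:relay.example.com "
                       "include:_spf.crm.example ~all"],
    "relay.example.com": ["v=spf1 include:a.relay.example.com "
                          "include:b.relay.example.com ip4:198.51.100.0/24 -all"],
    "a.relay.example.com": ["v=spf1 ip4:192.0.2.0/25 -all"],
    "b.relay.example.com": ["v=spf1 a mx exists:%{i}.bl.example.com -all"],
    "_spf.crm.example": ["v=spf1 include:relay.example.com mx ?all"],
}
SPF_LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(domain, txt):
    """Return the TXT strings for `domain` that are SPF records."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, txt, path=()):
    """Count the DNS-querying terms reachable from `domain`'s SPF record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(domain, txt)
    # Several SPF records (or an include target with none) is a PermError.
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]  # "a/24" and "mx/24" still query DNS
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # The same included domain reached twice is counted twice.
            total += count_lookups(target, txt, path + (domain,))
    return total


if __name__ == "__main__":
    n = count_lookups("yourdomain.com", SAMPLE_TXT)
    verdict = "PermError" if n > SPF_LOOKUP_LIMIT else "ok"
    print(f"{n} lookups (limit {SPF_LOOKUP_LIMIT}): {verdict}")
```

The top-level record here shows only two include: terms, yet the nested chains bring the total to 16, which is why counting include: in the first record alone can miss a PermError.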
DMARC fails despite SPF and DKIM passing
DMARC requires alignment — the domain in the From: header must match the domain used in DKIM or SPF. If your mail is sent from user@yourdomain.com but signed under a different domain (common with mailing lists and forwarding), DMARC alignment will fail even if SPF and DKIM individually pass. Check the aggregate reports for the disposition and reason fields to identify the misaligned source.
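To find the misaligned source described above, the added example below (not part of the original guide) parses a constructed aggregate-report fragment in the RFC 7489 layout and lists sources where SPF or DKIM passed for some domain while DMARC evaluated both as failing. The report data, the example.net domains and the function name are constructed for illustration, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report fragment (RFC 7489 layout, no XML namespace); not real data.
SAMPLE_REPORT = """<feedback>
<record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
    <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
</record>
<record>
  <row><source_ip>198.51.100.25</source_ip><count>7</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>mailing_list</type></reason></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>lists.example.net</domain><result>pass</result></dkim>
    <spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results>
</record>
</feedback>"""


def misaligned_sources(report_xml):
    """List sources that authenticated (SPF/DKIM pass) yet failed DMARC alignment."""
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production.
    found = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passed: at least one identifier aligned with From:
        passed = [(m.tag, m.findtext("domain")) for m in rec.find("auth_results")
                  if m.findtext("result") == "pass"]
        if passed:  # valid SPF/DKIM, but for a domain other than header_from
            found.append({
                "source_ip": rec.findtext("row/source_ip"),
                "count": int(rec.findtext("row/count")),
                "header_from": rec.findtext("identifiers/header_from"),
                "disposition": ev.findtext("disposition"),
                "reasons": [r.findtext("type") for r in ev.findall("reason")],
                "passed_as": passed,
            })
    return found


if __name__ == "__main__":
    for src in misaligned_sources(SAMPLE_REPORT):
        print(src)
```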
Plesk DKIM option is greyed out
This happens when the Plesk mail server is set to relay all mail through a smarthost. When a smarthost is configured, Plesk does not sign mail locally. Either disable the smarthost and send directly, or configure DKIM signing on the smarthost provider's side.
Emails still going to spam after all three records pass
Authentication is necessary but not sufficient. Additional factors: IP blacklist inclusion (check via MXToolbox Blacklist Check), a low domain reputation (new domains take weeks to warm up), spam-triggering content, or missing rDNS (PTR record) for your server IP. For managed help getting your Plesk server fully deliverability-optimised, CloudHouse server management provides hands-on email configuration and ongoing monitoring.
FAQs
See the FAQ section below for answers to the most common questions about Plesk DKIM, SPF, and DMARC configuration.
Getting DKIM, SPF, and DMARC right in Plesk takes roughly an hour — but the deliverability gains are permanent. Start with p=none on DMARC, monitor the aggregate reports for two weeks, then enforce p=reject once all legitimate sending sources are confirmed. If you inherit a server with broken authentication or are migrating to Plesk and need every record verified from scratch, the CloudHouse server management team can audit and fix your full email stack.
