How to Set Up DKIM, SPF and DMARC in Plesk (Complete 2026 Guide)

Priya

Content Writer & Researcher

Last Updated: 30 June 2026

How to Set Up DKIM, SPF and DMARC in Plesk (Complete 2026 Guide)

🖥️

Fix Your Plesk Email Deliverability Today

Misconfigured DKIM, SPF, or DMARC records are the leading cause of Plesk emails landing in spam — our team diagnoses and fixes your full email authentication stack fast. Don't let another legitimate email get rejected.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

If emails sent from your Plesk server keep landing in spam or getting outright rejected, the root cause is almost always missing or misconfigured plesk dkim spf dmarc setup. These three DNS-based authentication standards — DKIM, SPF, and DMARC — work together to prove your server is a legitimate sender. This guide covers all three in a single place, with actual Plesk UI steps, DNS verification commands, and troubleshooting for common failure scenarios.

Why DKIM, SPF, and DMARC Matter for Email Deliverability

Email authentication has gone from a best practice to a hard requirement. In 2024 Google and Yahoo began rejecting bulk mail that lacked SPF and DKIM alignment, and that standard has now spread to most major inbox providers. Here is what each record does:

SPF (Sender Policy Framework) — A DNS TXT record that lists the IP addresses and hostnames authorised to send mail for your domain. Receiving servers compare the sending IP against this list.
DKIM (DomainKeys Identified Mail) — A cryptographic signature added to every outgoing email. The public key is published in DNS; the receiving server uses it to verify the signature and confirm the message was not tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — A policy layer on top of SPF and DMARC. It tells receiving servers what to do when a message fails authentication (none, quarantine, or reject) and where to send aggregate reports.

Without all three, even a clean IP reputation can result in spam folder placement. With them correctly configured, you gain a measurable deliverability advantage and receive daily XML reports showing who is sending mail on behalf of your domain.

💡 None of these worked? Skip the guesswork.

Get Expert Help →

How to Enable DKIM in Plesk

Plesk uses its built-in mail server (Postfix on Linux or MailEnable on Windows) to sign outgoing messages. DKIM signing is managed per-domain from the Plesk admin panel.

1Open the Plesk Mail Settings panel

Log in to Plesk as administrator. Navigate to Tools & Settings → Mail Server Settings. Scroll to the DKIM spam protection section. Enable the checkbox labelled Allow signing outgoing mail and click OK.

2Enable DKIM per domain

Go to Domains → [your domain] → Mail Settings. Tick Use DKIM spam protection system to sign outgoing email messages and save. Plesk automatically generates a 2048-bit RSA key pair and publishes the public key to the domain's DNS zone if Plesk manages DNS for that domain.

3Retrieve the DKIM DNS record for external DNS

If your DNS is managed externally (Cloudflare, Route 53, etc.), Plesk will not auto-publish the record. You need to add it manually. Find the public key by running:

amavisd-new showkeys

Or check the Plesk DNS zone editor under Domains → [your domain] → DNS Settings and look for a TXT record on the hostname mail._domainkey. It will look like:

mail._domainkey.yourdomain.com.  IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ..."

Copy this entire value and add it as a TXT record in your external DNS provider under the hostname mail._domainkey.

4Verify the DKIM record is live

dig TXT mail._domainkey.yourdomain.com +short

You should see the v=DKIM1; k=rsa; p=... string returned. If it is empty, DNS propagation may still be in progress — allow up to 30 minutes.

1Enable SPF in Plesk Mail Settings

Navigate to Tools & Settings → Mail Server Settings → SPF spam protection. Enable Switch on SPF mail sending policy checking. Select the policy action — for most servers, start with v=spf1 +a +mx ~all (softfail) and tighten to -all (hardfail) once you have confirmed all sending sources are listed.

2Add the SPF TXT record to DNS

In your DNS provider, add a TXT record on your root domain with a value such as:

v=spf1 ip4:YOUR.SERVER.IP.ADDRESS include:relay.example.com ~all

Replace YOUR.SERVER.IP.ADDRESS with your Plesk server's IPv4 address. If you send through a third-party relay (Mailgun, SendGrid, etc.), add an include: mechanism for their domain. Keep the total number of DNS lookups in the SPF record below 10 — exceeding this causes a permanent failure (PermError).

3Verify the SPF record

dig TXT yourdomain.com +short | grep spf

Or using nslookup:

nslookup -type=TXT yourdomain.com 8.8.8.8

The response should contain your v=spf1 record. You can also use an online SPF checker (MXToolbox, dmarcanalyzer.com) to count DNS lookups and validate the syntax.

Important: never have two SPF TXT records on the same domain. If one already exists, merge them into a single record.

1Create a basic DMARC record

Add a TXT record on _dmarc.yourdomain.com with a monitoring-only policy to start:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1

Tag breakdown:

p=none — monitor mode; no action taken on failing messages
rua= — address for aggregate XML reports (received daily)
ruf= — address for forensic failure reports (individual failed messages)
fo=1 — generate a failure report when either SPF or DKIM fails

2Tighten the DMARC policy over time

After one to two weeks of receiving aggregate reports and confirming all legitimate sending sources pass, move to quarantine, then reject:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com; fo=1

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; fo=1

The pct=25 tag applies the policy to only 25% of failing messages during rollout — a useful safety valve before going to full enforcement.

3Verify the DMARC record

dig TXT _dmarc.yourdomain.com +short

Expected output:

"v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1"

1Retrieve the current public key from Plesk

amavisd-new showkeys

2. Update the DNS TXT record for mail._domainkey.yourdomain.com with the new key value and wait for propagation.

SPF returns PermError (too many DNS lookups)

Each include:, a, mx, and redirect mechanism counts as one lookup. The limit is 10. Check your count:

dig TXT yourdomain.com +short | python3 -c "import sys; rec=sys.stdin.read(); print('includes:', rec.count('include:'))"

If you exceed 10, use SPF flattening (replace include: chains with raw IP ranges) or a service like dmarcian's SPF Surveyor.

DMARC fails despite SPF and DKIM passing

DMARC requires alignment — the domain in the From: header must match the domain used in DKIM or SPF. If your mail is sent from user@yourdomain.com but signed under a different domain (common with mailing lists and forwarding), DMARC alignment will fail even if SPF and DKIM individually pass. Check the aggregate reports for the disposition and reason fields to identify the misaligned source.

Plesk DKIM option is greyed out

This happens when the Plesk mail server is set to relay all mail through a smarthost. When a smarthost is configured, Plesk does not sign mail locally. Either disable the smarthost and send directly, or configure DKIM signing on the smarthost provider's side.

Emails still going to spam after all three records pass

Authentication is necessary but not sufficient. Additional factors: IP blacklist inclusion (check via MXToolbox Blacklist Check), a low domain reputation (new domains take weeks to warm up), spam-triggering content, or missing rDNS (PTR record) for your server IP. For managed help getting your Plesk server fully deliverability-optimised, CloudHouse server management provides hands-on email configuration and ongoing monitoring.

FAQs

See the FAQ section below for answers to the most common questions about Plesk DKIM, SPF, and DMARC configuration.

Getting DKIM, SPF, and DMARC right in Plesk takes roughly an hour — but the deliverability gains are permanent. Start with p=none on DMARC, monitor the aggregate reports for two weeks, then enforce p=reject once all legitimate sending sources are confirmed. If you inherit a server with broken authentication or are migrating to Plesk and need every record verified from scratch, the CloudHouse server management team can audit and fix your full email stack.

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

Plesk can auto-create SPF and DKIM records if it manages DNS for the domain and DKIM signing is enabled in Mail Server Settings. DMARC is never created automatically — you must add the _dmarc TXT record manually regardless of your DNS setup. If your DNS is managed externally (Cloudflare, Route 53), Plesk will not publish any records to external DNS, so all three must be added manually.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...