
How to configure SPF and DKIM in Plesk Mail Server

Configure SPF and DKIM records in Plesk Obsidian to improve email deliverability and prevent your domain from landing in spam folders.

Roy S
Updated 18h ago

This tutorial guides you through configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records directly within the Plesk control panel. These steps apply to Plesk Obsidian 18.x running on Linux distributions like AlmaLinux 9 or Ubuntu 24.04. By completing these steps, you ensure that emails sent from your domain are authenticated by receiving servers, significantly reducing the risk of being marked as spam.

Prerequisites

  • Plesk Obsidian 18.x or later installed on a Linux server.
  • Root or sudo access to the server to manage DNS zones.
  • A valid domain name registered with your DNS provider.
  • Knowledge of your domain's current DNS records (MX, A, TXT).
  • An active mail service installed within Plesk (usually Postfix or Exim).

Step 1: Generate DKIM Keys

Before adding records to your DNS, you must generate the cryptographic keys required for DKIM authentication. Plesk provides a built-in tool to handle this process automatically for all hosted domains. You will use the Mail Server settings to create the public key that will be published in your DNS.

  1. Log in to your Plesk panel as an administrator or reseller.
  2. Navigate to Domains and click on the domain you want to configure.
  3. Click on the Mail Server icon on the left-hand side.
  4. Locate the DKIM section in the main interface.
  5. Click the Generate button next to the DKIM key status.

You will see a confirmation message stating that the keys have been generated successfully. Plesk automatically creates a TXT record containing the public key and a CNAME record pointing to the mail server's selector. The system prepares these records for import into your DNS zone.

Step 2: Configure SPF Records

SPF records define which IP addresses and mail servers are authorized to send email on behalf of your domain. Plesk automatically generates the necessary SPF TXT record based on your mail server configuration. You must ensure this record exists in your DNS zone to pass authentication checks.

  1. Stay in the Mail Server page in Plesk.
  2. Look for the SPF section near the top of the page.
  3. Ensure the Enable SPF checkbox is ticked.
  4. Review the generated TXT record string provided by Plesk.

The default SPF record generated by Plesk usually looks like this: default: v=spf1 include:psmta.com ?all. This record allows Plesk's mail transfer agents to send mail. If you use additional third-party services like Google Workspace or Microsoft 365, you must append their specific include directives to this string before saving.

To modify the record, click the Edit link next to the SPF record. Append the necessary include directives (e.g., include:_spf.google.com) to the existing string. Ensure you do not exceed the 254-character limit for SPF records. Click Save to apply the changes.

Step 3: Import DKIM Records to DNS

After generating the keys in Step 1, the next step is to push these records into your DNS management system. Plesk can automate this by directly updating the DNS zone file or by generating a CSV file for import. The method depends on your DNS provider and Plesk's integration capabilities.

  1. Navigate to Domains and select your domain.
  2. Click on the Web Hosting icon, then select Manage DNS.
  3. Look for the section labeled DKIM or Mail Server records.
  4. Click Import from Mail Server or Apply Changes.

If your DNS provider does not allow automatic updates, Plesk will generate a text file containing the new TXT and CNAME records. Download this file and upload it to your DNS hosting provider's control panel. Ensure the selector name (usually mail) matches the value in the CNAME record exactly.

Verify the installation

Once the records are in place, you must verify that they are correctly configured and active. Use a DNS lookup tool to confirm the presence of the TXT records for both SPF and DKIM. This step ensures that external mail servers can retrieve the authentication data.

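Run the following commands in your terminal to check the DNS records. The SPF record is published at the domain name itself, while the DKIM key is published at the selector name under _domainkey, so each needs its own query:

dig +noall +answer TXT your-domain.com
dig +noall +answer TXT mail._domainkey.your-domain.com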

You should see output similar to the following:

your-domain.com.      3600      IN      TXT      "default: v=spf1 include:psmta.com ?all"
mail._domainkey.your-domain.com.  3600  IN  CNAME  mail.your-domain.com
mail._domainkey.your-domain.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Next, use a dedicated verification tool like MXToolbox or a command-line tool to test the actual authentication status. Run this check to see if your domain passes SPF and DKIM validation:

mxtoolbox.com/spf-check?domain=your-domain.com

Ensure the results show "PASS" for both SPF and DKIM. If any checks fail, review the DNS zone for typos or conflicting records.

Troubleshooting

If email delivery issues persist or authentication checks fail, follow these steps to diagnose and resolve the problem.

  1. Check for Multiple SPF Records: A domain must have exactly one SPF record. If you have added records manually and also enabled Plesk's automatic generation, you may have duplicate records. Delete any manual TXT records that duplicate the Plesk-generated one.
  2. Verify DKIM Selector: Ensure the CNAME record for the DKIM selector points to the correct mail server hostname. A mismatch here will cause DKIM failures.
  3. Inspect Mail Server Logs: Check the mail server logs for specific rejection messages. Look for "SPF fail" or "DKIM signature verification failed" errors in the Postfix or Exim logs.
  4. Regenerate Keys: If you suspect the keys are corrupted, go back to the Mail Server settings in Plesk, click Generate again, and re-import the new records into your DNS.
  5. Propagation Delay: DNS changes can take up to 48 hours to propagate globally. If you recently updated records, wait before running verification tools.

After resolving any issues, re-run the verification commands to confirm that the status is now "PASS". Ensure that all outgoing mail is signed correctly and that receiving servers accept the messages.
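
The SPF rules from Step 2 and the first troubleshooting item (exactly one record, the length limit, appended include directives) can be checked mechanically. The Python script below is an added example, not part of the original tutorial or of Plesk; its function names and sample TXT answers are constructed, and it adds two checks from RFC 7208 that this page does not cover: the cap of 10 DNS-querying terms and the qualifier on "all".

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10   # RFC 7208 cap on DNS-querying terms in one SPF evaluation
MAX_LEN = 254      # this tutorial's figure; one DNS TXT string holds at most 255 bytes

def unquote(answer):
    """Join the quoted chunks of one TXT answer as printed by `dig +short TXT`."""
    chunks = re.findall(r'"([^"]*)"', answer)
    return "".join(chunks) if chunks else answer.strip()

def lint_spf(txt_answers):
    """Return a list of problems in a domain's TXT answers (empty list = clean)."""
    values = [unquote(a) for a in txt_answers]
    spf = [v for v in values if re.match(r"v=spf1( |$)", v, re.I)]
    # Receivers only treat a TXT value as SPF when it starts with "v=spf1".
    problems = [f"ignored as SPF, text precedes v=spf1: {v!r}"
                for v in values if "v=spf1" in v.lower() and v not in spf]
    if len(spf) != 1:
        return problems + [f"{len(spf)} SPF records found, exactly one is required"]
    record = spf[0]
    if len(record) > MAX_LEN:
        problems.append(f"record is {len(record)} characters (limit {MAX_LEN})")
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1          # top level only; nested includes add more
        elif name == "all":
            all_qualifier = qualifier
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms (limit {MAX_LOOKUPS})")
    if all_qualifier in ("?", "+"):
        problems.append(f"'{all_qualifier}all' does not mark unlisted senders as failing")
    return problems

# Constructed sample answers (not real DNS data), using the tutorial's include domains.
SAMPLES = {
    "clean": ['"v=spf1 include:psmta.com include:_spf.google.com ~all"'],
    "neutral": ['"v=spf1 include:psmta.com ?all"'],
    "duplicate": ['"v=spf1 include:psmta.com ~all"', '"v=spf1 include:_spf.google.com ~all"'],
    "prefixed": ['"default: v=spf1 include:psmta.com ?all"'],
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(label, lint_spf(answers) or "OK")
```

Pass it the lines printed by dig +short TXT your-domain.com, one list element per answer line.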
