Email Authentication (DKIM, SPF, DMARC) + MX Records
Your Full DNS “Mailbox” (Hosting Nation cPanel) – Like a House with Signs
| Sign on Mailbox | Meaning |
|---|---|
| A yourdomain.com → 142.44.215.123 | “House is here” |
| CNAME www → yourdomain.com | “www is just a nickname” |
| MX → aspmx.l.google.com (1) | “Send all mail to Google” |
| TXT “v=spf1 include:_spf.google.com ~all” | “Only Google can send from here” |
| TXT google._domainkey → [long code] | “Here’s the key to prove it’s us” |
| TXT _dmarc → p=quarantine | “Fake mail? Spam folder, please” |

| Record | TL;DR |
|---|---|
| A | Tells the internet the IP address of your website |
| CNAME | Says “this name is just an alias for another name” |
| MX | Tells mail servers where to deliver email (@yourdomain.com) |
| TXT | Holds text notes like SPF, DKIM, DMARC, or Google verification |

- Website → Hosting Nation
- Email → Google Workspace
- No spoofing → SPF/DKIM/DMARC
- WordPress mail → WP Mail SMTP → Google
Your domain (yourname.com) is the return address on the envelope.
Criminals love forging that return address to send spam or phishing emails that look like they came from you.
The whole point of SPF + DKIM + DMARC is to make it impossible (or extremely hard) for someone to fake your return address without getting caught.
1. MX Records – “Where do I deliver mail addressed to @yourname.com?”
- This is just the postal address for incoming mail.
- You put MX records in your domain’s DNS that say: Send all email for @yourname.com to Google’s mail servers.
- Google Workspace gives you exactly what to put:
  - Priority 1: aspmx.l.google.com
  - Priority 5: alt1.aspmx.l.google.com
  - Priority 5: alt2.aspmx.l.google.com
  - etc.
- Once you add these, all incoming mail goes to Google, not your cheap shared hosting’s crappy mail server.
Super important: If you’re using Google Workspace, you usually delete any old MX records from your hosting company, otherwise mail still goes to the wrong place.
2. SPF – “Who is allowed to send mail FROM @yourname.com?”
- This is a TXT record in your DNS that lists the “approved senders”.
- It’s literally a list that says:
  “Only these servers are allowed to send email that claims to be from @yourname.com”
- For Google Workspace the record is usually:
  v=spf1 include:_spf.google.com ~all

Translation in plain English:
- include:_spf.google.com = “Google’s mail servers are allowed”
- ~all = “anything else is sketchy, treat it as soft-fail (put it in spam, don’t reject yet)”
If someone in Nigeria tries to send an email to your customers pretending to be you@yourname.com without going through Google’s servers → SPF fails → big red flag.
3. DKIM – “Proof the email actually came from you and wasn’t changed”
- Google signs every outgoing email with a secret key.
- They publish the matching public key in your DNS as a special TXT record (looks like google._domainkey.yourname.com).
- When someone receives your email, their server grabs that public key from your DNS and checks the signature.
- If it matches → “Yep, this really came from Google’s servers and wasn’t tampered with on the way.”
Google Workspace does this automatically once you add the DKIM record they give you in the admin console. You just copy-paste the TXT record into your DNS.
4. DMARC – “What should Gmail/Yahoo/etc do when someone fails SPF or DKIM?”
- This is the boss policy. It’s another TXT record: _dmarc.yourname.com
- Example of a good, safe-but-effective policy:
  v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourname.com; ruf=mailto:dmarc-failures@yourname.com; pct=100; fo=1

Translation:
- p=quarantine = “If SPF or DKIM fails, put it in spam (or reject if you change to p=reject later)”
- rua= = “Send me daily reports of who is trying to fake my domain”
- pct=100 = apply this policy to 100% of emails
- fo=1 = tell me if both SPF and DKIM failed
DMARC is what actually stops the spoofing. Without it, even if SPF/DKIM fail, many servers will still deliver the mail. With DMARC, you force them to spam or reject it.
How It All Works Together in Real Life (Google Workspace Example)
- You send an email from Gmail/Google Workspace → Google adds DKIM signature + sends from their servers (which pass SPF).
- Someone tries to spoof you → their mail fails either:
  - Comes from wrong server → SPF fail
  - Has no DKIM signature or wrong one → DKIM fail
- Receiving server sees your DMARC policy that says “quarantine or reject if either fails” → message goes to spam or gets bounced.
- You get beautiful reports showing exactly who is trying to impersonate you.
Where Do You Actually Put These Records?
- Whoever controls your domain’s DNS:
  - GoDaddy, Namecheap, Cloudflare, Google Domains, your hosting provider (cPanel, Plesk, etc.)
- If your domain points to shitty shared hosting (Bluehost, HostGator, etc.), they usually have a DNS editor.
- If you use Cloudflare → even better, super easy.
Typical setup order when moving to Google Workspace:
- Add Google’s MX records (and delete old ones)
- Wait 1–48 hours for propagation
- Turn on DKIM in Google Workspace admin → add the TXT record they give you
- Add SPF record (include:_spf.google.com ~all)
- Add DMARC record (start with p=none to monitor, then p=quarantine, then p=reject after a week or two when you’re sure it’s working)
That’s literally it. Once all three (SPF + DKIM + DMARC) are set up properly, almost no one can successfully spoof your domain anymore. Your emails also get better delivery rates because Gmail, Outlook, etc. trust you more. You’re now basically un-spoofable. Congrats.
Your Exact Setup: Domain @ GoDaddy + Hosting @ HostingNation.ca + Email @ Google Workspace
This is an extremely common Canadian setup — tons of people do exactly this. Hosting Nation is a solid little BC-based cPanel host, domain at GoDaddy, email on Google. It works perfectly.
There are two possible ways this is actually configured in the real world. One is way more common with Hosting Nation customers.
The Way 99% of Hosting Nation Customers Do It (Nameservers pointed to Hosting Nation)
You (or they) changed the nameservers at GoDaddy to Hosting Nation’s nameservers. In GoDaddy → your domain → Nameservers → it says:
- ns1.hostingnation.ca
- ns2.hostingnation.ca
(or whatever their current ones are — they sometimes change, but it’s always their own).
This is the easiest way for them because when you add the domain to your Hosting Nation cPanel account, everything “just works” for the website without you touching any A records.
What your DNS records look like inside Hosting Nation’s cPanel → Zone Editor:

| Type | Name | Value / Points to | Priority | TTL |
|---|---|---|---|---|
| A | yourdomain.com. | 192.168.XXX.XXX (their shared server IP) | - | 14400 |
| A | cpanel | same IP | | |
| A | webmail | same IP | | |
| A | whm | same IP | | |
| CNAME | www | yourdomain.com. | | |
| CNAME | mail | yourdomain.com. (usually left but doesn't matter) | | |
| MX | yourdomain.com. | aspmx.l.google.com. | 1 | 14400 |
| MX | yourdomain.com. | alt1.aspmx.l.google.com. | 5 | |
| MX | yourdomain.com. | alt2.aspmx.l.google.com. | 5 | |
| MX | yourdomain.com. | alt3.aspmx.l.google.com. | 10 | |
| MX | yourdomain.com. | alt4.aspmx.l.google.com. | 10 | |
| TXT | yourdomain.com. | "v=spf1 include:_spf.google.com ~all" | | 14400 |
| TXT | google._domainkey | "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCA..." (super long string from Google) | | |
| TXT | _dmarc | "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; fo=1" (or whatever policy you set) | | |
| (Optionally) TXT | yourdomain.com. | "google-site-verification=xxxxxxxxxxxx" (if Google asked for it during setup) | | |

| Type | Name | Value / Points to | Priority |
|---|---|---|---|
| A | @ | 192.168.XXX.XXX (Hosting Nation server IP) | |
| CNAME | www | yourdomain.com. (or sometimes directly to a hostname they give like server123.hostingnation.ca) | |
| MX | @ | aspmx.l.google.com. | 1 |
| MX | @ | alt1.aspmx.l.google.com. | 5 |
| ... | | (same Google MX as above) | |
| TXT | @ | v=spf1 include:_spf.google.com ~all | |
| TXT | google._domainkey | (the DKIM one) | |
| TXT | _dmarc | (your DMARC policy) | |

Important Real-World Notes for Hosting Nation Specifically
- They have a help article literally called “Google Suite domain setup” (it’s old, still says G Suite, but same thing) that tells you exactly which MX records to add in their Zone Editor.
- If your WordPress/site contact forms or cron jobs send email, they will come from Hosting Nation’s server → SPF will soft-fail (~all) and sometimes land in spam. Fix = either:
  - Add the server IP to your SPF:
    v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com ~all
    (get the IP from cPanel main page)
  - Or install an SMTP plugin (WP Mail SMTP, FluentSMTP, etc.) and make it use your Google Workspace credentials → then everything goes through Google and SPF/DKIM passes perfectly.
No — you do not need to add Hosting Nation’s IP to your SPF record if you’re using WP Mail SMTP (or any SMTP plugin) and you’ve configured it to send through Google Workspace.
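
The soft-fail and both fixes described above, worked through with a small SPF evaluator (an added example, not code from the original page, Hosting Nation or Google). The `ZONE` contents, both IP addresses and the assumption that the site's mail uses an @yourdomain.com envelope sender are constructed for illustration; only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline. The addresses are
# documentation ranges, NOT Google's real netblocks or a real server IP.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
WP_SERVER_IP = "192.0.2.10"    # hypothetical shared-hosting server
GOOGLE_IP = "198.51.100.25"    # inside the constructed netblock above
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, zone, depth=0):
    """Evaluate ip4 / include / all left to right (a subset of RFC 7208)."""
    record = zone.get(domain, "")
    if depth > 10:
        return "permerror"          # guard against include loops
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ipaddress.ip_address(ip) in net
        elif name == "include":
            # include matches only if the nested check returns "pass"; the
            # nested record's own ~all never becomes the outer result.
            matched = check_spf(ip, arg, zone, depth + 1) == "pass"
        else:
            continue                # a, mx, exists, ... are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def wordpress_scenarios():
    fixed = dict(ZONE)
    fixed["yourdomain.com"] = f"v=spf1 ip4:{WP_SERVER_IP} include:_spf.google.com ~all"
    return {
        "form mail sent by the web server": check_spf(WP_SERVER_IP, "yourdomain.com", ZONE),
        "same mail after adding ip4:": check_spf(WP_SERVER_IP, "yourdomain.com", fixed),
        "same mail relayed through Google": check_spf(GOOGLE_IP, "yourdomain.com", ZONE),
    }
```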