Key Takeaways
- DreamHost automatically adds an SPF record for your domain: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all. If you only send email through DreamHost, no changes are needed.
- Adding a custom SPF record in DreamHost automatically removes the default record. If you add Google Workspace’s SPF without including DreamHost’s mechanisms, DreamHost email breaks immediately.
- DreamHost auto-generates DKIM for domains using DreamHost email, but emails sent via PHP mail (WordPress contact forms) bypass DKIM entirely. Use SMTP to fix this.
- In 2025–2026, Google, Yahoo, Microsoft, and Apple all require SPF + DKIM + DMARC for bulk senders. PCI DSS v4.0 mandates all three as anti-phishing controls.
- SPF records drift as you add services. Continuous monitoring via DMARC aggregate reports catches failures before your users or customers notice.
Your domain is on DreamHost, emails are going out, but client replies land in spam, your WordPress contact form submissions vanish, and Google Workspace emails bounce back with authentication errors.
The root cause is almost always email authentication, specifically, an SPF record that’s missing, incomplete, or misconfigured after adding a third-party email service.
DreamHost handles SPF better than most hosting providers. It auto-generates a working SPF record for every domain.
However, the moment you customize the record, to add Google Workspace, Mailchimp, or any other sending service, DreamHost silently removes its default record. If you don’t include DreamHost’s own mechanisms in the replacement, your DreamHost-hosted email stops authenticating abruptly.
This guide walks through how DreamHost handles SPF, DKIM, and DMARC by default, how to configure each for single-sender and multi-sender setups, the DreamHost-specific behaviors that break email silently, and how to verify and monitor everything continuously.
What Is the Default DreamHost SPF Record?
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are permitted to send email from your domain. Receiving servers check this record to decide whether incoming email is legitimate or potentially spoofed.
DreamHost automatically adds the following SPF record to every domain using DreamHost email:
v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all
Here’s what each part of the SPF record does:
| Mechanism | What It Authorizes |
|---|---|
| mx | Whatever server handles the domain’s incoming mail is also authorized to send |
| include:netblocks.dreamhost.com | DreamHost’s mail server IP ranges |
| include:relay.mailchannels.net | MailChannels — DreamHost’s outbound relay partner for deliverability |
| -all | Hard fail: reject any sender not listed above |
If you only send email through DreamHost and don’t use any third-party email services, this default record is complete. You don’t need to change anything.
Use the free PowerDMARC SPF Checker to verify your DreamHost default record is live. Enter your domain and, within seconds, it shows the record, syntax validation, DNS lookup count, and every mechanism listed.
The DreamHost behavior you need to know before making any changes:
Adding a custom SPF record in DreamHost automatically removes the default record. This is one of the most common causes of email authentication failures on DreamHost. If you add a custom record containing only include:_spf.google.com -all, you’ve just de-authorized DreamHost’s own mail servers, and every email sent through DreamHost will fail SPF from that moment forward.
If you delete your custom SPF record, DreamHost restores the default automatically. This is useful as a fallback if something breaks.
How to Add or Edit an SPF Record in DreamHost
You only need to modify the SPF record if you send email through services besides DreamHost, such as Google Workspace, Mailchimp, SendGrid, HubSpot, or any other third-party sender.
Step 1: Identify All Your Sending Sources
List every system that sends email as your domain. Common sources for DreamHost users:
- DreamHost email → include:netblocks.dreamhost.com include:relay.mailchannels.net
- Google Workspace → include:_spf.google.com
- Mailchimp → include:servers.mcsv.net
- SendGrid → include:sendgrid.net
- HubSpot → include:_spf.hubspot.com
- Zoho Mail → include:zoho.com
- Other providers → check the vendor’s SPF documentation for their include: value
Not sure which services send email as your domain?
PowerDMARC’s DMARC aggregate reports reveal every sending source, including legitimate and unauthorized, within 72 hours of deployment. This is the most reliable discovery method, especially for domains with shadow IT senders that marketing or sales adopted without telling anyone.
Step 2: Build One Combined SPF Record
Merge all sending sources into a single SPF record. You can only have one SPF TXT record per domain because multiple records cause PermError and break authentication for all senders.
| Setup | SPF Record |
|---|---|
| DreamHost only | v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all |
| DreamHost + Google | v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.google.com -all |
| DreamHost + Google + Mailchimp | v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.google.com include:servers.mcsv.net -all |
| DreamHost + Google + Mailchimp + SendGrid | v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all |
Monitor the lookup count. Every include: mechanism triggers one or more DNS lookups (including nested includes), but SPF is capped at 10 total lookups per RFC 7208. DreamHost’s default mechanisms already consume 3–4 lookups. Add Google (2–3), Mailchimp (1–2), and SendGrid (1–2) and you’re at 8–11, potentially over the limit.
Use the PowerDMARC SPF Generator to build the combined record correctly. It validates syntax, counts lookups including nested includes, and warns you before you hit the 10-lookup limit. If you’re already over 10, PowerSPF auto-flattens include: chains into ip4: entries and keeps the record updated when vendors change IPs, with no manual DNS edits required.
Step 3: Add the Record in DreamHost Panel
These steps assume your nameservers are pointing to DreamHost. If they’re pointing to Cloudflare or another provider, add the TXT record there instead because DreamHost panel DNS is ignored when nameservers point elsewhere.
- Navigate to Manage Websites.
- Click the vertical 3 dots button under your domain → select DNS Settings.
- Click Add Record → hover over TXT Record → click ADD.
- Host: leave blank for the root domain (or enter a subdomain if needed).
- TXT Value: paste your combined SPF string.
- Click Add Record to save.
This action removes DreamHost’s default SPF record. Your combined record MUST include DreamHost’s mechanisms (netblocks.dreamhost.com and relay.mailchannels.net) if you still send any email through DreamHost. Double-check before saving.
Step 4: Verify the Record
- Wait 15 minutes to 6 hours for DreamHost DNS propagation (DreamHost’s KB says to allow up to 6 hours).
- Re-run the PowerDMARC SPF Checker to confirm the record resolves correctly and the lookup count is under 10.
- Send a test email to a personal Gmail account. Open the message → click “Show original” → look for spf=pass in the Authentication-Results header.
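A pre-flight check for the combined record from Steps 2 and 3, run before you click Add Record. This is an added example, not DreamHost or PowerDMARC code: the function names are hypothetical, and SAMPLE_ZONE is a constructed offline stand-in for live DNS answers (the nested example.net names and IP ranges are placeholders).

```python
import re

# Constructed, offline stand-in for DNS TXT lookups. The nested example.net names and
# all IP ranges are placeholders; resolve the real records before trusting a count.
SAMPLE_ZONE = {
    "netblocks.dreamhost.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "relay.mailchannels.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": "v=spf1 include:_nb1.example.net include:_nb2.example.net ~all",
    "_nb1.example.net": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_nb2.example.net": "v=spf1 ip4:203.0.113.128/25 ~all",
}
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# DreamHost's own mechanisms, as listed in this guide.
DREAMHOST_REQUIRED = ("include:netblocks.dreamhost.com", "include:relay.mailchannels.net")
LOOKUP_LIMIT = 10

GOOGLE_ONLY = ["v=spf1 include:_spf.google.com -all"]
MERGED = ["v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net "
          "include:_spf.google.com -all"]


def count_lookups(record, zone, path=()):
    """Count lookup-costing terms, following include:/redirect= targets found in zone."""
    total = 0
    for term in record.lower().split()[1:]:          # skip the v=spf1 version tag
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?"))
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        name, target = m.groups()
        # path holds the include chain so far, which stops circular includes.
        if name in ("include", "redirect") and target and target not in path:
            total += count_lookups(zone.get(target, "v=spf1"), zone, path + (target,))
    return total


def preflight(root_txt_records, zone, sends_via_dreamhost=True):
    """Return (lookup_count, problems) for the TXT records that would sit at the root."""
    spf = [r for r in root_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return 0, [f"found {len(spf)} v=spf1 records, need exactly 1"]
    terms = spf[0].lower().split()
    problems = []
    if sends_via_dreamhost:
        # The custom record replaces DreamHost's default, so these must be restated.
        problems += [f"missing {m}" for m in DREAMHOST_REQUIRED if m not in terms]
    lookups = count_lookups(spf[0], zone)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return lookups, problems


if __name__ == "__main__":
    for candidate in (GOOGLE_ONLY, MERGED, GOOGLE_ONLY + MERGED):
        print(candidate, "->", preflight(candidate, SAMPLE_ZONE))
```

The lookup counts are only as accurate as the zone data: replace SAMPLE_ZONE with freshly resolved TXT records for each include target before relying on the total.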
Google Workspace Edge Case
DreamHost’s panel makes the SPF field uneditable when Google Workspace is configured through DreamHost’s integration. However, you can use DreamHost’s custom DNS record path (Add Record → TXT) instead of the auto-configured field. If your nameservers are on Cloudflare, add the TXT record directly in Cloudflare’s DNS dashboard so that it bypasses DreamHost’s restriction entirely.
How to Verify and Set Up DKIM on DreamHost
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing receiving servers to verify the message wasn’t altered in transit.
DreamHost Auto-Generates DKIM
If you’re using DreamHost-hosted email, DKIM is already configured:
- DreamHost automatically creates DKIM DNS records for all domains and subdomains using DreamHost email.
- The records are visible in your DNS Settings, identifiable by _domainkey in the record name (type: TXT).
- DreamHost supports 2048-bit DKIM keys.
- Every email sent via SMTP through DreamHost’s mail server is automatically signed.
Use the PowerDMARC DKIM Checker to verify the key is published and valid. Enter your domain and selector (typically yourdomain.com._domainkey for DreamHost-hosted email) to confirm.
When DKIM Is NOT Applied (Critical Gap)
Emails sent via Sendmail or PHP Mail are NOT DKIM signed. This includes WordPress contact forms that use PHP’s mail() function, which is the default for most WordPress form plugins. These emails bypass DreamHost’s SMTP server entirely, so the DKIM private key is never applied to the message.
This is the most common reason WordPress site owners on DreamHost find their contact form emails landing in spam. The form works, and sends the email, but without DKIM (and often without proper SPF alignment), receiving servers flag it as suspicious.
Fix: Install the WP Mail SMTP plugin (or similar). Configure it to send all site-generated email through DreamHost’s SMTP server (mail.yourdomain.com, port 465 with SSL or port 587 with TLS). This routes email through the mail server, which applies the DKIM signature automatically.
If Your Nameservers Are NOT on DreamHost
If you’re using Cloudflare, Route 53, or another DNS provider but DreamHost handles your email, you need to copy the DKIM DNS records from DreamHost’s panel and add them manually at your DNS provider.
Copy the DKIM key carefully without any spaces anywhere in the key string. DreamHost’s panel will accept records with spaces, but the emails will fail DKIM verification if the published key contains any whitespace.
If You Use a Third-Party Mail Provider
If Google Workspace, Zoho, or another service handles your email (not DreamHost), that provider manages DKIM signing. Get their DKIM public key and selector, then add the corresponding TXT record in DreamHost’s DNS Settings (or your external DNS provider). Follow the provider’s documentation for the exact selector format and key value.
How to Set Up a DMARC Record on DreamHost
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It checks that at least one of them passes AND aligns with the visible From: domain, then tells receiving servers what to do when authentication fails. Without DMARC, SPF and DKIM exist but nobody enforces them.
Use the PowerDMARC DMARC Generator to create your record. Select your policy level, add reporting email addresses, and copy the generated TXT value.
Step-by-Step in DreamHost Panel
Before adding DMARC, make sure SPF and DKIM are already configured and working. DreamHost’s own blog recommends waiting 48 hours after SPF and DKIM setup before publishing the DMARC record.
- Navigate to Manage Websites → DNS Settings → click Add Record → TXT.
- Host: _dmarc
- TXT Value:
v=DMARC1; p=none; rua=mailto:[email protected];ruf=mailto:[email protected]; pct=100
- Click Add Record to save.
DreamHost recommends creating two separate email addresses for DMARC reports (aggregate and forensic), since you may receive a large volume. Alternatively, point rua= to PowerDMARC’s ingestion address and skip the email noise entirely so that the reports go directly to a visual dashboard.
The Phased Rollout Plan
DMARC should not be deployed at p=reject on day one. A staged approach prevents you from accidentally blocking legitimate email:
| Phase | Policy | What Happens |
|---|---|---|
| Weeks 1–4 | p=none | Monitor only. Collect DMARC aggregate reports. Identify all legitimate senders and fix any authentication failures. |
| Weeks 5–8 | p=quarantine | Unauthenticated email goes to spam. Verify that all legitimate senders now pass. Watch reports for false positives. |
| Week 9+ | p=reject | Full enforcement. Unauthorized email is rejected outright. Your domain is now protected from spoofing. |
To update the policy, edit the _dmarc TXT record in the DreamHost panel (click the pencil icon next to the record) and change p=none to p=quarantine, then eventually to p=reject.
Raw DMARC XML reports are unreadable without tooling. PowerDMARC ingests them automatically and surfaces visual analytics: per-source pass/fail rates, SPF and DKIM alignment status, unauthorized sender detection, and trend lines.
Common DreamHost Email Authentication Issues (and Fixes)
Every scenario below follows the same diagnostic flow: Symptom → Cause → Fix.
DreamHost Emails Go to Spam After Adding Google Workspace SPF
- Symptom: Emails sent from DreamHost-hosted mailboxes land in spam or bounce. Google Workspace emails work fine.
- Cause: The custom SPF record was added with only Google’s include (include:_spf.google.com -all), which auto-removed DreamHost’s default record. DreamHost mail servers are no longer authorized.
- Fix: Merge into one record that includes both DreamHost and Google mechanisms:
- v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.google.com -all
WordPress Contact Form Emails Fail SPF/DKIM
- Symptom: Contact form submissions never arrive, or land in the recipient’s spam folder. Direct emails from the same domain work fine.
- Cause: WordPress is using PHP’s mail() function instead of SMTP. PHP mail doesn’t route through DreamHost’s mail server, so SPF alignment fails and DKIM is never applied.
- Fix: Install WP Mail SMTP plugin. Configure it to send via DreamHost’s SMTP server (mail.yourdomain.com, port 465 SSL or 587 TLS, with your DreamHost email credentials). This ensures every site-generated email is authenticated.
SPF PermError: Too Many DNS Lookups
- Symptom: SPF checker returns PermError. Some or all email fails authentication.
- Cause: The combined SPF record with DreamHost + Google + Mailchimp + SendGrid + other services exceeds the 10 DNS lookup limit. DreamHost’s default mechanisms alone use 3–4 lookups, so adding 3–4 third-party includes pushes you over.
- Fix: Audit the lookup count with an SPF checker that counts nested includes. Remove stale includes for services you no longer use. Replace include: with direct ip4: entries where vendor IPs are stable. Route high-volume senders through subdomains (each gets its own 10-lookup budget). Or use PowerSPF for automated flattening.
Emails Bounce From Gmail With “Unauthenticated” Error
- Symptom: Gmail rejects your emails with a “message not authenticated” bounce. SPF and DKIM records look correct in the DreamHost panel.
- Cause: Your nameservers are pointing to Cloudflare (or another provider), but your SPF and DKIM records were only added in DreamHost’s panel. When nameservers don’t point to DreamHost, DreamHost’s DNS is invisible to the rest of the internet.
- Fix: Add all email authentication DNS records (SPF TXT, DKIM TXT, DMARC TXT) in Cloudflare’s DNS dashboard, not in the DreamHost panel. Copy the records from DreamHost and publish them where your nameservers actually point.
DMARC Fails Even Though SPF and DKIM Pass Individually
- Symptom: Message headers show spf=pass and dkim=pass, but dmarc=fail.
- Cause: Alignment failure. DMARC requires that the domain in the SPF check (envelope sender / Return-Path) OR the DKIM signature (d= tag) matches the visible From: header domain. If your envelope sender is an address at dreamhost.com but your From: header is an address at yourdomain.com, SPF passes for dreamhost.com but doesn’t align with yourdomain.com.
- Fix: Ensure the envelope sender domain and DKIM signing domain both match the From: address domain. For DreamHost-hosted email, this typically works automatically. For third-party senders, configure them to use your domain as the envelope sender (most ESPs offer custom return-path configuration).
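The alignment rule above, worked through on an Authentication-Results header in both relaxed and strict modes. This is an added example, not DreamHost or PowerDMARC code: the headers are constructed, the function names are hypothetical, and a four-entry suffix set stands in for the Public Suffix List that real evaluators use.

```python
import re

# Assumption: a tiny constructed suffix set replaces the Public Suffix List,
# which real DMARC evaluators use to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed headers: spf and dkim both pass, but for different domains.
BROKEN = ("Authentication-Results: mx.example.net; "
          "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@dreamhost.com; "
          "dkim=pass header.d=dreamhost.com; dmarc=fail header.from=yourdomain.com")
FIXED = ("Authentication-Results: mx.example.net; "
         "spf=pass smtp.mailfrom=bounce@mail.yourdomain.com; "
         "dkim=pass header.d=yourdomain.com; dmarc=pass header.from=yourdomain.com")


def org_domain(domain):
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def parse_auth_results(header):
    """Return [(method, result, {property: value})] from an Authentication-Results line."""
    body = re.sub(r"\([^)]*\)", "", header)       # drop parenthesised comments
    out = []
    for part in body.split(";")[1:]:              # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out


def dmarc_verdict(header, from_domain, strict=False):
    """Recompute DMARC: a pass needs one mechanism that both passes and aligns."""
    results = parse_auth_results(header)
    spf_ok = any(r == "pass" and aligned(p.get("smtp.mailfrom", "").rpartition("@")[2],
                                         from_domain, strict)
                 for m, r, p in results if m == "spf")
    dkim_ok = any(r == "pass" and aligned(p.get("header.d", ""), from_domain, strict)
                  for m, r, p in results if m == "dkim")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


if __name__ == "__main__":
    for name, header in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, dmarc_verdict(header, "yourdomain.com"))
```

Pass the domain from the message's visible From: header as from_domain; with strict=True, a Return-Path on a subdomain such as mail.yourdomain.com no longer aligns for SPF.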
Stop guessing which source is failing and why. PowerDMARC’s aggregate report dashboard shows per-IP, per-source authentication results across every receiver that processes your mail. Identify the exact failure, fix it, and confirm the fix, all from one screen.
How to Verify Your DreamHost Email Authentication Is Working
After setting up SPF, DKIM, and DMARC, run through this checklist to confirm everything is live and passing:
- Send a test email to a personal Gmail account. Open the email → click “Show original” → confirm SPF: PASS, DKIM: PASS, and DMARC: PASS all appear in the header.
- Run the PowerDMARC SPF Checker to verify that the record resolves, syntax is valid, and lookup count is under 10.
- Run the PowerDMARC DKIM Checker with your selector (yourdomain.com._domainkey for DreamHost, or whatever selector your third-party provider uses), and confirm the key is published and the signature length is 2048-bit.
- Run the PowerDMARC DMARC Checker to confirm that the _dmarc TXT record is live, the policy is set correctly, and the rua/ruf addresses are valid.
- After 72 hours, check DMARC aggregate reports. These show real-world pass/fail rates across all receivers (Gmail, Yahoo, Microsoft, etc.), not just one test message. This is where you’ll see if any sending source is failing that your test didn’t catch.
Run PowerDMARC’s free Domain Analyzer scan. It checks SPF, DKIM, DMARC, BIMI, MTA-STS, and overall email security posture in a single scan. Get an instant A+ to F grade for your DreamHost domain.
DreamHost Email Authentication Best Practices
Setting up SPF, DKIM, and DMARC is only the starting point. Long-term email deliverability on DreamHost depends on maintaining clean authentication records, monitoring for configuration drift, and aligning your sending practices with evolving mailbox provider requirements.
- Always include DreamHost’s mechanisms (netblocks.dreamhost.com and relay.mailchannels.net) when adding custom SPF. The auto-removal behavior catches most users off guard.
- Use SMTP for all site-generated email. WordPress contact forms, WooCommerce order notifications, and membership confirmations should route through SMTP to ensure DKIM signing.
- SPF treats subdomains separately. If blog.yourdomain.com or shop.yourdomain.com sends email, each needs its own SPF record. Subdomain records don’t inherit from the parent domain.
- Deploy DMARC in phases: p=none first, monitor reports via PowerDMARC, then enforce. Going straight to p=reject without monitoring risks blocking legitimate email.
- Audit your SPF record quarterly and immediately after adding any new email-sending service. Vendors change IP ranges, marketing teams adopt new tools, and records drift.
- If nameservers are on Cloudflare or another external provider, all email DNS records (SPF, DKIM, DMARC) must be added there, not in the DreamHost panel. DreamHost’s DNS is ignored when nameservers point elsewhere.
Stop troubleshooting DreamHost email authentication blindly. PowerDMARC helps you monitor SPF, DKIM, and DMARC in real time, detect silent failures before deliverability drops, and keep your records compliant as you add new sending services.
Frequently Asked Questions
What is the default SPF record for DreamHost?
v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all. DreamHost adds this automatically for all domains using DreamHost email. No manual setup is needed if DreamHost is your only email sender.
How do I combine DreamHost SPF with Google Workspace?
Create one merged record that includes both sets of mechanisms:
v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.google.com -all
Adding only Google’s SPF removes DreamHost’s default record, which breaks DreamHost email. Always include both.
Does DreamHost set up DKIM automatically?
Yes, for domains using DreamHost-hosted email with SMTP. The DKIM record is created automatically and emails are signed when sent through DreamHost’s mail server. However, emails sent via PHP mail (WordPress contact forms without SMTP) are NOT DKIM signed. Install WP Mail SMTP to fix this.
Why are my DreamHost emails going to spam?
The most common causes include a missing or incorrect SPF record (especially after adding a third-party sender, which removes DreamHost’s default), DKIM not being applied because email is sent via PHP mail instead of SMTP, no DMARC record being published, or nameservers pointing to Cloudflare while the DNS records exist only in the DreamHost panel. Run a free scan with PowerDMARC’s Domain Analyzer to identify exactly what’s failing.
Can I have two SPF records on DreamHost?
No. RFC 7208 mandates a single SPF TXT record per domain. If two records starting with v=spf1 exist, SPF returns PermError and all authentication fails. Merge all authorized senders into one record.
- How to Set Up SPF, DKIM, and DMARC on DreamHost - May 22, 2026
