SPF and DKIM are email authentication mechanisms that help mail servers verify that an email actually comes from the domain it claims to be from. Without them, your emails are much more likely to be marked as spam or rejected.

SPF – Sender Policy Framework.

Lets mail servers check which servers are allowed to send emails on behalf of your domain. To make it work, publish a TXT record in your domain’s DNS that lists the IP addresses or services allowed to send email for your domain.

v=spf1 include:_spf.google.com include:mx.ovh.com ~all

• v=spf1 – SPF version, mandatory
• include:_spf.google.com – authorize Google Workspace servers to send email on behalf of my domain
• include:mx.ovh.com – authorize OVH’s mail servers to send emails for my domain
• ~all – soft fail, any other not listed servers will be marked suspicious, but delivered (-all is hard fail)

DKIM – Domain Keys Identified Mail

It uses a pair of cryptographic keys:

• Private key: stored on the mail server, used to sign outgoing emails.

• Public key: published in DNS, used by receiving servers (like Gmail) to verify the signature.

When Gmail receives an email from your domain:

• It reads the DKIM signature in the email header.

• It fetches the public key from your DNS.

• If the signature matches, DKIM passes. If it doesn’t → DKIM fails, and Gmail may block or mark the email as spam.

to configure, set up mail server, and configure 2 CNAME records:

CNAME 1: ovhmo2899381-selector1._domainkey.piasecki.it  ovhmo2899381-selector1._domainkey.2779185.op.dkim.mail.ovh.net. 
CNAME 2: ovhmo2899381-selector2._domainkey.piasecki.it  ovhmo2899381-selector2._domainkey.2779184.op.dkim.mail.ovh.net.

CNAME is an alias, or in other words: “when someone looks up this name, go check another domain instead”.

to wrap everything up: SPF verifies which servers are allowed to send emails for your domain. DKIM verifies that email content is authentic and was not tampered.