This morning a bug-bounty hunter emailed me with a finding: unboxd.ai had no DMARC record. He was right. I had set up SPF when I first launched, never published DKIM, never published DMARC. Classic founder oversight. The kind of thing you mean to fix and then ship features instead.
I fixed it before lunch. Total cost: zero. Total time: about forty minutes, most of it spent learning that the Namecheap and DigitalOcean docs assume you bought DNS where you bought your domain, which I did not.
This is the walkthrough I wish I had this morning. If your stack is the same as mine (Namecheap Private Email for the mailbox, DigitalOcean for DNS), you can skip the false starts and copy the exact records below.
The 30-second version
- SPF goes in DigitalOcean (wherever your nameservers actually point), value:
v=spf1 include:spf.privateemail.com ~all - DKIM is generated in the Namecheap Private Email panel, then the TXT record gets published in DigitalOcean
- DMARC goes in DigitalOcean, value:
v=DMARC1; p=none; rua=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100 - Catch-all warning: DMARC aggregate reports will pile up wherever your catch-all routes. Use Postmark's free parser or an explicit alias.
- Total cost: zero. Total time: under an hour.
Why this combination is confusing
Most deliverability guides assume one of two clean stacks: Google Workspace (where everything is in the Google admin console) or a single registrar that also runs your DNS (where everything is in one panel). Namecheap as registrar plus DigitalOcean as nameservers is a developer-flavored combination, common but undocumented. The Namecheap support articles tell you to add records "in your DNS panel" without mentioning that the panel you log into might be the wrong one. DigitalOcean's docs assume you already know which records you need.
The first move, before publishing anything, is to confirm which platform actually controls your DNS. The registrar and the nameserver provider can be different companies. Records only take effect at the nameserver provider; records added at the registrar are ignored if you delegated DNS elsewhere.
For a primer on what SPF, DKIM, and DMARC actually do, see the email authentication explained guide. This post assumes you know they are three DNS records that prove your outgoing mail is legitimately yours, and you just need to publish them.
Step 1: Find out which platform runs your DNS
Open a terminal and run:
dig NS yourdomain.com +shortYou will see three or four nameserver hostnames. The pattern tells you who runs DNS:
ns1.digitalocean.com,ns2.digitalocean.com,ns3.digitalocean.com→ DNS lives in DigitalOcean. All records below go there.dns1.registrar-servers.com,dns2.registrar-servers.com→ DNS lives in Namecheap's default DNS. Records go in Namecheap's Advanced DNS panel.*.cloudflare.com→ DNS lives in Cloudflare. Records go there.*.awsdns-*.net/.com/.org/.co.uk→ AWS Route 53. Records go there.
For the rest of this guide I will assume DigitalOcean, since that is the case I just walked through. If your nameservers point somewhere else, the panel changes but the record values are identical.
Step 2: Publish the SPF record
SPF lists the IP addresses and services allowed to send email on behalf of your domain. For a domain that sends only through Namecheap Private Email, the record is one line.
In DigitalOcean: Networking → Domains → yourdomain.com
Add a new record:
- Type: TXT
- Hostname:
@(this means the root of the domain) - Value:
v=spf1 include:spf.privateemail.com ~all - TTL: 3600
Click Create Record.
The ~all at the end is a soft fail. It tells receivers: "anything not from Private Email is suspicious, treat it as such, but do not reject outright." Use this for the first week or two. Once you are confident no other service sends mail as your domain (CRM, contact form on a marketing site, Stripe receipts with a custom From, transactional ESP), you can tighten to -all for a hard fail.
One SPF record. Only one.
A domain can have at most one v=spf1 TXT record. Two records is a configuration error that breaks SPF entirely on most receivers. Before publishing, run dig TXT yourdomain.com +short | grep spf1. If something already exists, edit that one to add include:spf.privateemail.com rather than creating a second. For the full SPF syntax (mechanisms, qualifiers, the 10 DNS lookup limit), see the SPF setup guide.
Verify it published:
dig TXT yourdomain.com +short | grep spf1
"v=spf1 include:spf.privateemail.com ~all"Step 3: Enable DKIM in Namecheap, publish the record in DigitalOcean
DKIM is a cryptographic signature attached to every outbound email. Receivers verify the signature against a public key you publish in DNS. If the signature matches, the message has not been altered in transit and was sent by someone who controls the private key.
Namecheap generates the key pair. You publish the public half.
Part A: get the key from Namecheap
- Log into Namecheap.
- Go to Domain List. Find your domain. Click Manage next to the Private Email product (not the domain itself).
- Scroll to the Email Security section. Under DKIM, click Show DKIM (or enable DKIM if you have not before). Namecheap displays a TXT record with:
- Hostname:
default._domainkey - Value:
v=DKIM1;k=rsa;p=MIIBIjANBgkqhki...(a long string)
- Hostname:
Part B: publish the key in DigitalOcean
- Open DigitalOcean → Networking → Domains → yourdomain.com.
- Add a TXT record:
- Hostname:
default._domainkey - Value: the full
v=DKIM1;k=rsa;p=...string from Namecheap, verbatim - TTL: 3600
- Hostname:
- Save. Wait about ten minutes for propagation.
Verify the key resolved:
dig TXT default._domainkey.yourdomain.com +short
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"...continuation of the key..."If the value comes back as two quoted strings, do not panic. DNS TXT records cap individual strings at 255 characters, so 2048-bit DKIM keys get split into chunks. Receivers concatenate them automatically. The split is a quirk of the wire format, not a bug.
Namecheap does not have a separate "verify" step. The presence of the Remove DKIM button in their panel means it is enabled and they are signing outbound mail. As soon as the key is reachable in DNS, signatures start validating. For more on selectors, key rotation, and provider-specific quirks, see the DKIM setup guide.
Step 4: Publish DMARC at p=none
DMARC ties SPF and DKIM together with two things they do not provide alone: alignment (does the authenticated domain match the visible From: header?) and policy (what should receivers do when alignment fails?). It also opens a reporting channel so you can see who is sending as your domain.
Start in monitor mode. Always.
In DigitalOcean: add another TXT record
- Type: TXT
- Hostname:
_dmarc - Value:
v=DMARC1; p=none; rua=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100 - TTL: 3600
What this record says, tag by tag:
| Tag | What it does |
|---|---|
v=DMARC1 | Protocol version. Required. |
p=none | Monitor mode. Do nothing to failing mail, just report. |
rua=mailto:... | Where to send the daily aggregate reports. |
fo=1 | Send a failure report if SPF or DKIM fails individually (not just when both fail). |
adkim=r, aspf=r | Relaxed alignment for both. Subdomains count as the same organization. |
pct=100 | Apply the policy to 100% of failing messages. Only meaningful once p= moves off none. |
For a full breakdown of every DMARC tag and the difference between p=none, p=quarantine, and p=reject, see the DMARC setup guide.
The catch-all gotcha
Here is the part nobody warns you about. Namecheap Private Email runs a catch-all by default. If you have one mailbox (mine is [email protected]), every address at your domain forwards there. Send an email to [email protected] and it shows up in the catch-all inbox.
That means the moment you publish rua=mailto:[email protected], every DMARC aggregate report from Google, Yahoo, Microsoft, Apple, and the long tail of smaller providers starts piling up in your support inbox. Daily XML attachments. Unreadable without tooling. Annoying within a week.
Two clean ways out:
- Point
rua=at a free DMARC parser. Postmark runs one at dmarc.postmarkapp.com. Sign up, they give you a unique inbound address, you put that address in your DMARC record. They parse the XML into a clean dashboard. Free. No credit card. Most founders pick this. - Override the catch-all. In Namecheap's Private Email panel, you can create explicit routes that win over the catch-all. Route
[email protected]to your personal email or to/dev/null. Keeps reports out of the support inbox.
Either way, the only change is the rua= address inside the DMARC record. Everything else stays the same.
Step 5: Verify with a real email
The dig commands prove the DNS records are reachable. They do not prove your outbound mail is actually authenticated. For that, send a test.
- From your mailbox (say,
[email protected]), send a message to a Gmail account you control. - In Gmail, open the message. Click the three-dot menu → Show original.
- Look at the top of the page. You want all three lines green:
SPF: PASS with IP 198.54.122.105
DKIM: 'PASS' with domain yourdomain.com
DMARC: 'PASS'Or in the raw headers:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=default
spf=pass (google.com: domain of [email protected] designates
198.54.122.105 as permitted sender)
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.comIf DKIM says none or fail, the DNS key has not propagated yet, or the value in DigitalOcean does not match what Namecheap displayed. Click Show DKIM in the Namecheap panel and compare character by character.
For a deeper read on Authentication-Results and what every header field means, see the email headers guide. For a one-shot deliverability score (including blacklist checks, content red flags, and reverse DNS), send a test to mail-tester.com. Aim for 9 or 10 out of 10.
What to do over the next month
You have closed the spoofing window with p=none. You are not yet protected. p=none only collects data, it does not stop anyone. The next month is for hardening.
Weeks 1-2: read the reports
Daily XML reports start arriving within 24 hours. Skim them (or let Postmark do it). What you are looking for: source IPs that pass SPF but not DKIM, or DKIM but not SPF, or neither. Most failures will be from forwarding services (people forwarding your mail to other accounts) or from your own legitimate senders that you missed. If a real sender is failing, fix that first.
Week 3: tighten SPF to -all
If the reports are clean (only Private Email IPs passing, no unknown legitimate senders), change ~all to -all in your SPF record. This tells receivers to hard-fail any message claiming to be from your domain that does not come from Private Email.
Week 4: move DMARC to p=quarantine
Update the DMARC record. Change p=none to p=quarantine. Receivers now route failing messages to the spam folder instead of delivering them.
Watch reports for two more weeks. If nothing legitimate is being quarantined, move to p=reject. At that point your domain is effectively un-spoofable: anyone trying to send mail claiming to be from you, who is not authenticated, gets blocked outright.
Common gotchas
1. You added records in Namecheap's DNS panel instead of DigitalOcean's
If you delegated DNS to DigitalOcean (you saw ns1.digitalocean.com in step 1), Namecheap's Advanced DNS panel is dead weight. Records added there have no effect. Always confirm with dig NS yourdomain.com +short before assuming anything is "published."
2. Two SPF records
A common failure mode: you add the Private Email SPF, but a Google site-verification TXT or another service silently created its own v=spf1 record earlier. Two SPF records is the same as zero. Merge them: one record, with both include: clauses concatenated.
3. DKIM key copied with a line break
Some DNS panels insert a newline or trim trailing characters when you paste a long DKIM value. After publishing, always re-run the dig command. If the returned value does not exactly match what Namecheap shows in Show DKIM, redo the paste.
4. Forgetting that DMARC reports flood the catch-all
Already covered above. Worth repeating because it is the single most common founder annoyance after publishing DMARC. Use Postmark's parser from day one.
5. Adding DMARC before SPF and DKIM both pass
If you publish DMARC at p=quarantine or p=reject before SPF and DKIM are working, your legitimate mail starts landing in spam folders within hours. Always start at p=none. Always verify SPF and DKIM pass on a real test email first. The order is: SPF, DKIM, test, DMARC.
The bigger picture
Email authentication is not optional anymore. Google, Yahoo, and Microsoft enforce SPF, DKIM, and DMARC for bulk senders (over 5,000 messages per day), and even low-volume senders without these records get aggressively filtered. If your transactional mail is landing in spam, missing authentication is the most likely cause before anything else. See the fixing emails going to spam guide for the full diagnostic checklist.
The whole stack costs nothing and takes under an hour. The reason most founders skip it is that the docs are scattered across three companies (registrar, mailbox provider, DNS provider) that do not coordinate. That is the gap this post is trying to close, for the next person doing this on a Namecheap and DigitalOcean stack.
If you run a domain and have not done this yet, the bug-bounty hunter who emailed me is probably going to email you eventually. Better to ship it before he does.
Frequently asked questions
I bought my domain from Namecheap but my DNS is in DigitalOcean. Where do SPF, DKIM, and DMARC records go?
They go wherever your nameservers point. Run dig NS yourdomain.com +short. If you see ns1.digitalocean.com, ns2.digitalocean.com, and ns3.digitalocean.com, DNS is managed in DigitalOcean and that is where all TXT records must be published. The Namecheap DNS panel is ignored. The only thing you do in Namecheap is enable DKIM signing in the Private Email product panel, copy the DKIM key it generates, and paste that into a TXT record in DigitalOcean.
What is the correct SPF record for Namecheap Private Email?
The minimal SPF record for a domain that sends only through Namecheap Private Email is: v=spf1 include:spf.privateemail.com ~all. Publish it as a TXT record on the root domain (hostname @). Use ~all (soft fail) for the first week or two while you confirm there are no other services sending mail as your domain. Once verified, tighten to -all (hard fail). Only one SPF record is allowed per domain. If a v=spf1 record already exists, edit that one to add the include rather than creating a second.
How do I set up DKIM with Namecheap Private Email when DNS lives elsewhere?
Namecheap generates the DKIM key in the Private Email product dashboard. Two steps. First, in the Private Email panel for your domain, enable DKIM. It will display a TXT record with hostname default._domainkey and a v=DKIM1; k=rsa; p=... value. Second, copy that record into your DNS provider (DigitalOcean, Cloudflare, Route53, etc.) verbatim. Wait ten minutes for propagation, then verify with dig TXT default._domainkey.yourdomain.com +short. Namecheap starts signing outbound mail as soon as the key is published.
I have a catch-all mailbox on Namecheap Private Email. Where should my DMARC reports go?
If you point rua= at an address on your own domain, the daily XML reports will flood your catch-all inbox. Two clean options. One: point rua= at a free DMARC parser like Postmark's dmarc.postmarkapp.com. They give you a unique inbound address; reports get parsed into a clean dashboard and your support inbox stays quiet. Two: in your mail provider, create an explicit route for [email protected] that overrides the catch-all and forwards to a different mailbox. Most founders pick option one because raw DMARC XML is hostile to read by hand.
For definitions of every term used in this article (alignment, selector, relaxed vs. strict, ARC, and more), check the email glossary.
