We are running in a testing phase — please be patient and share your feedback.
Setting Up SPF, DKIM and DMARC at Czech Hosting Providers

Setting Up SPF, DKIM and DMARC at Czech Hosting Providers

· 8 min read · Tomas Hojgr · email-security
spf dkim dmarc email-authentication dns

Why Email Authentication Matters at Czech Hosting Providers

Most Czech businesses host their domains with one of three major providers — WEDOS, Forpsi, or Active24. Each has its own admin interface and specific DNS configuration workflow for SPF, DKIM, and DMARC. Generic setup guides often fall short — you need exact DNS record values for your provider.

Since 2024, Google and Yahoo require senders to have email authentication configured. Without it, your emails end up in spam or get rejected. This guide provides exact setup steps for each major Czech hosting provider.

WEDOS

SPF Record

Log in to the WEDOS customer administration and navigate to DNS management for your domain. Create a new TXT record on the root domain:

v=spf1 mx a include:_spf.we.wedos.net -all
  • mx and a — authorize IP addresses from the domain's MX and A records
  • include:_spf.we.wedos.net — authorize WEDOS mail servers
  • -all — reject all other sources (hardfail)

If you also send emails through other services (Google Workspace, Mailchimp, invoicing systems), add their include mechanisms to the same record:

v=spf1 mx a include:_spf.we.wedos.net include:_spf.google.com -all

Important: A domain must have only one SPF record. Two records starting with v=spf1 cause SPF to fail (RFC 7208, section 4.5). Verify with the SPF analyzer that you don't have duplicate records.

DKIM Signing

WEDOS distinguishes two email sending methods, each requiring different DKIM configuration:

Emails sent via PHP mail() (web applications, contact forms)

Add two CNAME records to your DNS:

Name Type Value
key1.wedos-dkim._domainkey CNAME key1.dkim-we.wedos.net
key2.wedos-dkim._domainkey CNAME key2.dkim-we.wedos.net

Emails sent via SMTP (email client — Outlook, Thunderbird)

WEDOS automatically signs emails with a shared DKIM key (shared.dkim-wes1.wedos.net). No configuration needed on your side — signing happens automatically on the SMTP server.

Limitation: A shared DKIM key means the signature is under the WEDOS domain, not yours. This can cause DMARC alignment issues. If you deploy DMARC with a quarantine or reject policy, verify alignment in your DMARC reports.

DMARC Record

Create a TXT record named _dmarc:

v=DMARC1; p=none; rua=mailto:example.com@rua.spfmonitor.com,mailto:dmarc@example.com

If you use the SPF Monitor address (example.com@rua.spfmonitor.com), reports are automatically processed and visualized — no need to parse XML files. Verify with the DMARC analyzer.

DNS changes at WEDOS propagate within 1 hour.

Forpsi

SPF Record

Log in to the Forpsi administration, open your domain management, and navigate to DNS records. Create a TXT record on the root domain:

v=spf1 a mx include:_spf.forpsi.com -all
  • a and mx — authorize IP addresses from A and MX records
  • include:_spf.forpsi.com — authorize Forpsi mail servers

With additional sending services:

v=spf1 a mx include:_spf.forpsi.com include:mailgun.org -all

Verify with the SPF analyzer that you don't have duplicate records.

DKIM Signing

Forpsi supports DKIM signing only for emails sent through smtp.forpsi.com. Emails sent via PHP mail() or other SMTP servers are not DKIM-signed.

Activation steps:

  1. In the Forpsi admin panel, navigate to hosting management
  2. Open the DKIM tab
  3. Click Activate DKIM for your domain

If your domain and hosting are in the same account and you use Forpsi DNS servers, activation is automatic — the TXT record is added to DNS automatically. Confirm by clicking OK.

If your DNS is hosted elsewhere (e.g., Cloudflare), Forpsi displays a TXT record with the hostname and public key value. Manually add this record to your DNS provider. You can choose between 1024-bit or 2048-bit keys — choose 2048 bits for better security.

DNS propagation takes approximately 30 minutes. Verify with the DKIM analyzer.

DMARC Record

Create a TXT record named _dmarc:

v=DMARC1; p=none; rua=mailto:example.com@rua.spfmonitor.com,mailto:dmarc@example.com

Verify with the DMARC analyzer.

Active24

Active24 is now part of the Websupport group. The admin interface and DNS management are gradually being unified, but the setup process remains the same.

SPF Record

Log in to the Active24 customer zone, expand Domains in the left menu, and click DNS Records. Create a TXT record:

  • Name: @ (root domain)
  • TTL: 3600
  • Type: TXT
  • Value:
v=spf1 include:spf.active24.com ~all

The include:spf.active24.com mechanism authorizes Active24 mail servers. With additional services:

v=spf1 include:spf.active24.com include:_spf.google.com ~all

Verify with the SPF analyzer that you don't have duplicate records.

DKIM Signing

Active24 uses a shared DKIM key with the selector a24. If you use Active24 DNS servers and Active24 email services, the DKIM TXT record is usually configured automatically.

If the record is missing, add it manually:

  • Name: a24._domainkey
  • Type: TXT
  • Value: public key found in the Active24 email services administration

Limitation: DKIM signing works only for emails sent through email.active24.com. Numbered variants (email01.active24.com, email02.active24.com) and webmail do not support DKIM.

DKIM record changes at Active24 take effect the following day after server propagation. Verify with the DKIM analyzer.

DMARC Record

Create a TXT record named _dmarc:

v=DMARC1; p=none; rua=mailto:example.com@rua.spfmonitor.com,mailto:dmarc@example.com

Verify with the DMARC analyzer.

Combining a Czech Provider with External Services

A typical scenario: your domain and email are hosted at WEDOS, Forpsi, or Active24, but you also send emails from other services — Google Workspace, Microsoft 365, Mailchimp, an invoicing system, or a helpdesk.

SPF — One Record for All Services

All include mechanisms must be in one SPF record. Example for WEDOS with Google Workspace and Mailchimp:

v=spf1 mx a include:_spf.we.wedos.net include:_spf.google.com include:servers.mcsv.net -all

Watch the 10 DNS lookup limit. Each include consumes at least one lookup. Exceeding the limit causes a PermError and SPF failure. Check your lookup count with the SPF analyzer.

DKIM — Each Service Gets Its Own Key

Each sending service needs its own DKIM configuration. For example, if you send through both Google Workspace and WEDOS, you'll have DKIM records from both services in your DNS — each with a different selector. This is correct; a domain can have multiple DKIM records.

Detailed DKIM setup for Google Workspace and Microsoft 365 is covered in separate articles.

Provider Comparison

WEDOS Forpsi Active24
SPF include _spf.we.wedos.net _spf.forpsi.com spf.active24.com
DKIM type CNAME (PHP mail) / automatic (SMTP) TXT (automatic or manual) TXT (shared key a24)
DKIM key length depends on configuration 1024 or 2048 bits 1024 bits
DKIM selector key1.wedos-dkim / key2.wedos-dkim from admin panel a24
DNS propagation within 1 hour ~30 minutes next day (DKIM)
DKIM limitation shared key for SMTP only for smtp.forpsi.com only for email.active24.com

Common Mistakes and Solutions

Two SPF Records on the Domain

The most common mistake across all providers. An administrator adds a new SPF record for an external service instead of editing the existing one. Result: both records become invalid.

Solution: Check the DNS records for your domain. If you have two TXT records starting with v=spf1, merge them into one.

DKIM Stops Working After DNS Provider Migration

After migrating a domain to different DNS servers (e.g., from the hosting provider to Cloudflare), automatically configured records including DKIM are lost.

Solution: After DNS migration, manually add DKIM records following your email provider's instructions. Verify with the DKIM analyzer.

DMARC Alignment Fails with Shared DKIM

Czech providers often use shared DKIM keys. The email is signed with the provider's domain, not yours — DKIM alignment fails. If SPF is correctly configured, DMARC passes through SPF alignment. Problems arise when SPF also fails (e.g., during email forwarding).

Solution: Deploy DMARC with p=none, monitor DMARC reports, and evaluate whether alignment works. If not, consider migrating to an email service with full custom DKIM support (Google Workspace, Microsoft 365).

Contact Form Emails Not Authenticated

A website contact form sends emails via PHP mail() without a DKIM signature (Forpsi, Active24) or with a shared signature (WEDOS).

Solution: Configure the form to send emails through your provider's SMTP server, or use a transactional email service (SendGrid, Mailgun, Amazon SES) with custom DKIM configuration.

Checklist

  • SPF record added with the correct include for your provider
  • SPF verified with the analyzer — one record, correct syntax, under 10 lookups
  • DKIM activated following your provider's procedure
  • DKIM verified with the analyzer
  • DMARC deployed with p=none and reporting address
  • DMARC verified with the analyzer
  • Test email sent — checked headers for spf=pass and dkim=pass
  • All external sending services included in SPF record
  • Plan for gradual DMARC policy enforcement established
Read in another language: Čeština

Related articles

What Is an SPF Record and Why Do You Need One
spf

What Is an SPF Record and Why Do You Need One

An SPF record protects your domain from being used to send fraudulent emails. Learn how SPF works, how to set it up, and why it's essential for…

· 5 min read
How to Set Up a DKIM Record Step by Step
dkim

How to Set Up a DKIM Record Step by Step

A practical guide to setting up DKIM for your domain. From key generation and DNS publishing to configuring Google Workspace, Microsoft 365, and self…

· 8 min read
How to Set Up a DMARC Record for Your Domain
dmarc

How to Set Up a DMARC Record for Your Domain

Step-by-step guide to setting up a DMARC record. From your first p=none record through report analysis to full protection with p=reject.

· 8 min read