Namecheap Email Authentication Guide

How to set up SPF, DKIM, DMARC, and List-Unsubscribe for Namecheap. Provider-specific DNS records, step-by-step instructions, and the mistakes to avoid.

Check your domain while following this guide

Run a free SPF, DKIM, and DMARC check to see what is passing and what still needs fixing.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

Jump to section

SPF DKIM DMARC List-Unsubscribe Verify Common mistakes

Before you start

  • You need access to the DNS settings for your domain. This is usually at your domain registrar or DNS provider (Cloudflare, Namecheap, GoDaddy, etc.).
  • You need to know which email service sends your mail (Google Workspace, Microsoft 365, etc.) so you can look up the correct SPF and DKIM values for that service.
  • DNS changes take time to propagate. After saving a record, wait at least 15-30 minutes before testing.

SPF Setup for Namecheap

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are allowed to send email on behalf of your domain. Receiving servers check it to decide whether to accept or flag your mail.

Namecheap is a domain registrar and DNS host, not an email sender. The SPF value you need depends entirely on which email service sends your mail. Use @ as the host value in Namecheap's Advanced DNS.

SPF record for Namecheap

Type: TXT    Host/Name: @    Value: v=spf1 include:YOUR-EMAIL-PROVIDER ~all

Steps

  1. Open your DNS provider and look for an existing TXT record at host @ that starts with v=spf1.
  2. If one exists, edit it and add the new include. Never create a second SPF record. If none exists, create a new TXT record at @ with the value above.
  3. For Google Workspace via Namecheap DNS, use v=spf1 include:_spf.google.com ~all. For Namecheap cPanel email (Private Email), use v=spf1 include:namecheap.com ~all.
  4. Use ~all (softfail) while testing. Move to -all (hardfail) only after confirming all legitimate senders are covered.
  5. Save and wait for DNS propagation.
Watch out: Namecheap uses @ for the root domain in the Host field. Entering the full domain name creates the record at the wrong place.

DKIM Setup for Namecheap

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. Receiving servers verify the signature against a public key you publish as a DNS TXT record. A valid DKIM signature proves the message was not altered in transit and that it came from an authorized sender.

Selector for Namecheap: provided by your email service (for example, google for Google Workspace)

Steps

  1. Log in to Namecheap → Domain List → Manage → Advanced DNS.
  2. Click "Add New Record" and select TXT.
  3. In the Host field, enter the full selector subdomain your email provider specifies (for example, google._domainkey for Google Workspace). In the Value field, paste the full key value.
  4. Save and wait 15-30 minutes for propagation, then verify with dig.
Watch out: Namecheap sometimes splits long TXT values at 255 characters in the UI. Verify the published record with dig TXT selector._domainkey.yourdomain.com +short to confirm it resolved as one complete value.

Verify DKIM

  • Send a test email to a Gmail address and open it. Click the three-dot menu → "Show original". Look for dkim=pass in the authentication results.
  • From the command line:
    dig TXT selector._domainkey.yourdomain.com +short
  • Or use the InboxGreen DKIM checker.

DMARC Setup for Namecheap

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It tells receiving servers what to do with mail that fails both checks, and sends you reports about who is sending email on behalf of your domain. DMARC also requires alignment: the domain in your visible From header must match the domain authenticated by SPF or DKIM.

Add DMARC at host _dmarc in Namecheap Advanced DNS. The DMARC record applies to all email from your domain regardless of which provider sends it.

The three-stage approach

StageDNS valueWhen to use it
Monitor v=DMARC1; p=none; rua=mailto:[email protected]; fo=1 Start here. Collects reports without blocking any mail.
Quarantine v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; fo=1 After 2-4 weeks at p=none with clean reports. Sends some failing mail to spam.
Reject v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1 Full protection once SPF and DKIM alignment is verified.

Publish the DMARC record

  1. Create a TXT record at host _dmarc (not @) with the p=none value above.
  2. Replace [email protected] with a real inbox that can receive XML report emails.
  3. Wait for DNS propagation, then verify with dig TXT _dmarc.yourdomain.com +short.
  4. After 2-4 weeks, review the reports and tighten the policy when alignment looks healthy.
Why DMARC fails even when SPF and DKIM pass: DMARC cares about alignment. The domain in the visible From header must match the domain SPF or DKIM authenticated. Forwarded mail and mailing list services often break alignment.

List-Unsubscribe for Namecheap

The List-Unsubscribe header gives inbox providers like Gmail and Outlook a machine-readable way to offer a one-click unsubscribe button. When it is present and valid, Gmail shows an "Unsubscribe" link next to the sender name without the recipient needing to scroll to the bottom of the email. This reduces spam complaints and protects your sender reputation.

How to enable it

  1. In your sending platform or email template, enable the List-Unsubscribe header option. Most platforms (SendGrid, Mailgun, Brevo, Shopify Email) have a toggle or a macro for this.
  2. Use a one-click HTTPS unsubscribe URL as the primary method. Include a mailto: address as fallback.
  3. Add the List-Unsubscribe-Post header to declare one-click support (required by Gmail's February 2024 guidelines for senders above 5,000 messages/day).

Example headers

List-Unsubscribe: <https://yourdomain.com/unsubscribe/TOKEN>, <mailto:[email protected]?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Common mistakes

  • Using a broken or expired token in the unsubscribe URL. Inbox providers test the link periodically.
  • Only providing a mailto: link without a one-click HTTPS URL. Gmail and Outlook prefer the HTTPS method.
  • Not honoring the unsubscribe request immediately. Gmail requires that one-click unsubscribes are processed within two business days.

To verify, send a test email to a Gmail address and look at "Show original". You should see the List-Unsubscribe header in the raw message headers.

Verify All Four Records

After publishing all records, run these checks:

RecordCommandWhat to look for
SPF dig TXT yourdomain.com +short One TXT record starting with v=spf1
DKIM dig TXT selector._domainkey.yourdomain.com +short A TXT record starting with v=DKIM1
DMARC dig TXT _dmarc.yourdomain.com +short A TXT record starting with v=DMARC1
All three InboxGreen Free Check Green pass on SPF, DKIM, and DMARC

Common Mistakes with Namecheap

  • Entering the full domain name in the Host field instead of just <code>@</code> for root records or the subdomain for others.
  • Not verifying that Namecheap published the full TXT value without truncation. Check with <code>dig</code> after saving.
  • Testing too quickly. Wait at least 15-30 minutes after saving before verifying DNS changes.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.

Useful tools

tune SPF Generator tune DMARC Generator verified Badges