SPF, DKIM, and DMARC: Needed For Email Deliverability

January 24, 2024 by Emily Parker in Business, Web Development

In light of the recent announcement by Google and Yahoo that, starting in February 2024, they will enforce requirements that bulk email senders must have a DMARC policy in place, comes this comprehensive guide to understanding email deliverability, who is affected by the new requirements, and how you can bring your business into compliance.

Email providers, especially Google and Yahoo, require these DNS records to ensure safety and prevent spoofing. Properly configured DNS records not only enhance email security but also contribute to the reliable delivery of messages, minimizing the risk of emails being marked as spam or phishing attempts by the stringent filters employed by these providers.

Email remains a cornerstone of digital communication for businesses and individuals alike. However, the effectiveness of email campaigns and the overall deliverability of messages can be significantly impacted by various factors. As a cutting-edge web development firm, we understand the critical importance of ensuring that your emails not only reach their intended recipients, but also land in their inboxes rather than in their SPAM folders.

This article sheds light on three essential components that play a pivotal role in enhancing email deliverability: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These authentication protocols serve as a robust defense against phishing attacks, improve your brand's credibility, and ultimately contribute to a more reliable and trustworthy email communication channel.

Why Are SPF, DKIM, & DMARC Records Needed To Ensure Emails Are Delivered?

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records, all published in your domain's DNS (Domain Name System), play crucial roles in ensuring the successful delivery of emails. Let's delve into what each of these components is, why it is necessary, and how it works:

SPF (Sender Policy Framework): SPF is a list of servers and services that are authorized to send email via your domain.

SPF helps in authenticating the sender of an email by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. This prevents malicious actors from forging the sender's address, reducing the likelihood of phishing attempts and spam. SPF compares the sending mail server's address to the list of authorized sending servers/addresses the sender publishes in the SPF record.

DKIM (DomainKeys Identified Mail): DKIM is a cryptographic seal that lets receivers verify that the content of your email hasn't been altered in transit.

DKIM adds a digital signature to outgoing emails, providing a cryptographic proof of the sender's identity and ensuring the integrity of the message content. Recipients can verify this signature to confirm that the email has not been tampered with during transit, enhancing trust in the sender.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is a policy that tells servers how to handle unauthorized emails sent via your domain; the choices being "quarantine", "reject", or "do nothing."

DMARC is an email authentication protocol that enhances the security of email communication by allowing domain owners to specify how email receivers should handle messages that fail authentication checks based on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

In summary, SPF, DKIM, DMARC and DNS records collectively contribute to the authentication, integrity, and reliable delivery of emails. By implementing these protocols, businesses can establish a secure and trustworthy communication channel, protect their brand reputation, and reduce the risk of emails being marked as spam or phishing attempts. It's a comprehensive approach to enhancing email deliverability and ensuring that legitimate messages reach their intended recipients.

What Are The Key Components of DMARC?

Key components of DMARC include:

  • Domain-based Authentication: DMARC builds on SPF and DKIM to provide a domain-based authentication framework. It allows domain owners to declare their authentication policies and provides a mechanism for email receivers to verify the authenticity of incoming emails.
  • Policy Enforcement: DMARC enables domain owners to set policies for how receivers should handle emails that fail SPF or DKIM checks. These policies include "none" (monitor only), "quarantine" (mark as spam), or "reject" (do not deliver). This allows domain owners to control the handling of unauthorized or suspicious emails.
  • Reporting Mechanism: DMARC provides a reporting mechanism that allows email receivers to send feedback to domain owners about the results of email authentication checks. These reports include information about legitimate and fraudulent emails, aiding domain owners in monitoring and improving their email authentication practices.
  • Phishing Protection: By implementing DMARC, organizations can significantly reduce the risk of phishing attacks and email spoofing. It adds an additional layer of security by ensuring that only authorized senders can use a domain, thereby protecting the brand's reputation.

Overall, DMARC is a valuable tool in the fight against email-based threats, providing a standardized way for organizations to authenticate their emails, set policies for email handling, and receive valuable feedback through reporting mechanisms. It is widely adopted to enhance email security, prevent domain abuse, and build trust in digital communication.

Will I Be Affected By The New DMARC Regulations?

If your business sends more than 5,000 messages per day into either Google or Yahoo inboxes, your email domain must have a DMARC policy in place in your DNS, or your emails will no longer be delivered. This includes messages sent on your behalf by third parties, such as Constant Contact, ActiveCampaign, or MailChimp. Essentially, Google and Yahoo are turning what has merely been best practice for email authentication into a mandatory requirement.

In short, whether you meet the 5K threshold or not, the requirements for everyone are that you must have valid forward and reverse DNS records, keep your spam rate (as reported in Google Postmaster Tools) below 0.3%, format your email messages according to the RFC 5322 standard, never impersonate Gmail in your From headers, and adhere to email forwarding requirements.

For most senders (under 5K per day), you will also need SPF or DKIM email authentication. If you exceed 5K, that "or" becomes an "and", and you have the additional requirements of a DMARC policy, more stringent rules for your From headers, and one-click unsubscribe for subscribed messages.

Sounds confusing, doesn't it! Not to worry - you likely already comply with most or all of these requirements; especially as a non-bulk sender. The key points to remember are:

  • Don’t send spam!

Yahoo asks you to only send messages to recipients who have opted in. You honor the stated frequency established at the point of registration, and you don’t buy lists.

Gmail requires you to keep your Spam Complaint Rate below 0.3%. They even offer a free reputation service to help you keep track of your spam rates.

  • Properly Format Your Messages

Emails must meet the standard established by RFC 5322. In layman's terms, that means emails must be formatted so that both sending and receiving systems can read and understand them. Don't worry! Practically any email client you use takes care of this automatically.

  • Don’t spoof gmail.com or yahoo.com.

Google and Yahoo will begin ramping up their own DMARC policies. If you are using an email service that allows you to send "as your @gmail.com or @yahoo.com address," you are likely to experience substantial delivery issues. Your best bet is to open a support ticket with your provider to understand exactly what is at stake for you.

Source Information for this Section: Dmarcian. More Information: PowerDmarc.

This image reflects Google requirements at-a-glance, including requirements for bulk senders above 5,000 emails per day, and senders at less than 5,000 emails per day.

Source: Proofpoint

Who Needs To Add SPF, DKIM, & DMARC Records?

Installing proper SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records is recommended best practice for anyone who sends email, but especially for businesses and organizations that rely on email communication.

For most senders, having a DMARC record is optional, but everyone should consider adding it as a matter of good policy. You must, however, have either an SPF record or a DKIM record to ensure email deliverability.

Do I Need To Add SPF, DKIM, & DMARC Records For My CRM?

Yes! It is highly recommended to add SPF, DKIM, and DMARC records for your CRM (Customer Relationship Management) system. These are your email and other marketing tools such as Active Campaign, UnBounce, MailChimp, and many others. Implementing authentication protocols enhances the security, deliverability, and trustworthiness of emails sent from your CRM platform on your behalf.

By implementing SPF, DKIM, and DMARC records for your CRM, you:

  • Enhance Deliverability: Authentication protocols increase the likelihood that your CRM-generated emails will reach recipients' inboxes rather than being filtered as spam.
  • Build Trust: Properly authenticated emails contribute to the overall trustworthiness of your communication, as recipients can verify the legitimacy of the sender.
  • Mitigate Security Risks: Authentication protocols reduce the risk of phishing attacks and unauthorized use of your domain, safeguarding your brand reputation.

Consult your CRM documentation or support resources for specific instructions on how to configure SPF, DKIM, and DMARC for your platform. Additionally, your IT team or email administrators can provide assistance in implementing these records for your CRM system.

How Do I Prepare For This Change/Get Started?

You can start by determining the status of your email domains. Dmarcian has a free domain health checker which will tell you if your email domain is protected against phishing, spoofing, or fraud; or whether it needs some attention on that front:

This image shows a screenshot from the Dmarcian health checker tool as it pertains to White Whale Web.

Oops! Looks like our DMARC record needs attention! (Although in this case, since we do have a DMARC record in place, we are already in compliance with the new regulations.) A look at the details reveals a warning that since we're in learning mode, our failure reporting options are being (purposefully) ignored. In this case, our "p" (policy) tag was set to "none", as opposed to "quarantine" or "reject", which is correct if you simply want to collect feedback and gain visibility into your email streams without impacting existing flows. In essence, this warning meant "are you sure you want your policy set to 'none'?" And in our case, yes we do!

A DMARC monitor-mode policy of p=none will suffice for Google and Yahoo's new regulation policies.

If this tool reveals that your DNS has problems, you can entrust that information with your web developer to resolve on your behalf, or even take care of it on your own in many cases.

How Do You Create & Install Your SPF, DKIM, & DMARC Records?

Creating SPF, DKIM, and DMARC records involves configuring specific DNS entries for your domain. For SPF, identify your authorized mail servers, access your DNS management system, and add a TXT record listing those servers. DKIM most often involves adding the public half of a matched public/private key pair to your DNS, but can get more complex depending on your needs (see below). DMARC builds on SPF and DKIM, allowing you to set policies for email handling; you'll create a DMARC TXT record in DNS specifying your preferences. Regularly test and monitor these records to ensure optimal email deliverability, security, and trustworthiness. Here's a step-by-step guide for creating or locating each record type:

Create & Install SPF Records

SPF records specify which mail servers are authorized to send emails on behalf of your domain. These are things like web servers (emails sent automatically from your website), your email service provider's mail server, your in-office mail servers (such as Office 365 or Google Workspace), and any other third-party mail servers used to send email on behalf of your brand (this includes CRMs and other marketing tools like Mailchimp or ActiveCampaign as well!)

Syntax Example:

v=spf1 include:_spf.example.com ~all

Steps:

1. Make a list of your sending domains. You might have quite a few!

2. Access your domain's DNS management system.

3. Add a new TXT record with the SPF syntax, including the authorized servers. Here's what that looks like for Microsoft 365 in CloudFlare:

This image is showing how to install an SPF record in your Cloudflare DNS.

Note: You can have only one SPF record per domain, and it must not exceed 255 characters. To authorize additional mail servers, add more include mechanisms to your existing record rather than creating a second record. Example syntax:

v=spf1 include:_spf.google.com include:_spf.protection.outlook.com -all

4. Test your records! You can use a tool like this SPF checker offered by Validity.com, which will show you what recipients see: a list of the servers authorized to send email on your behalf. If one or more of your legitimate sending IP addresses is not listed, you can update your record to include it. Click here for a more advanced explanation of how to create SPF records and their syntax.
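As an added example (not part of the article or any tool it links), the following Python linter applies the checks a practitioner runs on an SPF record before publishing it: exactly one record, a 255-character TXT string, a closing all term with a sensible qualifier, and the 10-DNS-lookup limit from RFC 7208 that the article does not mention but that is a common cause of SPF breaking once several includes are stacked. The records passed in are constructed; a real run would feed it the TXT strings returned by a DNS lookup.

```python
import re

# RFC 7208 limits (facts stated here, not in the article): at most 10 terms
# that trigger DNS lookups per evaluation, and 255 bytes per TXT string.
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
NO_LOOKUP_TERMS = {"ip4", "ip6", "all", "exp"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", re.IGNORECASE)


def lint_spf(txt_records):
    """Lint the TXT records published at a domain's apex.

    txt_records is the list of TXT strings a DNS lookup would return.
    Returns human-readable findings; an empty list means the record is sane.
    """
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record (no TXT string starting with v=spf1)"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; receivers treat that as a permanent error")
    record = spf[0]
    if len(record) > MAX_TXT_STRING:
        findings.append(f"record is {len(record)} chars; a TXT string holds at most {MAX_TXT_STRING}")
    lookups = 0
    all_seen = False
    for term in record.split()[1:]:
        match = TERM_RE.fullmatch(term)
        if not match:
            findings.append(f"unparseable term {term!r}")
            continue
        qualifier, name = match.group(1) or "+", match.group(2).lower()
        if all_seen:
            findings.append(f"term {term!r} follows 'all' and is never evaluated")
        if name == "all":
            all_seen = True
            if qualifier == "+":
                findings.append("'+all' authorizes every host on the internet; use ~all or -all")
            elif qualifier == "?":
                findings.append("'?all' gives no protection; use ~all or -all")
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name not in NO_LOOKUP_TERMS:
            findings.append(f"unknown mechanism {name!r}")
    if not all_seen:
        findings.append("no 'all' term; unlisted hosts default to neutral")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the article's Google + Microsoft 365 record.
    print(lint_spf(["v=spf1 include:_spf.google.com include:_spf.protection.outlook.com -all"]))
```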

Generate or Locate & Install DKIM Records

DKIM involves generating a public and private key pair, where the public key is published in your DNS as a TXT record, and the private key is stored on the mail server. Most third-party services you use for sending emails will provide the public key to you for installation in your DNS, while they take care of the private key.

Steps:

1. Generate a DKIM key pair using a DKIM key generator tool or by checking with your email service provider. If you're sending email directly on behalf of your domain, the generator tool will create a valid DKIM record you can use. If you're sending email via a third party, those services generally have DKIM records already generated for you that you'll find in your account settings. Let's walk through where to find that in MailChimp:

First, click on your profile picture and select "Account & billing." Then, go to the "Domains" tab:

This image is showing a screenshot from the MailChimp admin panel.

If you haven't already done so, click "add & verify domain." MailChimp will walk you through the process. You will need to know who your domain provider is (that's where you bought your domain name, such as GoDaddy, Bluehost, Network Solutions, Google Domains, et al.) Plug that in, and follow the prompts MailChimp provides in order to create, retrieve and install your DKIM and DMARC records.

2. Access your domain's DNS management system.

3. Add a new TXT record with the DKIM public key, typically named selector._domainkey (where "selector" is the key name your provider assigns). Here's what that looks like in Cloudflare for Google (your DKIM record will be different from this example):

This image is showing how to install a DKIM record in your Cloudflare DNS.

Click here for a more advanced explanation on how to create and install DKIM records for your own domain.

Creating DMARC Records

DMARC records provide instructions on how to handle emails that fail SPF and DKIM checks and enable reporting. Here's how to create a basic DMARC record; an easy way to start is a generator tool, such as this one from MX Toolbox. Simply fill out the form with your domain name and where you want your reports sent, and the generator will do the rest!

Syntax Example:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]

Steps:

1. Decide on a DMARC policy (none, quarantine, or reject).

2. Access your domain's DNS management system.

3. Add a new TXT record with the DMARC syntax, including the policy and reporting addresses. Here's an example of what that looks like in Cloudflare, where [email protected] would be the email address at your company that you want your reports sent to. There are 11 possible DMARC tags, but the only strictly required tags are v (DMARC version, which should always be "DMARC1") and p (policy). The "rua" tag is also strongly recommended, so you can receive the reports.

This image is showing how to install a DMARC record in your Cloudflare DNS.
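As an added example (not part of the article), the Python below parses a DMARC TXT record as published at _dmarc.yourdomain, enforces the two required tags (v first, then a valid p), warns when the recommended rua tag is missing, and shows which disposition a receiver applies when neither aligned SPF nor aligned DKIM passes. Tag names follow RFC 7489; the reporting address in the sample is a constructed placeholder.

```python
# The 11 tags defined by RFC 7489; only v and p are mandatory.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split the TXT value at _dmarc.<domain> into a {tag: value} dict.

    Raises ValueError when the record is unusable: v=DMARC1 must be the
    first tag and p must be one of none/quarantine/reject.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name.lower()] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or not one of none/quarantine/reject")
    return tags


def lint_dmarc(tags):
    """Return warnings for a parsed record; an empty list means nothing to fix."""
    findings = []
    for name in tags:
        if name not in KNOWN_TAGS:
            findings.append(f"unknown tag {name!r}")
    if "rua" not in tags:
        findings.append("no rua tag: you will receive no aggregate reports")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            uri = uri.strip()
            if uri and not uri.startswith("mailto:"):
                findings.append(f"{name} URI {uri!r} must use the mailto: scheme")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct!r} is not a percentage between 0 and 100")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append(f"sp={tags['sp']!r} is not a valid policy")
    return findings


def disposition(tags, spf_aligned, dkim_aligned, is_subdomain=False):
    """How a receiver treats a message that reached the DMARC check.

    DMARC passes when either SPF or DKIM passes and aligns with the From
    domain; otherwise p applies (or sp for subdomains, when present).
    """
    if spf_aligned or dkim_aligned:
        return "pass"
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

With p=none, disposition() still returns "none", which is exactly the monitor-only mode the article recommends starting with: nothing is blocked, but the rua reports tell you which sources would fail once you move to quarantine or reject.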

Additional Tips

  • Ensure accurate syntax and avoid typos in your DNS records.
  • The changes may take some time to propagate across the DNS system.
  • Test your configurations using online tools like DMARC Analyzer or SPF/DKIM validators (tools linked above).
  • Gradually implement these records, starting with a monitoring (none) DMARC policy before moving to enforcement.
  • Regularly monitor DMARC reports to identify and address issues.
  • For detailed guidance, consult your email service provider's documentation or seek assistance from your IT team or domain hosting provider. Properly configured SPF, DKIM, and DMARC records enhance email deliverability and security, reducing the risk of phishing and unauthorized use of your domain.

If you're unsure about the process or face difficulties, consult the documentation provided by your domain registrar, hosting provider, or email service provider. Many providers offer step-by-step guides or support to assist you in adding and configuring these DNS records correctly. Additionally, your IT team, technical support specialist, or web developer can provide guidance based on your specific DNS management system. Properly configured SPF, DKIM, and DMARC records contribute to a more secure and reliable email communication environment.

In Conclusion

The implementation of SPF, DKIM, and DMARC records is a pivotal strategy in securing your email communication channels. As a business owner, challenges posed by phishing attempts, unauthorized use of domains, and potential email spoofing can be largely mitigated by proper application of these protocols.

There are additional benefits, too! You are not merely complying with industry standards, but actively enhancing the trustworthiness of your brand, ensuring that your end-users can confidently engage with your emails, knowing that they're legit. If you're experiencing email deliverability issues, it could be any one of these factors. Let White Whale Web help your business with your email communication security and strategy by contacting us today!