Email Deliverability: SPF, DKIM and DMARC

When you send an email to someone, the recipient's email server (if it is well-run) will run a number of checks to help validate the sender. Whoever you get your domain and email facilities from, it's vital to make sure you have set everything up correctly so that genuine emails from you or your business are less likely to be rejected at the receiving end.

In this article we will look at three important things you must have as part of your domain setup. Email providers are regularly tightening their checks - Gmail and Yahoo have much stricter inbound email validation rules from early 2024 - so you should check your domain and take action now if you don't have all three in place.

 

What is an SPF record?

Put simply, a Sender Policy Framework (SPF) record lists the various providers and server IP addresses which are authorised to send emails on behalf of your domain.  This could include your main email provider, your website, your customer relationship management platform and your bulk marketing email platform.

There is usually only one SPF record per main domain.  Subdomains can have their own record.

Look at the documentation for each of the platforms you use and check whether they recommend adding anything to your SPF record to help authenticate emails via that platform.

 

What is a DKIM record?

A DomainKeys Identified Mail (DKIM) record allows emails to have a digital signature attached to them, to help confirm that an email supposedly from your domain is genuine.  The record effectively says "if an email is digitally signed this way, accept it".

There is usually a separate DKIM record for each provider.  Again, look at the documentation for each of the platforms you use and check what they say about DKIM.  DKIM should be switched on in each platform you use, but only if the correct DKIM record is set up on your domain.

 

What is a DMARC record?

Having a Domain-based Message Authentication, Reporting & Conformance (DMARC) record in your domain ties SPF and DKIM together by saying to a receiving end server "this is what should happen if the email fails the other checks".

The options are:

  • none, i.e. let the email in
  • quarantine, i.e. put it in a spam box
  • reject, i.e. don't let the email in at all

Receiving end servers don't have to pay any attention to what your DMARC record says, so don't expect all your emails to arrive in recipients' inboxes just because you specify the "none" option, when you have poor or missing SPF or DKIM records.

A useful benefit of DMARC is that some receiving end mail servers send reports on what happened to emails purporting to be from your domain, with statistics on acceptances and rejections.  As part of your DMARC record, you need to specify an email address to receive the reports.  This can be an email address on your domain, or the email address of a DMARC reporting provider you have signed up for.  The reports themselves are technical in their layout, which is why there are DMARC reporting providers who can gather all of the technical reports and produce easy-to-read graphs and tables.  These providers can be relatively expensive (although sometimes the service is bundled with domain control), but the statistics are only useful if you intend to do anything with them.  The easiest option if you are short on time is to have the reports emailed to a mailbox on your domain, so that you can go through them when you do have time.

There is usually one DMARC record per main domain.

 

How can I give the receiving end more confidence about my genuine emails?

There are a lot of things which affect email deliverability from your domain, some of which take time to influence, such as the reputation of your IP address and hosting company, the amount of spam reported from your domain and whether you are only sending marketing emails to people who have specifically opted in to your emails (and not generic mailing lists).  These are outside the scope of this article; there is plenty of reading material on the web about them.

There are things you can do with the records mentioned above, which might help give the receiving end more confidence in your emails:

With an SPF record you can specify, in basic terms, whether you want the other end to "possibly reject" or "definitely reject" emails which don't come from the IPs in your record.  It's best to say "definitely reject" - but only if you're absolutely sure that you have all of your outbound email providers covered in your record.

With a DMARC record, start with "none" or "quarantine", run it for a while and make sure that you're not having any genuine emails rejected outright.  Once you are sure that everything is working as it should, consider moving to "quarantine" or "reject".

 

How do I check whether I have SPF, DKIM and DMARC in place already?

A website such as MXToolbox can check existing records.  Here are some links to their checkers:

This is an external site which we do not provide support or take responsibility for.

 

How do I set up SPF, DKIM and DMARC?

If you have your email facilities AND domain management with Enbecom

Go to your web hosting control panel (cPanel) - there's a guide to logging in here - and choose the Email Deliverability icon.  This will help you check whether you have SPF and DKIM set up.  However, before you switch them on or change them, make sure you (a) have details of all your outbound email providers' SPF records (if any) and (b) know the implications of DKIM not being set up correctly.

A DMARC record can be added through cPanel using the DNS Zone Editor.  You need to work out the exact code for your DMARC record and enter it manually; you might find this external page useful.

Your other outbound email providers might have their own DKIM records - add them with the DNS Zone Editor.

If you have domain management (DNS) BUT NOT email facilities with Enbecom

Gather all of the SPF and DKIM record information you need from your email providers. Log in to your domain control panel (log in details were provided when you first ordered DNS management) and use the DNS Zone Editor to add the records, bearing in mind you might need to think about combining multiple SPF records into one.
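Combining several providers' SPF records into one, as an added example (not Enbecom's or cPanel's code): it keeps each mechanism once, replaces the providers' individual "all" terms with a single final one ("-all" for "definitely reject", "~all" for "possibly reject"), and counts the terms that trigger DNS lookups. The provider hostnames and IP address are constructed samples.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10  # SPF evaluation limit on DNS-querying terms (RFC 7208)


def term_name(term):
    """Return the mechanism name without qualifier, domain or CIDR length."""
    return term.lstrip("+-~?").lower().split(":")[0].split("/")[0]


def merge_spf(records, final="-all"):
    """Merge SPF strings into one record; return (record, lookup_count)."""
    if final not in ("-all", "~all"):
        raise ValueError("final must be '-all' (fail) or '~all' (softfail)")
    merged = []
    for rec in records:
        terms = rec.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in terms[1:]:
            name = term_name(term)
            if name == "all":
                continue  # replaced by the single final term below
            if name.startswith("redirect="):
                raise ValueError(f"cannot merge a redirect: {term!r}")
            if term not in merged:
                merged.append(term)
    # Only this record's own terms are counted; lookups made inside each
    # include: target also count toward the limit during evaluation.
    lookups = sum(1 for t in merged if term_name(t) in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        raise ValueError(f"{lookups} DNS-lookup terms exceeds {MAX_LOOKUPS}")
    return " ".join(["v=spf1", *merged, final]), lookups


# Constructed sample input: three providers' published recommendations.
SAMPLE = [
    "v=spf1 include:_spf.mailhost.example ~all",
    "v=spf1 include:spf.crm.example -all",
    "v=spf1 ip4:203.0.113.25 include:_spf.mailhost.example ?all",
]

if __name__ == "__main__":
    record, lookups = merge_spf(SAMPLE)
    print(record, f"({lookups} lookup terms)")
```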

A DMARC record can be added through cPanel using the DNS Zone Editor.  You need to work out the exact code for your DMARC record and enter it manually; you might find this external page useful.

If you have email facilities BUT NOT domain management (DNS) with Enbecom

Go to your web hosting control panel (cPanel) - there's a guide to logging in here - and choose the Email Deliverability icon.  This will give you some useful advice about SPF and DKIM but you must make the changes using your DNS provider's control panel.  However, before you add or change the records, make sure you (a) have details of all your outbound email providers' SPF records (if any) and (b) know the implications of DKIM not being set up correctly.

If you don't have any services through Enbecom

Our advice is to find out all of the SPF and DKIM information you need from your email providers, then log in to your domain provider's DNS panel to carefully add or change the records.  Follow providers' advice and make sure you know the implications of not getting it quite right.

 

Can Enbecom help me set up and/or check SPF, DKIM and DMARC?

We have helped many clients, who between them have email and domain services with us and many other providers, to sort out SPF, DKIM and DMARC.  Let us know if we can help.  If you are an existing client, log in to your Enbecom Account and open a Work Request ticket.  If you're not currently a client, use this form.  All work in this area is chargeable; the estimate will depend partly on how complex your setup is and how many outbound email providers you use.
