How to set up your SPF, DKIM & DMARC for Inbox Success

Disclaimer: This post may contain affiliate links to products or services that I recommend. I may receive a commission should you sign up through my link (but at no additional cost to you). I only suggest products and services that I wholeheartedly support and believe in and have either used myself or have used on behalf of a private client.

 
 

In this post you will find out how to easily set these up for your email service provider to ensure they get the greenlight on the receiving end! 

If you are still scratching your head about what SPF, DKIM & DMARC actually are, then I have a story that will help you understand these email authentication protocols in simple terms: Understanding Email SPF, DKIM & DMARC

Why You must set up Email SPF, DKIM and DMARC Today.

SPF, DKIM, and DMARC are essential tools in the fight against email fraud and abuse. By implementing these protocols, domain owners can ensure that their emails are authenticated, their brand is protected, and their communications are secure. In today’s digital landscape, where email threats are ever-present, adopting these email authentication measures is not just advisable—it’s necessary.

Now let's look at HOW you set up these critical components to ensure inbox success.

How to set up your email SPF, DKIM and DMARC records.

Right, there is an order in which you must do this to make sure each step is successful and approved.

The order you set them up is:

  1. SPF

  2. DKIM

  3. DMARC

IMPORTANT: Please note you will need to do this for your own email sending account, plus any email service providers you use as well. So, for example, I email my clients using my Google Workspace email address within the Google email app, but I also use Convertkit to send emails to people in my community who have signed up to hear from me. Therefore I have to do these steps for both Google and Convertkit.

Setting Up an SPF Record for Your Domain: A Step-by-Step Guide

Setting up an SPF record for your domain is a crucial step in securing your email communications and ensuring that your emails are authenticated correctly. Here’s a detailed, step-by-step guide to help you add an SPF record to your registered domain name account.

Before diving in, it’s important to understand that the SPF record will be added to your domain’s DNS (Domain Name System) settings. Your domain registrar (where you have registered your URL – eg. Namecheap or GoDaddy) typically provides a DNS management interface where you can make these changes.

Step 1: Log in to Your Domain Registrar Account & Access DNS Settings

Log in and locate the DNS management section. Select the domain you want to set up an SPF record for and then go to DNS Settings.

Step 2: Add a New TXT Record

SPF records are added as TXT records in your DNS settings. Find the option to Add a New Record and from the options provided, choose “TXT Record.”

Step 3: Enter the SPF Record Details

Now, you need to configure the TXT record with the correct SPF information.

  1. Name/Host: This field might be labeled as “Name” or “Host.” For the SPF record, you typically leave this field blank or enter “@” to indicate the root domain.

  2. Value: This is where you input the actual SPF record. The format usually looks something like this:

    v=spf1 include:example.com ~all

    Here’s a breakdown of what each part means:

    • v=spf1: Specifies the version of SPF being used.

    • include:example.com: Authorises servers from example.com to send emails on behalf of your domain. Replace example.com with the appropriate mail server domain.

    • ~all: Indicates how to handle emails that fail the SPF check. ~all means to accept but mark such emails, while -all would reject them outright.

Step 4: Save Your Changes

Step 5: Verify Your SPF Record

Once you’ve added the SPF record, it’s a good idea to verify that it’s correctly configured. There are various online tools available to check your SPF record; I use Easy DMARC (https://easydmarc.com/tools/spf-lookup). Simply enter your domain name, and the tool will fetch and validate your SPF record.

Remember, DNS changes can take some time to propagate. It might take a few minutes to several hours for the new SPF record to be recognised across the internet.
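A domain may publish only one SPF record, so when several services send for you (your mailbox provider plus a newsletter tool, as described above) their includes have to be merged into a single TXT value. The Python sketch below is an added example, not part of the original post: it builds that merged record and lints the TXT records you paste in. The include hosts are constructed placeholders, and only the terms written in the record itself are counted against the 10-lookup limit.

```python
# Added example. Include hosts are constructed placeholders, not real provider values.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208: more than 10 lookups makes the check fail with permerror


def build_spf(includes, all_qualifier="~"):
    """Merge every sending service into ONE record, ending in ~all or -all."""
    terms = ["v=spf1"] + [f"include:{host}" for host in includes]
    return " ".join(terms + [f"{all_qualifier}all"])


def lint_spf(txt_records):
    """Return the problems found among the TXT records published at the root domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; merge them into one"]
    problems, lookups, all_term, has_redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        # Drop the qualifier (+ - ~ ?) and any :domain, /cidr or =value suffix.
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        lookups += int(name in LOOKUP_TERMS)
        has_redirect = has_redirect or name == "redirect"
        if name == "all":
            all_term = term.lower()
    if lookups > MAX_LOOKUPS:  # nested includes also count; resolving them needs DNS
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    if all_term is None and not has_redirect:
        problems.append("record does not end with an 'all' mechanism")
    elif all_term in ("all", "+all"):
        problems.append("'+all' authorises every server on the internet")
    return problems


if __name__ == "__main__":
    record = build_spf(["spf.mailbox-provider.example", "spf.newsletter-esp.example"])
    print(record, lint_spf([record]))
```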

Setting Up DKIM for Your Domain: A Step-by-Step Guide

Setting up DKIM (DomainKeys Identified Mail) for your domain is essential for ensuring the authenticity of your email messages and protecting against email spoofing. Here’s a detailed, step-by-step guide to help you set up DKIM within your registered domain name account.

Before you start, it’s important to understand that DKIM involves generating a pair of cryptographic keys—a private key that’s used to sign your emails and a public key that’s published in your DNS records. Your email provider will typically provide the necessary keys and instructions for setting up DKIM.

Step 1: Access Your Email Provider’s DKIM Settings

Your email provider will usually have a section in their settings where you can generate DKIM keys or obtain DKIM records.

  1. Log in to Your Email Provider Account: This could be services like Google Workspace, Microsoft 365, or another email service provider.

  2. Navigate to DKIM Settings: Look for sections labeled “Security,” “Authentication,” “Email Authentication,” or specifically “DKIM.”

  3. Generate DKIM Keys: Follow the instructions to generate your DKIM keys. The email provider will generate a public key (to be added to your DNS) and a private key (used to sign your emails).

Step 2: Copy the DKIM TXT Record

Once you have generated your DKIM keys, you will be provided with a TXT record that needs to be added to your domain’s DNS settings.

  1. Selector and Public Key: The TXT record typically includes a selector (a unique identifier for the DKIM key) and the public key itself. It will look something like this:

    Name: selector._domainkey.yourdomain.com
    Value: v=DKIM1; k=rsa; p=public_key

Step 3: Log in to Your Domain Registrar Account & Access DNS Settings

Now, log in to your domain registrar account to add the DKIM TXT record. Select the domain you want to add the DKIM record to and go to DNS settings.

Step 4: Add the DKIM TXT Record

Add the TXT record provided by your email provider to your domain’s DNS settings.

  1. Find the Option to Add a New Record: Look for a button or link that says “Add Record,” “Add TXT Record,” or similar.

  2. Select TXT Record: From the options provided, choose “TXT Record.”

  3. Enter the Details:

    • Name/Host: Enter the selector and domain as provided, e.g., selector._domainkey.yourdomain.com.

    • Value: Paste the entire DKIM TXT record value provided by your email provider.

Step 5: Save Your Changes

Step 6: Enable DKIM Signing on Your Email Provider

Once the DKIM record is added to your DNS settings, go back to your email provider to enable DKIM signing for your domain.

  1. Return to DKIM Settings: Go back to the DKIM section in your email provider’s settings.

  2. Enable DKIM: There should be an option to enable or activate DKIM signing. This will instruct your email provider to start signing outgoing emails with the private key.

Step 7: Verify Your DKIM Setup

It’s important to verify that your DKIM setup is working correctly.

  1. Use DKIM Check Tools: There are various online tools available to check your DKIM record. Enter your domain name and selector to fetch and validate your DKIM record. I've used EasyDMARC in the past. https://easydmarc.com/tools/spf-lookup 

  2. Check Propagation: DNS changes can take some time to propagate. It might take a few minutes to several hours for the new DKIM record to be recognised across the internet.

Setting Up DMARC for Your Domain: A Step-by-Step Guide

Setting up DMARC (Domain-based Message Authentication, Reporting & Conformance) is a vital step in protecting your email domain from misuse. DMARC builds on SPF and DKIM to provide instructions on how to handle emails that fail authentication checks. Here’s a detailed, step-by-step guide to help you set up DMARC within your registered domain name account.

Before you begin, it’s important to understand that DMARC helps prevent phishing, spoofing, and other email-based attacks by specifying how unauthenticated emails should be handled. It also provides reporting mechanisms to monitor your email traffic.

Step 1: Log in to Your Domain Registrar Account & Access DNS Settings

Log in and locate the DNS management section. Select your domain and go to DNS settings.

Step 2: Create Your DMARC Record

You need to create a DMARC TXT record that specifies your DMARC policy. The policy will include details about how to handle emails that fail SPF and DKIM checks and where to send reports.

Determine Your DMARC Policy: Decide on the policy you want to implement. A basic DMARC record might look something like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; adkim=s; aspf=s

Here’s a breakdown of what each part means:

  • v=DMARC1: Specifies the DMARC version.

  • p=none: Policy for handling emails that fail (none, quarantine, or reject).

  • rua=mailto:dmarc-reports@yourdomain.com: Address for aggregate reports.

  • ruf=mailto:dmarc-failures@yourdomain.com: Address for forensic reports (optional).

  • sp=none: Subdomain policy (optional, can be none, quarantine, or reject).

  • adkim=s: Alignment mode for DKIM (s for strict, r for relaxed).

  • aspf=s: Alignment mode for SPF (s for strict, r for relaxed).

Step 3: Add the DMARC TXT Record

Add the TXT record to your domain’s DNS settings.

  1. Find the Option to Add a New Record: Look for a button or link that says “Add Record,” “Add TXT Record,” or similar.

  2. Select TXT Record: From the options provided, choose “TXT Record.”

  3. Enter the Details:

    • Name/Host: Enter _dmarc.yourdomain.com.

    • Value: Paste the DMARC record you created, for example:
       
      v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; adkim=s; aspf=s

Step 4: Save Your Changes

Step 5: Monitor Your DMARC Reports

Once you’ve set up your DMARC record, start monitoring the reports sent to the email addresses you specified.

  1. Check Aggregate Reports (rua): These reports provide an overview of your email traffic and how many messages passed or failed authentication.

  2. Check Forensic Reports (ruf): These reports (if you opted for them) provide detailed information about specific messages that failed authentication checks.

Step 6: Adjust Your DMARC Policy

Based on the reports, you can adjust your DMARC policy to be more stringent.

  1. Move to Quarantine or Reject: After analysing the reports and ensuring that legitimate emails are not failing authentication, you can change the policy (p=quarantine or p=reject) to better protect your domain.

  2. Update the DNS Record: Modify the DMARC TXT record in your DNS settings to reflect the new policy.

Need specific instructions for your own email provider?

I've included some links below with specific instructions for various email providers so you can find even more detailed guides on what to do to get your SPF, DKIM and DMARC set up properly.

Google

Microsoft 365

Convertkit  

Active Campaign

Mailchimp

If you don't see your ESP listed above, try a Google search for "how to set up spf, dkim and dmarc for [add your ESP name]".

Remember if you encounter any issues when setting up SPF, DKIM or DMARC, don’t hesitate to reach out to your domain registrar’s support team for assistance.

And there you have it, you should be all set to go. Happy emailing!

 