Representation of an email heading towards the inbox and avoiding the spam folder

Enhancing Email Security: Understanding SPF, DKIM, and DMARC for Website Owners

If your business sends emails of any kind (and I can’t imagine why it wouldn’t) then you need to be aware of these basics. Otherwise your emails will just end up in the spam/promotions folder and nobody will ever see them.

These are all pretty much ‘set and forget’ things that need to be done at your domain level (in the DNS settings).

NOTE: this is NOT a technical guide on how to set them up. This is an introduction to what they are and why you need them. You can absolutely break your email and even your website by getting these settings wrong.

That said, let’s get into what SPF, DKIM and DMARC are for.

Why Should I Care About SPF, DKIM and DMARC?

You should care because you want your emails to be seen.

Whether it’s a direct reply to a customer enquiry or an email newsletter going out to thousands, if it gets filtered directly to the spam folder, there’s a strong chance nobody will ever know you sent it.

There’s a good reason a lot of businesses get terrible open rates (here’s why) when they send out a promotion.

So What Are SPF, DKIM and DMARC?

SPF, DKIM and DMARC are all simply methods to help prevent spam/junk email.

Nobody wants spam email. Genuine, ethical businesses don’t send spam. So we have to take some extra steps to help the email service providers (Gmail, Yahoo, Outlook, Zoho, iCloud etc.) understand that our emails are genuine.

The 3 methods are all quite different, and have been introduced gradually over the last 20 years. So they are not new things, and it’s long been best practice to use them. They have however become a lot more necessary in recent years with the dramatic rise in actual spam email. Email providers like Gmail have had to apply rules much more rigidly to stop their servers collapsing under the load.

Google and Yahoo announced that from 1st February 2024 emails sent to their services without valid SPF/DKIM records will go to spam folders. Same for senders of larger volumes of email (5,000+) that don’t also have valid DMARC records. This is a very deliberate shove by the providers to force businesses to finally get this stuff done.

SPF, DKIM and DMARC are all set up in a similar way, by adding extra DNS records for your domain. It’s not particularly difficult but it is technical. And the records will be different depending on what services you use. You can make things worse by getting this wrong.

How Do SPF, DKIM and DMARC Work (in Simple Terms)?

Let’s just briefly cover how SPF, DKIM and DMARC work in easy non-technical terms:

SPF

  • What does it stand for: Sender Policy Framework
  • What it is: A security measure to prevent spammers from sending messages with forged email addresses (that look like they come from your domain when they don’t really).
  • How it works: SPF allows you to publish a list of servers that are allowed to send email on behalf of your domain.
  • Benefit: Helps email providers know if an incoming email claiming to be from your domain is actually from an authorised server.

DKIM

  • What does it stand for: DomainKeys Identified Mail
  • What it is: A way to add a ‘digital signature’ to emails sent from your domain.
  • How it works: When you send an email, it’s signed with a digital signature. The receiving server can use this signature to verify that the email hasn’t been tampered with and actually comes from your domain.
  • Benefit: Increases trust in your emails, as recipients can be sure the content is genuine and hasn’t been altered.

DMARC

  • What does it stand for: Domain-based Message Authentication, Reporting, and Conformance
  • What it is: A policy and reporting protocol that helps you protect your domain from unauthorised use, like phishing or spam.
  • How it works: DMARC uses SPF and DKIM to determine the authenticity of an email. If an email fails these checks, DMARC policy tells the recipient server what to do with the email (like reject it or put it in spam).
  • Benefit: Gives you control over what happens to emails that fail authentication checks and provides reports on who is sending emails from your domain.
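To make the three bullet lists above concrete, here is an added example (written for this page, not code from the original article or from any email provider) that simulates what a receiving mail server does with the records a domain publishes: it evaluates the SPF record for the connecting server’s IP, looks up the DKIM selector record, reads the DMARC policy, and then decides what happens to a message that fails. Everything in ZONE is constructed (the domain example.co.nz, the IP ranges, the placeholder DKIM key, and the stand-in contents of the _spf.google.com include), and the DKIM signature check is represented by a verifier result passed in rather than real public-key cryptography. The function names spf_check, dkim_key_published, dmarc_policy and dmarc_evaluate are this example’s own.

```python
# Added example, not from the original article: a simplified simulation of what a
# receiving mail server does with the SPF, DKIM and DMARC records a domain publishes
# in DNS. ZONE is a constructed stand-in for real DNS TXT lookups, and the DKIM
# signature check is represented by a verifier result passed in, not real crypto.
import ipaddress

# Constructed TXT records for the hypothetical domain example.co.nz.
ZONE = {
    "example.co.nz": ["v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all"],
    # Constructed stand-in for the include target, not Google's real record.
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # DKIM public key for selector "sel1"; p= holds a placeholder, not a real key.
    "sel1._domainkey.example.co.nz": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.co.nz": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.co.nz"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_lookup(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name, [])


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the ip4/ip6/include/all mechanisms are modelled here.
    """
    if depth > 10:          # guard against include: loops
        return "permerror"
    records = [r for r in txt_lookup(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:    # more than one SPF record is a permanent error for receivers
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False  # a, mx, exists etc. are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"         # nothing matched and no "all" terminator


def dkim_key_published(domain, selector):
    """True if the selector's DKIM public-key record exists in DNS."""
    return any(r.startswith("v=DKIM1") for r in txt_lookup(f"{selector}._domainkey.{domain}"))


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    for record in txt_lookup(f"_dmarc.{domain}"):
        if record.startswith("v=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
            return tags.get("p", "none")
    return None


def dmarc_evaluate(header_from_domain, mail_from_domain, sender_ip, dkim_result):
    """Decide what the receiver does with a message.

    header_from_domain: domain in the visible From: header.
    mail_from_domain:   domain in the SMTP envelope sender (what SPF checks).
    dkim_result:        (signature_verified, signing_domain) from a DKIM verifier.
    Alignment is the simple exact-match form; DMARC's relaxed mode is left out.
    """
    spf_result = spf_check(mail_from_domain, sender_ip)
    spf_aligned = spf_result == "pass" and mail_from_domain == header_from_domain
    verified, signing_domain = dkim_result
    dkim_aligned = verified and signing_domain == header_from_domain
    policy = dmarc_policy(header_from_domain)
    if policy is None:
        return "no-dmarc-policy"          # receiver falls back to its own heuristics
    if spf_aligned or dkim_aligned:
        return "pass"                     # one aligned authentication is enough
    return {"none": "deliver", "quarantine": "spam", "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    print(spf_check("example.co.nz", "203.0.113.10"))                                   # pass
    print(dmarc_evaluate("example.co.nz", "example.co.nz", "192.0.2.1", (False, "")))   # spam
```

The last function is the point of the exercise: a message from an unlisted server with no valid DKIM signature lands in spam only because the domain published p=quarantine; with no DMARC record at all the receiver is left to guess, which is exactly the situation the providers’ 2024 rules are pushing businesses out of.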

How Do I Set Up SPF, DKIM and DMARC?

Setting up SPF, DKIM and DMARC is technical, and can break things. So only tackle this yourself if you know what you’re doing with DNS records. Worst case, you take your website down and/or break your email service. It happens. 🙂

So get in touch if you need technical assistance setting these up. We’ll need to know about every service you use to send emails for your website, as these will all need to be covered by the records we set up: regular email such as Google Workspace; email marketing and automation platforms like Mailchimp, Constant Contact or AWeber; and any CRM applications or transactional email services you may use. Basically anything that sends emails using your business domain as the sender needs to be taken into account.


If you want to set these up yourself then the best approach is to follow the help guides published by your service providers, as these will contain records specific to those services – there aren’t any general ‘one size fits all’ settings you can use. Also be careful to combine records where necessary, e.g. only publish one SPF record but adjust it to include all the sending servers from the different services that you use.
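The “only one SPF record” caveat is the one most often got wrong when a second provider’s guide is followed on top of the first. As an added example (written for this page, not code from the original article or from any provider), here is a small linter that flags the common mistakes in a domain’s TXT records and folds several SPF records into the single one that should actually be published. The TXT records in DOMAIN_TXT_RECORDS are constructed: _spf.google.com is Google’s published include name, while spf.mailer.example is an invented stand-in for a marketing platform’s include. The functions lint_spf and merge_spf are this example’s own, and the choice to keep the strictest ‘all’ qualifier when merging is a design decision, not a rule from any standard.

```python
# Added example, not from the original article: lint a domain's SPF publication
# and merge multiple SPF records into one. All TXT records below are constructed.

DOMAIN_TXT_RECORDS = [
    "v=spf1 include:_spf.google.com ~all",      # added by the mail provider's guide
    "v=spf1 include:spf.mailer.example -all",   # added separately for a marketing tool
    "google-site-verification=constructed",     # unrelated TXT record, must be left alone
]

# Mechanisms that cost one of the 10 DNS lookups receivers allow per SPF evaluation.
LOOKUP_PREFIXES = ("include:", "a:", "a/", "mx:", "mx/", "ptr:", "exists:", "redirect=")
STRICTNESS = {"-": 0, "~": 1, "?": 2, "+": 3}   # lower is more restrictive


def is_spf(record):
    return record.lower().startswith("v=spf1")


def spf_terms(record):
    """Mechanisms and modifiers of an SPF record, without the v=spf1 tag."""
    return record.split()[1:]


def bare(term):
    """Term with any +, -, ~ or ? qualifier removed, lower-cased."""
    return term.lstrip("+-~?").lower()


def counts_as_lookup(term):
    t = bare(term)
    return t in ("a", "mx", "ptr") or t.startswith(LOOKUP_PREFIXES)


def lint_spf(txt_records):
    """Return a list of problems with the domain's SPF publication (empty if fine)."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return ["no SPF record published"]
    issues = []
    if len(spf) > 1:
        issues.append(f"{len(spf)} SPF records published; receivers treat that as a permanent error")
    for record in spf:
        terms = spf_terms(record)
        lookups = sum(counts_as_lookup(t) for t in terms)
        if lookups > 10:
            issues.append(f"{lookups} DNS-lookup mechanisms, limit is 10: {record}")
        if not any(bare(t) == "all" or bare(t).startswith("redirect=") for t in terms):
            issues.append(f"no 'all' mechanism, so unlisted servers get no verdict: {record}")
    return issues


def merge_spf(txt_records):
    """Fold every SPF record into one, keeping each mechanism once and the strictest 'all'."""
    mechanisms, seen, all_qualifiers = [], set(), []
    for record in (r for r in txt_records if is_spf(r)):
        for term in spf_terms(record):
            if bare(term) == "all":
                all_qualifiers.append(term[0] if term[0] in STRICTNESS else "+")
            elif bare(term) not in seen:
                seen.add(bare(term))
                mechanisms.append(term)
    final_all = min(all_qualifiers, key=STRICTNESS.get) if all_qualifiers else "~"
    return "v=spf1 " + " ".join(mechanisms + [final_all + "all"])


def other_txt_records(txt_records):
    """Non-SPF TXT records, which stay published unchanged alongside the merged one."""
    return [r for r in txt_records if not is_spf(r)]


if __name__ == "__main__":
    for issue in lint_spf(DOMAIN_TXT_RECORDS):
        print("issue:", issue)
    print("merged:", merge_spf(DOMAIN_TXT_RECORDS))
```

Run against the constructed records it reports the duplicate SPF record and produces a single merged record listing both includes; the unrelated site-verification record is left alone. The lookup counter is worth keeping: each extra provider’s include: consumes part of the 10-lookup budget, and exceeding it makes the whole record fail for every receiver, which is a quieter way to break email than a typo.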

What if I Just Send Email From a Regular gmail.com?

If you send emails from bob.smith@gmail.com then it really is time to consider upgrading to proper business email. The difference in the level of trust associated with a free email service versus a proper me@mybusiness.co.nz is significant. The cost is only around NZ$10 a month so there’s no real excuse not to.

Technically you don’t need to create any SPF, DKIM and DMARC records if you use a free email service, of course, because the service itself will have those records (i.e. Google will have created them for the gmail.com domain name etc.).

But if you use any kind of email marketing platform, sending from a free email is rapidly being phased out – those services are now requiring you to use a proper email from your own domain name as the sender, because they need to ensure the quality and deliverability of their services.
