There's good news and bad news. The good news is, this will fix your issues in 90% of the cases. The bad news is, it might sound like geek-gibberish and there are a lot of steps that have to be implemented properly for it to work. We'll try to explain below, and by the end (if you don’t die of boredom first) you will have some better understanding of what SPF & DKIM are and how they can help you.
What is SPF & How does SPF work?
SPF (Sender Policy Framework) is a security protocol that is used to prevent your email being used without your permission. It basically creates a secure connection between your email server and any other programs you approve to send email on your behalf, like your web forms.
If your webform is set up to send you an email when someone submits the form, and you are sending from your own email address, then it might look like this…
In this scenario, you are wanting to receive an email from you…to you, containing that form submission. The problem is, the email server knows you did not send that email to yourself. When that email comes from your website, your email server checks its security. It basically asks the email… “Where did you come from?” And because your form is using an email address from your domain, that email says, “from you!” The email server asks to see some proof, but the email has none, so it is bounced out on its rear end.
This is where SPF comes in. SPF defines which IP addresses can be used to send emails from your domain. With SPF you can give your web forms security clearance to send on your behalf. So now when that email comes in and your server asks to see some proof, the email shows its SPF record and the email server lets it into your inbox.
What else should you include in your SPF?
It's a good idea to make sure all applications that send emails on your behalf are included in your SPF. As we discussed, you should include the IP of your web server. If you’re using Google Apps to send emails from your domain, you should put Google in your SPF. If you use something like MailChimp or Constant Contact, you should add them to the SPF record as well.
How to check if your SPF & DKIM are set up?
It is very easy to check if your SPF and DKIM are set up correctly. You can use a tool like Google Apps Toolbox – just type in your name and it will show you the results! Another benefit of setting SPF and DKIM is that it will help you set and keep a good and healthy reputation of your domain, and that helps improve the deliverability of your emails.
How do you set up an SPF record?
If you see that the SPF record has not been set up, then you can ask your domain host to set it up for you. You can also set this up yourself if you have a little understanding of how it works. Proper structure of the record is key and depending on your domain host, the steps will differ.
For instance, if you are using Google Apps to send all emails from your domain, the line would look like this:
"v=spf1 include:_spf.google.com ~all"
We're going to break this down for our fellow nerds; the rest of you can skip this and just send an email to your domain host to do it for you, which we recommend. And if you want Pixel Perfect to do it for you, just let us know.
- “v=spf1” identifies the record as an SPF record.
- “include:_spf.google.com” gives security clearance to Google to send emails on your behalf.
- “~all” means anything else (besides Google, now that you have approved it, and your own email server - duh) gets set as soft fail. Depending on your server settings these will probably get through, but will be flagged as spam or suspicious. This is why they always end up in the spam folder!
You can definitely add more approved applications to that SPF record, but again, the syntax is a bit different from host to host.
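What a receiving server does with a record like the one above, as an added example (not code from this article): a small evaluator covering only the `ip4`, `ip6`, `include` and `all` mechanisms. The domains, IP ranges and the `_spf.mailhost.example` include are constructed stand-ins for real DNS answers; the limit of 10 lookups comes from RFC 7208.

```python
import ipaddress

# Constructed TXT data standing in for DNS; all names and IPs are documentation values.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example ~all",
    "fixed.example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per check


def check_host(ip, domain, zone=ZONE, _count=None):
    """Evaluate a sender IP against a domain's SPF record (subset of RFC 7208)."""
    count = _count if _count is not None else [0]
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term
        qual = qual or "pass"  # no qualifier means "+"
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return qual
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return qual
        elif name == "include":
            count[0] += 1
            if count[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, zone, count)
            if inner == "pass":
                return qual  # only an inner "pass" makes include match
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism or modifier outside this example's subset
    return "neutral"
```

Here the web server at 203.0.113.10 gets `softfail` for `example.com`, whose record lists only the mail host, and `pass` for `fixed.example.com`, where its IP was added with `ip4:`.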
Here’s how to set up SPF for the most common domain hosts:
- Google - https://support.google.com/a/answer/33786?hl=en
- Microsoft - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide
- GoDaddy - https://www.godaddy.com/help/add-an-spf-record-19218
- Amazon - https://docs.aws.amazon.com/ses/latest/dg/Welcome.html
What is DKIM?
The DKIM (DomainKeys Identified Mail) protocol is the reciprocal DNS security to the SPF. When you set the DKIM on your DNS server, you’re basically “white listing” emails sent to your email server from your DNS.
Essentially there is a digital signature put in the header of your message that then uses both the DKIM and SPF to encrypt and decrypt that message. To make that possible, you need to have two keys:
- Private key – this is unique to your domain and allows you to encrypt your signature in the header of your messages.
- Public key – You add to your DNS records using DKIM so that your recipient’s server can decrypt your digital signature from the header of your message.
Think of it like this. The public key is the address to a speakeasy. Anyone can go to the door and knock. The private key is the password you have to speak in order to be let in.
So, once you have set that up, every email you send will have a hidden private key attached to it. The receiver’s server will ask for the private key (password, if you will). If the password is correct, the email will be approved for delivery AS WELL AS give your server a better reputation, which is becoming more and more important.
How to set up a DKIM record on your server.
First, you need to generate the public key. Log in to your email provider’s admin console. The next steps may differ depending on your email provider.
When you have the public key, you take the generated TXT record and paste it in the right place into your DNS records.
Finally, you need to turn on email signing to start sending emails including your signature encrypted with your private key.
Here’s how to do it, if you’re using:
- Google https://support.google.com/a/answer/180504
- Microsoft https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
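How a receiving server finds the public key you published, as an added example (not code from this article or from any email provider): it reads the `d=` (domain) and `s=` (selector) tags of the message's `DKIM-Signature` header, looks up the TXT record at `selector._domainkey.domain`, and checks that a usable key is there. The selector names, the sample header and the key value are constructed placeholders, and a dictionary stands in for DNS.

```python
import base64
import re

# Constructed placeholder standing in for a real base64 public key.
FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()

# Constructed TXT data standing in for DNS; selectors and domain are hypothetical.
ZONE = {
    "mail2024._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= means revoked
}
# Constructed header value; bh= and b= are dummy strings, not real hashes.
SAMPLE = "v=1; a=rsa-sha256; d=example.com; s=mail2024; h=from:subject; bh=AAAA; b=BBBB"


def parse_tags(value):
    """Split a 'tag=value; tag=value' list, as used by DKIM headers and records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def locate_key(dkim_signature, zone=ZONE):
    """Return (dns_name, status) for the key a DKIM-Signature header points to."""
    sig = parse_tags(dkim_signature)
    if not all(t in sig for t in ("d", "s", "b", "bh")):
        return None, "malformed signature header"
    name = f"{sig['s']}._domainkey.{sig['d']}"
    txt = zone.get(name)
    if txt is None:
        return name, "no key record published"
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1":
        return name, "not a DKIM record"
    if not rec.get("p"):
        return name, "key revoked"
    try:
        base64.b64decode(rec["p"], validate=True)
    except ValueError:
        return name, "public key is not valid base64"
    return name, "key found"
```

A "no key record published" result after you have turned on signing usually means the TXT record was pasted under the wrong name, so compare the selector your provider shows with the `s=` tag in a message you sent.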
SPF & DKIM will improve your deliverability and maintain your email reputation.
The reputation of your domain is crucial and should be taken seriously. If your domain were to get on a blacklist, your emails could increasingly end up as spam, or worse, rejected outright. And getting OFF a blacklist can be even more confusing and time consuming than setting SPF and DKIM records in the first place.
For sure this is complicated, and a bit out of some people’s comfort zone, but it’s undoubtedly worth the effort. If you need help understanding or implementing SPF & DKIM, give us a shout and we would be happy to help!