Improving Email Deliverability with SPF and DKIM
SPF and DKIM are two terms for email authentication mechanisms that many seasoned email marketers don’t understand. While they might sound daunting, they are vital to achieving maximum email deliverability. In fact, many email servers will outright deny your emails if they don’t pass these checks. If you or someone you know has some basic DNS (Domain Name System) knowledge, it shouldn’t be hard to get these configured.
SPF: Sender Policy Framework
Sender Policy Framework is a mechanism that prevents email abusers from forging emails from your sending domain at the delivery level. It works by publishing a DNS record that receiving email servers use to identify who is authorized to send email on your domain’s behalf.
For example, if you send emails with Campaign Monitor, then the receiving email servers would want to see that Campaign Monitor’s servers are listed in your SPF record.
blazeverify.com IN TXT "v=spf1 include:amazonses.com include:_spf.google.com include:_spf.createsend.com include:customeriomail.com ~all"
Here is our SPF record. As you can see, we have authorized the servers of Amazon SES, Google, Campaign Monitor (_spf.createsend.com), and Customer.io to send emails on our behalf.
While SPF sounds great, it isn’t enough by itself, and that is where DKIM takes over.
DKIM: DomainKeys Identified Mail
DomainKeys Identified Mail is another mechanism that prevents email abusers from forging emails from your domain. DKIM represents a significant increase in security from SPF.In the first part of DKIM, outgoing emails are affixed with a digital signature. This signature is generated using the contents of the email. The second part involves publishing a DNS record with the public key used to sign those emails. With both parts in place, receiving email servers can verify that the email was sent by an authorized server. They can also validate that no part of the email (such as attachments) has been modified since the signature was affixed. DKIM is probably the most important of all of the email authentication mechanisms.
Setting them up
It’s best to start by making a list of providers you send email from. This will make it easier to to acquire the necessary information to configure the DNS records.
You’ll need to locate each provider’s include: directives. Usually, a quick Google search for “[provider] SPF record” will get you some help articles with the information you’ll need. Once you’ve assembled your list of records, you should be able to combine them into something like this.
v=spf1 include:amazonses.com include:_spf.google.com include:_spf.createsend.com include:customeriomail.com ~all
You can string together as many providers as you have between the “v=spf1” and the “~all”. The last step is to create a TXT record for the root / apex zone using that text.
This part will require a bit more effort. You’re going to have to find provider specific help articles that show you how to generate the DKIM record. Unfortunately, the process varies from provider to provider. Here is an example of what our DKIM records look like for G Suite.
google._domainkey.blazeverify.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxA/bUwpLveAmBmVuYjyrSAc3aJJnW6ye489gA7T9LhIK46G6gX5wY9vBXJB8O+k2Qvk3vF2CWYYBY53P5IR7Rus5Ji0vvF+groYrkgdFpeX5mNffy62jD69PtnOmh5c94Mh0sXE21skcasZxtDyZAko2rEK7gehCp3wUSeN+84QIDAQAB"
Checking that it works
Usually the provider you are configuring will validate the DNS records. This is almost always the case with DKIM. Sometimes, they’ll also check the SPF record. I would recommend validating the DNS records manually if the provider doesn’t do it. You can use any DNS tool, but I prefer the G Suite Toolbox.
Hopefully you now have a better understanding of SPF and DKIM. While these aren’t the only email authentication mechanisms, they are the two most important. If you’re looking to get a more detailed understanding, you can check out the links below.