As a marketer, you're likely familiar with the acronyms SPF, DKIM, and DMARC, but understanding their true impact can significantly enhance your email strategy.
SPF guards against impersonation, DKIM adds an unforgeable seal to your emails, and DMARC is the overarching security strategy.
Now is the ideal moment to dive into these authentication protocols, ensuring your emails land in the inbox and do so securely. This guide will explain the process, empowering you to enhance deliverability, protect your brand, and elevate your email marketing effectiveness.
About SPF Records
SPF (Sender Policy Framework) is an email authentication protocol that allows the owner of a domain to specify which mail servers they use to send emails from that domain. Brands sending their emails using different services need to publish SPF records in the DNS (Domain Name System). These records list which IP addresses are authorized to send emails on behalf of their domains.
During the SPF check, email providers verify the SPF record by looking up the domain name listed in the "envelope from" address in the DNS. If the IP address sending an email on behalf of the "envelope from" domain isn't listed in that SPF record, the message fails SPF authentication.
Reasons to Implement
SPF records authorize which mail servers are allowed to send emails on behalf of your domain. This helps prevent spammers from forging emails that appear to come from your domain, protecting your sender reputation and improving inbox placement.
An SPF-protected domain is less attractive to spammers and phishers and is less likely to be blacklisted by spam filters. As a result, legitimate emails from your domain are more likely to reach your customers’ inboxes.
About DKIM Record
DKIM (DomainKeys Identified Mail) is an authentication protocol that uses cryptographic signatures to verify that an email was sent by an authorized sender and hasn’t been modified in transit. It allows an organization, either the original sender or an intermediary—to take responsibility for the message.
For recipients, DKIM helps confirm which messages are legitimate, making it easier to filter out spam or phishing attempts. A domain protected by DKIM builds a trusted reputation, increasing the chances that its emails reach the inbox.
About DMARC Records
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that empowers domain owners to enhance email security. It enables you to define policies regarding email authentication and specify actions to be taken when authentication fails.
DMARC Policies:
p=none (Monitoring Mode):
In "none" mode, DMARC functions as an observer. It allows you to receive detailed reports on email authentication results without taking any action. This is akin to a diagnostic phase, where you can assess potential issues without impacting the delivery of emails.
p=quarantine (Quarantine Mode):
When DMARC is configured with a "quarantine" policy, emails that fail authentication may be redirected to a separate folder, often the recipient's spam or quarantine folder. This provides a middle ground between monitoring and strict rejection, allowing you to identify potential threats without outright blocking them.
p=reject (Reject Mode):
The "reject" policy is the most stringent. It instructs email receivers to reject messages that do not pass authentication outright. This level of enforcement ensures a higher degree of protection against unauthorized or malicious emails.
In Omnisend, we advise setting DMARC to p=none with SPF and DKIM alignment=relaxed. The choice of "none" with SPF and DKIM alignment set to "relaxed" is specifically tailored to meet the requirements of major email providers like Gmail and Yahoo. This configuration allows you to monitor authentication without adversely affecting email delivery.
For those seeking a more sophisticated DMARC implementation, third-party tools such as DMARCIAN offer comprehensive features and insights. This tool can provide a deeper understanding of email authentication, allowing for more fine-tuned control and enhanced security measures. For this, you can watch the video below.
In summary, DMARC equips you with the tools to strengthen your email domain against phishing and fraudulent activities. The choice of policies and configurations allows you to balance monitoring, action, and strict enforcement based on your security preferences.
Note: To verify your domain for sending emails, at least one of the following records must be valid: SPF, DKIM, or DMARC. If none of these records are valid, the domain cannot be verified, and you won’t be able to use it for email sending.
💡 If a main domain (for example, shop.com) has a valid DMARC record, then all of its subdomains (such as newsletter.shop.com) will automatically inherit the same valid DMARC record unless you specifically choose to set up a different DMARC record for the subdomain.
Adding SPF & DKIM Records
Below, you will find a list of the most popular DNS providers. By clicking on the DNS provider name, you can find tutorials or basic information on how to add the given records to your provider.
Note: When you search for a tutorial on adding records, remember that you need to look only at the TXT format parts.
Don't know who your DNS provider is? You can easily find it out here.
To check if your records are added correctly, we recommend you follow this link and paste your domain name into both the SPF and DKIM parts. If something is not correct, you will be able to see all errors there.
Important Notes
Domain signature in Omnisend is free for all users.
To add SPF and DKIM records, choose the domain name you’d like to use. We recommend using your store’s domain (e.g.,
yourstore.com). You’ll need to add the provided records to your domain’s DNS.For Automation emails, you can either use the same domain or sign a subdomain (e.g.,
@news.yourstore.com,@email.yourstore.com,@shop.yourstore.com). The process for signing a subdomain is the same.Authentication doesn’t guarantee inbox placement. While domain authentication (SPF, DKIM) is crucial, it's only one part of good deliverability. You still need to follow best practices to maintain a strong sender reputation.
Using authentication protects your brand and gives your emails the best chance of being delivered reliably to your customers’ inboxes.
Troubleshooting
SPF Verification Errors
When verifying your sender domain, Omnisend checks your SPF record and will flag any issues that prevent verification. If an SPF error is found, Omnisend will display the exact error type and provide guided instructions to help you fix it. These errors include:
Multiple SPF Records Found: A domain can only have one SPF record. If your DNS settings contain multiple TXT records starting with
v=spf1, SPF validation will fail.Too Many DNS Lookups: SPF records are limited to 10 DNS lookups. If your SPF record includes too many
include:or similar mechanisms, SPF verification will fail even if the record appears valid.
For full step-by-step troubleshooting, see our dedicated guide: Troubleshoot SPF Errors.
To add SPF for a subdomain, enter only the subdomain name in the Name field (e.g., email instead of email.domain.com). In some cases, using the @ symbol may also be required, as this represents the root domain in DNS settings.
DKIM Verification Errors
If you are using GoDaddy as your DNS provider and, while checking if the records are added correctly, you can not see any information about DKIM, take a better look at the "Name" part. We provide you with a fully-qualified name that ends with your domain name. DO NOT include your domain name in the "Name" field when you add the TXT record. If you are given something._domainkey.yourdomain.com only enter something._domainkey in the "Name" field.
DMARC Verification Errors
If you encounter difficulties verifying DMARC records, follow these steps:
Check if the record's Name value is set to
_dmarc.yourdomain.com.If verification issues persist, try changing the Name value to just
_dmarc.
To receive further assistance, please get in touch with our Support Team via the in-app chat or by emailing [email protected].