HOW TO SET UP SPF DKIM AND DMARC
If you are looking to preserve your reputation while also increasing your deliverability, then you definitely need DKIM, SPF, and DMARC set-ups. As a matter of fact, we highly encourage you to configure them as soon as possible!
Before we go any further, it’s important to know that DKIM, SPF, and DMARC records are part of your DNS settings, which you manage at your domain provider (e.g., Squarespace, GoDaddy, Namecheap, etc.).
We know that it can be a bit tricky and overwhelming, but do not fret! We are here to help you out, every step of the way. Here’s how to set up SPF, DKIM, and DMARC.
What do all these terms stand for?
DKIM is short for DomainKeys Identified Mail. This is a security standard designed to prevent email messages from being tampered with while in transit between sending and receiving servers. Using public-key cryptography, the transmitting server signs each email with a private key as it leaves.
This email authentication technique, known as DKIM signature, helps email senders identify forgeries by associating a domain name with each message, thus verifying its validity in the process.
No, this is not the stuff you see on sunscreens. SPF stands for Sender Policy Framework. It is specifically helpful during email delivery. SPF is a technique of email authentication that can identify forged sender addresses.
SPF alone can only detect a fraudulent sender claim in the email’s envelope, the address that is used when emails bounce. Forging the visible sender in emails, a method often employed in phishing and spam, can only be detected in conjunction with DMARC.
While an email is being sent, SPF enables the receiving server to verify that an email claiming to be from a certain domain is really being sent from an IP address approved by the domain’s administrators. The DNS records for a domain publish a list of permitted transmitting hosts and IP addresses.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the mechanism used to authenticate sent and received emails. In order to prevent email spoofing, it gives domain owners the option to restrict their email addresses from being used without their permission.
Implementing DMARC has the primary goal of preventing a domain from being exploited in cyber threat activities such as business email compromise attacks, phishing emails, email scams, and other cyber threats.
Anyone with an email server may authenticate incoming email using the instructions provided by the domain owner inside the DMARC DNS entry after it has been published. Once authentication is complete, the email will be delivered and it can be trusted. If the email does not pass the test, the recipient may receive it, quarantine it, or reject it based on the DMARC record’s instructions.
For example, one email forwarding service delivers the mail, but as “From: [email protected]<forwarding service>”.
DMARC extends the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication technologies. The administrative owner of a domain can publish a policy in their DNS records to define which method (DKIM, SPF, or both) is used when sending email from that domain. The policy also specifies how to verify the “From:” field displayed to end-users, and how the receiver should deal with failures.
RFC 7489, issued in March 2015 by the Internet Engineering Task Force, defines DMARC as “Informational”.
So why exactly do you need DMARC, SPF, and DKIM?
Usually, hackers’ main entry points are phishing and spam email. An entire company may be compromised with ransomware, cryptojacking scripts, data leakages, or privilege escalation exploits if a single person opens a malicious email attachment on their work computer.
A fact that is not known to many people is that most businesses need all three of these measures (DMARC, SPF, and DKIM) to safeguard their email infrastructure. As with many things in the realm of information technology, they don’t fully overlap; they are complementary, and the typical company will likely need all three. If you use Google’s email service, you can create your domain key by following the steps Google provides. If you administer your domain via cPanel, you can find instructions there on how to set up the different DNS entries. Once you think you are done, you can also use an online tool to verify that the necessary DKIM keys are present in your email headers.
Steps on how to set them up:
DKIM:
- Log in to Google Admin: admin.google.com
- In the navigation menu on the left-hand side, go to Apps > GSuite > Gmail
- Generate a DKIM Key
- Create a DNS TXT Record with the DKIM key generated in the previous step. For this, you will need to go to your domain provider (e.g. GoDaddy, Squarespace, Namecheap, etc.).
- After creating the DNS TXT record in your domain with the DKIM Key, you can start Authenticating.
SPF:
- Sign in to your domain account on your domain host’s site (not your Google Admin Console). This can be GoDaddy, Squarespace, Namecheap, etc.
- Go to the page for updating your domain’s DNS records. This page may be called DNS Management, Name Server Management, or Advanced Settings.
- Find your TXT records and check if your domain has an existing SPF record. The SPF record starts with “v=spf1…”.
- If your domain already has an SPF record, remove it.
- Create a TXT record with these values:
- Name/Host/Alias – Enter @ or leave blank
- Other DNS records for your domain might indicate the correct entry.
- Time to Live (TTL) – Enter 3600 or leave the default.
- Value/Answer/Destination – Enter v=spf1 include:_spf.google.com ~all.
This can take up to 48 hours to take effect.
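The SPF steps above depend on the domain ending up with exactly one SPF record. The following check is an added example, not part of the original article: it lints a list of TXT strings as a DNS lookup would return them, and `lint_spf`, `SAMPLE_TXT` and the `old-provider.example` name are constructed for illustration.

```python
import re

# Terms that cost one DNS lookup each; RFC 7208 allows at most 10 per check.
# Only the top-level record is counted here; nested includes add more lookups.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def lint_spf(txt_records):
    """Return (findings, qualifier of the 'all' mechanism) for a domain's TXT strings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"], None
    findings = []
    if len(spf) > 1:
        # RFC 7208: more than one SPF record makes the check fail with permerror.
        findings.append(f"{len(spf)} SPF records found: receivers return a permanent error")
    terms = spf[0].split()[1:]          # lint the first record's terms
    names, all_qualifier = [], None
    for position, term in enumerate(terms):
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the default
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        names.append(name)
        if name == "all":
            all_qualifier = qualifier
            if position != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if all_qualifier is None and "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet")
    return findings, all_qualifier

# Constructed sample: an old SPF record was left in place next to the new one.
SAMPLE_TXT = [
    "google-site-verification=CONSTRUCTED-TOKEN",
    "v=spf1 include:spf.old-provider.example ~all",
    "v=spf1 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT))                        # duplicate record flagged
    print(lint_spf([SAMPLE_TXT[0], SAMPLE_TXT[2]]))    # clean after removal
```
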
DMARC:
- Go to your domain administrator’s site. Find DNS Management or Settings.
- Add this TXT record to your DNS:
- Host Name: _dmarc
- VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:[email protected];pct=90; sp=none
- The minimum is “v=DMARC1; p=none; rua=mailto:*[email protected]*” (you need to change the one inside the asterisks)
The email report will be sent to the email address you provide. This is totally optional. Here is the value without the email:
VALUE (no email): v=DMARC1; p=quarantine; pct=90; sp=none
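To see what the DMARC value above asks receivers to do, the following added example (not from the original article) parses a record and reports the policy for the domain and for its subdomains. `parse_dmarc` and `effective_policy` are hypothetical helper names, and the record is the article's no-email value.

```python
POLICIES = ("none", "quarantine", "reject")   # ordered from weakest to strictest

def parse_dmarc(value):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if it is invalid."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        key, val = part.split("=", 1)
        tags[key.strip().lower()] = val.strip()
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            raise ValueError(f"{tag} must be one of {POLICIES}")
    if "p" not in tags:
        raise ValueError("p tag is required")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    return tags

def effective_policy(tags, subdomain=False):
    """Describe what receivers are asked to do with mail that fails DMARC."""
    # sp overrides p for subdomains; without sp, subdomains inherit p.
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    pct = int(tags.get("pct", "100"))
    # Failing mail outside the pct sample gets the next lower policy (RFC 7489).
    rest = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    return {"policy": policy, "pct": pct, "rest": rest, "reports": "rua" in tags}

# The no-email value given in the article.
PAGE_VALUE = "v=DMARC1; p=quarantine; pct=90; sp=none"

if __name__ == "__main__":
    record = parse_dmarc(PAGE_VALUE)
    print("domain:   ", effective_policy(record))
    print("subdomain:", effective_policy(record, subdomain=True))
```

With this value, 90% of failing mail from the domain itself is quarantined and the rest is delivered, while `sp=none` leaves mail that claims to come from subdomains with no enforcement; without `rua`, no aggregate reports are sent.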
We sure hope that these steps were helpful and easy to follow. Last but not least, we highly encourage you to set up your DKIM, SPF, and DMARC as soon as possible because it will help you get the finest marketing outcomes!