DMARC, DKIM, SPF...oh my!!

Quick Summary

  • Add at least the bare minimum DMARC record to your domain (Host: "_dmarc" | Value: "v=DMARC1; p=none;").
  • Have an email address with your domain name (e.g. info@yourdomain.com).
  • Confirm that all services that send email as you (Shopify, Klaviyo/Mailchimp/Flodesk, etc.) are set up to use the above email address (this involves extra authentication, like DKIM and/or SPF updates to your domain).
  • Consider using a DMARC service to help understand how well your setup is working.

You have likely received emails about changes that services like Google and Yahoo made that will affect the messages you send from your business. Here’s our summary of frequently asked questions about this topic.


What is this all about?

It can cause irreparable reputational damage if a spoofer imitates a brand's domain to scam recipients. Newly enforced security will cull the number of spam emails and will reduce spoofing attempts too. Though these changes can be confusing to understand (especially in terms of what you need to do…which hopefully this article will help with!), this is good news overall.

Like physical mail sent via the post office, someone could send you a letter and forge the sender's name on the envelope and the letter itself. The same is possible for email. We've seen stats that say most network attacks originate through email. To better protect against fraud, SPF, DKIM, and DMARC were introduced. Starting in 2024, companies like Gmail and Yahoo will be helping to reduce these issues, and spam in general, by enforcing email requirements.

This affects every business and every person who receives emails.


Do I need to make any changes?

If you don’t already have things set up, then yes. Though this is primarily a measure that affects bulk senders, you might be amazed to hear who is considered a bulk sender. Any emailer who sends over 5,000 emails per day to a specific service (like Google Mail) is considered a bulk sender. Some of our clients fit this classification with each marketing email they send, so it's a no-brainer for them to review their setup and make changes. However, the transactional emails you send also count. So, order and shipping notifications, customer service emails, etc. also count toward your 5,000 emails per day. Others, however, should also make changes since these guidelines are now considered a best practice for email sending.

From what we have heard, you could still see emails blocked/filtered as spam if you don’t have the requirements implemented. Based on our research, all businesses that send any emails are affected in some way.

  • If you send less than 5,000 emails per day (newsletters, order notifications, etc), you should be using email from your domain (avoid sending from @gmail.com or @yahoo.com accounts) and you're required to authenticate your domain via DKIM;

  • If you send more than 5,000 emails per day, you must start using a custom domain and you're required to have DKIM, SPF and DMARC records in place.

Additionally, if you send newsletters to your email subscribers, these email providers are requiring that your emails include a one-click unsubscribe option. From what we have seen, newsletter platforms like Klaviyo, Flodesk, Shopify and Squarespace are taking care of this for you. We highly recommend reviewing your platform and what they implemented (so that you know what your email subscribers will be experiencing).

Important note: Mistakes in your setup (like an errant space or making something too strict) can result in messages being rejected or sent to spam too, so it’s important to get things as right as possible and make corrections quickly should you find issues.


What should everyone be doing?

  1. Set up a branded sending domain and align your 'from' address with your branded domain (don't use generic emails like mybusinessname@gmail.com)

  2. Verify your domain via DKIM and SPF

  3. Have a DMARC record set up, with the policy set to at least p=none

  4. Make it easy to unsubscribe (one-click unsubscribe button is the requirement)...some bulk email sending companies are doing this automatically

  5. Keep spam complaints low (below 0.3%)

The importance of the spam complaint percentage is relative! If you send 1,000 emails and over 30 are marked as spam, then you have a problem beyond the blocking of your emails from service providers.


What things should I know before starting?

  • Know your domain registrar and make sure you have access to make updates to your DNS there. If you don’t remember where you purchased your domain, you can look this up here.

  • Know which services send email on your behalf, the most obvious being your email marketing provider but also consider other services, like your billing provider. Some common ones we have seen with our clients include Google Workspace, Shopify, Klaviyo, and Flodesk.

  • Know a few definitions that will come in handy to understand…

    • SPF: Defines a list of authorized servers that are allowed to send emails on behalf of your domain. SPF stands for Sender Policy Framework. In plain terms: "These are the servers I send messages from. If it says it's from me but comes from somewhere else, it's likely fake."

    • DKIM: This adds a digital signature to messages, allowing receivers to verify that mail hasn’t been tampered with during transit. DKIM stands for DomainKeys Identified Mail. In plain terms: "This is my signature. If it's not on the email, it probably didn't come from my server."

    • DMARC: This tells receiving servers (like Google Mail, Yahoo Mail, etc.) what to do with email that is or isn't authenticated. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. In plain terms: "If I get mail that doesn't match the SPF or DKIM, here's what I should do with it."

SPF and DKIM are responsible for spotting potential problems with an email and DMARC can be used to tell email servers what to do with problematic emails.


What should I know about setting up a DMARC?

Setup is relatively easy for this! The most basic version is to sign into your domain registrar and add the following entry to your DNS records:

Type: TXT

Host or Subdomain: _dmarc

Value: v=DMARC1; p=none;

Setting up a DMARC record with the policy of 'none' tells the receiving email servers not to take any action on mail that fails authentication. This should suffice for most needs!

With a bit more info added to the DMARC record, you can have the email companies send you (or a service) a report of what they did that day! We tried this at first by having the following DMARC entry:

v=DMARC1; p=none; rua=mailto:ouremail@randrcreativeco.com; pct=100; adkim=r; aspf=r

Unfortunately, the daily reports were sent in a format that isn't human friendly. To make this better, we signed up for a service (valimail.com, which we and Klaviyo recommend…the free version will be enough for most of us). After signing up, we only needed to update a part of the TXT line above (so that the reports were sent to valimail instead of us). Now we are compliant and can also check in on what is happening with our email sends.

If you are curious, here is what all the different parameters in the DMARC entry mean.
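
An added example, not part of the original article: a Python check for the tags used in the record above (v, p, rua, pct, adkim, aspf) that flags the kind of mistake mentioned earlier, such as an errant space. The function name check_dmarc and the broken sample record are constructed for illustration; the allowed values follow RFC 7489.

```python
import re

# Record taken from the page, plus a constructed broken one with errant spaces.
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:ouremail@randrcreativeco.com; "
               "pct=100; adkim=r; aspf=r")
BROKEN_RECORD = "v=DMARC 1; p=non e; pct=150"  # constructed

# Values RFC 7489 allows for the fixed-choice tags used in the page's record.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},  # policy for mail that fails DMARC
    "adkim": {"r", "s"},                    # DKIM alignment: relaxed / strict
    "aspf": {"r", "s"},                     # SPF alignment: relaxed / strict
}


def check_dmarc(record):
    """Parse a DMARC TXT value and return (tags, problems)."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # The version tag must come first and match exactly, or the record is ignored.
    if not parts or re.sub(r"\s*=\s*", "=", parts[0]) != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required policy tag p=")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]!r} is not one of {sorted(allowed)}")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append("pct must be a whole number from 0 to 100")
    # rua is a comma-separated list of report addresses; mailto: is the usual form.
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: address: {uri}")
    return tags, problems


if __name__ == "__main__":
    for rec in (PAGE_RECORD, "v=DMARC1; p=none;", BROKEN_RECORD):
        print(rec, "->", check_dmarc(rec)[1] or "OK")
```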


Additional information and resources

  • Reviewing DNS Records
    Anyone can review any domain's DNS records online. This can help if you aren't sure what to do! Here is one such service.

  • Reviewing DMARC
    You can see what other services see as your DMARC by using this DMARC Inspector (you can also learn from other DMARC setups this way).

  • Email Address
    If you change your email address, be sure to update your email in all the services you use…and to update this in all the right places. Klaviyo example: You need to change the default email sender AND change all of your flows and campaigns to mention this new default email address.

  • List Cleaning
    To keep your spam complaints to a minimum, practice regular list cleaning. Not only can this reduce your email marketing costs (since most charge based on number of contacts or number of emails sent), you will also reduce unsubscribes and spam complaints by only sending to engaged recipients.

  • More About All Of This
    We have found this Flodesk info page to be the most understandable and it includes several links to help with getting your SPF and DMARC setup on different registrars (like GoDaddy and NameCheap). Klaviyo’s version of this is fairly succinct and helpful too. It’s sometimes helpful to go to the source too, so here is what Google says about all this.


Couldn’t find the answer to your question? Please don't hesitate to reach out. You've got this!


Mark Rippstein

Mark Rippstein is the co-founder of R+R Creative Co.

Before graduating from Santa Clara University with honors in Business Marketing, Mark developed a strong work ethic at his parent’s scientific research company. Starting there in his early teens, he jumped in wherever needed, from sweeping floors and counting inventory to soldering circuit boards and setting up trade show booths...he even launched their first web presence in 1996. After working for a couple dot com companies in Silicon Valley and a Dutch bank in Switzerland, Mark spent over 10 years at Google forming and overseeing diverse and dispersed teams and projects. It was through his travels during that time that his appreciation for travel management, especially for trusted and knowledgeable advisors, grew into something that led him to Casto Travel. As Casto’s Director of Marketing, Mark oversaw their online presence, making sure that those who have an experience with Casto, including those working at Casto, had a clear understanding of their values and services. By leading their marketing efforts, Mark was tasked with keeping everything on brand, accurate, and secure. His primary focus was on their websites and their social ties. Mark also provided oversight when it came to having a clear, consistent and positive brand message, particularly pertaining to customer satisfaction, lead generation, and recruiting.

Mark joined his wife, Carla, to build a different type of marketing consulting company. With R+R Creative Co, their objective is to bring clarity, sustainability, and accountability to their projects.

Throughout his years of working on the web, Mark has become an advocate for clarity, consistency, and security. He believes that we should all strive for excellence and going beyond expectations...especially when it comes to working with others.

Find out more at: linkedin.com/in/markrippstein

https://www.randrcreativeco.com