
Improve Email Deliverability with SPF, DKIM and DMARC

I recently completed a post about buying a domain name, setting up hosting and email, and it quickly was apparent that I didn't know enough about email setup. More importantly, how to ensure the email is set up correctly to ensure the best chances of your email actually being delivered!

After doing a little research I kept seeing SPF, DKIM, and DMARC popping up as important factors for helping to improve email deliverability. I knew little about these and have certainly never set these up.

One of my best friends, David, is pretty hot on this topic, so I reached out to him to see if he could write a little article on what SPF, DKIM, and DMARC are and how to best set them up. He kindly obliged and here is his article (using a nice example with his domain www.2fluffyducks.com!).

There are a few certain and constant things on the Internet, one is SPAM.

If you want to ensure your email doesn't arrive in your recipient's junk or spam folder, you need to ensure you have SPF, DKIM and DMARC set up properly.

The rest of the article has been written by David Brookfield; you can reach out to him via his LinkedIn profile.

Why Email Deliverability is An Issue

In this age of instant messaging and permanent contact, we’re used to messages arriving and we’re used to everything just working, but if you don’t work with email, you probably wouldn’t know just how tricky it is to get an email from your account to someone else’s.

There are many different ways an email can get screwed up. Have a look at this link. It's well worth noting this is just for the email server; there are many other reasons an email may not get to its destination.

With all this in mind here’s a quick “how-to” on giving yourself the best chance of getting an email to someone’s mailbox.

We all know about spam and in some way email deliverability is all about how not to be confused with a spammer.

10 Ways You Can Increase Email Deliverability

Below are 10 ways that you can increase the number of emails getting to someone’s mailbox. The last 3, SPF, DKIM and DMARC, I am going to talk about in detail.

  1. Build an email reputation
  2. Make sure your content isn’t spammy
  3. Build your own lists; DO NOT BUY THEM
  4. Ensure your email lists are squeaky clean
  5. Even if you built your own list, constantly update your lists
  6. Pare down your lists
  7. Make sure your unsubscribe button is easy to see
  8. SPF (Sender Policy Framework)
  9. DKIM
  10. DMARC

Before I go through SPF, DKIM, and DMARC, here is a very quick explanation of DNS, which is where SPF, DMARC, and DKIM are published.

What is DNS?

Here’s a quick non-techie explanation of DNS. DNS stands for Domain Name System, but that doesn’t really tell you what it is.

In this context think of DNS as an addressing system. Very much like where I live, I have an address that also corresponds to a set of co-ordinates. Because the world needs to know where www.2fluffyducks.com is right?

In DNS you have a name, www.2fluffyducks.com (the address), and an IP address, a set of numbers, 185.43.78.144 (the co-ordinates). The address is translated into the co-ordinates.

You should also know that there are DNS servers that keep all of this. Whilst they each don’t keep all the records, they do keep information about where the addresses can be found, a bit like knowing a friend of a friend who knows how to contact someone.

You can create different types of records, but for this purpose the ones you need to know about are below:

A Records

A hostname for a domain. www is a hostname, so too would be mail. To explain a little more, the hostname where this is concerned is the bit before 2fluffyducks.com, so the hostname is the www in www.2fluffyducks.com or the mail in mail.2fluffyducks.com.

MX Records

An MX record is the mail exchange record; it says where your mail is.

CNames

CNames are aliases: they map a name to another name. It’s probably best I give you an example; you see them more often now with the rise of SaaS software.

Let’s say 2fluffyducks.com uses the email services of city-support.com and the mail server is mail.city-support.com, but I don’t want my employees going to mail.city-support.com. I could create a CName for mail.2fluffyducks.com to go to mail.city-support.com, i.e. when you type mail.2fluffyducks.com you are actually going to mail.city-support.com.

Enough on this before you die of boredom.

TXT Records

As it says in the name, TXT records are exactly that: text. SPF, DMARC and DKIM are examples.

That’s a quick breakdown, but generally, just tell your hosting company what you are trying to do, and they’ll do it for you albeit at a cost.

SPF (Sender Policy Framework)

SPF stands for Sender Policy Framework and is an email authentication method that is designed to detect forged sender addresses in emails; this is a technique often used in spamming and phishing. An SPF record is published to your DNS as a TXT record and as such allows the receiving mail server to check that an email claiming to come from a specific domain comes from an authorized IP address.

Typically, your mail admin (if you have one) will create the record for you. But in this time of solopreneurs, you're probably the mail admin, webmaster and receptionist as well as CEO, CFO, and any other role that comes along.

So, it's important to get on and create an SPF record yourself – it really can help with your email deliverability!

Anatomy of an SPF record

Here is an example SPF record for the domain 2fluffyducks.com. What can I say, it’s a real domain; as memory serves me, I bought it when I was drunk and I kept the domain.


v=spf1 a mx a:mail.city-support.co.uk ip4:185.43.78.144/24 ~all

  • v=spf1 = the start of all SPF records
  • a mx = this means please accept email from the addresses in 2fluffyducks.com's own A record and MX records
  • a:mail.city-support.co.uk = this is the name of the mail server I use. I use another mail server; it sends about a million a month (which isn’t a lot) but has a great reputation. This is normal, and if you used Office 365 or Google Apps then you would include them here.
  • ip4:185.43.78.144/24 = this is the IP range where email might also be expected to come from.
  • ~all = means softfail all other email, which means it’s up to you what to do if email does not match the above.
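
How a receiving server walks this record, as an added example rather than code from the article: the terms are tried left to right and the first one that matches the connecting IP decides the result. The DNS answers are a constructed table so it runs offline; every address in it other than 185.43.78.144 is an assumption, as is the name check_spf.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline. Reusing the page's
# 185.43.78.144 for the bare domain and the other addresses are assumptions.
FAKE_DNS = {
    ("2fluffyducks.com", "A"): ["185.43.78.144"],
    ("2fluffyducks.com", "MX"): ["mail.2fluffyducks.com"],
    ("mail.2fluffyducks.com", "A"): ["198.51.100.20"],
    ("mail.city-support.co.uk", "A"): ["203.0.113.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 a mx a:mail.city-support.co.uk ip4:185.43.78.144/24 ~all"


def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])


def check_spf(record, domain, sender_ip):
    """Evaluate a, mx, ip4 and all, left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            nets = [arg]
        elif mech == "a":
            nets = lookup(arg or domain, "A")
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            nets = [addr for host in hosts for addr in lookup(host, "A")]
        else:
            return "permerror"               # include, exists, ... not handled here
        if any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term
```

Note that the /24 authorizes all 256 addresses in 185.43.78.0 to 185.43.78.255, not only the single server, so it is worth checking that the whole range really is yours.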

DKIM

DKIM stands for DomainKeys Identified Mail, again the name doesn’t really tell you much.

DKIM is complicated, so first off, it’s important to know that this is only beneficial if your email server supports DKIM, or whoever you send through supports DKIM. Publishing a DKIM record and not using DKIM doesn’t make sense. Especially if you use the wrong type of policy.

Before I launch into an explanation of DKIM, I have provided an example of how to create a key and what you need. At the end of my how-to I have added additional information about DKIM, it’s a bit dry but will hopefully provide you with some context if you want it.

First off, you create a DKIM Record in your DNS.

I’ll break this down and give you an example using the domain campaign-mail.co.uk, using a DKIM Generator you can find here.

There are several parts to your DKIM.

You have a selector (the name), the domain public key, domain private key, and your policy record.

Look at the screenshot below: you can see where you enter your domain name and the name of your selector; default is as good a name as any. If you will use several, then try key1, key2, etc. If you need more than one record, I assume you know what you are doing and you won’t need help creating your records.

Creating DKIM record

Now when you click generate, you’ll see some information.

Below are the Public Key and Private Key; you should only save them in a text file. Also note you should keep your Private Key safe, secure and private: if anyone gets their hands on your Private Key they can send email as you.


-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvxiTxuEbBH7TtTXQpKq1AfYc6rYfd0aRLRF3k0PffuhL37ejY9Hp9675tYmF1oZnOSfirSNS4NSajdcAhKyRxzgfS/x7YAzZCUgG+ofNH1nErmpJiBpNmiQ6Gkr9lnL2dVkIjU3qAjhnJI1PObBTYWkwhb2lh0I4u5NPFah3SCQIDAQAB
-----END PUBLIC KEY-----

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

So now you have generated this information you need to publish this to your DNS. Most likely you will be using a txt record to do this.

There are many, many different systems so I am going to give you an example that is pretty generic.

Log in to your hosting control panel and navigate to where you can edit your DNS. In my example, I am using internetbs.net but you will probably have a similar look. You need to create 2 records:

  1. For your DKIM Public Key
  2. For your Policy Record (remember, your policy record tells the world what to do if the email does not match the policy)

For your DKIM key, notice that the record name is default._domainkey and, to the right, the value starts with “v=DKIM1;”. Your public key goes directly after:


v=DKIM1; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvxiTxuEbBH7TtTXQpKq1AfYc6rYfd0aRLRF3k0PffuhL37ejY9Hp9675tYmF1oZnOSfirSNS4NSajdcAhKyRxzgfS/x7YAzZCUgG+ofNH1nErmpJiBpNmiQ6Gkr9lnL2dVkIjU3qAjhnJI1PObBTYWkwhb2lh0I4u5NPFah3SCQIDAQAB

Now create your policy record

_domainkey.campaign-mail.co.uk IN TXT "o=~"

DNS TXT record

Don’t forget to save your DNS changes!
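
A check worth running on the default._domainkey value before it is published, as an added example (not the generator's or the author's code): it splits the record into its tags and reads the RSA key size straight out of p=. The 2048-bit threshold follows the RFC 8301 recommendation for signers and is this example's choice; the function names are assumptions.

```python
import base64

# The default._domainkey TXT value shown above (key copied from this page).
DKIM_TXT = (
    "v=DKIM1; k=rsa;p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvxiTxuEbBH7TtTXQpKq1A"
    "fYc6rYfd0aRLRF3k0PffuhL37ejY9Hp9675tYmF1oZnOSfirSNS4NSajdcAh"
    "KyRxzgfS/x7YAzZCUgG+ofNH1nErmpJiBpNmiQ6Gkr9lnL2dVkIjU3qAjhnJ"
    "I1PObBTYWkwhb2lh0I4u5NPFah3SCQIDAQAB"
)

def parse_tags(txt):
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(der, pos):
    """Return (value_start, value_end) of the DER element that begins at pos."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(p_value):
    """Modulus size, in bits, of the SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_value, validate=True)
    spki_start, _ = _tlv(der, 0)               # outer SEQUENCE
    _, alg_end = _tlv(der, spki_start)         # AlgorithmIdentifier (skipped)
    bits_start, _ = _tlv(der, alg_end)         # BIT STRING wrapping the RSA key
    rsa_start, _ = _tlv(der, bits_start + 1)   # +1 skips the unused-bits byte
    mod_start, mod_end = _tlv(der, rsa_start)  # first INTEGER is the modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def audit_dkim_record(txt, min_bits=2048):
    tags, findings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        return findings + ["non-RSA key type, size check skipped"]
    if not tags.get("p"):
        return findings + ["empty p=: the key is revoked or missing"]
    bits = rsa_key_bits(tags["p"])
    if bits < min_bits:
        findings.append(f"{bits}-bit RSA key is below {min_bits} bits")
    return findings
```

Run against the record above, it reports a 1024-bit key, so choose 2048 bits when generating a key for real use.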

So, what do you do now?

Well, that all depends on your email system. But with all email systems that use DKIM, you will need your private key, which you have stored safely in a .txt file.

All of the above is the practical use/creation of a DKIM key; now here is an explanation.

DKIM is cryptographic authentication that is designed to detect forged sender addresses in an email (Actually it can detect any change to an email) and thus prevent spoofing. How it works is by using Public Key Private Key encryption.

The sender (The domain owner) is the only person that has the Private Key, but your Public Key is published in DNS. You can see the syntax in the examples above.

The methodology is this: an email message is sent from your server by you, and a string known as a hash is encrypted using your Private Key and then added to the header of your email.

The receiving mail server reads the DKIM header and runs a DNS query against your DKIM record. Once it has retrieved this, it goes through a validation process whereby it creates its own hash, and this is compared for a match with the original. Then, depending on your policy record, the mail transport agent (MTA/mail server) will either forward the mail, drop it or mark it.
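
The hash-and-compare step described above, as an added example that is not part of the original article: the sender records a hash of the body in the header, and the receiver works out which DNS record holds the public key and re-computes the hash. Only the body hash (bh=) is shown; the RSA signature over the headers (b=) is left empty, and the message body and function names are constructed for illustration.

```python
import base64
import hashlib


def parse_tags(value):
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def canon_body_simple(body):
    """DKIM "simple" body canonicalization: drop trailing empty lines, keep one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body):
    digest = hashlib.sha256(canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def make_signature_header(body, domain, selector):
    """Sender side: state what was hashed and which key to look up.
    A real signer also signs the listed headers with the private key (b=)."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def receiver_check(header_value, body):
    """Receiver side: name of the DNS record to query, and whether the body still matches."""
    tags = parse_tags(header_value)
    dns_name = f"{tags['s']}._domainkey.{tags['d']}"
    return dns_name, tags["bh"] == body_hash(body)


# Constructed sample message body.
BODY = b"Hello,\r\n\r\nYour order has shipped.\r\n"
HEADER = make_signature_header(BODY, "campaign-mail.co.uk", "default")
```

Extra blank lines appended in transit do not break the match, because canonicalization removes them, but any change to the text does.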

DMARC

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” which is a bit of a mouthful. Just like SPF, it’s another way of a mail server confirming this email is legitimate and not forged.

How does DMARC work, briefly, and in non-technical terms?

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message.

DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
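
How a receiver turns SPF and DKIM results into a DMARC outcome, as an added example (not from the original article). DMARC only counts a pass from a domain that lines up with the visible From address. The record, the two-entry suffix list standing in for the Public Suffix List, and the function names are all constructed for illustration.

```python
# Constructed stand-in for the Public Suffix List, enough for this example.
PUBLIC_SUFFIXES = {"com", "co.uk"}
# Constructed record, as it would be published at _dmarc.campaign-mail.co.uk.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@campaign-mail.co.uk"


def parse_tags(record):
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def org_domain(domain):
    """Registrable domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):                        # try the longer suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    if mode == "s":                         # strict: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed


def dmarc_disposition(record, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]
```

An SPF pass for some other domain, such as a bulk sender's own bounce domain, does not satisfy DMARC; in that setup the DKIM signature with your d= is what carries the message.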

Outcome – Emails Received!

So, this article is a little technical in places, especially if you've not dealt with DNS in the past. Hopefully, the steps outlined above mean you can walk through them, otherwise pass them to your technical person to get them set up.

In this day and age of growing spam, it's incredibly important to do what you can to ensure your emails are delivered. Having undelivered emails is a headache at best but at worst could mean you're wasting money marketing to potential or existing customers who simply aren't getting your message!

The thing to remember about SPF, DKIM, and DMARC is they are now a fundamental component of successful marketing campaigns. They increase your deliverability, and every email delivered is an additional chance to get your message over or to make a sale. In this day and age, ignore them at your peril, because you can bet your competitor won’t.

We hope this helps. Please enter any comments below.
