Have you recently gotten notifications from your email marketing service and the other services that send email on your behalf, telling you that you have to set up a DMARC policy and authenticate your domain?
Google and Yahoo (and other mail providers, including corporate mail systems) are looking to reduce the amount of spam and spoofed email delivered to their customers. To that end there are some new requirements in place if you want to make sure your emails end up in the inbox, and not in spam.
What Does All This Mean?
Associated with your domain name are a series of DNS (Domain Name System) records. Think of DNS like a phone directory. For example, when someone visits your website by typing the name yourdomain.com in the browser, the browser looks up the DNS record with that name and gets the internet address of the server where the site is located. The same thing happens with your email. When someone sends you an email message at [email protected], the sending mail system looks up the mail record for yourdomain.com in DNS and gets the internet address of your mail server so it can deliver the mail there.
If you change webhosts or email providers for your domain you update the DNS records to point to the new locations.
Your DNS records are located and updated at the Nameserver (the phonebook) for your domain. This is normally the same place where your domain is registered, but it doesn’t have to be.
In addition to your website and mail records, DNS holds other types of records, including ones that verify your domain with various services. This is where DMARC, DKIM and SPF records come in.
SPF
An SPF (Sender Policy Framework) entry in the DNS sets the policy of what’s allowed to send mail on behalf of the domain. For example your SPF entry might say that your website, Constant Contact, and your domain email provider are allowed to send email on behalf of the domain.
DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that uses a digital signature to let the receiver know that this email came from a valid source. The DKIM entries in DNS are the public keys from a key pair; the matching private key stays with the sending service and is never sent in the message. The recipient of the email looks up the DKIM entry to validate that the digital signature in the message is authentic, that is, that it was created with the private key belonging to that public key.
DMARC
The DMARC (Domain-based Message Authentication, Reporting, and Conformance) entry sets the recommendation on what to do with mail that does not meet the SPF policy or the DKIM authentication. Should it be delivered anyway, sent to spam, or outright rejected?
What’s Changing?
Although you have been able to set up SPF, DKIM, and DMARC for some time, the big change in February 2024 is that you are now required to have a DMARC policy in place (which in turn requires that you have SPF and/or DKIM set up for all the services sending mail on your behalf). You also have to have low spam rates. You want less than 0.3% spam reports, although ideally you should target 0.1%, which is 1 in 1000 emails.
There are other requirements if you send out more than 5,000 emails at a time. (And you do want to grow your list that large!)
- Both SPF and DKIM must be in place
- Messages must pass DMARC alignment from both
- Messages must include one-click unsubscribe links.
Using an email marketing service should take care of the one-click unsubscribe for you.
One other note about DMARC enforcement: If you want your email delivered, you should stop using gmail, yahoo, aol, comcast or other emails that are not associated with your domain as the From address in any services that you use.
In addition to your email, what are these other services? You may use more than you think.
- Do you use an email marketing service like Mailchimp, ActiveCampaign, Constant Contact or many others?
- Do you have a CRM that sends out emails to your clients?
- Does your website send out contact forms or password reset emails?
- Does your shopping cart send receipts and shipping notifications?
- Do you use landing page software like ClickFunnels?
- Do you have a member site like Kajabi?
- Do you use webinar software that sends out reminders and confirmations?
- Do you use software that sends out invoices, proposals, appointment reminders and other transactions for your business?
What Do I Have to Do?
To get in compliance, you need access to your domain’s DNS records in order to update them. Normally this would be at the same account where you renew your domain name registration.
Set up SPF and DKIM for your Domain
For your domain email and each of the services that send email on your behalf, you’ll need to create DNS records. Follow the instructions at each service to set up SPF and DKIM records.
SPF
The SPF record is a TXT entry in your DNS. For Google Workspace, for example, you would create a TXT record that looks like this:
Host: @
Type: TXT
Value: v=spf1 include:_spf.google.com ~all
The include statement authorizes Google Workspace to send email on behalf of your domain. ~all means that if some other server sends mail on your behalf, the receiver should consider it a soft fail. (The other option, -all, tells receivers to outright reject mail from any servers not on the list, but it can result in legitimate email being rejected, especially as you start to implement these policies.)
You are only allowed one SPF record per domain, so if you want to include an additional service, you would edit the record to add an additional include statement. For example, if you wanted to add Mailchimp in addition to Google Workspace, the SPF TXT record would look like this:
Hostname: @
Type: TXT
Value: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Note that the SPF record can contain a maximum of 10 DNS lookups, so if you are sending mail from more than 10 services, you’ll need to add some of them to a subdomain and create an SPF record for that.
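Added example, not from the original article: a small Python checker that splits an SPF TXT value into its terms, counts the terms that cost a DNS lookup against the 10-lookup limit, and composes the single record a domain may publish from a list of include domains. It only counts the top-level record (it does not fetch and expand the includes), and the svc0.example style domains are constructed placeholders.

```python
import re

# SPF terms that each cost one of the 10 DNS lookups a receiver will perform
# (RFC 7208 section 4.6.4); ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF TXT value into its parts and count lookup-costing terms.

    Only the top-level record is counted: includes are not fetched and
    expanded here, so the true total a receiver sees can only be higher."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    result = {"includes": [], "lookups": 0, "all": None}
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"malformed SPF term: {term!r}")
        name, value = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "include":
            result["includes"].append(value)
        elif name == "all":
            result["all"] = qualifier         # ~ soft fail, - hard fail
    result["within_limit"] = result["lookups"] <= MAX_LOOKUPS
    return result


def build_spf(include_domains, all_qualifier="~"):
    """Compose the one SPF record a domain may publish from the include
    domains of every service that sends on its behalf."""
    parts = ["v=spf1", *(f"include:{d}" for d in include_domains), f"{all_qualifier}all"]
    return " ".join(parts)


if __name__ == "__main__":
    # The Google Workspace + Mailchimp record from the article.
    rec = build_spf(["_spf.google.com", "servers.mcsv.net"])
    print(rec, parse_spf(rec))
    # Constructed sample: 11 hypothetical services, one too many for one record.
    too_many = build_spf([f"svc{i}.example" for i in range(11)])
    print(parse_spf(too_many)["within_limit"])   # False
```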
DKIM
The DKIM records will be either TXT or CNAME records you add to your DNS depending on the service. The service will give you the values.
For Google Workspace, you must log in as a superadmin and turn on DKIM in addition to adding the records. Read more about how to get your DKIM keys and turn it on for Google Workspace here.
Each service you use that sends emails on your behalf will need to have SPF and DKIM records added to your DNS records.
Set up DMARC with No Enforcement
Before you set up DMARC, you should have SPF and DKIM records in place for at least 48-72 hours so the records can propagate across the various DNS resolvers on the internet.
To create a DMARC record, you will create a TXT record in your domain.
Hostname: _dmarc
Type: TXT
Value: v=DMARC1; p=none;
These are the only two required fields: the version of DMARC (v=) and the policy to use if authentication fails (p=). Policy options are 1) none, 2) quarantine (send to spam) or 3) reject.
Monitor Your DMARC reports
You should initially set your policy in DMARC to “none” so that legitimate mail does not get rejected or sent to spam while you determine what services are sending mail on your behalf.
There is an additional parameter in the DMARC record that lets you specify an email address to send reports to so you can monitor emails being sent from your domain. This version of the DMARC record would send reports to the email address [email protected] for example.
Hostname: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]
The DMARC reports are very valuable, but they can be difficult to interpret as they are raw logs in an XML format. Also, whatever email address you add to the DNS record is available publicly and you might not want that visible.
There are a number of services out there that let you sign up with them to monitor your DMARC reports in an easy to use dashboard that aggregates the services that are sending on your behalf. That way you can see which services are passing, which are failing and need SPF and DKIM records, and which ones might be spoofing your domain and damaging your sender reputation.
Many of these services are paid services, however you can sign up for a free 14-day trial to check which services are sending mail on your behalf, or if your volume is low use their free versions.
When you sign up with a monitoring service, the rua (aggregate) reports will go to an email address specified by the service.
Move to Quarantine and Reject Policies Over Time
Once you know that all your legitimate senders are authenticating properly, you can modify your DMARC policy for stricter enforcement.
Start with quarantining some of your messages, review what is being sent to spam, then you can progress to rejecting all messages that don’t pass DMARC.
You can find more info at Google Workspace’s recommended DMARC rollout.
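Added example, not from the original article or from Google: a Python parser that checks a DMARC TXT value for the required v= and p= tags and a well-formed rua= address, plus a helper that moves a record one step along the gradual rollout described above. The four-stage schedule (none, quarantine a quarter of failures, quarantine all, reject) is assumed for this example; pct= is a real DMARC tag not mentioned in the article, and dmarc@example.com is a constructed address.

```python
POLICIES = ("none", "quarantine", "reject")
# Assumed enforcement schedule for this example (not a standard): monitor only,
# quarantine 25% of failing mail, quarantine all of it, then reject.
ROLLOUT = [("none", 100), ("quarantine", 25), ("quarantine", 100), ("reject", 100)]


def parse_dmarc(record):
    """Parse a DMARC TXT value into tags and list any problems found."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DMARC tag: {field!r}")
        key, value = (part.strip() for part in field.split("=", 1))
        tags[key.lower()] = value
    problems = []
    if list(tags)[:1] != ["v"] or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    for uri in rua:                       # report addresses must be mailto: URIs
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua address is not a mailto: URI: {uri}")
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        problems.append("pct= must be an integer from 0 to 100")
        pct = None
    return {"policy": tags.get("p"), "rua": rua, "pct": pct, "problems": problems}


def next_step(record):
    """Return the record for the next ROLLOUT stage, keeping rua= so that
    aggregate reports keep arriving while enforcement tightens."""
    parsed = parse_dmarc(record)
    stage = (parsed["policy"], parsed["pct"])
    idx = ROLLOUT.index(stage) if stage in ROLLOUT else 0
    policy, pct = ROLLOUT[min(idx + 1, len(ROLLOUT) - 1)]
    parts = ["v=DMARC1", f"p={policy}"]
    if pct != 100:
        parts.append(f"pct={pct}")
    if parsed["rua"]:
        parts.append("rua=" + ",".join(parsed["rua"]))
    return "; ".join(parts) + ";"
```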
Monitor Your Spam Rate
To monitor your spam rate at Gmail accounts and remain in compliance, you should set up an account for your domain at Google’s Postmaster Tools. You’ll sign up with a Google account.
You’ll add your domain, and you will also need to verify your domain by adding a TXT record to your DNS.
Once set up, you can use the data from the different dashboards to monitor your spam rate and reputation to ensure you remain below the 0.3% spam rate.
The Bottom Line
If you are like me, this is more than you ever wanted to know about this process! However, it is crucial to make sure that your messages are being delivered to your customers and potential customers! If we are managing your website and/or email marketing, know that we will be working with you to take care of getting this set up for you.