Learn how to protect your domain reputation by setting up your DKIM, SPF, and DMARC records.
Hey there!
DKIM, SPF, and DMARC are crucial setups that protect your reputation and boost your deliverability, which increases your chances of getting replies.
That's why we highly recommend taking care of it as soon as possible!
Before we dive into it, please note that DKIM, SPF, and DMARC records are part of your DNS settings, which you manage with your domain provider (e.g. GoDaddy, Squarespace, Namecheap, etc.).
That means it is all configured on your domain provider's end, not in lemwarm.
But of course, we're here to help you out with it, since it will help you have the best results with your campaigns. 🔥
DKIM is an email security standard designed to make sure messages aren't altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server.
DKIM (DomainKeys Identified Mail) signing is an email authentication method that helps detect forged sender addresses in email and lets senders associate a domain name with an email message, vouching for its authenticity in the process.
SPF (Sender Policy Framework) is an email authentication method designed to detect forged sender addresses during the delivery of the email.
SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails, a technique often used in phishing and email spam.
SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain.
DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.
The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.
Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected.
For example, one email forwarding service delivers the mail, but as "From: no-reply@<forwarding service>".
DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the "From:" field presented to end-users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.
DMARC is defined in the Internet Engineering Task Force's published document RFC 7489, dated March 2015, as "Informational".
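The way DMARC ties SPF and DKIM to the visible "From:" field can be shown with a short check. This is an added example, not part of the original article or any provider's code; the message fields, the sample domains, and the two-label shortcut for the organizational domain are assumptions made for illustration.

```python
# Added example: simplified DMARC check for one message (after RFC 7489).
# Assumption: the organizational domain is taken as the last two labels;
# real receivers use the Public Suffix List instead.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(msg, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passes AND its domain aligns with the visible From."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], msg["header_from"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_d"], msg["header_from"], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed sample messages; every domain is a placeholder.
# SPF passes for the envelope domain, but the visible From belongs to someone else.
SPOOFED = {"header_from": "example.com", "mail_from": "bounce.unrelated.example",
           "spf": "pass", "dkim": "none", "dkim_d": ""}
# Sent through a mail provider: envelope domain differs, DKIM is signed as example.com.
LEGIT = {"header_from": "example.com", "mail_from": "mail.provider.example",
         "spf": "pass", "dkim": "pass", "dkim_d": "example.com"}
# Envelope uses a subdomain of the From domain and there is no DKIM signature.
SUBDOMAIN = {"header_from": "example.com", "mail_from": "bounces.example.com",
             "spf": "pass", "dkim": "none", "dkim_d": ""}

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_result(msg))
    print("subdomain, strict SPF alignment:", dmarc_result(SUBDOMAIN, aspf="s"))
```

The first message is the case SPF alone does not catch: the envelope sender authenticates, yet the "From:" shown to the recipient is unrelated to it.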
Phishing and email spam are the biggest opportunities for hackers to enter the network. If a single user clicks on some malicious email attachment, it can compromise an entire enterprise with ransomware, cryptojacking scripts, data leakages or privilege escalation exploits.
What isn’t as well known is why most enterprises need all three of these protocols to protect their email infrastructures.
Like much in the IT world, the multiple solutions don’t all necessarily overlap. Actually, they are quite complementary to each other, and chances are good that the average business will need all three of them.
If you are using Google for your email, they have instructions about DKIM and how to generate your domain key. If you are using cPanel to manage your domain, they have suggestions on how to configure the various DNS records. Once you think you are done, you can use an online tool to validate that the expected DKIM signature shows up in your email headers.
Note that all the examples below apply only if Google is both your domain provider and your mail provider.
So don't copy/paste the values without checking with your own provider first. They usually have their own FAQ on the subject.
1. Log in to Google Admin: admin.google.com
2. In the side navigation menu, go to Apps > GSuite > Gmail.
3. Generate a DKIM key.
4. Create a DNS TXT record with the DKIM key generated in the previous step.
For this, you will need to go to your domain provider, e.g. GoDaddy, Squarespace, Namecheap, etc.
5. After creating the DNS TXT record in your domain with the DKIM key, you can start authenticating.
1. Sign in to your domain account on your domain host's site (not your Google Admin Console). This can be GoDaddy, Squarespace, Namecheap, etc.
2. Go to the page for updating your domain's DNS records. It may be called DNS Management, Name Server Management, or Advanced Settings.
3. Find your TXT records and check if your domain has an existing SPF record. The SPF record starts with "v=spf1…".
4. If your domain already has an SPF record, remove it.
5. Create a TXT record with these values:
Again, be careful: the example value above will work only if Google is your email provider.
If your email provider is not Google, please double-check with your email provider what the correct value is. We cannot confirm it on our end.
This can take up to 72 hours to take effect.
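Once the change has propagated, the domain's TXT records can be checked for the usual SPF mistakes: two "v=spf1" records left side by side, a missing or permissive "all", or too many DNS-lookup terms (RFC 7208 allows 10). This is an added example, not from the original article; the record values and provider names are constructed placeholders, not values to publish.

```python
# Added example: lint a domain's TXT records for common SPF problems (RFC 7208).
import re

LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txt_records):
    """Return the TXT values whose first term is the SPF version tag."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def dns_lookup_terms(record):
    """Count terms in this record that cost a DNS lookup (nested includes not followed)."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        count += name in LOOKUP_NAMES
    return count

def lint_spf(txt_records):
    spf = spf_records(txt_records)
    if not spf:
        return ["no SPF record: receivers get the result 'none'"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record: receivers return permerror")
    for rec in spf:
        terms = rec.split()[1:]
        all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
        has_redirect = any(t.lower().startswith("redirect=") for t in terms)
        if not all_terms and not has_redirect:
            findings.append("no 'all' mechanism: unlisted senders get 'neutral'")
        elif all_terms:
            qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
            if qualifier in "+?":
                findings.append("'all' does not fail unlisted senders")
        if dns_lookup_terms(rec) > 10:
            findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return findings

# Constructed TXT record sets (placeholder provider names).
BEFORE = ["v=spf1 include:_spf.old-provider.example ~all",
          "v=spf1 include:_spf.new-provider.example ~all",
          "site-verification=constructed-token"]
AFTER = ["v=spf1 include:_spf.new-provider.example ~all",
         "site-verification=constructed-token"]

if __name__ == "__main__":
    print("before:", lint_spf(BEFORE))
    print("after: ", lint_spf(AFTER))
```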
1. Go to your domain administrator’s site. Find DNS Management or Settings.
2. Add this TXT record to your DNS:
- Host Name: _dmarc
- VALUE (with email): v=DMARC1; p=quarantine; rua=mailto:example@example.com; pct=90; sp=none
OR
- Minimum VALUE is: v=DMARC1; p=none; rua=mailto:example@example.com;
OR
- VALUE (without email): v=DMARC1; p=quarantine; pct=90; sp=none
Please always replace our example email addresses with one that actually exists and belongs to you.
The version with an email address will send reports to whatever address you put in there.
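What each of the three values above asks receivers to do can be read off the tags. The following added example (not from the original article) parses the three values shown above and lists the practical consequences; the function names and the wording of the findings are this example's own.

```python
# Added example: read a DMARC TXT value and list what it means in practice (RFC 7489).
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(value):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def review_dmarc(value):
    tags = parse_dmarc(value)
    if not value.strip().startswith("v=DMARC1") or tags.get("p") not in RANK:
        raise ValueError("not a DMARC record: v=DMARC1 must come first, with a valid p= tag")
    p = tags["p"]
    sp = tags.get("sp", p)              # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    findings = []
    if p == "none":
        findings.append("p=none is monitoring only: failing mail is still delivered")
    if not rua:
        findings.append("no rua: no aggregate reports will be sent to you")
    if RANK.get(sp, 0) < RANK[p]:
        findings.append(f"sp={sp}: subdomains get a weaker policy than the domain itself")
    if p != "none" and pct < 100:
        findings.append(f"pct={pct}: the remaining {100 - pct}% of failing mail "
                        "is handled under the next weaker policy")
    return {"p": p, "sp": sp, "pct": pct, "rua": rua, "findings": findings}

# The three values from the article (example@example.com is the article's placeholder).
WITH_EMAIL = "v=DMARC1; p=quarantine; rua=mailto:example@example.com; pct=90; sp=none"
MINIMUM = "v=DMARC1; p=none; rua=mailto:example@example.com;"
WITHOUT_EMAIL = "v=DMARC1; p=quarantine; pct=90; sp=none"

if __name__ == "__main__":
    for record in (WITH_EMAIL, MINIMUM, WITHOUT_EMAIL):
        print(record)
        for finding in review_dmarc(record)["findings"]:
            print("  -", finding)
```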
That's it. Enjoy!