Avoiding tightened spam filters with SPF and DKIM


To safely deliver thousands of emails a day, you need the right SPF, DKIM and DMARC records.


If you send a lot of email, especially to Gmail and Yahoo addresses, you might have had more messages being marked as spam lately. That's because of changes that these two mail receivers have made recently. Their aim was to stop bulk email senders from flooding inboxes with junk, but some legitimate businesses have also been caught out.

So, do you send more than 5000 emails a day? If you do, you're a bulk sender and there are some changes that you might need to make. With the right security protocols in place you ought to skip through newly-toughened spam filters.

This article will look at three separate protocols, each with its own abbreviation:

  • SPF (Sender Policy Framework), used to identify the servers that send mail from your domain.

  • DKIM (DomainKeys Identified Mail), which uses a digital signature to add an authentication layer to email messages.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance), a record that defines one of three possible policies for recipients to follow if a message fails SPF and DKIM checks.

All three are managed by updating DNS TXT records for the domain from which you send email.

Working out which records you need

You are a bulk sender if your organisation sends more than 5000 messages a day. If you are near that threshold, or you think you'll reach it soon, it's best to act as if you're already a bulk sender.

Bulk senders need SPF and DKIM

Both SPF and DKIM are required for bulk senders. DMARC is optional.

It can be smart to consider using a service like MailChimp or SendGrid for broadcast-style messages like newsletters. Services like these have a deep understanding of anti-spam regulations and they put a lot of effort into compliance. They also work hard to preserve their IP address reputations. If you want thousands of messages to get through, all of this is very valuable.

Everyone else only needs one of SPF or DKIM

If you're not emailing 5000 recipients a day, then either one of SPF or DKIM will suffice. As always, DMARC is optional.

Last year Gmail made anti-spam changes that brought SPF records into the spotlight. If you added an SPF or DKIM record then, and you're not a bulk sender, you are still in the clear now.


SPF, DKIM, and DMARC: What they each do and how they work

The idea behind all three of these protocols is to ensure that emails genuinely come from the sender that they appear to be from. If a spammer attempted to hide behind your email domain, SPF and DKIM would help to spot their messages and divert them away from inboxes. DMARC doesn't identify spam, but advises recipients how harshly to treat it.

SPF (Sender Policy Framework)

An SPF record is a DNS TXT record that tells systems the known sources (servers or IP addresses) of emails that come from your domain. This lets receiving systems like Gmail, Yahoo, and others flag messages that appear to have been sent from your domain but weren't actually from a source that you have declared.

The simplest SPF record would be this:

v=spf1 a mx ~all

This record would "soft fail" suspected spam. Soft fails are usually still delivered, either into a spam folder or into the usual inbox with a clear warning attached to it.

By changing ~all to -all (with a dash), you can implement a "hard fail". This usually bounces email back to the sender or just deletes it. Either way the intended recipient sees nothing.

For an example of a more thorough SPF record that we recommend for most SiteHost customers, see the SPF article already mentioned above. Or read the Email FAQs in our knowledge base for how to add SiteHost's mail servers to your SPF record.

DKIM (DomainKeys Identified Mail)

DKIM offers another way to check that, when emails look like they're from your domain, they actually are. It's designed to spot spoofed or forged messages, and to ensure that emails are not altered during transit.

With a DKIM record in place, your outgoing emails are digitally signed with a private key. The record contains the public key that recipients can use to verify this signature.

Adding a DKIM record is more complicated than adding an SPF record. See DKIM Records in the Knowledge Base for a full run-through.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

With DMARC, you can give extra information to email recipients when messages fail SPF and DKIM checks. That information specifies one of three policies to follow ("none", "quarantine" the message, or "reject" it). It also lets you set an email address to receive feedback reports about emails that claim to be from your domain. It's handy to know who's out there, using your name.

DMARC is optional for all email senders. If you want to add a DMARC record, see how in the Knowledge Base.
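
The rules above as a small offline audit, added here as an example (it is not SiteHost's code): it reads TXT records and reports how SPF treats undeclared senders, whether a DKIM key is published, which DMARC policy is set, and whether the sender meets the SPF/DKIM requirement for its daily volume. The domain example.com, the DKIM selector sel1 and the record values are constructed assumptions.

```python
# Constructed sample TXT records for the placeholder domain example.com;
# the selector "sel1" and the key placeholder are assumptions.
SAMPLE_TXT = {
    "example.com": ["v=spf1 a mx ~all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=<base64-public-key>"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

ALL_QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

def spf_default(records):
    """Return how mail from undeclared sources is treated, or None if SPF is unusable."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # no SPF record, a mistyped version tag, or several records
        return None
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in ALL_QUALIFIERS else "+"
            return ALL_QUALIFIERS[qualifier]
    return "neutral"  # no "all" mechanism (redirect= is not followed here)

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(txt, domain, selector, daily_volume):
    """Check the records against the bulk (more than 5000/day) and non-bulk rules."""
    spf = spf_default(txt.get(domain, []))
    dkim_records = txt.get(f"{selector}._domainkey.{domain}", [])
    dkim = any(parse_tags(r).get("p") for r in dkim_records)  # empty p= is a revoked key
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    policy = dmarc[0].get("p") if dmarc else None
    if policy not in ("none", "quarantine", "reject"):
        policy = None  # DMARC is optional; a missing or invalid policy is only reported
    bulk = daily_volume > 5000
    ok = (spf is not None and dkim) if bulk else (spf is not None or dkim)
    return {"spf": spf, "dkim": dkim, "dmarc_policy": policy, "bulk": bulk, "meets_requirement": ok}
```

In practice the dictionary would be filled from live DNS lookups for your own domain and selector rather than from constructed values.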

Gmail addresses still causing issues?

If you believe that your SPF/DKIM/DMARC records are all in place, but Gmail spam filters are still catching you out, Google has published very thorough email sender guidelines that are worth reading.


Main image by cattu on Pixabay.