Email authentication remains the first step before sending emails and a critical pillar in maintaining sender reputation, protecting recipients, and aiding spam filters in discerning legitimate from fraudulent communication. The significance of this has been underscored by recent updates from Google and Yahoo, emphasizing a proactive stance on email security. At the heart of authentication are two tools that every email sender should be using: SPF and DKIM.
So let’s take a closer look at what SPF and DKIM actually do, how they help keep your sending domain safe, and how to implement them for your newsletters.
Why SPF and DKIM matter
Sender Policy Framework, or SPF, has been a cornerstone of email authentication since its inception in 2004. SPF allows you, the sender, to define which email platforms and which IP addresses are authorized to send mail on behalf of your domain. You might be sending emails from a number of places:
- An email service provider, like Beehiiv or Mailchimp
- A mailbox, like Gmail or Outlook
- A third-party tool, like Shopify or Stripe
By telling the inboxes where you’re sending emails from, you can help reduce spam and prevent email spoofing.
The other key tool for authentication is DomainKeys Identified Mail, or DKIM, was also introduced in 2004 as a method for email senders to sign their messages cryptographically, allowing inboxes to verify that the email was not altered in transit and indeed comes from the stated domain. Setting up DKIM requires adding a digital signature to the headers of email messages sent from your domain, which is then verified against a public cryptographic key published in your DNS.
A correctly configured DKIM record not only secures email but also boosts deliverability. Email service providers favor emails that can prove their authenticity, thereby reducing the chances of legitimate messages being flagged as spam. This trust mechanism is vital for maintaining effective communication channels and letting spam filters understand different types of emails you send. This is the reason you need to add a DKIM key for each tool and subdomain used to send emails with your sender domain based email address.
Integrating SPF and DKIM in your email strategy
Getting your authentication setup correctly involves updating your DNS records to include SPF and DKIM settings that reflect all the email sources you use. This ensures that emails sent from your domain or subdomains are recognized as legitimate, enhancing your deliverability and protecting your brand’s reputation.
SPF Setup
Consolidate all sending sources into a single SPF record to avoid exceeding DNS lookup limits and ensure comprehensive coverage.
You need to get the SPF records of all the tools that use your domain or subdomains to send emails, including your domain based inbox.
If you were to add a Google Workspace SPF record, it would look like this:
v=spf1 include:_spf.google.com ~all
The important thing to remember is that you can only have one SPF record per domain or per subdomain. If you have more than one, it will fail authentication. So, if you were to add a that Google Workspace SPF record (v=spf1 include:_spf.google.com ~all) and one from an email marketing platform (for example: v=spf1 include:md02.com ~all), they would have to be merged together. Your SPF Record would end up looking like this:
v=spf1 include:_spf.google.com include:md02.com ~all
One notable challenge with SPF is the DNS lookup limit — you’re only allowed 10 lookups, which shouldn’t be an issue for an individual or a small organization, but anyone sending via multiple email service providers or sending large volumes of email might quickly get close to that limit. You should regularly check your SPF records to make sure you’re not authenticating any sources that you’re not regularly using, and removing those unnecessary records. With careful management, you can stay under these limits, ensuring all legitimate sending sources are accounted for without impacting email deliverability.
DKIM Configuration
Publish a DKIM record for each sending domain or subdomain with every single tool that sends using your sender domain, allowing receivers to verify the authenticity and integrity of your messages.
They tend to look like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD…
Continuous monitoring of your authentication status is crucial — if there’s an issue with these records, you’ll need to fix it quickly in order to stay in the inbox. Monitoring can be done through free tools, like like Valimail’s DMARC Monitor or Postmark’s DMARC tool. One thing to remember: ESPs occasionally update their configurations or authentication requirements. When they do so, you may need to update your records to ensure emails remain authenticated and secure.
How to check your SPF + DKIM settings
Verifying the correct implementation of SPF and DKIM is quite simple to do. For Gmail users, you inspect your email’s authentication status with just a few steps:
1. Send yourself a test email, and open it in your Gmail inbox. (This also works if you use Google Workspace.)
2. Select the three dots in the email’s upper-right corner to access more options.
3. Choose “Show Original” to view the email’s detailed headers and authentication results.
4. Look for the PASS status next SPF and DKIM. If you see PASS next to both, you’ve set up both correctly. (A status of FAIL would mean you’ve got errors to correct.)
There are other free tools that can help you verify authentication, too. A free tool like AboutMy.Email, for instance, allows you to send a test email to their system, and within about a minute, it’ll tell you if there are authentication errors you need to correct.
If you’re struggling with authentication, a free service like Let’s Authenticate the World can help you fix errors and make sure you’re set up correctly to send email.
Good deliverability involves more than just SPF and DKIM
SPF and DKIM aren’t just tools for safeguarding sender reputation; they’re foundational elements for ensuring that emails are delivered as intended. With spam threats and phishing on the rise, it’s increasingly important to deploy SPF and DKIM to keep your email communication secure.
But don’t stop with SPF and DKIM. There are a few other steps you should take.
Make sure you set up DMARC — Any sender, even if you’re just sending a few thousand emails, should set up DMARC for their domain. (In most cases, Gmail and Yahoo require it in order to deliver emails.) Here’s our guide to setting up DMARC.
Keep your email lists clean — Don’t send emails to readers who aren’t opening and engaging. Building out a winback series, like this, and regularly removing inactive users from your list is a must.
Monitor your spam complaint rates — As part of the new requirements from Gmail and Yahoo, all senders should maintain a low rate of spam complaints — something below 0.1% per send. Going above 0.3% would be a huge red flag. Track complaints using tools like Google Postmaster — it’s easy to set up, and tutorials like this can walk you through the process.
Don’t act like a spammer — If you’re sending unwanted email, utilizing shady subject lines, or sending to readers who didn’t specifically opt in to your newsletter, you might already be acting like a spammer — at least in the eyes of the inbox. Here are 25 things to fix to improve your sending strategy.
There’s a lot to do to make sure you stay in the inbox. The good news: All of these tasks, from basic SPF and DKIM authentication to more advanced deliverability strategies, are things that any sender, big or small, can implement.