Email Authentication in 2024: SPF, DKIM, and DMARC For Dummies

Do you have a website for your business AND do you send emails from that domain? More importantly, do you want your emails to get delivered once February hits? (Yes, the answer is yes).

NOW is the time to double-check that your email authentication for SPF, DKIM, and DMARC is configured! Not sure what those are? Then definitely read on…

Why? In February, Google and Yahoo, two of the biggest email providers, are going to STOP delivering emails that don’t have those email standards configured properly.

"Shut the front door"

This is being done to help further combat spam and spoofing. It’s also forcing legitimate businesses to finally Be Pro and set up their email authentication.

Previously, this was optional but now it will be required.

SPF, DKIM, and DMARC work together to ensure that bad actors cannot send unauthorized emails as you. Here is a “For Dummies” breakdown of how each of these works:

SPF – Sender Policy Framework – This email authentication standard is a simple list of all mail servers that are approved to send emails from your business domain. For example, if you use Google Workspace for your regular email and another CRM like Keap for automation, you would need to make sure that both Google’s and Keap’s mail servers are approved to send as your domain in your SPF record.

DKIM – DomainKeys Identified Mail – This email authentication mechanism is like SPF on steroids because it uses a secret key phrase to verify that each mail server is legitimate for your domain. Think of it like a password to get into an old speakeasy. If someone tries to get into the speakeasy without the proper password, they aren’t allowed in. Using the same examples as above, any emails that come from Google or Keap would include their secret key phrase in the header of the email. The receiving mailbox would check this key phrase for validity based on who was the sending server. If it doesn’t match, the email won’t even be delivered!

DMARC – Domain-based Message Authentication, Reporting & Conformance – This mouthful is another email authentication protocol. Your DMARC provides rejection rules and reporting that further enhances your email authentication. If SPF/DKIM is the cake, think of DMARC as the icing on top to bring it home.

Previously, these were nice to have and recommended but, again, in February Google and Yahoo are going to REQUIRE ALL OF THESE authentication methods; otherwise, they are going to flat-out reject any emails missing these pieces. They will also reject any emails with misconfigured authentication settings.

To put it bluntly, if you ignore these industry-wide email authentication requirements, your emails will not be delivered to your intended recipient(s). Period, end of story.

Only a fool would ignore these changes.

Here is the good news: getting SPF, DKIM, and DMARC configured for any domains from which you send emails is easy!

Email authentication is nerdy

Time to get into the nerdy bits…

These are all configured at the domain level, inside your Domain Name System (DNS) records. Every web domain has DNS, and it’s like the “phone book” for the various functions of a website, such as where the hosting server is, where the email servers are, etc.

There are different kinds of DNS records, but for email authentication, you typically only need to deal with two kinds.

The first kind of DNS record is a TXT type which, as the name suggests, functions as information text for the domain. Both SPF and DMARC records are simple TXT records that you can typically copy/paste. A TXT record has its Name (typically defaulted to “@”) and then the Value.

For example, because we send our emails from Keap and Amazon, the value for our SPF record looks like this:
v=spf1 a mx include:infusionmail.com include:amazonses.com ~all

In plain English, we are approving the Keap and Amazon email servers to send as Be Pro. Obviously, your SPF record will look slightly different based on how your business actually sends email. The main thing to remember is that you need to list EVERY mailing server your business uses in the SPF record (regular email, CRM, ecommerce tools, etc.). Please note there should only ever be one SPF record per domain.

Then, as another example, the value for a simple DMARC record looks like this:
v=DMARC1; p=none;

In plain English, you are using DMARC and there are no quarantine policies (yet). Over time, you may expand your DMARC record and policies, but that simple record is enough to get the job done. Please note that the Name in your TXT record for a DMARC entry should be “_dmarc” instead of the default @ symbol for best results.
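
One way to check the two TXT records described above, as an added example (not Be Pro's own code): the script audits sample TXT values for a single SPF record that lists every sender and for a valid DMARC policy. The function names, the record sets and the spf.crm.example host are constructed for illustration; no DNS lookup is made.

```python
# Added example: audit SPF and DMARC TXT values as the article describes them.
# All record sets passed in are constructed samples, not live DNS answers.
ARTICLE_SPF = "v=spf1 a mx include:infusionmail.com include:amazonses.com ~all"


def audit_spf(txt_values, required_includes):
    """Check the TXT values published at the domain apex (Name "@")."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found; only one is allowed per domain"]
    terms = spf[0].split()[1:]
    # Hosts approved through include: mechanisms (one per mailing service).
    includes = {t.split(":", 1)[1].lower() for t in terms
                if t.lower().startswith("include:")}
    problems = [f"sender not listed: include:{host}"
                for host in required_includes if host.lower() not in includes]
    if not terms or not terms[-1].lower().endswith("all"):
        problems.append("record does not end with an 'all' mechanism")
    elif terms[-1].lower() in ("all", "+all"):
        problems.append("'+all' approves every server on the internet")
    return problems


def parse_dmarc(value):
    """Split a value such as 'v=DMARC1; p=none;' into a tag dictionary."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def audit_dmarc(txt_values):
    """Check the TXT values published at the "_dmarc" name."""
    records = [v for v in txt_values if v.strip().upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return [f"expected exactly one DMARC record at _dmarc, found {len(records)}"]
    policy = parse_dmarc(records[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"missing or invalid p= policy: {policy!r}"]
    return []


if __name__ == "__main__":
    senders = ["infusionmail.com", "amazonses.com"]
    print("SPF:", audit_spf([ARTICLE_SPF], senders) or "ok")
    print("DMARC:", audit_dmarc(["v=DMARC1; p=none;"]) or "ok")
```

An empty list means the record passed every check; each string in a non-empty list names one problem to fix in DNS.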

The second kind of DNS record is a CNAME type, which is what DKIM often uses. However, we have seen a few services that also use TXT records for DKIM. While this record is a bit more technical, all you need to do is copy/paste the CNAME records that are provided by your mail services to implement DKIM. Since these records are unique per mailing service and designed to be secret, we clearly aren’t going to provide ours as an example.

Email authentication protects your brand and reputation!

With these three email authentication standards in place, you are protecting your brand AND ensuring that your emails get delivered.

Bottom line: you can tighten up your email authentication in about 15 minutes, assuming you have access to your domain’s DNS, which is usually where the domain itself is registered (GoDaddy, etc.), and proper access to your email service provider to generate DKIM records.

Not sure if you have SPF/DKIM/DMARC configured for your domains? There are many free tools online that you can use to check for the presence (or not) of these authentication mechanisms. For SPF, we will use the Kitterman SPF Query Tool and for DKIM/DMARC we use the MXToolbox Super Tool.

If you need help configuring these email authentication standards or verifying they are properly set up, please reach out via our Contact Form and we will happily consult with you 🙂
