SPF and DKIM can be a daunting subject, so we wanted to explain in simple language what this authentication is all about and why it is so important.
Do you trust Elastic Email to send your emails for you? Of course you do. More importantly, though, do your recipients and their mail servers trust Elastic Email to send emails on your behalf? Prove it by setting up your SPF and DKIM in the domain validation process. Having SPF and DKIM properly configured identifies which mail servers are authorized to send mail for your domain. It's like you are authorizing (trusting) Elastic Email to send emails directly from your domain.
It’s about email deliverability, so please check this out! Deliverability depends on your domain’s reputation. Setting SPF and DKIM records for your domain will help to protect your domain’s good reputation, which in turn improves your email delivery. So let’s get down to the basics:
SPF? What the heck is it?
In easy terms, SPF (Sender Policy Framework) is a security mechanism created to help prevent fraudulent sending on your behalf - others sending emails pretending to be you. It controls communication between the mail servers, ours and your recipients'.
Let’s try to keep this as simple as possible. You send an email to one of your friends - if you haven’t included Elastic Email in your SPF on your DNS server, your friend’s mail server won’t be able to recognize that it is actually sent by you. SPF designates which IP addresses you’ve given permission to send emails from your domain.
It’s all about the conversations - if you send an email and you don’t have your SPF set up, the receiving server will not recognize the IPs as permitted and the delivery may be denied. Let’s walk through some simple steps to highlight what is happening:
1. You send an email from yourdomain.com through Elastic Email to firstname.lastname@example.org.
2. Gmail receives the email from one of our servers' sending IP addresses.
3. Gmail checks that the IP address it received the email from is permitted to send for yourdomain.com. This is done by querying the DNS records of yourdomain.com for an SPF record containing the IP address it received the email from. Listing every IP address is obviously not very convenient, so the SPF record supports an include mechanism that points to another SPF record to check, in our case _spf.elasticemail.com. This SPF record contains all of our sending IP addresses, including the one that delivered your email to email@example.com.
4. Depending on whether the sending IP address matched in Step 3, the email could be either accepted, junked or bounced.
SPF? How do I set it up?
You will want to include Elastic Email’s SPF in your SPF record - this is the trust part. You need to log into your domain’s DNS settings for this step. You will create a TXT record as follows:
Host/Name: @ (yes you put the @ symbol here under the host or name category)
Value: v=spf1 a mx include:_spf.elasticemail.com ~all
You can check to see if you have an existing SPF record or not as you are only allowed to have one. A couple of third-party SPF checkers are:
These tools will run some diagnostics and show your current SPF record; if it hasn’t been set yet, you will see a notification indicating this. Elastic Email will only validate your domain if you have correctly included our SPF record.
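The check Gmail performs in the steps above, and the one-record rule, as an added example (not Elastic Email's code). It evaluates the record from this page against a constructed DNS table; every IP address and the domain twice.example are assumptions, and only the a, mx, ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation IP ranges); not Elastic Email's real records.
ZONE = {
    ("yourdomain.com", "TXT"): ["v=spf1 a mx include:_spf.elasticemail.com ~all"],
    ("yourdomain.com", "A"): ["192.0.2.10"],
    ("yourdomain.com", "MX"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["192.0.2.25"],
    ("_spf.elasticemail.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("twice.example", "TXT"): ["v=spf1 -all", "v=spf1 mx ~all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def check_spf(ip, domain, depth=0):
    """Evaluate a subset of SPF (a, mx, ip4, include, all) for one sending IP."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                   # no SPF published
    if len(records) > 1:
        return "permerror"              # only one SPF record is allowed
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            match = True
        elif name == "ip4":
            match = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            match = ip in lookup(arg or domain, "A")
        elif name == "mx":
            match = any(ip in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif name == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            match = inner == "pass"     # only a pass of the included record matches
        else:
            return "permerror"          # mechanism outside this example's subset
        if match:
            return RESULT[qualifier]
    return "neutral"
```

An address inside the included range passes, an unlisted address falls through to `~all` and gets a softfail, and a domain publishing two SPF records returns permerror regardless of the sender.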
If you’re struggling with setting this up, some of our customers have contacted their hosting provider for help. You can always contact us and we will run through the step by step process with you. If you run into any issues with validating SPF, you will find helpful hints here.
DKIM? Explain please?
DKIM (DomainKeys Identified Mail) is a security standard that is similar to SPF in that its purpose is to prevent impersonators from sending emails pretending to be you. It’s a second method to help recipient servers check if the sender is actually you or not.
The process involves encrypting and decrypting headers in your email. There are two keys - a private key and a public key.
- Private key - this key is used by Elastic Email to encrypt the header. Only the public key can successfully decrypt a header that was encrypted by this private key.
- Public key - the key that we ask you to add to your domain’s DNS records. The recipient servers retrieve this key to decrypt the header. When we refer to setting DKIM, it means adding this public key to your server’s records. If this key is not present or is incorrect in your DNS, the recipient server cannot successfully decrypt the header and DKIM will fail.
When set up correctly, this authentication process allows the recipient servers to confirm that the email they received did in fact come from you.
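The private-key and public-key flow described above, as an added example that is not Elastic Email's code: in DKIM the private-key step is a digital signature over a hash of the selected headers, which the recipient checks with the public key from DNS. The toy RSA key, the selector `sel1` and the sample headers are constructed assumptions, and real DKIM's body hash and canonicalization are left out.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so no third-party library is needed.
# Textbook RSA without padding: an illustration only, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the sender

# Constructed DNS: the public key the recipient fetches (selector is hypothetical).
DNS = {"sel1._domainkey.yourdomain.com": {"n": N, "e": E}}

# Constructed sample message headers.
HEADERS = {"From": "you@yourdomain.com", "Subject": "Hello"}

def digest(headers, signed):
    """SHA-256 over the signed header fields, in the listed order, as an integer."""
    data = "".join(f"{h.lower()}:{headers[h].strip()}\r\n" for h in signed)
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign(headers, signed, domain, selector, d=D, n=N):
    """Sender side: sign the header digest with the private key."""
    return {"d": domain, "s": selector, "h": signed,
            "b": pow(digest(headers, signed) % n, d, n)}

def verify(headers, sig, dns=DNS):
    """Recipient side: fetch the public key from DNS and check the signature."""
    key = dns.get(f"{sig['s']}._domainkey.{sig['d']}")
    if key is None:
        return "fail: no key in DNS"
    expected = digest(headers, sig["h"]) % key["n"]
    if pow(sig["b"], key["e"], key["n"]) != expected:
        return "fail: signature mismatch"
    return "pass"
```

A missing DNS key and an incorrect one both end in a DKIM failure, as does any change to a signed header after signing.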
DKIM? How do I set it up?
Again, you will log into your domain’s DNS settings for this step. You will create a TXT record as follows:
If you run into any difficulties with setting these records, you are welcome to contact us.
We have also made changes that allow you to validate an email address associated with your domain if you do not have the technical expertise required to validate SPF and DKIM fully on your account. However, the best choice is always to go through the work to validate your domain fully. This will improve your delivery and reputation. If you are interested in this new email address verification option and it’s not already available on your account, please contact us.