
Navigating the SPAM protection sandwich

spam protection for your domain and email

Ever experienced spam? Not the porky canned goodness. The all-too-annoying scams and unwanted content that get flung around the interwebs.
What’s even worse is when your own legitimate emails get blocked as spam. Whether you’re sending from your email client or your website, let’s break down how to ensure your emails get delivered on time, straight to the recipient’s inbox.

Spam protection starts with your domain

Your domain is your sender reputation, so you need to protect it both from spam AND from being seen as a spam sender.
We start by understanding SPF, DKIM, and DMARC: the essential email authentication protocols that protect your domain. Ensuring the authenticity and integrity of your messages is crucial.

This is where email authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) come into play. Grab a cuppa and let’s explore these protocols and their significance in safeguarding your email integrity… and how to add them.

Where do these records go?

All of these protocols are added to your domain’s DNS. That’s the Domain Name System, and it’s the phonebook of the internet. It communicates who you are and how to reach you.

You control these settings through your domain registrar. You log in to your domain account, open the specific domain and then add the appropriate DNS records. When we are talking about spam protection, these are either CNAME or TXT records. CNAME records point one hostname at another, and TXT records contain information about your domain that tells external mail servers how to handle outgoing email and requests from your domain. A DNS record is broken up into 2 or 3 parts depending on your domain registrar: the Hostname (or Host), the Alias (or Value or Target), and an optional TTL field. TTL stands for Time To Live and tells resolvers how long to keep the record cached before they recheck whether the information has changed. It can be given in minutes or seconds. A record looks something like the below.

 Name or Host                  Type          Value or Target   TTL (optional)
 @ or example.yourdomain.com   TXT or CNAME  something.com     5 min

SPF specifies who can use your domain to send emails

SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing and unauthorized use of your domain’s identity. SPF relies on DNS (Domain Name System) records to publish a list of authorized sending mail servers for a specific domain. When an email is received, the recipient’s mail server checks this SPF record to verify if the sender (and this could be your website or email client) is authorized to send emails using your domain. These records specify the allowed IP addresses or hostnames that can send mail for a domain, reducing the risk of spam or fraudulent messages.

Your SPF record is normally something simple like “v=spf1 include:_spf.google.com ~all” if you use Google Workspace, or “v=spf1 include:spf.protection.outlook.com” if you use Microsoft Outlook. Your email provider will have documentation on exactly what this record should be. This isn’t always the only thing you want to specify.

To enhance the effectiveness of SPF, you can add additional parameters to the SPF record. These parameters include:

  • “+all” or “-all”: Specifies the policy for handling mail that fails the SPF check. “+all” means all sources are allowed, while “-all” indicates that only explicitly authorized sources are allowed. The “~all” used in the examples above is a soft fail: unlisted sources are flagged as suspicious rather than rejected outright.
  • “include”: Allows you to include additional domains or IP addresses in the SPF check by referencing their SPF records.
  • “redirect”: Redirects the SPF check to another domain’s SPF record.

Say you want to add the IP address of your website server, which is 12.34.56.789, to your SPF record. You would take your existing record and add the address with ip4: in front of it. So you would end up with ip4:12.34.56.789

What if you want to authorise another domain, like example.com? You preface that domain with include: and then type the domain. For example: include:example.com

To put these all together, say you started with “v=spf1 include:_spf.google.com ~all” as your record. You would then end up with “v=spf1 include:_spf.google.com include:example.com ip4:12.34.56.789 ~all”

Remember, there can only be a maximum of ONE SPF record on a fully qualified domain at a time. So yourdomain.com can only have one. If you also have a subdomain like example.yourdomain.com, then likewise it can only have one SPF record attached to it.
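The SPF rules above (one record per name, ip4/include/redirect terms, the +/-/~ qualifiers on all) are easy to get subtly wrong before you publish. Below is an added example, not code from the original post, that parses an SPF record, flags typos such as an IP octet above 255 or a second SPF record on the same name, and evaluates whether a given sending IP would pass. It assumes a small constructed dictionary of TXT records in place of a real DNS lookup; the domains and addresses in it are placeholders, not real hosts.

```python
"""Added example: parse, sanity-check and evaluate an SPF TXT record.
Assumption: FAKE_DNS_TXT is a constructed stand-in for DNS; names and IPs
below are placeholders (TEST-NET ranges), not real infrastructure."""
import ipaddress
import re

# Constructed DNS data: name -> list of TXT strings published at that name.
FAKE_DNS_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.example-mail.test ip4:203.0.113.10 ~all"],
    "_spf.example-mail.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "broken.test": ["v=spf1 ip4:12.34.56.789 -all"],          # octet 789 is invalid
    "twice.test": ["v=spf1 -all", "v=spf1 ip4:203.0.113.5 -all"],  # two records: invalid
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(name, dns=FAKE_DNS_TXT):
    """Return the single SPF record at a name; raise if there are zero or several."""
    records = [t for t in dns.get(name, []) if t.lower().startswith("v=spf1")]
    if not records:
        raise ValueError(f"no SPF record at {name}")
    if len(records) > 1:
        raise ValueError(f"{len(records)} SPF records at {name}; only one is allowed")
    return records[0]


def parse_spf(record):
    """Split a record into (qualifier, mechanism, value) tuples plus a redirect target.

    Raises ValueError for a bad ip4/ip6 value or an unrecognised term, which is
    the check you want before saving the record at your registrar.
    """
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    mechanisms, redirect = [], None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        m = re.fullmatch(r"([+\-~?]?)(all|include|ip4|ip6|a|mx)(?::(.+))?", term, re.I)
        if not m:
            raise ValueError(f"unrecognised SPF term: {term!r}")
        qual, mech, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)  # raises on 12.34.56.789
            if net.version != (4 if mech == "ip4" else 6):
                raise ValueError(f"{mech} given a non-matching address: {value}")
            value = net
        elif mech == "include" and not value:
            raise ValueError("include needs a domain")
        mechanisms.append((qual, mech, value))
    return mechanisms, redirect


def spf_problems(name, dns=FAKE_DNS_TXT):
    """Pre-publication check: list the problems with the SPF record(s) at a name."""
    try:
        parse_spf(get_spf_record(name, dns))
    except ValueError as exc:
        return [str(exc)]
    return []


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result for sender_ip: pass, fail, softfail or neutral."""
    if depth > 10:  # RFC 7208 caps lookups at 10; also guards against include loops
        raise ValueError("too many include/redirect lookups")
    ip = ipaddress.ip_address(sender_ip)
    mechanisms, redirect = parse_spf(get_spf_record(domain, dns))
    for qual, mech, value in mechanisms:
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in value
        elif mech == "include":
            # An include only matches when the included domain's check returns pass.
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        # 'a' and 'mx' need A/MX lookups; the constructed DNS has none, so they never match here.
        if matched:
            return QUALIFIER_RESULT[qual]
    if redirect:
        return check_spf(sender_ip, redirect, dns, depth + 1)
    return "neutral"


if __name__ == "__main__":
    for name in FAKE_DNS_TXT:
        print(name, "->", spf_problems(name) or "ok")
    print(check_spf("203.0.113.10", "yourdomain.com"))  # listed directly: pass
    print(check_spf("192.0.2.1", "yourdomain.com"))     # unlisted, ~all: softfail
```

Run it as a script to see the checks applied to the constructed records; swap FAKE_DNS_TXT for a real TXT lookup (for example via dnspython) to check your own domain.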

DKIM adds a digital signature for authentication

DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing emails. It uses public-key cryptography to verify the authenticity and integrity of your messages and emails. When an email is sent, the sender’s mail server signs the email with a private key. The recipient’s mail server then uses the corresponding public key, published in the DNS, to validate the signature. DKIM ensures that the message has not been altered or intercepted during transit and provides proof of the sender’s domain.

DKIM records are normally a long string provided by your email client or sending platform. Email clients could be Google or Microsoft. Sending platforms could be Sendgrid, Mailgun or Postmark.

They look something like this:

“k=rsa; t=s; p=MIGf…long string of letters and numbers…AQAB”

Insert this as a TXT record on your domain. Do this by selecting TXT as the record type, and entering the string you were given into the Content field.

You will also be provided with a specific subdomain to use. Something like:

“something._domainkey”

Enter this subdomain in the “Name” field.

If your provider gives you a fully-qualified name that ends with your domain name, DO NOT include your domain name in the “Name” field when you add the TXT record. So for example, if you’re given example._domainkey.yourdomain.com, only enter example._domainkey in the “Name” field.

DMARC enables you to define how you receive emails and check for spam

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a comprehensive email authentication protocol that builds upon SPF and DKIM. It enables domain owners to define policies for how receiving mail servers should handle emails that fail authentication or spam checks. DMARC records are published in the DNS and specify what you want done with emails that fail the SPF or DKIM checks. They are added as a TXT record.

They look something like this:

“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com”

You will also be provided with a specific hostname to use. Something like:

“_dmarc.hostname.com”

Enter the subdomain part of the hostname in the “Name” field. Remember, don’t add your domain into this section. The subdomain is everything to the left of your domain name.

So what do all these things mean? So happy you asked. p = policy. pct = percentage of emails the system will check. rua = who gets emailed the report about blocked messages.
The three main policies within DMARC are:

  • “None”: The DMARC policy is set to “none” when a domain owner wants to monitor email authentication failures but take no specific action to block these emails.
  • “Quarantine”: When the DMARC policy is set to “quarantine,” emails that fail authentication checks may be delivered to your spam or quarantine folder.
  • “Reject”: The “reject” policy instructs receiving mail servers to reject emails that fail authentication, ensuring they don’t even reach the recipient’s inbox.

Changing the pct (percentage) is an optional setting that tells the receiving system what proportion of the emails it receives will be checked. 0 means none will be checked, and 100 means all will be checked. This setting can be adjusted depending on how aggressive you want your spam checking to be.

Finally, rua sets who gets emailed a report about blocked messages, and about emails failing and passing the spam check. You can add multiple email addresses to this record; just make sure you prepend mailto: to each address you add. So example@domain.com becomes mailto:example@domain.com
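Both the DKIM and DMARC sections above come down to the same two tasks: typing the right thing into the registrar’s “Name” field (strip your domain if the provider gave you a fully qualified name) and publishing a tag=value string whose fields are valid. Below is an added example, not code from the original post, that does both: it parses the DKIM and DMARC record syntax, validates the tags discussed above (key type and public key for DKIM; v, p, pct and rua for DMARC), and computes the Name field. The selector, domain, mailbox and truncated public key values are constructed placeholders.

```python
"""Added example: DKIM/DMARC record validation and DNS Name-field handling.
Assumption: all names, addresses and the public key below are constructed
placeholders; the key is a truncated stand-in, not a real key."""
import re


def parse_tags(record):
    """Split 'k=v; k2=v2' (the DKIM/DMARC tag-value syntax) into a dict.
    Tag names are case-insensitive; values keep their case (keys, addresses)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dns_name_field(fqdn_or_label, your_domain):
    """Return what to type in the registrar's Name field.
    If the provider handed you a name ending in your domain, drop the domain
    (the registrar appends it for you); otherwise use the label as given."""
    suffix = "." + your_domain.lower()
    if fqdn_or_label.lower().endswith(suffix):
        return fqdn_or_label[: -len(suffix)]
    return fqdn_or_label


def validate_dkim(record):
    """Check a DKIM TXT record carries a usable public key; return the tag dict."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1 if present
        raise ValueError("v must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unknown key type {tags['k']!r}")
    if not tags.get("p"):
        raise ValueError("p= (public key) is empty; an empty p means the key is revoked")
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        raise ValueError("p= must be base64 (no spaces or line breaks)")
    return tags


DMARC_POLICIES = ("none", "quarantine", "reject")


def validate_dmarc(record):
    """Check the DMARC tags the post discusses (v, p, pct, rua).
    Returns {'policy', 'pct' (int), 'rua' (list of mailbox addresses)}."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = parse_tags(record)
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError(f"p must be one of {DMARC_POLICIES}")
    pct = int(tags.get("pct", "100"))               # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    reports = []
    for uri in tags.get("rua", "").split(","):     # several addresses are comma-separated
        uri = uri.strip()
        if not uri:
            continue
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"rua entry {uri!r} must start with mailto:")
        reports.append(uri[len("mailto:"):])
    return {"policy": tags["p"], "pct": pct, "rua": reports}


def record_problem(validator, record):
    """Return the validation error message for a record, or None if it is fine."""
    try:
        validator(record)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample records (placeholder key and mailbox).
SAMPLE_DKIM = "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholderAQAB"
SAMPLE_DMARC = "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"

if __name__ == "__main__":
    print("DKIM Name field:", dns_name_field("example._domainkey.yourdomain.com", "yourdomain.com"))
    print("DMARC Name field:", dns_name_field("_dmarc.yourdomain.com", "yourdomain.com"))
    print("DKIM problem:", record_problem(validate_dkim, SAMPLE_DKIM))
    print("DMARC parsed:", validate_dmarc(SAMPLE_DMARC))
```

Paste the exact strings your provider gave you into SAMPLE_DKIM and SAMPLE_DMARC and run the script before saving the records; a non-None problem string tells you what to fix first.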

So what now?

To recap, the SPF, DKIM, and DMARC protocols are crucial for securing and authenticating your email communication and preventing unauthorized use of your domain. SPF verifies the sending server’s authority, DKIM adds digital signatures for message integrity, and DMARC provides policies for handling failed authentication. You should now know what each element is, how to correctly configure these protocols, and how to add these settings to your domain so your emails and domain are protected from spam and don’t get blocked.

Happy emailing 🙂