DMARC, DKIM, SPF...oh my!!

You have likely received emails about changes that services like Google and Yahoo made that will affect the messages you send from your business. Here’s our summary of frequently asked questions about this topic.

• What is this all about?

• Do I need to make any changes?

• What should everyone be doing?

• What things should I know before starting?

• What should I know about setting up a DMARC?

• Additional information and resources

What is this all about?

It can cause irreparable reputational damage if a spoofer imitates a brand's domain to scam recipients. Newly enforced security will cull the number of spam emails and will reduce spoofing attempts too. Though these changes can be confusing to understand (especially in terms of what you need to do…which hopefully this article will help with!), this is good news overall.

Like physical mail sent via the post office, someone could send you a letter and forge the sender's name on the envelope and the letter itself. The same is possible for email. We've seen stats that say most network attacks originate through email. To better protect against fraud, SPF, DKIM, and DMARC were introduced. Starting in 2024, companies like Gmail and Yahoo will be helping to reduce these issues, and spam in general, by enforcing email requirements.

This affects every business and every person who receives emails.

Do I need to make any changes?

If you don’t already have things setup, then yes. Though this is primarily a measure that affects bulk senders, you might be amazed to hear who is considered a bulk sender. Any emailer who sends over 5,000 emails per day to a specific service (like Google Mail) is considered a bulk sender. Some of our clients fit this classification with each marketing email they send, so it's a no-brainer for them to review their setup and make changes. However, the transactional emails you send also count. So, order and shipping notifications, customer service emails, etc. also count toward your 5.000 emails per day. Others, however, should also make changes since these guidelines are now considered a best practice for email sending. 

From what we have heard, you could still see emails blocked/filtered as spam if you don’t have the requirements implemented. Based on our research, all businesses that send any emails are affected in some way.

• If you send less than 5,000 emails per day (newsletters, order notifications, etc), you should be using email from your domain (avoid sending from @gmail.com or @yahoo.com accounts) and you're required to authenticate your domain via DKIM;

• If you send more than 5,000 emails per day, you must start using a custom domain and you're required to have DKIM, SPF and DMARC records in place.

Additionally, if you send newsletters to your email subscribers, they are requiring that your emails include a one-click unsubscribe option. From what we have seen, newsletter platforms like Klaviyo, Flodesk, Shopify and Squarespace are taking care of this for you. We highly recommend reviewing your platform and what they implemented (so that you know what your email subscribers will be experiencing).

Important note: Mistakes to your setup (like an errant space or making something too strict) can result in messages being rejected or sent to spam too, so it’s important to get things as right as possible and make corrections quickly should you find issues.

What should everyone be doing?

1. Set up a branded sending domain and align your 'from' address with your branded domain (don't use generic emails like mybusinessname@gmail.com)

2. Verify your domain via DKIM and SPF

3. Have A DMARC record set up and at least set it up to p=none

4. Make it easy to unsubscribe (one-click unsubscribe button is the requirement)...some bulk email sending companies are doing this automatically

5. Keep spam complaints low (below 0.3%)

The importance of the spam complaint percentage is relative! If you send 1,000 emails and over 30 are marked as spam, then you have a problem beyond the blocking of your emails from service providers.

What things should I know before starting?

• Know your domain registrar and make sure you have access to make updates to your DNS there. If you don’t remember where you purchased your domain, you can look this up here.

• Know which services send email on your behalf, the most obvious being your email marketing provider but also consider other services, like your billing provider. Some common ones we have seen with our clients include Google Workspace, Shopify, Klaviyo, and Flodesk.

• Know a few definitions that will come in handy to understand…

• SPF: Defines a list of authorized servers that are allowed to send emails on behalf of your domain. SPF stands for Sender Policy Framework. These are the servers I send messages from. If it says it's from me but comes from somewhere else, it's likely fake. 

• DKIM: This adds a digital signature to messages allowing receivers to verify that mail hasn’t been tampered with during transit. DKIM stands for DomainKeys Identified Mail. This is my signature, if it's not on the email, it probably didn't come from my server.

• DMARC: This trains servers (like Google Mail, Yahoo Mail, etc) with what to do with email that is or isn't authenticated. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. If I get mail that doesn't match the SPF or DKIM, here's what I should do with it

SPF and DKIM are responsible for spotting potential problems with an email and DMARC can be used to tell email servers what to do with problematic emails.

What should I know about setting up a DMARC?

Setup is relatively easy for this! The most basic version is to sign into your domain registrar and add the following entry to your DNS records:

Type:
TXT

Host or Subdomain: 
_dmarc

Value: 
v=DMARC1; p=none;

Setup of a DMARC record with the policy of 'none' tells the email servers to not take any action. This should suffice for most needs!

With a bit more info added to the DMARC, you can have the email companies send you or a service a report of what it did that day! We tried this at first by having the following DMARC entry:

v=DMARC1; p=none; rua=mailto:ouremail@randrcreativeco.com; pct=100; adkim=r; aspf=r

Unfortunately, the daily reports were sent in a format that isn't human friendly. To make this better, we signed up for a service (valimail.com, which we and Klaviyo recommend…the free version will be enough for most of us). After signing up, we only needed to update a part of the TXT line above (so that the reports were sent to valimail instead of us). Now we are compliant and can also check in on what is happening with our email sends.

If you are curious, here is what all the different parameters in the DMARC entry mean.

Additional information and resources

• Reviewing DNS Records
  Anyone can review any domain's DNS records online. This can help if you aren't sure what to do! Here is one such service.

• Reviewing DMARC
  You can see what other services see as your DMARC by using this DMARC Inspector (you can also learn from other DMARC setups this way).

• Email Address
  If you change your email address, be sure to update your email in all the services you use…and to update this in all the right places. Klaviyo example: You need to change the default email sender AND change all of your flows and campaigns to mention this new default email address.

• List Cleaning
  To keep your spam complaints to a minimum, practice regular list cleaning. Not only can this reduce your email marketing costs (since most charge based on number of contacts or number of emails sent), you will also reduce unsubscribes and spam complaints by only sending to engaged recipients.

• More About All Of This
  We have found this Flodesk info page to be the most understandable and it includes several links to help with getting your SPF and DMARC setup on different registrars (like GoDaddy and NameCheap). Klaviyo’s version of this is fairly succinct and helpful too. It’s sometimes helpful to go to the source too, so here is what Google says about all this.

Couldn’t find the answer to your question? Please don't hesitate to reach out. You've got this!