Email Authentication & what you need to know about DMARC, DKIM & SPF
Are your emails not going through? Have your customers said that they never got your email, or that it keeps landing in their spam folder? It is likely because the receiving providers (Gmail, Yahoo, AOL, Google Apps, and Microsoft Office 365 among them) could not authenticate the message as genuinely coming from your domain, and either their own filtering or your domain's DMARC policy told them to quarantine or reject it.
Email authentication requirements have ramped up in recent years, and for good reason. In 2019, 55% of all email sent was SPAM! Yikes. If you get a ton of scams and spam emails in your inbox every day, you’ll eventually change to a different email provider, right? Email providers want to keep you as a customer, so they add extra security to help keep your inbox free of SPAM via 3 things: DKIM, SPF, and DMARC. We’ll talk more about what those are later, so don’t get bogged down in acronyms.
When you send emails to your customers, you have to make sure that your email passes these email security tests. That applies to everywhere you send an email, including:
- Your email provider: Google Apps, Microsoft Office 365, Gmail, or Yahoo.
- Newsletter / email marketing: MailChimp, SendinBlue, HubSpot, or Constant Contact.
- CRM tool: Do you use sales software to send or receive CRM or new lead emails? Like HubSpot or PipeDrive?
- Recruiting tool: How about a recruiting tool where you send/receive emails from within the software to new applicants?
- Support Tickets: How about sending emails through a support ticketing system that sends emails from your domain on your behalf to and from customers to answer questions or solve problems? Examples include FreshDesk or ZenDesk.
- Review Request Tool: Do you have a review system that sends emails to customers asking them to review your company online? Are those emails set up to send from your email address or any email at your domain? Some of the popular ones include Podium, TrustPilot, and GatherUp.
- Website form notifications: Do you get an email every time someone fills out your website’s contact form? That email is sent through your website as a notification, does it come from an email at your own domain? You may also have email confirmations automatically sent to form submitters.
How Do DMARC, DKIM, and SPF Work?
Email spammers can fake the email address that they’re sending from to pretend to be a person or business you are familiar with. For example, a scammer may pretend to be your bank or facebook.com to try to get you to click on a fake link and enter your login details to a fake form. Scary, right? That’s why email clients take authentication seriously!
Email authentication via DMARC, DKIM, and SPF makes it harder for spammers to fake that email address. Let’s use Gmail as an example. When I (from my jollity.io email) send an email to your Gmail account, Gmail looks up the public DNS (Domain Name System) records that jollity.io has published and, in effect, asks
“Hey, I just got this email from this server claiming to be @jollity.io. Is that server on the list jollity.io published (SPF), and does the signature on the message check out against the public key jollity.io published (DKIM)?”.
Nobody at my DNS provider answers that question; the records do. Gmail compares the sending server’s IP address against the SPF record and verifies the DKIM signature with the key in DNS, and the result is either
“Yep, that checks out, go ahead and deliver it”
“NO WAIT! That server isn’t on the list and the signature doesn’t verify! That is suspicious! Send it to SPAM!”
OR, if my DMARC record says so, “DON’T deliver it at all!”
In the above scenario, SPF and DKIM both tell Gmail (or your email server) whether the email really comes from the domain it claims. DMARC ties the two together and gives Gmail instructions: it requires that the domain that passed SPF or DKIM matches (“aligns with”) the domain in the From: address your recipient actually sees, and it says what to do when neither check passes and aligns: p=none (deliver, but send the domain owner a report), p=quarantine (spam folder), or p=reject (don’t deliver). Think of it as having a fancy alarm system with a fingerprint scanner for your email inbox: nobody gets in unless they’re authenticated.
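To make the Gmail walk-through above concrete, here is an added example (not code from the original post, and not how Gmail is actually implemented) that evaluates SPF and a DMARC policy the way a receiver does, against a constructed DNS table instead of live lookups. The jollity.io records, the IP ranges, and the hypothetical newsletter domain bounce.example-esp.net are all made up for the example; the DKIM signature check is reduced to a true/false flag because verifying a real signature needs the sender’s key, and the “organizational domain” helper is a toy version of what receivers do with the Public Suffix List.

```python
"""Offline SPF + DMARC evaluation against a constructed DNS table.

Added example; FAKE_DNS stands in for the TXT records a receiver such as
Gmail would fetch from public DNS.  The DKIM check is simplified to a flag.
"""
import ipaddress

# Constructed records (not real jollity.io DNS).
FAKE_DNS = {
    "jollity.io": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "bounce.example-esp.net": "v=spf1 ip4:192.0.2.0/24 ~all",  # hypothetical ESP
    "_dmarc.jollity.io": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@jollity.io",
}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying terms per SPF evaluation
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookups=None):
    """Return the SPF result for a connecting IP claiming MAIL FROM @domain."""
    lookups = [0] if lookups is None else lookups
    record = FAKE_DNS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups: the whole check fails
            matched = check_spf(mech[8:], client_ip, lookups) == "pass"
        else:
            continue  # a/mx/ptr/exists need live DNS; not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(from_domain):
    """Fetch and parse _dmarc.<domain>; None if no usable record."""
    tags = {}
    for part in FAKE_DNS.get("_dmarc." + from_domain, "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    """Toy organizational domain: last two labels (real receivers use the PSL)."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain == authenticated_domain
    return org_domain(from_domain) == org_domain(authenticated_domain)


def dmarc_disposition(from_domain, client_ip, mail_from_domain, dkim_domain, dkim_valid):
    """Decide what a receiver does with a message whose From: is @from_domain."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "deliver (no DMARC record: SPF/DKIM only influence spam scoring)"
    spf_ok = (check_spf(mail_from_domain, client_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_ok = dkim_valid and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver (DMARC pass)"
    return {"none": "deliver (DMARC fail, p=none: report only)",
            "quarantine": "spam folder (p=quarantine)",
            "reject": "do not deliver (p=reject)"}[policy.get("p", "none")]


if __name__ == "__main__":
    # 1. my own mail server, DKIM-signed with d=jollity.io
    print(dmarc_disposition("jollity.io", "203.0.113.5", "jollity.io", "jollity.io", True))
    # 2. a spammer forging @jollity.io from an unlisted server, no signature
    print(dmarc_disposition("jollity.io", "192.0.2.9", "jollity.io", "", False))
    # 3. an ESP whose own bounce domain passes SPF, but is not aligned with From:
    print(dmarc_disposition("jollity.io", "192.0.2.9", "bounce.example-esp.net", "", False))
```

Scenario 3 is the one that surprises people: the newsletter service’s server is legitimately listed in its own SPF record, so SPF “passes”, yet the message is still rejected because the domain that passed is not the domain in the From: header. That is exactly why the provider set-up steps later on ask you to publish their SPF include and DKIM key under your own domain.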
Example of blocked emails
Ok, I’m done with all this technical lingo. How do I fix this?
The solution, of course, is never simple! How annoying, right? Keep in mind that all this mumbo jumbo exists to protect you and your email recipients against scammers and spam, so direct your anger towards those scam creeps :-). How you set up authentication so that your emails reach your recipients depends on which type of email you’re trying to fix. I covered a few basics below. For other providers, you’ll want to search their knowledge base or contact them directly. Or if you don’t want to mess with any of this, reach out to us at Jollity via chat, support ticket (existing clients), or email and we’ll help you get it set up.
Google Apps has a pretty straight-forward set of instructions on authenticating for DMARC. Before you get started, make sure you have current access to:
- Your domain registrar or host, whoever manages your DNS records. Don’t know? If you host with Jollity, just email or chat to us, we’ll help you out. If you do not host with us, you can try tools like https://mxtoolbox.com/. However, their results can be a little technical and confusing, and haven’t you already had enough technical lingo for one day?
- Your Google Apps account, administrator-level (technically “super admin,” but just use the same user who created the account and that has the access you need).
Follow these instructions for Google Apps:
- DKIM: https://support.google.com/a/answer/174126?hl=en
- SPF: https://support.google.com/a/answer/33786?hl=en DANGER HERE: These instructions say “if you have an SPF record, remove it.” That is NOT accurate!!! If you have already set up a valid SPF record for an email marketing provider or another 3rd party service, you do NOT want to delete it: a domain may only have one SPF record, so the right move is to add Google’s include:_spf.google.com mechanism to the record you already have. The complexity here requires another few blog posts to explain.
Microsoft Office 365:
Follow these instructions for Microsoft Office 365 email:
- DKIM: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
- SPF: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide
If you host with us (Jollity managed WordPress hosting), on the business plan or above you have nothing to worry about as your website’s emails now come from an email address that is authenticated automatically. Hallelujah! If on the freelancer plan (our introductory tier), unfortunately, the new server perks don’t apply. If you don’t host with Jollity, then SendGrid could be a great option to consider. Or, my preference: switch to Jollity hosting!
SendGrid is also a great option if you want your website’s email notifications to come from your own domain. SendGrid has a free plan. https://sendgrid.com/. We are not affiliated with Sendgrid, we just like them 🙂
MailChimp provides instructions for setting up both SPF and DKIM here: https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/. BEWARE: one step of their instructions says to create a new record for SPF. THAT IS NOT ALWAYS TRUE!! The instructions MailChimp provides fail to address that you can only have 1 SPF record per domain. A domain that publishes two SPF records is treated by receivers as a permanent error, which means SPF fails for everything you send, from every service. So if you already have an SPF record in your DNS, do not create another one; add MailChimp’s include mechanism to the record you already have. A single SPF record can list many senders via multiple include terms, but keep count: SPF allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) across the record and everything it includes, and going over that limit also fails the check. It is insane to me that MailChimp doesn’t address this in their instructions, but they don’t, so be careful.
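Because both the Google and the MailChimp instructions above trip over the same one-record rule, here is an added example (my own helper, not MailChimp’s or Google’s code) that merges a provider’s “create this record” into the SPF record your domain already publishes, flags a domain that has ended up with two SPF records, and counts the DNS-querying terms against the 10-lookup limit. The two include hostnames are the ones Google and MailChimp document; verify them against each provider’s current instructions, since that is what you would publish for real.

```python
"""Merge provider SPF records into one and sanity-check the result.

Added example.  EXISTING_SPF is a constructed record for a domain already
using Google; MAILCHIMP_SPF is the record MailChimp's instructions say to
"create" (check their current docs for the include hostname).
"""

EXISTING_SPF = "v=spf1 include:_spf.google.com -all"
MAILCHIMP_SPF = "v=spf1 include:servers.mcsv.net ?all"
MAX_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _terms(record):
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]


def merge_spf(existing, provider_record):
    """Fold provider_record's mechanisms into existing, keeping a single 'all'."""
    mechanisms, all_terms = [], []
    for term in _terms(existing) + _terms(provider_record):
        if term.lstrip("+-~?") == "all":
            all_terms.append(term)
        elif term not in mechanisms:        # dedupe, preserve order
            mechanisms.append(term)
    # 'all' must be last and appear once; keep the one from your existing
    # record, since the provider's '?all'/'~all' is usually looser than yours.
    return " ".join(["v=spf1"] + mechanisms + all_terms[:1])


def lookup_count(record):
    """Top-level DNS-querying terms (includes' own lookups also count for real)."""
    count = 0
    for term in _terms(record):
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


def spf_status(txt_records):
    """Given every TXT record at the domain: 'none', 'ok', or 'permerror'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"  # two SPF records: receivers fail SPF outright
    return "ok" if lookup_count(spf[0]) <= MAX_LOOKUPS else "permerror"


if __name__ == "__main__":
    merged = merge_spf(EXISTING_SPF, MAILCHIMP_SPF)
    print("publish this single TXT record:", merged)
    print("lookups used:", lookup_count(merged), "of", MAX_LOOKUPS)
    print("two records as MailChimp's steps would leave you:",
          spf_status([EXISTING_SPF, MAILCHIMP_SPF]))
```

Run it once against your real records before touching DNS: the merged string is what you paste into the existing TXT record, and `spf_status` is the check that tells you whether following a provider’s “create a new record” step would have broken SPF for your whole domain.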
Your Next Steps
Ok, so what do you do now? Ask your email provider if SPF, DKIM, and DMARC are set up on your email account. You can also look for yourself, because all three live in public DNS: SPF is a TXT record at your domain, DMARC is a TXT record at _dmarc.yourdomain, and each DKIM key is a TXT record at selector._domainkey.yourdomain (the provider tells you the selector name). In some cases, Jollity hourly support can help you. We can help you test for and configure SPF and DKIM authentication for your website’s email sending, for Google Apps, and for many of the 3rd party email services we mentioned above.