Table of Contents:
What is SPF record
SPF record stands for Sender Policy Framework. This record will show what IP’s and hosts are allowed to send emails on behalf of your domain (if so). If there are no policies anyone can pretend to be “you” and send emails using your domain name.
How to add SPF record
In order to add SPF records, you have to add a DNS (Domain Name Service) record. Depends on your specific case:
Let’s say you have bought a domain via Namecheap registrar and pointing all records to your server. Then you have to connect to your Registrar and add new records.
I usually like to point domain names from the registrar to Cloudflare and just then add all records.
You will need to add TXT type record where the name will be your domain name
E.g. Name: example.com
If you want to send emails just from your own domain/IP then your record (value) should look like this:
v=spf1 mx a include:example.com -all
Sending emails via third parties like GetResponse and others I suggest searching their knowledge base because usually they care about customers and there will be an article about it with clear instructions. In my case
v=spf1 mx a include:_spf.getresponse.com -all
If you don’t plan to send emails via your own domain add the record below in order to stop spammers from using your brand domain name.
v=spf1 -all
Usually, I use a third-party email autoresponder, but still, sometimes I need to communicate with email subscribers “one on one” as well. This is not really possible as most third-party tools don’t have a “chat” function to send emails forwards and backward. In this case, you want to add an SPF record from your third party plus the IP of your website host. Now connect to your hosting and find out what IP address is used to host your website.
v=spf1 mx a include:_spf.getresponse.com ip4:192.168.0.2 -all
The operator “all” may be executed in four ways
-all | Fail- Servers/IP’s/domains not included in this record will not be able to send emails. Anyone who tries to send using your domain name will be rejected. (in most cases you will use this policy) |
~all | Softail- If emails are sent using this operator and servers/IP’s not included in the record, then emails still be delivered but marked. (not recommended) |
+all | Allow all servers to send an email (I don’t recommend using this in any case) |
?all | Neutral- no policy at all (don’t use unless testing) |
What is DKIM record
DKIM stands for DomainKeys Identified Email. This record validates that the company/domain has a right to send emails using special keys (public and private).
How to add DKIM record
You will need to add one TXT record to your DNS settings where “name” will be your selector and the value will be your public DKIM key.
When you’re using a third-party service then DKIM settings should be ready waiting for you to be added. Search knowledge base on how to access it and add (all instructions).
In my case, I’m using GetResponse and can’t access the private key, just a public key. So the DNS record looks like this
Name(selector): 25ba39._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoYdyGzjSszi4caBkAFgiHUCq9G9ooP62Bua78M9A0Ptr4zSYOPq+2fXqoNDbvVbkN4yGQNwGxecK3uCrSD5VMwk1DiYV99yg8mdYi5J2gftVp1sZ5mYaScO0aUy9AGkzUVWu3zl/D3azexMMOYR7MMo
What is DMARC record
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. This record is like a rule, which identifies if SPF and DKIM passed or failed and what to do next.
Image credit: https://dmarc.org/
How to add DMARC record
You will have to add a TXT record to your DNS.
Name: _dmarc
Value:
v=DMARC1; p=none; rua=mailto:webmaster@example.com; ruf=mailto:webmaster@example.com; fo=1;
There may be 3 policy configurations to this record
Monitor policy: p=none
No policy is good when you want just to monitor, gather reports and analyze.
Quarantine policy: p=quarantine
All emails which fail SPF and DKIM will be sent to the spam folder and will not reach the recipient’s “inbox”.
Reject policy: p=reject
All emails which fail SPF and DKIM will not reach the recipient at all (this is the best policy to prevent email spoofing).
rua-mailto:webmaster@example.com;
This means all aggregated DMARC reports about messages will be sent to the selected email addresses.
ruf=mailto:webmaster@example.com;
This means all failing or partially failing (SPF or DKIM) message reports will be sent to the selected email addresses.
How to test email DNS records and emails delivered
Handy links:
mail tester– to send a real email, get the email sender score and identify problems (just like in this video)
mxtoolbox– test your domain for blacklist and email DNS records
dmarcian– check email DNS records
You might also like:
