When sending outgoing emails, there are quite a few things to take into account to make sure that you are viewed as a trustworthy sender. There are some steps that should be taken to avoid your emails ending up in your customers’ spam folder. In this article we will mainly focus on DKIM and SPF records, how and why they should be added to your domain’s DNS as well as how to determine if the issues you are facing occurred in relation to this.
So, first things first: How do you know that you need DKIM and/or SPF-records? DKIM- and SPF-records are not required, but rather a recommendation as you’ll still be able to send outgoing emails without these records, but the receiver won’t necessarily know that you are a trusted sender. These records are in fact optional security protocols. That being said, there are multiple reasons as to why they should be in place, and how to check if they are so.
What are DKIM records?
DomainKeys Identified Mail (DKIM) in short is a way of verifying that you are a trusted sender, and it contains a cryptographic signature to outgoing emails that is used by the recipient to verify exactly that. It can be seen as an email authentication protocol that allows the sender of an email to take responsibility for their message by curating the portion of the message that is actually from them and securing it with a cryptographic signature. Its primary goal is to stop email address forgeries.
What are SPF records?
In short a sender policy framework (SPF) record is a type of DNS TXT record that lists all the servers authorised to send emails from a particular domain. The receiving party checks the email domain’s return-path address to see if the sending server is allowed to send. These types of records were originally created because the standard protocol used for email known as Simple Mail Transfer Protocol (SMTP), does not inherently authenticate the “from” address in an email. In other words, not having SPF records in place could lead to attackers impersonating a sender and trick the recipient into sharing information that should not be shared or different kinds of malicious activity.
How to check DNS propagation of your DKIM/SPF records
Let’s say you have added the DKIM TXT record to the DNS of your domain, which can look something like this (example from Cloudlfare):
You can check if your TXT records are in place by using the dig command with the parameter -t (type) in the command line interface as such (using the example above):
dig -t TXT big-email._domainkey.example.com +short
Given that the TXT record has been added to the domain in question, the command line should prompt the value of the record as the answer:
v=DKIM1;p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE40658267AB2FC3CB6CBE
You can also check if your TXT record is in place by using a DNS Propagation Checker. Simply paste in the name of the record (big-email._domainkey.example.com in this example), select the type of record in the drop down menu (TXT), and click “search”. The value of the record should then show up as the result.
What is the difference between DKIM and SPF?
The main difference between the two types of records is that DKIM provides an encryption key and digital signature that confirms that the sender’s email address is legitimate and not forged or altered. SPF on the other hand allows email senders to define which IP addresses are allowed to send mail for a particular domain. We also encourage you to use good email etiquette when sending out emails, so that your clients are happy and don’t feel spammed.
Does Servebolt support DKIM and SPF?
We support it in the sense that you can add these types of TXT records to the DNS of your domain, but we don’t provide you with DKIM records ourselves. You have to contact external mail server provider for that. We do have an article on Outgoing Email Configuration, where you can find SPF-records, that also includes a list of recommended external transactional email services.
