SPF, DKIM, and DMARC Compliance: Understanding and Implementing Email Security


It's crucial to stay ahead of the curve with the upcoming changes from Google and Yahoo. Starting this month, February 2024, both providers are rolling out a significant update that everyone needs to be aware of, especially if you're sending out a high volume of emails.


If your daily email outreach exceeds 5,000, it's time to ensure you're fully compliant with SPF, DKIM, and DMARC policies. This isn't just a box-ticking exercise; it's an essential step to guarantee your emails actually reach your audience. If these standards aren't met, your emails could be relegated to the dreaded spam folder or, worse, not delivered at all. Also, you must keep spam rates below 0.3% and provide the ability to unsubscribe with a single click if the recipient chooses.


Do I Need SPF, DKIM, And DMARC Compliance If I Send Less Than 5,000 Emails Per Day?


Now, I know many of you might be thinking, "Hope, my email list isn't that big and I don’t send anywhere close to THAT many emails." I hear you, but it's still vital to play by these rules. Even if you're not hitting that 5,000 email threshold, adhering to these guidelines will help keep your email delivery smooth and your messages clear of the spam folder.


Let's not forget the influence of Google and Yahoo on email. They are the two largest email providers and leaders in email filtering technology. When they implement changes like these, it's a clear sign that the rest of the industry will soon follow suit.


What are SPF, DKIM, and DMARC policies?

Wondering what SPF, DKIM, and DMARC policies are and how they make your emails more secure? Glad you asked! Here’s the quick rundown:

  • SPF (Sender Policy Framework): SPF is a protocol designed to prevent email spoofing. It helps keep emails secure by allowing email senders to define which IP addresses are permitted to send emails on behalf of their domain.


  • DKIM (DomainKeys Identified Mail): DKIM is an email authentication method that attaches a digital signature to emails. This signature helps to keep emails secure by verifying that the email content has not been tampered with during transit and that the sender is legitimate.


  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is a policy framework that relies on SPF and DKIM to function. It enables domain owners to indicate that their emails are protected by SPF and DKIM, and provides instructions to receiving email servers on what to do if neither of those authentication methods passes - thus enhancing email security.



For those who've already set up SPF, DKIM, and DMARC, you're in a great position. Your emails will likely be prioritized over others that might fall into the poorly configured or spammy category. But if you haven't configured these yet, now is the time. It's not just about avoiding delivery issues; it's about ensuring your message reaches your audience effectively and maintains your professional reputation.


How to Check for and Attain Compliance:


Do you currently work with a web developer? If you do, you should contact them to have them set up your SPF, DKIM, and DMARC records for you. If you do not, then follow the instructions below.


Do you currently use HubSpot to send your marketing emails? If so, then please follow their instructions on how to authenticate your sending domain with them. Here is a link to their guide: https://knowledge.hubspot.com/email/manage-email-authentication-in-hubspot. You can also send this guide to your web developer to help you set up the SPF, DKIM, and DMARC records.


If you have a HubSpot account and are not using HubSpot to send marketing emails (automated emails, newsletters, nurturing email sequences, etc.), then you do not need to follow their guide. Proceed with the steps outlined below.


If you use Squarespace, Mailchimp, or any other email marketing platform that is not HubSpot for your email marketing, proceed with the following steps.


How to Prepare:

  • You will need access to your DNS records (the following instructions will show you how to find them)

  • You will need to have your login credentials handy for your Squarespace account (if you use it for hosting your website) and/or for your domain host.

  • If you do not use Squarespace, then you just need to have your domain host login credentials handy. 


Accessing your DNS Records:

Before you can configure a DMARC record, you must FIRST have SPF and DKIM records set up correctly. These two records are both required for DMARC to work. And it’s likely you already have one or both (SPF + DKIM) set up.


Setting up all three records requires access to your DNS records. Your DNS records are usually accessed from where you purchased and manage your domain name. Your domain name is the main part of your website URL. For example, for the website URL www.mywebsitename.com (not a real link), the “mywebsitename.com” part is the domain name, not the www.


If you use Squarespace for your website, then it is likely that your DNS is actually accessed from within the settings of your Squarespace account. To find your DNS records in Squarespace, log in to your account and navigate to Settings>Domains & Email. On this page you will see either “Domains managed by Squarespace” or “Domains managed by Third party”.  


If your domain is managed by Squarespace then you can access your DNS records from here by clicking on the domain name and on the next page clicking on “Edit DNS”. 


If you see that it's managed by a third party, that means you need to go to your domain host (GoDaddy, Enom, etc.) to access your DNS records. If you’re not sure where your DNS records are located, do not worry. Proceed with the next steps and you’ll find this out as you go through the process.


Next Steps: Scan Your Domain


Check to see if you already have any SPF, DKIM, and DMARC records set up for your sending domain. Your sending domain is the domain you send your emails from and in most cases is the same as your website domain.


  1. Scan your domain to look for any compliance issues. Use this free tool to check: https://easydmarc.com/tools/domain-scanner

  2. What did your scan report? Do you have missing or incorrect records? If everything is green, then you are fine and in compliance. If you are missing records (or have incorrectly configured records), then proceed to the next step. Note: You can ignore BIMI records for now. It’s optional to set them up.

  3. Start a free trial of EasyDMARC. At the end of your trial, you will have the option to upgrade to a paid account or stay on their forever free plan. Choose the “Manage from DNS” option. If you do not know where your DNS records are located, EasyDMARC will tell you during the process of setting up a free trial.

    • You can choose either option (Manage from DNS or Manage in EasyDMARC) and you can always change your mind later if you decide you want to switch how you manage these records.

  4. The next step is to verify your domain by adding a TXT record to your DNS. They provide a guide on how to do this but if you’re unsure, you can always opt to verify later by clicking the “Later” button.

    • If you choose to verify later, or are not comfortable editing your DNS records, then reach out to EasyDMARC support for them to walk you through the setup. Simply open the chat by clicking the button in the lower right corner or email support@easydmarc.com. They can help you not only verify your domain but also help you set up all of your other records (SPF, DKIM, and DMARC).

  5. If you are comfortable editing your DNS records, then proceed with these next steps. Once you have verified your domain in the previous step, you’ll see vertical navigation on the left side of the screen.

  6. Do you need to set up an SPF record? Then go to Tools>SPF. Then click on the “SPF Generator” tab to generate one for you and then add that record to your DNS.

  7. Do you need to set up a DKIM record? Then go to Tools>DKIM and click on the “DKIM Generator” tab to generate a record for you. Take that record and add it to your DNS.

  8. Now that you have both SPF and DKIM records added to your DNS, it’s time to add your DMARC record. Go to Tools>DMARC and click on the “DMARC Generator” tab. Add the record provided to your DNS.
    It’s critical that your DMARC record is set to none for right now. This looks like “p=none”. Much later on, you will want to change it to “p=reject” or “p=quarantine” so that you have a strict level of email security. But for right now, leave it set to none.

  9. Wait a few minutes and then check your EasyDMARC account to confirm that all of your records are properly configured and working. 

  10. Now, you’re done with all the record updating! It will take a few days for servers around the world to see the DNS record updates. 
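If you would rather read the records yourself than rely only on a scanner's colours, the checks behind steps 2 and 6 through 8 can be written down in a few lines. This is an added example, not code from the original post or from EasyDMARC; the function names and sample records are constructed, and it inspects TXT values you have already copied from your DNS host rather than querying DNS.

```python
# Added example; function names are illustrative, sample records are constructed.
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(root_txt, dmarc_txt, dkim_txt):
    """Return findings for one sending domain, given its TXT records."""
    # root_txt: at the domain itself; dmarc_txt: at _dmarc.<domain>;
    # dkim_txt: at <selector>._domainkey.<domain>
    findings = []
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("SPF: missing" if not spf else "SPF: more than one record")
    elif {"all", "+all"} & set(spf[0].lower().split()):
        findings.append("SPF: 'all' without - or ~ authorizes every server")

    dmarc = [parse_tags(r) for r in dmarc_txt
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("DMARC: missing" if not dmarc else "DMARC: more than one record")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: p= is missing or invalid")
        elif policy == "none":
            findings.append("DMARC: p=none is monitoring only")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no reports arrive")

    dkim = [t for t in map(parse_tags, dkim_txt) if "p" in t]
    if not dkim:
        findings.append("DKIM: no public key published for this selector")
    elif not dkim[0]["p"]:
        findings.append("DKIM: empty p= means the key is revoked")
    return findings

# Constructed sample: a domain part-way through the setup steps above.
SAMPLE = audit(
    root_txt=["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"],
    dmarc_txt=["v=DMARC1; p=none"],
    dkim_txt=["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
)
```

For the sample, the only findings are the two DMARC ones: the policy is still in monitoring mode, and without a `rua=` reporting address there is nothing to review before tightening it to quarantine or reject.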


Single-click Unsubscribe

The other component to compliance is having an unsubscribe link in all your marketing emails. This was already a requirement for proper mass emailing (newsletters, drip emails, etc.). However, the requirement now is to make sure your unsubscribe is a 1-click unsubscribe.


Google says that, “Senders that already include an unsubscribe link in their messages have until June 1, 2024 to implement one-click unsubscribe in all commercial, promotional messages.”


This means when a person unsubscribes, they do not need to take any further action—no filling out unsubscribe forms, no checking boxes, no confirming they want to unsubscribe—once they click the unsubscribe link or button in your email, that’s all the action needed on their part to be removed from your lists. 


If you use GoHighLevel for your email marketing, this is already set up for you. Confirm this in your email settings in your account; however, you should not need to take any action.


If you are using Squarespace for your email marketing, this is already set up for you. You do not need to take any action. 


If you are using Mailchimp, Active Campaign, Constant Contact, or similar for your email marketing, this should be already set up for you, but check your email settings to confirm.


If you are using HubSpot for your email marketing, you may need to turn on the unsubscribe link in your email settings. You should already have an unsubscribe link in your marketing emails like your newsletters, but you should check to see if your 1:1 emails also have an unsubscribe link. To do so, follow the steps in this article: https://knowledge.hubspot.com/email/add-an-unsubscribe-link-to-my-one-to-one-emails.
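To confirm what your platform actually sends, send yourself a campaign and view the raw message ("Show original" in Gmail). One-click unsubscribe is signalled to mailbox providers by two headers defined in RFC 8058, and that RFC also expects the DKIM signature to cover them. The check below is an added example, not code from the original post or from any of the platforms named; the function name and the sample message are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

def one_click_issues(raw_message):
    """Return reasons a raw message fails the RFC 8058 one-click header checks."""
    msg = message_from_string(raw_message)
    issues = []

    # List-Unsubscribe carries one or more <URI> entries separated by commas.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not uris:
        issues.append("no List-Unsubscribe header")
    elif not any(urlparse(u).scheme == "https" for u in uris):
        issues.append("no https URL in List-Unsubscribe (mailto alone is not one-click)")

    # This header tells the mailbox provider a single POST is enough.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if post != "list-unsubscribe=one-click":
        issues.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")

    # The h= tag of DKIM-Signature lists the signed headers; both must be in it.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        h = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if h:
            signed |= {name.strip().lower() for name in h.group(1).split(":")}
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= signed:
        issues.append("DKIM signature does not cover the unsubscribe headers")
    return issues

# Constructed message: the headers are present, but the signature skips them.
SAMPLE = "\n".join([
    "From: news@example.com",
    "Subject: February update",
    "List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject; bh=X; b=X",
    "",
    "Hello",
])
SAMPLE_ISSUES = one_click_issues(SAMPLE)
```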

Want some help setting up your email authentication (SPF, DKIM, and DMARC) records? Book a free 20min Clarity Call to get started.
