Warmy Blog

A Step-by-Step Guide to ConvertKit SPF, DKIM, and DMARC Setup

    Email authentication is no longer optional; it is a requirement. As email marketing becomes more important for companies, making sure your messages reach their intended recipients is vital. This is where SPF, DKIM, and DMARC come in. These protocols work together to confirm the legitimacy of your emails, lowering the chance of your messages being labeled as spam or, worse, your domain being exploited for phishing.

    Setting up these protocols for ConvertKit has three advantages. First, it improves your email deliverability so that your well-written messages reach inboxes rather than spam folders. Second, by preventing unauthorized use of your domain for malicious purposes, it protects your brand reputation. Finally, it gives you valuable insight into your email performance so you can adjust your approach.

    Let’s explore how you might use these great tools to improve your email performance.

    Understanding Email Authentication Protocols

    Let’s imagine your emails are packages you’re sending through the mail. Each of these protocols plays a crucial role in ensuring safe delivery.

    SPF is like the return address on your package. It says, “Hey, this package really is sent from the company office at 123 Main Street.” When the mailman sees a package with your name on it, he checks if it’s really sent from the correct address. If the address doesn’t match, the mailman knows something’s fishy.

    DKIM is similar to a wax seal on an old-fashioned letter. You seal the letter with your unique stamp before sending it off. When the recipient sees the unbroken seal, they’re confident the letter hasn’t been tampered with during its journey. In the email world, this digital seal proves your message arrived just as you sent it.

    DMARC is like leaving instructions for the post office. You tell them, “If a package claims to be from me but doesn’t have the right return address or my wax seal, here’s what you should do with it.” Maybe you want them to return it, or perhaps just toss it out. Plus, DMARC is like getting a report from the post office about who’s trying to send packages pretending to be you.

    Together, these three protocols work like a well-coordinated postal system, making sure your email ‘packages’ are delivered safely and that no one’s sending out fake mail in your name. They’re the guardians of your digital mailbox, keeping the bad stuff out and letting the good stuff through!

    Preparing for Setup

    Before you change any DNS records, make sure you have the access and information listed below:

    1. Access to ConvertKit Account

    Verify that you have active administrative access to your ConvertKit account. This access is crucial for retrieving specific authentication records and implementing necessary changes within the platform.

    2. Access to Domain DNS Settings

    Confirm you have the ability to modify your domain’s DNS records. This typically requires access to your domain registrar’s management console or your web hosting control panel, depending on your specific setup.

    Gathering Necessary Information

    1. ConvertKit-specific SPF and DKIM Records

    Obtain the specific SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records provided by ConvertKit. These records are unique to your account and are essential for proper authentication setup.

    2. Current DNS Records

    Review your existing DNS configuration, paying particular attention to any current SPF, DKIM, or DMARC records. This information is critical for ensuring that new authentication records are integrated correctly without conflicting with existing settings.

    Setting Up SPF in ConvertKit

    Accessing ConvertKit DNS Settings

    1. Log in to your ConvertKit account using your credentials.
    2. Navigate to the “Account Settings” or “Settings” section. This is typically found in the top-right corner of the dashboard.
    3. Look for a tab or section labeled “Domain Authentication” or “Email Authentication.”
    4. Click on this section to access the DNS settings specific to ConvertKit.

    Obtaining ConvertKit's SPF Record

    1. In the Domain Authentication section, locate the area for SPF records.
    2. ConvertKit should provide you with their specific SPF record. It typically looks something like this:
       
      v=spf1 include:spf.convertkit.com ~all
       
    3. Copy this record exactly as it appears. Precision is crucial here, as even small errors can cause issues.

    Adding SPF Record to Your Domain's DNS

    1. Open a new tab or window and log into your domain registrar’s website (e.g., GoDaddy, Namecheap, Bluehost).
    2. Navigate to the DNS management section. This might be called “DNS Settings,” “Name Server Management,” or something similar.
    3. Look for an option to add a new DNS record or modify existing TXT records.
    4. Create a new TXT record with the following details:
      1. Host/Name: Usually, this should be set to @ or left blank, representing your root domain.
      2. TTL (Time to Live): If given the option, set this to 3600 seconds (1 hour) or the lowest available setting.
      3. Value/Answer: Paste the SPF record you copied from ConvertKit.
    5. If you already have an existing SPF record, you’ll need to merge the ConvertKit record with your existing one. For example:
       
      v=spf1 include:spf.convertkit.com include:existing.spf.record.com ~all
       
    6. Save your changes. DNS propagation can take up to 48 hours, but often occurs much faster.

    Verifying SPF Setup

    1. Return to your ConvertKit account, to the Domain Authentication section.

    2. Look for an option to verify or check your SPF record. ConvertKit may offer an automatic verification tool.

    3. If automatic verification is not available, you can manually verify using these steps:

    • Use an SPF record checker tool (available online for free).
    • Enter your domain name into the tool.
    • The tool should show that your domain is using the ConvertKit SPF record.

    4. Alternatively, you can use a command-line tool:

    • Open your computer’s terminal or command prompt.
    • Type the following command, replacing “yourdomain.com” with your actual domain:
       
      nslookup -type=txt yourdomain.com
       
    • Look for the SPF record in the results. It should match what you added.

    5. If verification fails, double-check your DNS settings and ensure enough time has passed for propagation.

    6. Once verified, ConvertKit should indicate that your SPF record is correctly set up.

    Remember, changes to DNS can take time to propagate globally. If verification fails initially, wait a few hours and try again. If problems persist after 48 hours, review your settings or contact ConvertKit support for assistance.

    Implementing DKIM in ConvertKit

    Generating DKIM Keys in ConvertKit

    1. Log in to your ConvertKit account.
    2. Navigate to “Account Settings” or “Settings” (usually found in the top-right corner of the dashboard).
    3. Look for a section labeled “Domain Authentication” or “Email Authentication.”
    4. Within this section, find the DKIM settings.
    5. Click on “Generate DKIM Keys” or a similar option.
    6. ConvertKit will generate a unique DKIM key pair for your account. This process is automatic and should only take a few seconds.

    Adding DKIM Record to Your Domain's DNS

    1. Once ConvertKit generates your DKIM keys, you’ll be provided with a DNS record to add to your domain. It will look something like this:
       
      Name: convertkit._domainkey
      Type: TXT
      Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
       
    2. Copy this information exactly as provided by ConvertKit.
    3. Open a new tab or window and log into your domain registrar’s website (e.g., GoDaddy, Namecheap, Bluehost).
    4. Navigate to the DNS management section.
    5. Create a new TXT record with the following details:
      1. Name/Host: Enter the name provided by ConvertKit (usually “convertkit._domainkey”)
      2. TTL: Set to 3600 seconds (1 hour) or the lowest available setting
      3. Value/Answer: Paste the entire string provided by ConvertKit
    6. Save your changes. Remember, DNS changes can take up to 48 hours to propagate fully.

    Activating DKIM in ConvertKit

    1. Return to your ConvertKit account, to the Domain Authentication section.
    2. Look for an option to activate or enable DKIM.
    3. Click the activation button or toggle switch.
    4. ConvertKit may ask you to confirm that you’ve added the DKIM record to your DNS. Confirm this action.

    Testing DKIM Configuration

    1. ConvertKit might offer an automatic verification tool. If available, use this to check your DKIM setup.

    2. If automatic verification isn’t available or you want to double-check, you can manually verify:

    • Use an online DKIM record checker tool (several free options are available).
    • Enter your domain name and the selector (usually “convertkit” for ConvertKit).
    • The tool should confirm that your DKIM record is properly set up.

    3. Alternatively, you can use a command-line approach:

    • Open your computer’s terminal or command prompt.
    • Type the following command, replacing “yourdomain.com” with your actual domain:
    nslookup -type=txt convertkit._domainkey.yourdomain.com
     
    • The response should include the DKIM record you added.

    4. Send a test email to an external address (like a personal Gmail account).

    5. View the email headers of the received message. Look for a “DKIM-Signature” header, which shows the message was signed; the receiver’s “Authentication-Results” header shows whether the signature verified (dkim=pass).

    6. For a thorough check, you can use email authentication checking services that analyze the full headers of your test email.

    If the DKIM setup doesn’t verify immediately, don’t panic. DNS changes can take time to propagate. Wait a few hours and try the verification process again. If issues persist after 48 hours, double-check your DNS settings and ConvertKit configuration, or reach out to ConvertKit support for assistance.
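
The header check from the steps above, as an added example (not ConvertKit's or the original article's code). The messages are constructed, `esp-shared.example` is a hypothetical shared signing domain, and alignment is approximated with a parent/child domain comparison instead of a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers of two received test messages (no real signatures).
ALIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=yourdomain.com header.s=convertkit
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=convertkit;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Newsletter <news@yourdomain.com>
Subject: test

body
"""
# Signed and verified, but by a domain unrelated to the From address.
THIRD_PARTY = ALIGNED.replace("d=yourdomain.com", "d=esp-shared.example")


def dkim_tags(header_value):
    """Parse a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def check_dkim(raw_message):
    """Separate three questions: signed? verified? aligned with From?"""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    d = tags.get("d", "").lower()
    # Only trust the Authentication-Results header added by your own receiver.
    auth = msg.get("Authentication-Results", "")
    results = {dom.lower(): res for res, dom in
               re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth)}
    # Approximation of relaxed alignment (assumption: no Public Suffix List).
    aligned = bool(d) and (d == from_domain
                           or from_domain.endswith("." + d)
                           or d.endswith("." + from_domain))
    result = results.get(d)
    return {
        "signed": "DKIM-Signature" in msg,
        "selector": tags.get("s"),
        "signing_domain": d or None,
        "result": result,
        "aligned": aligned,
        "counts_for_dmarc": result == "pass" and aligned,
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("third party", THIRD_PARTY)):
        print(name, check_dkim(raw))
```

A message can carry a passing DKIM signature and still not count toward DMARC when the signing domain differs from the From domain, which is the second case here.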

    Configuring DMARC for ConvertKit

    Understanding DMARC Policy Options

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) has three main policy options:

    1. None (p=none): This is a monitoring mode. Emails are not rejected or quarantined, but reports are generated.
    2. Quarantine (p=quarantine): Emails that fail DMARC checks are sent to the spam folder.
    3. Reject (p=reject): Emails that fail DMARC checks are completely rejected.

    Additionally, DMARC allows you to specify what percentage of emails should be subject to the policy using the “pct” tag.

    Creating a DMARC Record

    A basic DMARC record consists of the following components:

    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
     
    • v=DMARC1: Specifies the DMARC version.
    • p=none: Sets the policy (none, quarantine, or reject).
    • rua=mailto:dmarc-reports@yourdomain.com: Specifies where aggregate reports should be sent.

    Additional optional tags include:

    • pct=: Percentage of failing emails the policy is applied to
    • ruf=: Address (URI) where forensic (failure) reports should be sent
    • sp=: Policy for subdomains

    Adding DMARC Record to Your Domain's DNS

    1. Log into your domain registrar’s website or DNS management platform.
    2. Navigate to the DNS management section.
    3. Create a new TXT record with the following details:
      • Name/Host: Enter “_dmarc” (without quotes)
      • TTL: Set to 3600 seconds (1 hour) or the lowest available setting
      • Value/Answer: Paste your DMARC record (e.g., v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com)
    4. Save your changes.

    Remember, DNS changes can take up to 48 hours to propagate fully.

    Gradually Strengthening Your DMARC Policy

    It’s crucial to start with a relaxed policy and gradually strengthen it. Here’s a recommended approach:

    1. Start with monitoring (1-2 weeks):

    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
     

    This allows you to receive reports without affecting email delivery.

    2. Implement quarantine for a small percentage (2-4 weeks):

    v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com
     

    This applies the quarantine policy to 10% of emails that fail DMARC.

    3. Increase quarantine percentage (2-4 weeks):

    v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourdomain.com
     

    Gradually increase the percentage, monitoring for any issues.

    4. Move to full quarantine (2-4 weeks):

    v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
     

    Apply quarantine to 100% of failing emails.

    5. Implement reject policy:

    v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
     

    Only move to this stage when you’re confident in your email authentication setup.

    Throughout this process, regularly review the DMARC reports you receive. These reports will help you identify any legitimate emails that are failing DMARC checks, allowing you to adjust your SPF and DKIM configurations as needed.

    Remember to update your DMARC record in your DNS settings each time you change the policy. Always monitor closely after making changes to ensure no legitimate emails are being blocked.

    Troubleshooting Common Issues

    SPF Record Conflicts

    SPF (Sender Policy Framework) conflicts can occur when multiple SPF records exist or when the record exceeds the character limit. Here’s how to identify and resolve these issues:

    1. Multiple SPF Records:
      • Symptom: Email authentication fails, or you receive warnings about multiple SPF records.
      • Diagnosis: Use an SPF record lookup tool or run a DNS query:
        dig TXT yourdomain.com
      • Solution: Combine all SPF records into a single record. For example:
        v=spf1 include:spf.convertkit.com include:_spf.google.com ~all
    2. Exceeding Character Limit:
      • Symptom: SPF checks fail for some recipients.
      • Diagnosis: Count the characters in your SPF record. It should be under 255 characters, the most a single TXT string can hold.
      • Solution: Use the ‘include’ mechanism to reference external SPF records instead of listing all IPs. For example:
        v=spf1 include:spf.convertkit.com include:_spf.mycompany.com ~all
    3. Too Many DNS Lookups:
      • Symptom: SPF checks timeout or fail.
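      • Diagnosis: Count the mechanisms that trigger DNS lookups, such as ‘include’ statements and ‘a’ mechanisms (‘mx’, ‘exists’, ‘ptr’ and the ‘redirect’ modifier also count, as do lookups inside included records). The limit is 10.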
      • Solution: Flatten your SPF record by replacing ‘include’ statements with the actual IP addresses or ranges.
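
The three SPF checks above as an added example (not part of the original article or any ConvertKit tooling). It runs offline against a constructed zone; the `ZONE` contents, `_spf.vendor.example` and all function names are assumptions made for illustration.

```python
import re

# Constructed TXT data standing in for live DNS answers (not real zone contents).
# Each TXT record is a list of strings, the way DNS returns it.
ZONE = {
    "yourdomain.com": [
        ["v=spf1 include:spf.convertkit.com ~all"],
        ["v=spf1 include:_spf.mycompany.com ~all"],  # second SPF record: conflict
        ["site-verification=constructed-token"],      # unrelated TXT record
    ],
    "spf.convertkit.com": [["v=spf1 ip4:192.0.2.0/24 ~all"]],
    "_spf.mycompany.com": [["v=spf1 a mx include:_spf.vendor.example ~all"]],
    "_spf.vendor.example": [["v=spf1 ip4:198.51.100.0/24 -all"]],
}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}  # include/redirect handled below


def spf_records(domain, zone):
    """Return every SPF record at `domain`, with its TXT strings joined."""
    joined = ["".join(strings) for strings in zone.get(domain, [])]
    return [r for r in joined if r.lower().split(" ")[0] == "v=spf1"]


def count_lookups(record, zone, path=frozenset()):
    """Count terms that cost a DNS lookup, following include: and redirect=."""
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        nested = re.fullmatch(r"(?:include:|redirect=)(\S+)", term)
        if nested:
            total += 1
            target = nested.group(1)
            if target not in path:  # guard against include loops
                for rec in spf_records(target, zone)[:1]:
                    total += count_lookups(rec, zone, path | {target})
        elif re.split(r"[:/]", term, maxsplit=1)[0] in LOOKUP_MECHANISMS:
            total += 1
    return total


def merge_spf(records):
    """Combine several SPF records into one with a single trailing 'all' term."""
    terms, all_term = [], None
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_term = all_term or term
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))


def lint_spf(domain, zone):
    """Report the three conflicts from the list above for `domain`."""
    records = spf_records(domain, zone)
    findings = []
    if len(records) != 1:
        findings.append(f"{len(records)} SPF records published (exactly 1 allowed)")
    for rec in records:
        if len(rec) > 255:
            findings.append("record exceeds 255 characters")
        lookups = count_lookups(rec, zone)
        if lookups > 10:
            findings.append(f"{lookups} DNS lookups (limit is 10)")
    return findings


if __name__ == "__main__":
    print(lint_spf("yourdomain.com", ZONE))
    print(merge_spf(spf_records("yourdomain.com", ZONE)))
```

To run it against a live domain, replace `ZONE` with the TXT answers returned by `dig TXT` for the domain and each included name.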

    DKIM Verification Failures

    DKIM (DomainKeys Identified Mail) verification failures can occur due to key mismatches or configuration errors. Here’s how to troubleshoot:

    1. Incorrect DKIM Record:
      • Symptom: DKIM authentication fails consistently.
      • Diagnosis: Verify your DKIM record using a DKIM lookup tool or DNS query:
        dig TXT convertkit._domainkey.yourdomain.com
      • Solution: Ensure the DKIM record in your DNS matches exactly what ConvertKit provided.
    2. Key Mismatch:
      • Symptom: Intermittent DKIM failures.
      • Diagnosis: Check if you’ve recently regenerated DKIM keys in ConvertKit.
      • Solution: Update your DNS with the new DKIM record provided by ConvertKit.
    3. Selector Issues:
      • Symptom: DKIM verification fails, but the record seems correct.
      • Diagnosis: Verify you’re using the correct selector (usually ‘convertkit’ for ConvertKit).
      • Solution: Ensure the DKIM record is added with the correct selector in your DNS.

    DMARC Report Interpretation

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports can be complex. Here’s how to interpret common issues:

    1. High SPF Failure Rate:
      • Symptom: DMARC reports show many SPF failures.
      • Diagnosis: Check if all legitimate sending sources are included in your SPF record.
      • Solution: Update your SPF record to include all authorized sending IP addresses or domains.
    2. High DKIM Failure Rate:
      • Symptom: DMARC reports indicate frequent DKIM failures.
      • Diagnosis: Verify DKIM is correctly set up for all sending services.
      • Solution: Ensure DKIM is properly configured for ConvertKit and any other email sending services you use.
    3. Alignment Issues:
      • Symptom: DMARC reports show alignment failures.
      • Diagnosis: Check if the ‘From’ domain matches the domain used for SPF and DKIM.
      • Solution: Ensure all emails are sent from the domain you’ve authenticated, or consider using relaxed DMARC alignment.
    4. Unexpected Sending Sources:
      • Symptom: DMARC reports show emails from unknown sources.
      • Diagnosis: Review the sending sources in the DMARC reports.
      • Solution: Investigate these sources. They could be legitimate services you’ve forgotten about or potential spam/phishing attempts.
    5. Low DMARC Coverage:
      • Symptom: DMARC reports show a low percentage of authenticated emails.
      • Diagnosis: Check if all your email sending services support SPF and DKIM.
      • Solution: Implement SPF and DKIM for all services sending emails on behalf of your domain.
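
An added example (not from the original article) that reads a DMARC aggregate report and sorts sending sources into the categories discussed above. The report is constructed, with documentation IP ranges and invented counts, and is assumed to use the common un-namespaced aggregate XML layout; the labels and function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report: documentation IP ranges, invented counts.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def classify(spf_ok, dkim_ok):
    """DMARC passes when either aligned check passes; label what needs fixing."""
    if spf_ok and dkim_ok:
        return "ok"
    if dkim_ok:
        return "spf-gap"      # passes DMARC on DKIM only: source missing from SPF
    if spf_ok:
        return "dkim-gap"     # passes DMARC on SPF only: DKIM not set up or broken
    return "dmarc-fail"       # unknown sender or a service with no authentication


def summarize(report_xml):
    """Return {source_ip: {label: message_count}} for one aggregate report."""
    by_source = {}
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        # policy_evaluated holds the aligned results that DMARC actually uses.
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        labels = by_source.setdefault(row.findtext("source_ip"), {})
        label = classify(spf_ok, dkim_ok)
        labels[label] = labels.get(label, 0) + count
    return by_source


def dmarc_failure_rate(by_source):
    """Share of all reported messages that failed DMARC outright."""
    total = sum(sum(labels.values()) for labels in by_source.values())
    failed = sum(labels.get("dmarc-fail", 0) for labels in by_source.values())
    return failed / total if total else 0.0


def sources_to_investigate(by_source):
    """Source IPs with at least one message failing both aligned checks."""
    return sorted(ip for ip, labels in by_source.items() if "dmarc-fail" in labels)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary)
    print(f"{dmarc_failure_rate(summary):.1%}", sources_to_investigate(summary))
```

The failure rate is the figure to watch before moving from p=none to quarantine or reject: every source in `sources_to_investigate` is either a legitimate service still to be authenticated or mail that the stricter policy is meant to stop.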

    Remember, when troubleshooting, make changes one at a time and allow for DNS propagation (up to 48 hours) before testing again. If issues persist, don’t hesitate to reach out to ConvertKit support or consult with a domain expert.

    Advanced Considerations in Email Authentication

    Using Third-Party DMARC Monitoring and Email Warmup Services

    While setting up SPF, DKIM, and DMARC is crucial for email authentication, there are additional steps you can take to improve email deliverability. One best practice is to use email warmup tools, with Warmy.io being a notable example.

    Email Warmup with Warmy.io

    Email warmup is the process of gradually increasing your email sending volume to establish a positive sending reputation. Warmy.io automates this process, helping you:

    1. Improve inbox placement rates
    2. Reduce the likelihood of your emails being marked as spam
    3. Establish trust with ISPs and email providers

    Warmy.io offers several free tools that can be invaluable for email marketers:

    1. Email Deliverability Test. This comprehensive test provides crucial information about your email setup, including:
      • Spam score assessment
      • Blacklist checks
      • Authentication record verification (SPF, DKIM, DMARC)
      • Content analysis for spam triggers

    2. Free SPF and DMARC Record Generator. This tool simplifies the process of creating correct SPF and DMARC records, helping you avoid syntax errors that could impact your email deliverability.

    Using these tools in conjunction with ConvertKit can significantly enhance your email deliverability and provide valuable insights into your email authentication setup.

    Other DMARC Monitoring Services

    While Warmy.io offers excellent free tools, there are other DMARC monitoring services worth considering for more extensive needs:

    1. Dmarcian
    2. Postmark’s DMARC Monitor
    3. Valimail

    These services provide detailed reports and analysis of your DMARC implementation, helping you identify and resolve issues quickly.

    Integrating with Other Email Services

    When using ConvertKit alongside other email services, consider the following:

    1. Consistent Authentication. Ensure all services are properly configured with SPF, DKIM, and DMARC. This may require adding multiple entries to your SPF record.
    2. Alignment. Verify that the ‘From’ address aligns with your authenticated domain across all services.
    3. Separate Subdomains. Consider using different subdomains for different services to simplify management and troubleshooting.
    4. Unified Reporting. Set up DMARC to send reports to a single address, allowing you to monitor authentication across all services in one place.
    5. API Integration. Where possible, use API integrations to ensure consistent sending practices and authentication across platforms.

    Handling Subdomains

    Managing email authentication for subdomains requires special consideration:

    1. Separate Policies. You can set different DMARC policies for subdomains. For example:
      _dmarc.subdomain.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    2. Inheritance. By default, subdomains inherit the DMARC policy of the organizational domain. You can override this using the sp tag in your main DMARC record:
      v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com

      Here, the main domain has a ‘reject’ policy, while subdomains have a ‘quarantine’ policy.

    3. Dedicated Records. For granular control, create separate SPF and DKIM records for each subdomain you use for sending emails.
    4. Monitoring. Ensure your DMARC reports include data from subdomains. Some DMARC monitoring services offer subdomain-specific analytics.
    5. Consistency. Maintain consistent branding and sending practices across subdomains to build a unified reputation.

    Conclusion

    Establishing SPF, DKIM, and DMARC for your ConvertKit account is an effort well worth the improved email delivery and brand protection. From adding the required DNS entries to tuning your DMARC policy, we have walked through the configuration procedure for every protocol. Remember, this is not a set-it-and-forget-it job. Your authentication setup should evolve with the ever-changing email landscape.

    Stay alert, keep learning, and let your authenticated emails stand for the dependability and credibility of your brand. ConvertKit and proper email authentication will help you navigate the complexity of email delivery and get the most from every message.
