SPF, DKIM, and DMARC Best Practices for Mailgun
TABLE OF CONTENTS
Spam accounts for roughly 85% of email traffic worldwide (Statista). Three basic but effective tools protect your mailbox against spam and email fraud: SPF, DKIM, and DMARC.
SPF, DKIM, and DMARC—essential email authentication acronyms—are explained in this article. These procedures help ensure emails reach their recipients safely and reliably, not only as computer jargon. We’ll explain how to set them up with Mailgun, explain their responsibilities in email security, and offer ideas to improve email delivery and domain reputation. This article will help you master SPF, DKIM, and DMARC, whether you’re an email marketer or new to email security.
Sender Policy Framework (SPF) validates sender IP addresses to avoid spam. It lets domain owners choose which mail servers can transmit email for them. Domain owners can help mail servers identify spam and phishing attacks using their domain by setting up SPF.
SPF entries are text (TXT) records in DNS that specify mail servers permitted to deliver emails for a domain. SPF’s main function is to let domain owners claim responsibility for sending emails and identify approved senders. This technique protects the “From” address against spammers and phishers by preventing email address forging.
- Email Send Attempt. When an email is sent from a domain, the outbound mail server attempts to deliver it to the recipient’s mail server.
- SPF Record Lookup. Upon receiving the email, the recipient’s server retrieves the SPF record for the sender’s domain from the DNS. This record lists all the IP addresses that are authorized to send mail from this domain.
- IP Verification. The recipient server then checks if the IP address of the mail server that sent the email is on the list of authorized IP addresses in the SPF record.
- Result Interpretation. If the sending server’s IP is found in the SPF record, the email passes SPF validation, indicating that it was sent from an authorized server. If not, the email fails SPF validation.
✅ SPF prevents spammers and phishers from fake email identities by checking sender IP addresses and blocking domain use in the “From” address. This authentication process reduces unsolicited email volume.
✅ Improved deliverability is another major SPF benefit. Emails that pass SPF checks are less likely to be detected as spam by ISPs, ensuring that legitimate emails reach their receivers.
✅ SPF also boosts domain email legitimacy, boosting recipient trust. Users can trust senders more when emails pass SPF checks, which is important for professional relationships and customer trust.
✅ Although beneficial, SPF has drawbacks. The issue of email forwarding is significant. The sender’s IP address can be lost when emails are forwarded, causing genuine emails to fail SPF tests. This can disrupt communication and mark vital messages as spam.
✅ Additionally, SPF only verifies the ‘Envelope From’ address used during SMTP transactions, not the recipient’s email client’s ‘Header From’ address. SPF verifies the sending server, but not the visible sender’s address, allowing for email address forging.
Implementing SPF (Sender Policy Framework) with Mailgun is a crucial step in ensuring your emails reach their intended recipients and are not marked as spam. Below, we provide a detailed, step-by-step guide to setting up SPF records correctly with Mailgun, along with some common mistakes to avoid.
1. Verify Existing SPF Record. Before adding a new SPF record, check if your domain already has one. Multiple SPF records can cause conflicts and lead to emails being rejected. Use a DNS lookup tool to see if your domain has an existing SPF record.
2. Create or Modify SPF Record. If you do not have an SPF record, you’ll need to create one. If there’s an existing record, you will modify it to include Mailgun.
- Go to your domain’s DNS settings.
- Create a new TXT record.
- Set the Host/Name field to “@” or your domain (depending on DNS host requirements).
- In the Value field, enter:
v=spf1 include:mailgun.org ~all
- This record tells email providers that emails sent from servers authorized by Mailgun are valid, and emails from any other sources should be treated with suspicion (but not necessarily rejected).
- Locate the existing SPF record in your DNS settings.
- Modify the record to include Mailgun’s SPF mechanism without creating a new SPF record. It might look something like this:
v=spf1 include:_spf.google.com include:mailgun.org ~all
- This example assumes you are using Google’s email services alongside Mailgun. The principle remains the same when integrating other services.
3. Save the Record. After entering the correct SPF syntax, save the record. DNS changes might take some time to propagate, usually up to 48 hours.
4. Verify the Record. Use an SPF validation tool to ensure your SPF record is correctly set up and recognized. Tools like MXToolbox can help you verify that your SPF record includes Mailgun and is valid without syntax errors.
DomainKeys Identified Mail (DKIM) uses cryptography to authenticate email messages. It lets email senders verify email authenticity by associating a domain name with it. Each outgoing email has a digital signature tied to a domain name, which receiving email systems can validate using the signer’s DNS public key. DKIM’s main function is to prevent email spoofing and preserve email content in transit, ensuring email security and integrity.
DKIM validates sender identities and ensures message integrity, improving email security. When DKIM is used, unauthorized parties cannot change email content during transmission. It builds confidence because only the domain owner has the private key to make signatures. Email providers can better screen bogus communications, decreasing phishing and other email dangers.
- Log into your Mailgun account and navigate to the domain settings section.
- Select the domain for which you want to set up DKIM.
- Look for the DKIM settings area and initiate the process to generate a new DKIM key pair. Mailgun will automatically create the public and private keys.
- Mailgun retains the private key to sign outgoing emails, while the public key will be used in the next steps.
- After generating the DKIM keys, Mailgun will provide you with a DNS record for the public key.
- Access your DNS provider’s management console where your domain’s DNS records are stored.
- Add a new TXT record. The host name or name field should be set as specified by Mailgun, typically something like
selector._domainkey.yourdomain.com,
where “selector” is a unique identifier for the DKIM public key.
- In the value field, enter the DKIM record provided by Mailgun, which will include the public key.
- Save the record and wait for the changes to propagate, which can take up to 48 hours.
- After adding the DKIM record to your DNS and allowing some time for propagation, it’s important to verify that everything is set up correctly.
- Use Mailgun’s control panel features to validate the DKIM settings. Mailgun often provides tools for checking the status of your DKIM record.
- Alternatively, use external tools like MXToolbox to check the DKIM TXT record. These tools can confirm whether the DKIM record is found and is correctly formatted.
- If the validation fails, check for common issues such as typos in the DNS records or incomplete propagation.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. This email authentication, policy, and reporting mechanism improves email security. DMARC adds policy enforcement and reporting to SPF and DKIM. Email domain owners use DMARC to prevent email spoofing. This reduces phishing and spoofing abuse.
DMARC authenticates emails against SPF and DKIM standards and blocks or flags fraudulent activity from domains under its policy. Email providers are instructed on how to handle SPF or DKIM-failed emails. Senders can change their email strategy based on DMARC’s aggregated information on email success and failure. This trio of protocols secures email transmission and receiving, guaranteeing only authenticated emails reach their destinations.
Decide on the policy level appropriate for your needs:
None: DMARC will monitor emails and report on those that fail SPF and DKIM checks but will not affect their delivery.Quarantine: Emails that fail SPF and DKIM checks will be treated as suspicious. Depending on the recipient’s email server, these might be placed into the spam/junk folder.Reject: The strictest level, where emails that fail SPF and DKIM checks are actively rejected and not delivered at all.
- Access your DNS management console where your domain’s DNS records are hosted.
- Create a new TXT record for your domain. The host name for this record should be
_dmarc.yourdomain.com. - Set the value of the TXT record to reflect your chosen policy. For example:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;
This record sets the policy to none and specifies an email address where aggregate reports should be sent.
- Save the DNS record and wait for the DNS changes to propagate, which might take up to 48 hours.
Collecting Reports
- Ensure that the email address provided in the DMARC record (
rua=mailto:...) is active and able to receive emails. This address will receive DMARC aggregate reports from ISPs about the performance of your emails in terms of SPF and DKIM validation.
- Ensure that the email address provided in the DMARC record (
Reading and Interpreting the Reports
- DMARC reports are typically delivered in XML format and provide data on which messages passed or failed SPF and DKIM checks, what policy was applied, and why certain actions were taken.
- Use DMARC report analysis tools available online to parse these XML reports into a human-readable format.
Adjusting Your Email Security Strategy
- Based on the insights gained from these reports, adjust your SPF, DKIM, and DMARC settings as necessary to improve security and deliverability.
- Consider tightening your DMARC policy gradually, moving from
nonetoquarantine, and possibly torejectas you become more confident in your email authentication setup.
Email marketing success and security depend on appropriately configured SPF, DKIM, and DMARC settings. Warmy.io’s free email deliverability test can validate these settings and improve email delivery.
Warmy.io’s tool goes beyond SPF, DKIM, and DMARC certification. It analyzes your email deliverability landscape, identifying configuration mistakes and other difficulties. This includes checking for IP blacklists, which can substantially impair email delivery.
Using Warmy’s deliverability test is straightforward and yields valuable information. The process involves sending a test email to Warmy, which then analyzes it against numerous criteria. You receive a detailed report that covers the following:
Authentication Verification. The test checks your email against SPF, DKIM, and DMARC settings to ensure they are correctly implemented and functioning as intended. This helps in identifying any mismatches or errors in your records that could lead to email rejections or spam classification.
Deliverability Insights. Beyond authentication, the report provides insights into where your emails are landing in recipients’ inboxes across different providers. This can highlight issues like consistent landing in spam folders at specific email services, allowing you to make targeted adjustments.
IP Reputation Check. Warmy also checks if your sending IP address is on any blacklists. Being listed on a blacklist can drastically reduce your deliverability. Understanding your IP’s reputation helps you take corrective measures, such as delisting procedures or improving your sending practices.
General Deliverability Health. You get an overview of your overall email deliverability health, including tips on how to improve it based on current industry standards and best practices.
If you’re new to configuring SPF and DMARC records or want to ensure accuracy, using free generators can be a great help.
An SPF record generator simplifies creating a correct SPF record by guiding you through the process. You just input your domain and email sending sources, and it provides you with a properly formatted SPF record. This tool helps avoid common errors like syntax mistakes or missing IP addresses, ensuring your emails are authenticated correctly.
Setting up a DMARC policy can be complex. A DMARC record generator helps by creating a record that matches your email security policies. Specify your policy preference (none, quarantine, reject) and how you want to receive reports, and the generator will create a DMARC record for your DNS. This ensures your record is correct and reflects your email security strategy effectively.
When managing multiple domains and subdomains, the complexity of implementing SPF, DKIM, and DMARC increases. However, with a strategic approach, you can effectively manage these settings across all your domains to ensure consistent email security and deliverability. Here are some strategies to consider:
- Consistency Across Domains. Ensure that your SPF, DKIM, and DMARC policies are consistently applied across all domains and subdomains. This consistency helps in maintaining a uniform security posture and simplifies management.
- Use of Subdomain Policies. Subdomains can inherit the DMARC policy of the parent domain, but setting specific policies for subdomains can enhance control over email streams and pinpoint sources of delivery issues. Similarly, SPF and DKIM should be set up specifically for each subdomain to address their unique sending sources and characteristics.
- Template-Based Configuration. For organizations with multiple domains, using templates for SPF, DKIM, and DMARC records can streamline setup and updates. Create a base configuration that suits the majority of your domains, and then customize as necessary for specific cases.
- SPF Configuration for Multiple Domains. When dealing with multiple domains, ensure that each domain has its own SPF record reflecting its specific sending sources. Avoid overly broad SPF policies that could inadvertently allow unauthorized sending across domains.
- DKIM with Multiple Selectors. Use different DKIM selectors for different domains or even different email streams within the same domain. This allows more granular control and easier troubleshooting of DKIM verification issues. It also isolates security risks—if one key is compromised, it does not affect others.
- Centralized DMARC Reporting. Implement DMARC with reporting enabled (using the
ruaandruftags) for all domains. Centralize the reception and analysis of these reports to get a holistic view of your email channels’ performance and security. This consolidated approach helps in identifying trends, anomalies, and areas needing attention.
- Leverage Automation. Use automated tools to manage DNS records, especially when updating SPF and DKIM settings across multiple domains. Automation ensures that changes are applied consistently and reduces the risk of human error.
- Regular Audits and Reviews. Schedule regular audits of your SPF, DKIM, and DMARC settings to ensure they remain effective and aligned with your current email sending practices. This is crucial as networks evolve and email strategies change.
Maintaining your email security and guaranteeing best deliverability depend on SPF, DKIM, and DMARC. These systems guarantee that your communications are safe and trustworthy by recipients, thereby helping to guard your email domain from misuse. Using Mailgun to properly apply these policies improves the standing of your domain and raises the possibility that your emails find their intended recipients.
We urge every user of Mailgun to apply these best practices in their configurations. Spend some time evaluating and enhancing your present email security setups, then keep an eye on their performance. Using these protocols helps your company create a professional and dependable communication system rather than only stopping spam.