DMARC/DKIM/SPF Record Authentication

Starting in February 2024, Google and Yahoo! have stated that there will be new requirements for sending emails to their users. Two of the mentioned requirements are that all senders must have an authenticated domain (SPF/DKIM) and a DMARC policy. 

In this article, we’ll go over what these new requirements are and how you can make sure that you are up to speed with all of them so you won’t run into any issues with these email service providers while sending your emails securely through Privy.

Requirements put in place by Google and Yahoo!

  • Sending emails with your custom domain:

    Using free email domains like @gmail.com or @aol.com in your ‘From’ address has never been a good practice. Not only does it negatively affect your recipients’ experience with your brand, but it can now cause your emails to get rejected or land in the spam folder. Transitioning to a domain you own is strongly advised for seamlessly setting up authentication and complying with evolving standards. For customers without a current domain, acquiring one promptly is recommended.

  • Email authentication using SPF, DKIM, and DMARC:

    Authentication is a way to verify that an email comes from who it claims to come from and is not a spoof. In other words, it helps prevent spam, phishing attempts, and other malicious activities that could damage your brand’s reputation or the trust your recipients have in your emails. In addition to preventing phishing and spoofing attempts, implementing these protocols can help improve deliverability, as mailbox providers will be able to confirm the identity of the sender. It refers to the technical standards that allow for the verification of an email sender's identity. The most commonly used email authentication standards are SPF, DKIM, and DMARC. If you want to do a quick check to see if your domain already has DKIM and SPF records as well as a DMARC policy in place, you can do a lookup here: https://dmarcian.com/domain-checker/

  • SPF and DKIM email authentication: To get your emails authenticated, you must have SPF and DKIM records in place. DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are the two foundational forms of email authentication.
  • Sender Policy Framework (SPF): SPF is an email authentication protocol that allows receiving email servers to accept incoming emails from authorized senders. It was designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address authorized by that domain’s administrator.
  • DomainKeys Identified Mail (DKIM): DKIM is an email authentication method that employs public-key cryptography to digitally sign emails, ensuring that the message body and attachments remain unaltered during transmission. Receiving servers use DKIM to verify that the domain owner sent the message. It also acts as a digital signature that is added to the header of an email to further verify the identity of the sender. Receiving email servers will verify that the DKIM signature matches that of the associated sending domain.
  • Emails bearing a DKIM signature serve as a clear indicator of your legitimacy and reliability as a sender. As a result, your messages are more likely to land in a recipient’s inbox rather than being sent to their junk or spam folders.
  • DMARC email authentication: Companies must also have a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in place.
    • DMARC is a standard that builds on SPF and DKIM. It ensures emails are genuinely coming from the domain they claim to be from, by checking the alignment of the SPF and DKIM records.
    • It detects and prevents email spoofing techniques used in phishing, business email compromise (BEC), and other email-based attacks.
    • DMARC provides instructions to receiving servers about how to handle incoming mail. To get delivered, messages need to pass DKIM and SPF alignment checks according to the requirements set by the DMARC policy. Messages that do not pass DMARC checks can be allowed, rejected, or placed in the spam folder.
  • Maintain spam rates below 0.3%: this will also be enforced by Google to prevent recipients from being spammed with unwanted content. We have systems in place that can be useful for tracking your spam complaints with Privy, but ultimately you’d want to use Gmail’s postmaster tools to track those as well. Segmentation is a great way to make sure that your message is reaching the intended audience. 
  • Messages need to have a 1-click unsubscribe link: all emails sent to both providers will require that an unsubscribe link/button is visible in the email body. Luckily, emails created with Privy will always include this option by default, and you can even customize it.

Set up SPF, DKIM, and DMARC email authentication for your sending domain

Setting up SPF, DKIM, and DMARC records is a complex and time-consuming process and improper configuration can result in several errors.

Because of this, and for liability reasons, we recommend consulting with an IT expert or your domain host's support team to make these changes, and using online tools to analyze your SPF, DKIM, and DMARC policies and confirm they are set up correctly. This helps you stay compliant with the new guidelines and avoid any negative impact on email deliverability.

However, here's a general overview of the setup process for SPF, DKIM, and DMARC records:

  • SPF (Sender Policy Framework): These records are TXT records on your domain that authorize specific servers to send mail using your domain name. This is how it may look:

  • Here are general tips to help you set up SPF email authentication:
    • Publish the record and test to ensure proper configuration.
    • Create your SPF TXT record specifying the authorized addresses. You can do this in your DNS settings depending on your domain host provider.
    • Get a list of the IP addresses, email servers, or domains authorized to send emails on your behalf.
  • DKIM (DomainKeys Identified Mail): A DKIM record is a specially formatted DNS TXT record that stores the public key the receiving email server will use to verify a message’s signature. A DKIM record includes a name, version, key type, and the public key itself, and is often made available by the provider that is sending your email. A DKIM record is a form of TXT record in the DNS zone file containing the DKIM public key. The public key is an asymmetric key that decrypts the signature signed by the private key. A simple DKIM signature is composed of several parts and may look like this:

  • Here are general tips to help you set up DKIM email authentication:
    • Generate the public/private key pair for encrypting and decrypting your DKIM signature
    • Publish the public key in your DNS zone file as a TXT record – and secure your private key
    • Generate your signature and test your emails to ensure proper configuration.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Setting up a DMARC record is a proactive measure to protect your brand and your audience from phishing and spoofing attacks. It’s about ensuring that only legitimate emails from your domain reach the inbox, which in turn boosts your sender's reputation and deliverability rates. A DMARC record may look like this:

  • Like SPF and DKIM, DMARC requires critical processes to avoid errors. Here are general tips to help you set DMARC email authentication:
    • Identify legitimate and illegitimate sources that fail authentication. This gives you insights to help you adjust other security protocols
    • Gradually tighten your DMARC policy from none to quarantine, and reject, and choose an email address for receiving DMARC reports
    • Monitor your emails to identify and analyze emails that fail authentication
    • Ensure you set up SPF and DKIM correctly
    • Generate and publish your DMARC record in TXT format in your DNS database
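
As an added illustration (not part of this article's original text or of Privy's tooling), the following Python sketch lints the three TXT record types described above before you publish them. The example.com records, the 192.0.2.10 address, and the DKIM key value are constructed placeholders; the 10-lookup limit comes from RFC 7208.

```python
import base64
import re

# SPF terms that trigger a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")

def parse_tags(txt):
    """Split the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt):
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    rest, problems = [t.lower() for t in terms[1:]], []
    if sum(1 for t in rest if LOOKUP_TERM.match(t)) > 10:
        problems.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    alls = [t for t in rest if re.fullmatch(r"[+\-~?]?all", t)]
    if not alls and not any(t.startswith("redirect=") for t in rest):
        problems.append("no terminal 'all' mechanism")
    if "all" in alls or "+all" in alls:
        problems.append("'+all' authorizes every server to send as this domain")
    return problems

def check_dkim(txt):
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    key = "".join(tags.get("p", "").split())  # long keys may contain whitespace
    try:
        if not base64.b64decode(key, validate=True):
            problems.append("p= is missing or empty (empty p= means a revoked key)")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("p= is not valid base64")
    return problems

def check_dmarc(txt):
    if not re.match(r"v\s*=\s*DMARC1\s*(;|$)", txt.strip()):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags, problems = parse_tags(txt), []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not all(u.strip().lower().startswith("mailto:") for u in tags.get("rua", "").split(",") if u.strip()):
        problems.append("rua= entries should be mailto: URIs")
    return problems

# Constructed sample records for example.com; the p= value is a placeholder, not a real key.
SPF_SAMPLE = "v=spf1 include:_spf.example.net ip4:192.0.2.10 ~all"
DKIM_SAMPLE = "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQtS0VZ"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
```

Each function returns a list of problems, so an empty list means the record passed these syntax checks. It does not confirm that the record is actually published in DNS or that the listed servers are the right ones for your mail.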

To get some more detailed information about how you can create and manage these records, please check out the articles for some of the most popular host providers:

If your host provider is not on the list above, don’t worry - you can contact us at support@privy.com so we can point you in the right direction!

Note: Domains can take 24-48 hours to reflect the updated information.


Verify your custom sending domain with Privy

To improve your email deliverability and build trust with your email recipients, the default address from your Privy account should be updated to reflect your specific domain and brand.

The approach to updating DNS records varies from one provider to another, but most hosts have similar steps. We’ve included links to our KB articles for several top hosting sites:

Note: You can use these same guides to access the DNS settings page from your host domain provider to set up the SPF, DKIM, and DMARC email authentication for your sending domain.

If you encounter any difficulties while attempting to verify your custom domain with Privy, and require further assistance, don’t hesitate to schedule a call with one of our DNS experts using this link

In order for a custom domain to become fully-verified, the custom domain must pass both of the following checks:

DNS Records Check

Checks if the required Privy DNS records exist within the custom domain’s records and if they’re valid.

DMARC Policy Check

Checks if a valid DMARC policy is configured within the custom domain’s records.

Sending Status

Privy introduced the following sending statuses, which are dependent on the outcome of the checks listed above.

Can send emails

A Privy account is placed into this status if the custom domain passes the DNS Records check, regardless of whether the DMARC policy check fails.

If your Privy account is under the “Can send emails” status, you are still able to send emails from this domain if it is already selected as the default sending domain or as an override domain on individual emails. If it is not, you will need to fully verify it before selecting it for sending.

However, a valid DMARC policy is still recommended and should be added as soon as possible in order to comply with the recent Gmail + Yahoo sending requirements.

Cannot send emails

A Privy account is placed into this status if the custom domain fails both the DNS Records and the DMARC policy checks.

Privy accounts under this status cannot schedule or send emails from the custom domain.

If your Privy account is under the “Cannot send emails” status, you’d need to add the Privy DNS records and a valid DMARC policy to your domain host account.


General Email Best Practices

  • Your email list should be up to date and clean prior to sending. We recommend lists no older than 90 days since sign up and/or engagement. Avoid sending to role and transactional addresses.
  • Maintain a steady send frequency. Too many emails can be seen as spamming, and too few emails can lead to forgetting or loss of interest.
  • Avoid link shorteners like bit.ly
  • Ensure your email signature is complete with your business information (full name, title, company address) without images or HTML
  • Set daily and hourly sending limits and a minimum delay between sends of 60 seconds or more

FAQ

Who will be affected by the new requirements? 

All senders must be compliant with these new requirements, with more noticeable effects on deliverability for bulk senders. 

What happens if I don’t meet Google and Yahoo’s requirements?

In that case, Google and Yahoo will block all emails that don’t meet their requirements, meaning that your recipients that have Gmail and Yahoo addresses will generate bounces on your newsletter campaigns and any other emails.

This can cause a lot of damage to your sending reputation and deliverability rates and can create lasting consequences to your customers’ engagement and email-generated revenue.

Will sending volume be a factor in these new requirements?

While Google has stated that users who send to fewer than 5,000 contacts per day will have fewer requirements, we strongly recommend that all volume senders work on meeting all of the requirements to avoid deliverability issues.

Where can I find more information about Google and Yahoo’s requirements? 

For Google, you can access their email sender guidelines to see the full list of their requirements.

And for Yahoo!, you can find this information on their sender best practices.
