Deliverability
Understanding Email Authentication
Make sure you have your DMARC / SPF / DKIM records in place to meet sender requirements.
Starting in February 2024, Google and Yahoo! have stated that there will be new requirements for sending emails to their users. Two of the mentioned requirements are that all senders must have an authenticated domain (SPF/DKIM) and a DMARC policy.
In this article, we’ll go over what these new requirements are and how you can make sure that you are up to speed with all of them so you won’t run into any issues with these email service providers while sending your emails securely through Privy.
In order for a custom domain to become fully-verified, the custom domain must pass both of the following checks:
What are Google and Yahoo’s requirements?
Send emails from your custom domain.
Send emails from your custom domain.
Using free email domains like @gmail.com or @aol.com in your ‘From’ address has never been a good practice — not only does it negatively affect your recipients’ experience with your brand, but it can now cause your emails to get rejected or land in the spam folder. Transitioning to a domain you own is strongly advised for seamlessly setting up authentication and complying with evolving standards. For customers without a custom domain, acquiring one promptly is recommended.
Email authentication using DMARC, SPF, and DKIM records.
Email authentication using DMARC, SPF, and DKIM records.
Authentication is a way to verify that an email comes from who it claims to come from and is not a spoof. In other words, it helps prevent spam, phishing attempts, and other malicious activities that could damage your brand’s reputation or the trust your recipients have in your emails. Authentication also improves deliverability, as mailbox providers will be able to confirm the identity of the sender. The most commonly used email authentication records are SPF, DKIM, and DMARC. If you want to do a quick check to see if your domain already has DKIM and SPF records as well as a DMARC policy in place, you can do a lookup here: https://dmarcian.com/domain-checker/
Maintain a spam rate below 0.3%.
Maintain a spam rate below 0.3%.
This will also be enforced by Google to prevent recipients from being spammed with unwanted content. We have systems in place that can be useful for tracking your spam complaints with Privy, but ultimately businesses should want to use Google Postmaster Tools to track those as well. Segmentation is a great way to make sure that your messages are more tailored + reaching the intended audience.
All emails must contain a one-click unsubscribe rate.
All emails must contain a one-click unsubscribe rate.
All emails sent to both providers will require that an unsubscribe link/button is visible in the email body. Luckily, emails created with Privy have and always will include this option by default.
What are DMARC, SPF, and DKIM records?
Dive into what each of these DNS records stands for and its purpose below:Sender Policy Framework (SPF)
SPF is an email authentication protocol that allows receiving email servers to accept incoming emails from authorized senders. It was designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address authorized by that domain’s administrator.
DomainKeys Identified Mail (DKIM)
DKIM is an email authentication method that employs public-key cryptography to digitally sign emails, ensuring that the message body and attachments remain unaltered during transmission. Receiving servers use DKIM to verify that the domain owner sent the message. It also acts as a digital signature that is added to the header of an email to further verify the identity of the sender. Receiving email servers will verify that the DKIM signature matches that of the associated sending domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is a standard that builds on SPF and DKIM. It ensures emails are genuinely coming from the domain they claim to be from, by checking the alignment of the SPF and DKIM records. It detects and prevents email spoofing techniques used in phishing, business email compromise (BEC), and other email-based attacks.
- DMARC provides instructions to receiving servers about how to handle incoming mail. To get delivered, messages need to pass DKIM and SPF alignment checks according to the requirements set by the DMARC policy. Messages that do not pass DMARC checks can be allowed, rejected, or placed in the spam folder.
How to set up these records
Setting up SPF, DKIM, and DMARC records can be a complex and time-consuming process and improper configuration can result in several errors. Because of this, and due to liability reasons, we recommend consulting with an IT team expert or your host domain support team to make and use online tools to analyze and ensure your SPF, DKIM, and DMARC policies are set up correctly. That being said, here is a brief overview of what this process looks like:Set up SPF Records
These records are TXT records on your domain that authorize specific servers to send mail using your domain name. This is how an SPF record may look:Replace “google.com” with whichever email server your domain uses.
Tips for setting up your SPF Record
Tips for setting up your SPF Record
- Publish the record and test to ensure proper configuration.
- Create your SPF TXT record specifying the authorized addresses. You can do this in your DNS settings depending on your domain host provider.
- Get a list of the IP addresses, email servers, or domains authorized to send emails on your behalf.
Set up DKIM Records
A DKIM record is a specially formatted DNS TXT record that includes a name, version, key type, and the public key itself, and is often made available by the provider that is sending your email. A simple DKIM signature is composed of several parts and may look like this:Our team also recommends checking out this DKIM Record Generator resource for more guidance.
Tips for setting up your DKIM Record
Tips for setting up your DKIM Record
- Generate the public/private key pair for encrypting and decrypting your DKIM signature.
- Publish the public key in your DNS zone file as a TXT record – and secure your private key.
- Generate your signature and test your emails to ensure proper configuration.
Set up DMARC Record
A DMARC record may look like this:Tips for setting up your DMARC Policy
Tips for setting up your DMARC Policy
- Identify legitimate and illegitimate sources that fail authentication. This gives you insights to help you adjust other security protocols.
- We recommend setting your policy to quarantine (p=quarantine), and choosing an email address for receiving DMARC reports (rua).
- Monitor your emails to identify and analyze emails that fail authentication.
- Ensure you set up SPF and DKIM correctly.
- Generate and publish your DMARC record in TXT format in your DNS database.
Helpful Resources
To get some more detailed information about how you can create and manage these records, please check out the articles for some of the most popular host providers:- Google Domains: DMARC & SPF/DKIM
- GoDaddy: DMARC/SPF/DKIM
- Namecheap: DMARC/SPF/DKIM
- Squarespace: DMARC/SPF/DKIM
- Wix: SPF & DKIM (for DMARC, contact Wix Support)
- Shopify: DKIM/SPF (for DMARC, contact Shopify Support)
Verify your custom domain in Privy
If you haven’t already, make sure you’d added your custom sending domain in Privy in order to improve deliverability and build trust with your customers. Your DMARC, SPF, and DKIM records are tied to your custom domain — not Privy’s shared domain — so you should be sending your emails from your own domain in Privy once authenticating your domain. The approach to updating DNS records varies from one provider to another, most hosts have similar steps, however, we’ve included links to our KB articles for several top hosting sites:- Shopify
- GoDaddy
- Namecheap
- Wix
- Domain.com
If you encounter any difficulties while attempting to verify your custom domain with Privy, and require further assistance, don’t hesitate to schedule a call with one of our DNS experts using this link.
- DNS Records Check: Checks if the required Privy DNS records exist within the custom domain’s records and if they’re valid.
- DMARC Policy Check: Checks if a valid DMARC policy is configured within the custom domain’s records.
Sending Status
Privy introduced the following sending statuses, which are dependent on the outcome of the checks listed above.Can send emails
A Privy account is placed into this status if the custom domain passes the DNS Records check, regardless of if the DMARC policy check fails. However, a valid DMARC policy is still recommended and should be added as soon as possible in order to comply with the recent Gmail + Yahoo sending requirements.Cannot send emails
A Privy account is placed into this status if the custom domain fails both the DNS Records and the DMARC policy checks. Privy accounts under this status would not be able to schedule nor send emails from the custom domain. If your Privy account is under the “Cannot send emails” status, you’d need to add the Privy DNS records and a valid DMARC policy to your domain host account.FAQs
Who will be affected by the new requirements?
Who will be affected by the new requirements?
All senders must be compliant with these new requirements, with more noticeable effects on deliverability for bulk senders.
What happens if I don’t meet Google and Yahoo’s requirements?
What happens if I don’t meet Google and Yahoo’s requirements?
In that case, Google and Yahoo will block all emails that don’t meet their requirements, meaning that your recipients that have Gmail and Yahoo addresses will generate bounces on your newsletter campaigns and any other emails.This can cause a lot of damage to your sending reputation and deliverability rates and can create lasting consequences to your customers’ engagement and email-generated revenue.
Will sending volume be a factor in these new requirements?
Will sending volume be a factor in these new requirements?
While Google has stated that users who send to less than 5,000 contacts per day will have fewer requirements, we strongly recommend that all volume senders work on meeting all of the requirements to avoid deliverability issues.
Where can I find more information about Google and Yahoo’s requirements?
Where can I find more information about Google and Yahoo’s requirements?
For Google, you can access their email sender guidelines to see the full list of their requirements.And for Yahoo!, you can find this information on their sender best practices.