Email deliverability is a crucial part of effective cold email campaigns â if you know your emails are landing in your prospectâs primary inbox, youâll start more conversations and have more opportunities to close new deals.
SPF, DKIM, and DMARC are the three most important email authentication methods that ensure good email deliverability. These email security measures protect both senders and recipients from the dangers of phishing, email spoofing, and spam.Â
But how do they work, and how exactly are they related to deliverability? Let's find out:
Why Do You Need to Use SPF and DKIM?
In the early days of email, a lot of viruses, spam, and scams were sent via email using fake sender information. This does still happen today, but there are more mechanisms in place to help verify information about email senders.Â
Two of these mechanisms are SPF and DKIM.
SPF and DKIM are methods of email authentication. As such, they allow email servers to identify who is sending emails and verify if theyâre trustworthy or not.Â
Setting these records up is crucial to email deliverability and ensures that your messages reach their intended recipients safely and securely.Â
Starting February 1, 2024, two of the worldâs biggest email providers â Google and Yahoo â will require all senders targeting Gmail and Yahoo accounts to set up SPF or DKIM email authentication for their domains.
What is Sender Policy Framework (SPF)?
Sender Policy Framework, or SPF, is a form of email authentication. SPF defines a validation process for a specific email that has been sent from a mail server.Â
The goal of SPF is to detect forgery and prevent spam. Through the help of SPF protocols, a domainâs owner can pinpoint the exact mail servers the email senders are able to send the message from.Â
Through this, SPF gives the email recipient information about the email senderâs legitimacy. When the recipient gets the email, their email provider (Ex. Gmail) verifies the SPF credentials through a domain lookup in the DNS records. If something is amiss, the receiving server will flag the message as spam, as it has effectively failed the SPF authentication check.Â
If you cold email without your SPF records in place, your recipientâs inboxes wonât let your email through, as it doesnât trust you as a legitimate sender. Most spammers wonât take the time to add their SPF records, so itâs an effective email validation mechanism.
What is DomainKeys Identified Mail (DKIM)?
DomainKeys Identified Mail, or DKIM, is an email authentication protocol used to detect fake sender email addresses or spoofed ones.Â
It works by linking an email back to its domain. An email sender can attach DKIM signatures, which are encryption-secured headers added to the message, which can help the receiving inbox verify the source of the message.Â
This is important because a lot of phishing campaigns spoof emails from trusted domains. Think of the emails youâve received posing as a bank, Google, or some other trusted domain. It still happens today, but DKIM acts as a potent safeguard against ill-intentioned scammers.
When it comes to cold emailing, your DKIM essentially tells your prospectâs inbox that you are who you say you are, and gives the email service provider (ESP) a good reason to let your email through.Â
Gmailâs New Bulk Sender Requirements
Starting in February 2024, Google will require senders who send 5,000 or more emails per day to Gmail and Yahoo accounts to:
Authenticate outgoing email with SPF and DKIM
Avoid sending unsolicited email
Make it easy for recipients to unsubscribe
Learn more: Gmail Bulk Sender Guidelines
Whatâs the Difference Between SPF and DKIM?
DKIM and SPF seem similar if youâre new to them. So, whatâs the difference?
Put simply, SPF allows senders to define exactly which IP addresses may send an email for that particular domain. Meanwhile, DKIM verifies the authenticity of an email by providing a digital signature and encryption key.Â
They work hand-in-hand to prevent spam and detect forgery while sending and receiving emails.
How Does SPF Work for Email Authentication?
SPF works by specifying the mail servers authorized to send emails from your domain. If you have it in place, the receiving mail servers can verify that the incoming messages did come from you.
Without SPF records, the messages sent by your organization may be marked as spam, because your prospectsâ and customersâ inboxes wonât be able to verify that itâs really you sending the email. Your emails will land in the spam folder or be completely blocked from landing in their inbox.
Once your SPF records are in place, you wonât need to do any ongoing management. Youâll need to make sure theyâre in place for every domain you use for your email activity.
Hereâs a basic overview of how SPF records work:
Publishing an SPF record:Â Your domainâs administrator publishes an SPF record, which is the policy that defines which mail servers are allowed to send emails. The SPF record is stored under the domainâs overall DNS records.
Checking IP against the list of authorized IPs:Â Each time an inbound server gets an incoming message, it searches DNS for the rules for the bounce or Return-Path domain. The inbound mail server checks the IP of the message sender against the list of authorized IPs defined in the SPF record.
Taking action:Â The receiving server uses the rules indicated in the sender domainâs SPF record to determine what to do: Accept, reject, or flag the email as spam.
How Do I Set Up an SPF Record?
Setting up your SPF takes a few minutes and will ensure that your messages land in your prospectsâ inboxes. Itâs a vital step before sending any cold outreach.Â
If youâre using a custom inbox, make sure to check with your email provider. Theyâll be able to show you the best way to set up your SPF record.
If youâre using G Suite or Outlook, follow these steps:
How to Set up SPF for G Suite
Here are Googleâs instructions for Setting up your SPF records in G Suite.
Itâs relatively easy to do.
To set up SPF records in G Suite, sign in to your domain host and navigate to the DNS management page. (Your domain host could be Google Domains, Namecheap, GoDaddy, or whichever service you use to manage your domain.)
Next, Locate the DNS TXT records section and create a new TXT record. Enter "@" in the host field if it's required; otherwise, leave it blank. For the value, input "v=spf1 include:_spf.google.com ~all" to authorize G Suite servers to send emails on your behalf. Save the record.
This process may take up to 48 hours to propagate. Verify your SPF record through G Suite's admin console to ensure it's correctly configured, protecting your domain against email spoofing.Â
How to Set up SPF for Outlook
To set up SPF records for your domain in Microsoft Outlook or Microsoft 365, access your domain's DNS settings through your hosting provider's control panel.
Locate the DNS management area and create a new TXT record. In the value field, enter your SPF details to specify the mail servers authorized to send emails on behalf of your domain. If all of your mail is being sent with Microsoft 365/Outlook, use the following SPF record: âv=spf1 include:spf.protection.outlook.com -allâ.
You may enter other records if youâre using a dedicated Exchange Online account or an on-premises email system. For unique situations like these check out Microsoftâs guide here.
Save the record and allow up to 48 hours for propagation.
If youâre unsure if your domain is ready to start using for your email activity, you can use tools like spamtester.ai to verify (more on this later in the guide).
To troubleshoot SPF issues, check out this guide from Microsoft.Â
How To Set Up SPF With Other Email Providers
You might have an email account from your domain host that isn't one of the major providers. You should configure SPF if you want to use that account for sending, as well. The basic process is the same.
First access to your domain's DNS settings. Then search for your email provider's documentation on SPF records. You'll add a TXT record. It usually begins with "v=spf1", indicating the version and policy.
The record may specify "a", "mx", or "ip4" to define which hosts are allowed to send emails on your domain's behalf. It often has "include:serviceprovider.com" in the record. An ending qualifier like "-all" rejects all other hosts. Update your DNS records, and propagation will secure your email authenticity against spoofing.
How Does DKIM Work for Email Authentication?
DKIM was created for similar purposes as SPF: to prevent spammers from impersonating your domains and pose as a legitimate email sender from your brand.Â
DKIM is a kind of signature that you can add to your emails to allow receiving mail servers to check the email senderâs authenticity. The signature isnât a typical email signature. It works with encrypted keys, your private and public key:
Private key:Â This is available only to you and is unique to your domain. The private key will allow you to encrypt your signature.
Public key:Â This is something you have to add to your DNS (using DKIM) so that the receiving mail server can retrieve it and decrypt your signature.
Setting up DKIM on your DNS allows you to add a layer of security. For example, itâs like presenting an ID card (your public key) to get into your office, even if the security guard already knows that you work at the building. Itâs a way to prove that itâs really you at the door. If you forgot your key, you may still get let in, but security wonât be certain.
How Do I Set Up a DKIM Record?
The first step is to generate a public key. To do this, youâll have to log into your email providerâs admin console. The steps vary depending on your email provider.Â
Setting Up DKIM for G Suite
For example, if you're using G Suite to send emails, hereâs a detailed guide.Â
DKIM signatures need to be manually turned on in your Google Admin console as they turn these off on default.
Once you have your public key, you can then take the generated TXT record to place into your DNS records.Â
Hereâs a simple overview of how DKIM is set up and tested:
Step 1: Publishing your cryptographic key
The key is published by the domain owner and is formatted as a TXT record in the domainâs DNS record.
Step 2: Attaching the unique DKIM
Every time a message is sent by an outgoing mail server (i.e., your outbound emails), this server attaches the DKIM signature to the messageâs header.
Step 3: Detecting and decrypting the signature
Inbound mail servers (i.e., your prospectsâ email server) uses the DKIM key to decrypt the signature of the message. If it matches with the expected values, then the message is considered authentic and can get through.
Setting up DKIM for Outlook
In Outlook, the process works in a similar way.
Youâll need to create your DKIM keys in your Microsoft account. Then, once those are ready, youâll be shown new CNAME records that you need to copy and paste into a new CNAME entry in your domainâs admin panel.
Once your DKIM signature is enabled, youâll be ready to start sending your emails with the confidence that theyâll land in your prospectâs inbox.
Click here to read detailed, step-by-step instructions on Microsoftâs website.Â
Setting Up DKIM Authentication for Other Email Providers
If you got a free or cheap email account from your domain provider like GoDaddy or Hostinger, you can set up DKIM there, as well. The basic process starts by generating a DKIM key pair using a tool provided by your domain host or a third-party service.
Once you have the public and private keys, you must add the DKIM record to your domain's DNS settings. This DNS entry will include your public key and should follow your host's specifications.
Configure your email server or service provider to use the private key to sign outgoing messages. This ensures that receiving servers can verify messages using the public key in your DNS. Remember to test the configuration to ensure it's working correctly. It's a good idea to look up instructions from your specific email provider, too.
What Will Happen if I Donât Set Up My SPF and DKIM Records?
In any business scenario where youâre sending a lot of emails â whether itâs cold outreach to new potential clients, or nurturing campaigns to welcome customers and email subscribers to your list â you need to set up SPF and DKIM.Â
If you donât set up these records, over time, most of your emails will be flagged as spam, potentially even resulting in your domain getting completely blocked by email service providers.Â
Needless to say, your emails wonât have the business impact you expected them to.
How to Check if Your SPF and DKIM Records are Set Up?
Once youâve followed your inbox providerâs instructions to add your SPF and DKIM records, youâll need to verify that theyâre working.
Reviewing using QuickMailâs Deliverability Report
On QuickMailâs pro plan youâll have access to advanced deliverability reports.
First, head to your inbox and make sure your deliverability testing is active.
Every week, QuickMail will automatically test to see how your inbox deliverability is performing.
If your SPF and DKIM pass the checks, youâre ready to start sending your emails.
If your SPF or DKIM records have issues, youâll see it in the deliverability report so you can take action to update them.
If your emails are being sent to spam, youâll be notified.Â
Using Free Tools to Check Your Email Setup
There are also free tools like spamtester.ai and Check MX that will review your domain setup and let you know if any issues are present.
spamtester.ai will ask you to send a test email to their inboxes, and the service will scan your email for issues.
Then, it will generate a report analyzing all of your domainâs potential areas for improvement. If everything is set up correctly, you should see a green check and the âYouâre properly authenticatedâ message, and two sections mentioning your SPF and DKIM.
If youâre missing any essential records, spamtester.ai will tell you which ones are missing so itâll be easy for you to add them.
Check MX is a free tool from Google that offers a similar service. Run your domain through it, and wait for the results.
Hereâs what your results will look like if your SPF and DKIM records are correctly set up in Check MX:
These tools make it fast and straightforward to review your email setup. If thereâs an issue, youâll be told exactly what it is and given instructions on how to fix it.
For a deliverability jumpstart, grab our guide: Cold Email Deliverability 101
How Does DMARC Work for Email Authentication?
You may have also seen DMARC being referenced on your email account. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.
Itâs another email authentication system that helps you protect your domain against spoofing.
From February 1, 2024, Google and Yahoo will require any senders who send more than 5,000 messages per day to Google/Yahoo accounts to implement DMARC email authentication for the sending domain.
DMARC requires you have your DKIM and SPF records set up before implementing it.
It works by telling email servers what to do if they receive an email from your domain that does not pass SPF or DKIM authentication methods, either: do nothing, quarantine the email, or reject it completely. In other words, you're letting other email servers know what to do with spoofed email messages claiming to come from your account.If your SPF and DKIM records on outgoing messages donât match the records you defined in your admin console, DMARC will tell the receiving server to do what youâve indicated.Â
For example, if your DMARC policy is set to ânoneâ, then the receiving inbox will receive them normally (even if thereâs a risk the email isnât really from you). Quarantine tells the inbox to send emails to the spam folder. Reject tells the inbox to reject them.
Hereâs how to set DMARC up on Gmail, and hereâs add DMARC rules for Outlook accounts.
Warming Up Your Email Account to Ensure High Deliverability
Once your SPF, DKIM, and DMARC authentications are set up, you can begin sending emails and have a strong degree of confidence that they wonât land in spam filters.
But, if your domain is new, thereâs still a risk that your recipientsâ inboxes donât completely trust you.
To help prove to ESPs that youâre a trustworthy sender, you should warm up your domain before launching any high-volume email campaigns using MailFlow, which has a native integration with QuickMail.
MailFlow is an email warmup tool that is ideal for anyone who wants to improve their deliverability.
To start with the Auto-Warmer, sign up for MailFlow and connect the inbox youâre going to use to send emails.
Then, head to the settings tab, and go to the Auto Warmer. Add the number of daily emails you want to send. A best practice for this is to start with a low volume on a new domain, and slowly work up from there. If you buy a new domain and immediately start sending hundreds of emails per day, ESPs will know something isnât right.
Once youâve set that up, the Auto Warmer will start automatically sending and replying to your emails for you, generating real positive engagement on them.
Youâll know exactly where your emails are landing â in the main inbox, spam, or other folders â thanks to the MailFlow Auto Warmer Report.
If you notice your emails are being sent to spam too often, you can review your DKIM and SPF records, and review your email campaigns for problems that could be causing the deliverability issues.
Wrapping Up
Setting up both SPF and DKIM records is a crucial step in ensuring your domainâs email deliverability stays high.Â
And if you send high volumes of emails to Gmail and/or Yahoo accounts, youâll need to set up DMARC authentication too.
It may seem complicated at first if youâre not a technical person, but the steps are easy to follow, and all email service providers will have detailed instructions on how to implement them.
The process wonât take long, and itâll have a huge payoff as youâll be sure that your email campaigns are landing in your recipientâs inboxes. Click here to start your free trial.