Email authentication methods: SPF, DKIM, and DMARC
Note: Starting February 2024, Gmail and Yahoo require the use of DKIM and DMARC authentication for bulk email delivery. We recommend that all email senders adopt these standards to ensure continued deliverability of future email campaigns.
When you send emails, mailbox providers (such as Gmail, Yahoo, and Outlook) perform checks to distinguish legitimate messages from potential spam or phishing attempts. The authentication process involves confirming the authority of the sender's domain through established methods such as SPF, DKIM, and DMARC.
Starting in February 2024, Gmail and Yahoo will require DKIM and DMARC to achieve delivery. All senders should implement these authentication methods before February to ensure continued email marketing results.
In addition to maintaining email deliverability, implementing these authentication methods for your sending domain offers broader advantages:
- Building up your sender reputation: Authentication solves the identification problem and helps establish your reputation as a trustworthy email sender.
- Enhancing domain security: DMARC protects your domain from potential fraudulent use. It allows good senders to strengthen their reputation and defend against fraudsters who misuse their domains.
Sender Policy Framework (SPF) is an email authentication method designed to prevent email spoofing, a common tactic used by spammers and phishers to send emails with forged sender addresses. SPF records are TXT records in your DNS. SPF allows the owner of a domain to specify which mail servers are authorized to send emails on behalf of that domain.
If you have not set up an SPF (DNS TXT Record) or you have not included ContactPigeon’s IPs as your ESP, please contact your account manager for details.
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign their emails, providing a mechanism for the recipient to verify the authenticity of the sender's identity. DKIM helps prevent email tampering and phishing by allowing email providers to check that the message content hasn't been altered and that it genuinely originated from the claimed domain.
General instructions for setting up DKIM with ContactPigeon
For every from-email-domain (e.g., example.com) that you use to send email campaigns via ContactPigeon, you will have to add the following CNAME DNS Record:
- Type of DNS Record: CNAME
- Domain Name: cp1._domainkey.example.com
- Canonical Name: cp1._domainkey.contactpigeon.com
- TTL: TTL means "Time to Live." Use the recommended or default setting of your DNS host. If there isn't a default setting, we recommend a value as short as possible.
Please consult your DNS provider and/or IT department for more details.
After setting up the above CNAME DNS record, please inform your ContactPigeon account manager so we can verify whether it is updated correctly.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication and reporting protocol that builds on the SPF and DKIM mechanisms. DMARC allows domain owners to specify how mailbox providers (e.g., Gmail or Microsoft) should handle messages that fail SPF or DKIM checks. It also provides a mechanism for senders to receive feedback on the authentication results.
DMARC supports the following policy configurations:
- "p=none": Monitor mode. No action is taken on failed emails, but reports are generated and sent to the specified email address.
- "p=quarantine": Mark the email as potentially suspicious. The email might be placed in the recipient's spam or quarantine folder.
- "p=reject": Reject the email outright. It instructs receiving servers to discard emails that fail authentication checks. The outcome is a bounced email.
General instructions for setting up DMARC
If you do not have a DMARC (DNS TXT Record), please consult your IT department first. Here is some information from Google.
Below, you can find an example of a less strict DMARC record to start working with:
We recommend starting with the policy of "p=none" so that your deliverability is not affected in case of misconfiguration.
If you want to implement more robust security on your domain, you can set up a stricter DMARC record using a policy of "Quarantine" or "Reject." To set up a strict DMARC record, we suggest you visit dmarc.org for recommendations on configuring the record properly.
After setting the DMARC, please inform your ContactPigeon account manager so we can verify the outcome.
Each authentication protocol and additional methods not mentioned here have public websites, where the technical specification is described in depth. Please take a look at the following for additional input.