Email Authentication: SPF, DKIM, and DMARC Setup

Email authentication protocols help prevent email spoofing, improve deliverability, and protect your domain reputation. This guide explains how to set up SPF, DKIM, and DMARC records for use with SendSquared.

Understanding Email Authentication

Email authentication consists of three key protocols:

  • SPF (Sender Policy Framework): Verifies the IP addresses authorized to send email on behalf of your domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to verify emails haven't been tampered with
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers how to handle messages that fail authentication

Setting up these protocols is essential for:

  • Improving email deliverability
  • Preventing your emails from being marked as spam
  • Protecting your domain from being spoofed by malicious actors
  • Building and maintaining your sender reputation

SPF Records Explained

The Sender Policy Framework (SPF) is an open standard aimed at preventing sender address forgery.

How SPF Works

SPF verifies that the IP address sending an email is authorized to send mail on behalf of the domain in the email's Envelope From or Return-Path:

  1. The receiving email server retrieves the SPF record from the DNS records for your domain
  2. The server checks if the sending IP address is listed in the SPF record
  3. If the check passes, the email continues to processing
  4. If the check fails, the email may be rejected or flagged as suspicious

SendSquared's SPF Records

To allow SendSquared to send emails on your behalf, you need to include SendSquared's SPF record in your domain's DNS settings:

include:_spf.sendsquared.com

Setting Up Your SPF Record

If you don't have an existing SPF record, create a TXT record with:

v=spf1 include:_spf.sendsquared.com ~all

If you already have an SPF record, add SendSquared's include statement:

v=spf1 [your existing includes] include:_spf.sendsquared.com ~all
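
A domain may publish only one v=spf1 TXT record, so the SendSquared include has to be merged into the record you already have rather than added as a second one. The following is an added example, not SendSquared's own code: merge_spf and its parameters are hypothetical names, and it places the include ahead of the record's existing all mechanism without changing your qualifier.

```python
# Added example: merge a provider include into a domain's single SPF record.
SENDSQUARED_INCLUDE = "include:_spf.sendsquared.com"  # value given in this guide


def merge_spf(txt_records, include=SENDSQUARED_INCLUDE, default_all="~all"):
    """Return the one SPF TXT value to publish for the domain.

    txt_records: every TXT string currently published at the domain.
    Raises ValueError when more than one SPF record exists, because
    receivers treat that as a permanent error (RFC 7208, section 4.5).
    """
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("multiple v=spf1 records; merge them into one first")
    if not spf:
        return f"v=spf1 {include} {default_all}"

    terms = spf[0].split()[1:]
    if include.lower() in (t.lower() for t in terms):
        return spf[0]  # already authorised, nothing to change

    # Mechanisms are evaluated left to right and "all" always matches, so
    # anything placed after it is ignored. Keep the include ahead of it
    # (and, by convention, ahead of a redirect= modifier).
    def is_terminal(term):
        t = term.lower()
        return t.lstrip("+-~?") == "all" or t.startswith("redirect=")

    idx = next((i for i, t in enumerate(terms) if is_terminal(t)), len(terms))
    terms.insert(idx, include)
    return " ".join(["v=spf1"] + terms)
```
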

DKIM Configuration

DomainKeys Identified Mail (DKIM) adds a digital signature to your emails that verifies they haven't been modified in transit.

How DKIM Works

  1. SendSquared generates a pair of cryptographic keys for your domain
  2. You add the public key to your DNS records
  3. SendSquared uses the private key to sign outgoing emails
  4. Receiving servers verify the signature using the public key in your DNS

Setting Up DKIM with SendSquared

When you complete Domain Authentication in SendSquared, automated security is enabled by default, which handles DKIM records for you:

  1. Navigate to Global Settings → Domain Authentication
  2. Select the domain you want to authenticate
  3. SendSquared will provide CNAME records you need to add to your DNS
  4. Add these CNAME records to your domain's DNS settings
  5. Return to SendSquared and verify the configuration

DMARC Implementation

DMARC builds on SPF and DKIM by specifying what receiving servers should do with emails that fail authentication.

How DMARC Works

  1. You publish a DMARC policy in your DNS records
  2. The policy tells receiving servers how to handle emails that fail DMARC, meaning neither SPF nor DKIM passes for a domain that aligns with the From address
  3. DMARC can also send you reports about emails using your domain

Setting Up DMARC

Add a TXT record with the following settings to your DNS:

Name: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This basic policy:

  • Monitors but doesn't take action on failing emails (p=none)
  • Sends aggregate reports to the specified email address

As you become more comfortable with DMARC, you can strengthen your policy:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

This more aggressive policy:

  • Suggests that 25% of failing emails be sent to spam (quarantine at pct=25)
  • Continues to send reports for monitoring

Eventually, you can move to a strict policy:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

This policy rejects all emails that fail authentication.
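
The three stages above differ only in the p and pct tags, and pct has a detail worth seeing in code: failing mail outside the sampled percentage gets the next weaker policy, not the published one (RFC 7489, section 6.6.4). This is an added example, not part of SendSquared's tooling; parse_dmarc, disposition and the roll argument are hypothetical names.

```python
# Policy applied to the share of failing mail that pct does NOT select
# (RFC 7489, section 6.6.4): one step weaker than the published policy.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT value into {'p': str, 'pct': int, 'rua': list}."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            pairs.append((key.strip().lower(), value.strip()))
    # The version tag must come first and is case-sensitive.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in NEXT_LOWER:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"p": policy, "pct": pct, "rua": rua}


def disposition(record, roll):
    """Action requested for one message that failed DMARC.

    roll is an integer 0..99 standing in for the receiver's random sampling.
    """
    policy = parse_dmarc(record)
    if roll < policy["pct"]:
        return policy["p"]
    return NEXT_LOWER[policy["p"]]
```
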

Custom MX Records for From Headers

For optimal deliverability when using custom From addresses (e.g., noreply@yourdomain.com), you may need to set up custom MX records:

  1. Navigate to Global Settings → Domain Authentication → Advanced Settings
  2. Look for the "Custom From Headers" section
  3. SendSquared will provide MX records specific to your domain
  4. Add these records to your DNS settings

Adding DNS Records with Common Providers

Here's how to add these records with popular DNS providers:

GoDaddy

  1. Log in to your GoDaddy account
  2. Click My Products
  3. Select DNS for your domain
  4. Click Add to add a new record
  5. Select the record type (TXT for SPF/DMARC, CNAME for DKIM)
  6. Enter the provided hostname and value
  7. Save changes

Namecheap

  1. Log in to your Namecheap account
  2. Go to Domain List and click Manage next to your domain
  3. Select the Advanced DNS tab
  4. Click Add New Record
  5. Select the record type and enter the required information
  6. Save changes

Google Domains

  1. Log in to Google Domains
  2. Select your domain
  3. Click DNS in the left menu
  4. Scroll to "Custom records"
  5. Click Add to create a new record
  6. Enter the host, record type, and data
  7. Save

Amazon Route 53

  1. Log in to AWS Console
  2. Navigate to Route 53
  3. Select Hosted Zones
  4. Select your domain
  5. Click Create Record
  6. Choose record type and enter values
  7. Click Create Records

Cloudflare

  1. Log in to Cloudflare
  2. Select your domain
  3. Go to the DNS tab
  4. Click Add Record
  5. Select the record type and fill in the required fields
  6. Save

Verifying Your Configuration

After adding all required DNS records:

  1. Return to SendSquared and navigate to Global Settings → Domain Authentication
  2. Click Verify Configuration for your domain
  3. SendSquared will check that all records have been properly added

You can also use these external tools to verify your configuration:

Troubleshooting Common Issues

DNS Propagation Delays

DNS changes can take 24-48 hours to fully propagate. If verification fails:

  • Wait at least 24 hours before troubleshooting
  • Verify records were entered exactly as provided
  • Check for typos or missing characters

SPF Record Limitations

SPF has a limit of 10 DNS lookups per record. If you have many email providers:

  • Consolidate lookups where possible
  • Consider using macro-expanded includes
  • Prioritize your most important email providers
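
The 10-lookup limit counts every DNS-querying term reached during evaluation, including those inside nested includes, so a record with three includes can still exceed it. The checker below is an added example, not a SendSquared tool: it walks constructed zone data instead of live DNS, does not expand macros, and spf_lookups, within_limit and ZONE are hypothetical names.

```python
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

# Constructed TXT answers standing in for live DNS. Every record body here,
# including the one shown for _spf.sendsquared.com, is made up for the example.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.sendsquared.com include:_spf.crm.example ~all",
    "_spf.sendsquared.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example a:mail.crm.example -all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    "busy.example": "v=spf1 a mx ptr include:example.com exists:%{i}.bl.example redirect=_spf.crm.example",
}


def spf_lookups(domain, zone, _path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in _path:
        raise ValueError(f"SPF include loop via {domain}")
    record = zone.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record for {domain}")
    terms = [t.lower().lstrip("+-~?") for t in record.split()[1:]]
    has_all = "all" in terms
    total = 0
    for term in terms:
        name = term.split(":", 1)[0].split("/", 1)[0]
        if term.startswith("redirect="):
            # redirect= is ignored when the record contains an "all" mechanism
            if not has_all:
                total += 1 + spf_lookups(term.split("=", 1)[1], zone, _path + (domain,))
        elif name == "include" and ":" in term:
            total += 1 + spf_lookups(term.split(":", 1)[1], zone, _path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # each of these triggers its own DNS query
    return total


def within_limit(domain, zone=ZONE):
    """Return (lookup_count, ok) for the domain's published SPF record."""
    count = spf_lookups(domain, zone)
    return count, count <= LOOKUP_LIMIT
```
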

DKIM Key Rotation

DKIM keys should be rotated periodically:

  • SendSquared handles key rotation automatically
  • Follow any notifications about key updates
  • Update your DNS records promptly when new keys are issued

Next Steps

After configuring email authentication: