WTF is DMARC, SPF, DKIM?

By Aaron Dielmann

Don’t let spam protection requirements shut down your email marketing.

If you’ve been using business email providers like Google Workspace or Microsoft 365, or send marketing emails from platforms like MailChimp, Constant Contact or HubSpot, then you’ve likely received emails about Google and Yahoo’s new email requirements and guidelines. 

You may have been confused by acronyms like DMARC, SPF and DKIM, but your email marketing campaigns (and your email in general) could grind to a halt if these important records aren’t configured properly.

Here’s what you need to know:

There are three new requirements for bulk email senders that are rolling out right now to combat spam, phishing and ransomware. Google and Yahoo have teamed up to lead the charge, but you can expect all major email providers to follow suit.

  1. All email needs to be authenticated before it will be allowed through. That means you need to set a DMARC policy, an SPF record, and any required DKIM records to be able to send emails to users of Google and Yahoo email.
  2. All marketing or promotional emails need to have a one-click unsubscribe link in the header and the body. Some email marketing platforms like Mailchimp and Benchmark are already compliant, but it’s best to do your due diligence and assure these links are present in outgoing emails. Note that you only need a one-click unsubscribe option for marketing emails, not for important transactional messages like password resets or reservation confirmations. Important Warning: It’s been suggested that Microsoft 365 users are being auto unsubscribed from emails that feature the mandated one-click unsubscribe link because Outlook “clicks” links to check them for malicious redirects before delivering them to the inbox. That can cause half of your email marketing list to disappear IN ONE SEND. This issue is still being investigated at the time of this writing. We recommend proceeding carefully when adding the one-click unsubscribe feature, testing with smaller subsets of your lists. For what it’s worth, we have not experienced mass unsubscribes from emails we’ve sent through Mailchimp.
  3. All senders are required to stay under a 0.3% spam rate threshold set by Google in order to continue sending emails to Google platforms. To hit that threshold, only 3 emails need to be marked as spam by recipients or their email providers out of every 1,000 emails you send. If your spam rate goes over that threshold, none of your emails will be delivered to Gmail and Google Workspace users.

The last two points are fairly straightforward, if a bit terrifying, but those who aren’t IT professionals might be wondering what DMARC, SPF, and DKIM even are.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC is both a policy and a protocol, published as a TXT record in your domain’s Domain Name System (DNS) zone, that uses the SPF and DKIM protocols to authenticate emails. When someone receives an email from your domain, this record tells them whether to accept or reject the email based on the SPF and DKIM results for that email and the records found on your domain.

What are SPF and DKIM records?

Both SPF and DKIM are additional authentication records added to your domain – SPF as a TXT record, and DKIM as either CNAME or TXT records. A domain can only have one SPF record, but it can have multiple DKIM records. The SPF record lists the mail servers and domains that are allowed to send emails on behalf of your domain, while the DKIM record provides proof that an email was in fact sent from an approved server.

Think of the DKIM record as one half of a two-key cryptographic pair. The record you add in your DNS serves as the public key, and the server you send your emails from signs each email with the matching private key. The recipient’s email platform can use your public key to verify that signature on the email it receives and confirm that the email is authentic and was not altered in transit.

Email platforms can review the SPF and DKIM results for an email sender in tandem to determine whether or not an email is authentic, and then look up the sender’s DMARC policy to understand what they should do with the result. Should the recipient allow an email if the server it originated from is found in the SPF record but the DKIM signature is wrong or missing altogether? Or should they reject the email? And how can the recipient let the sender know that the email was rejected? That’s what DMARC defines.
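To make the decision described above concrete, here is an added example (not code from the original post) that parses a DMARC TXT record, lists the senders an SPF record authorises, and applies the DMARC policy to SPF/DKIM results. The domain example.com and both TXT records are constructed for illustration, and relaxed alignment is approximated by a subdomain match rather than a full organisational-domain lookup.

```python
# Constructed sample TXT records for the hypothetical domain example.com
# (no DNS lookup is performed; these are illustrative values only).
SPF_TXT = "v=spf1 include:_spf.google.com include:servers.mcsv.net -all"
DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=...; rua=...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_authorized_senders(txt: str) -> list:
    """Return the include:/ip4:/ip6: mechanisms, i.e. who may send for the domain."""
    return [m for m in txt.split() if m.startswith(("include:", "ip4:", "ip6:"))]


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') also accepts a
    subdomain relationship (an approximation of organisational-domain matching)."""
    if mode == "s":
        return auth_domain == from_domain
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def dmarc_verdict(dmarc_txt: str, from_domain: str, spf_pass: bool, spf_domain: str,
                  dkim_pass: bool, dkim_domain: str) -> tuple:
    """Apply the sender's DMARC policy to the SPF and DKIM results.
    DMARC passes when at least one of SPF or DKIM passes *and* the domain it
    authenticated aligns with the visible From: domain; otherwise the p= tag
    decides what the receiver does with the message."""
    tags = parse_dmarc(dmarc_txt)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver, report only", "quarantine": "spam folder", "reject": "bounce"}
    return "fail", actions.get(tags.get("p", "none"), "deliver, report only")


if __name__ == "__main__":
    # The question raised above: SPF passes but DKIM is missing -> still a DMARC pass.
    print(dmarc_verdict(DMARC_TXT, "example.com", True, "example.com", False, ""))
```

The rua= tag is where aggregate reports about failures are sent, which is how the sender learns that mail was quarantined or rejected.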

Here’s what you need to do… NOW.

  1. Check with your IT team to ensure that your DMARC, SPF and DKIM records are set up properly. You can test this by using this tool from MXToolBox to check your email deliverability (just be sure to send the email from the server you want to test).
  2. Check with your email marketing provider to find out how they are handling one-click unsubscribes. MailChimp has already automatically added this functionality, but others, like Hubspot, may require you to add the feature manually.
  3. If you are a Ridge Marketing client and are unsure about what to do, please contact us right away. You’ve already received an email from us that outlines your specific situation and our recommended next steps, and our development team is standing by to work with you to ensure compliance.

DO NOT send mass marketing emails until you are confident that these important compliance issues have been resolved.

Ultimately, these requirements are a good thing, as they should dramatically reduce the amount of spam clogging your inbox and decrease the chances of a virus or ransomware crippling your organization. 

But the time to act is now, or you just might find yourself asking, “WTF happened to our email, DMARC, SPF and DKIM?”