Email Authentication: SPF and DKIM
Note 1: users sending with MailPoet's Sending Service don't need to set up SPF or DKIM unless they already have an SPF record set up for another service. In this case, they need to include our sending service domain (include:spf.sendingservice.net) to the list of servers authorized to send on your domain's behalf.
Example of SPF record before:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
Example of SPF record after adding our sending service domain:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:spf.sendingservice.net -all
Note 2: Customers of the MailPoet Sending Service will have their messages signed with DKIM automatically. No need to set up anything else.
Email authentication is just a fancy word for stuff that helps you avoid ending up in spam folder. By implementing some of these technologies, you can improve your open rate, increase engagement with your readers, and improve your sender reputation. A win for everyone!
In simple terms, both SPF and DKIM work by verifying that a FROM address used on an email is authorized by that website's domain. In other words, they make sure that you aren't pretending to be someone else.
SPF (Sender Policy Framework)
SPF is used by your subscribers' email servers (Gmail, Hotmail, Outlook, self-hosted email, etc.) to verify if the FROM email address you used on your newsletter is authorized by your website.
This is why you can't send newsletters with a FROM address using a domain you don't own. Read our guide on the FROM address.
For example, when your recipients receive a an email from @gmail.com or @yahoo.com, their servers will check if you are authorized to use a Gmail email address on a newsletter sent from your website. Since Gmail's servers don't have SPF records for your domain, this means your newsletter was not authorized by Gmail. As a result, your emails will not get delivered, fall in the spambox or display a spoofing warning.
If you want to use a third-party service to send your MailPoet newsletters (like SendGrid or ElasticEmail), you'll need to add their SPF or DKIM records on your website's DNS.
Read these guides from Mail Tester to help you set up an SPF record in your host's DNS records.
DKIM (DomainKeys Identified Mail)
DKIM is another TXT record added to your host's DNS records. Your MailPoet install will cryptographically sign your newsletters with a key generated specifically for your domain. When your subscribers receive your newsletter, their email servers will grab the key on your domain's DNS records. Then, it will use this key to perform a cryptographic authentication to make sure your newsletter was not modified during the sending process.
MailPoet users that send their newsletters using a third-party service, like SendGrid or Elastic Email, already have their messages signed by these services with their own DKIM keys. See SendGrid's document on DKIM and Elastic Email's guide.
If you are sending emails with your own website and want to set up DKIM, please contact your host company support. They will be able to setup your DKIM.
Want to check if your DKIM record is working? Just use this handy tool from MailTester: SPF and DKIM check.
Note: it's impossible to modify the DKIM record on 1and1 hosting, unfortunately.
DMARC is an instruction that an email service (e.g. MailPoet) gives to email service providers (e.g. Gmail or Yahoo) of what to do if they receive spoofed emails like phishing attacks.
This removes a lot of the guesswork for spam filters of the biggest email email service providers, like Gmail and Yahoo.
DMARC is not a prerequisite to good deliverability, although it can be considered one of the many deciding factors. The majority of the world’s senders have yet to implement DMARC.
MailPoet does has implemented DMARC, but not a strict "reject" policy. In other words, you do not need to update your own DNS to add DKIM and SPF records for the MailPoet Sending Service.