Email Authentication: SPF, DKIM, DMARC
Email authentication refers to implementing various DNS records to prevent emails from being marked as spam and increase their deliverability rate. By setting these up, you
- Improve your open rate;
- Increase engagement with your readers;
- Improve your sender reputation.
In simple terms, SPF, DKIM and DMARC verify that a sender is authorized to send emails on their website's behalf, and they ensure you aren't pretending to be someone else.
SPF and DKIM authentication can be set up by adding TXT entries to your server's DNS records. This is done through your host's control panel (usually cPanel, Plesk or WHM).
What is SPF?
SPF (Sender Policy Framework) is a DNS record used by your subscribers' email servers (Gmail, Hotmail, Outlook, self-hosted email, etc.) to verify if your website authorizes the FROM email address you used on your newsletter. This is why you can't send newsletters with a FROM address using a domain you don't own. Read our guide on the FROM address.
If you use a third-party service to send your MailPoet newsletters (like SendGrid or ElasticEmail), you'll need to add their SPF or DKIM records to your website's DNS. Read how to add or edit your SPF record to help you set up an SPF record in your host's DNS records.
Users sending with MailPoet's Sending Service usually don't need to set up their own SPF, as messages will automatically have MailPoet Sending Service's SPF set up. As you're sending through our servers, the SPF record of sendingservice.net will be checked, not your domain's, and it is expected that it won't be aligned with your sender domain. However, as long as DMARC and DKIM records pass, it should not impact your deliverability.
What is DKIM?
DKIM (DomainKeys Identified Mail) is another record added to your host's DNS records. Your MailPoet install will cryptographically sign your newsletters with a key generated specifically for your domain. When your subscribers receive your newsletter, their email servers will grab the key on your domain's DNS records. Then, it will use this key to perform a cryptographic authentication to make sure your newsletter was not modified during the sending process.
MailPoet users that send their newsletters using a third-party service, like SendGrid or Elastic Email, already have their messages signed by these services with their DKIM keys. See SendGrid's document on DKIM and Elastic Email's guide. If you are sending emails with your own website and want to set up DKIM, please contact your host company support to get assistance.
Set up DKIM for your domain when using the MailPoet Sending Service
If you are using MailPoet Sending Service to send emails, you may need to set up DKIM for your domain if you are already using DMARC or are experiencing email spoofing issues. Adding a Sender Domain and setting up DKIM will help assure your subscribers that emails MailPoet sends on your behalf were indeed sent by you and thus may improve the deliverability of your emails.
A sender domain is the domain you use in your email's FROM address. Usually, it is the same domain as your website, but this may not always be the case. If you're sending your emails as johndoe@example.com, your sender domain is "example.com".
Note: it's impossible to set up a DKIM record using a free email address, such as Gmail.com or Yahoo.com, so there is no need to take action if that's your case. More about it here.

You will need to add the three DNS records through your DNS provider. Usually, it is the same organization you purchased your domain from (e.g. GoDaddy, NameCheap), or your hosting company.
Adding/creating the DNS records
You'll need to create two CNAME and one TXT DNS record to set up DKIM for your domain properly. To make it easier for you, you can check the instructions from some of the most popular hosting providers by referring to the list below:
Hostinger | cPanel |
Bluehost | Cloudflare (follow our instructions here) |
OVH | Dreamhost |
Ionos | NameCheap |
Hostgator | GoDaddy |
DigitalOcean | WordPress.com |
Troubleshooting invalid DKIM records
If you've added the records but are having trouble verifying them, you can check if your records are propagated properly and have the correct values in public DNS. To do that, visit these links (change example.com to your sender domain first):
- https://www.whatsmydns.net/#CNAME/mailpoet1._domainkey.example.com
- https://www.whatsmydns.net/#CNAME/mailpoet2._domainkey.example.com
- https://www.whatsmydns.net/#TXT/_mailpoet.example.com
If you've just added the records, wait 5-10 minutes and then click "Verify DNS records" again. DNS changes can take up to 24 hours to propagate, but commonly you may see them within 5-30 minutes.
If the records are still showing as "Invalid" in your MailPoet account, please ensure the record types, names and values in your DNS manager exactly match the values requested in the MailPoet interface. If you're still having trouble verifying them, please check whether you are experiencing one of the following cases:
Domain name duplicated
Double-check the DNS record name. Some DNS providers append the domain name to whatever you enter, so a record entered as "mailpoet1._domainkey.example.com" is incorrectly created as "mailpoet1._domainkey.example.com.example.com". This is the case with GoDaddy and NameCheap, for example.
If this occurred in your case, try removing the domain name from the record's name, leaving it as "mailpoet1._domainkey", "mailpoet2._domainkey" and "_mailpoet".
To confirm this is what's happening, you can use the online tool https://www.mail-tester.com/spf-dkim-check
Duplicate the domain like this and check if you find a record for it:
Cloudflare configuration
Proxy status
If you use Cloudflare as your domain's DNS provider, switch from "Proxied" to "DNS only" Proxy status for both of the CNAME records:
CNAME Flattening
Also, please turn off CNAME Flattening in Cloudflare, as it can cause issues with the DNS resolution and prevent the domain from being verified. More information about CNAME Flattening is available in Cloudflare's documentation here: https://developers.cloudflare.com/dns/additional-options/cname-flattening/
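The checks from this troubleshooting section (record type, name and value, plus the duplicated-domain case) can be expressed as a small offline script. This is an added example, not MailPoet's code: the function names are hypothetical, and the CNAME targets, TXT token and zone contents are constructed placeholders to be replaced with the values shown in your MailPoet interface and the records actually published for your domain.

```python
# Added example: offline check of the three records. Every value here is a
# constructed placeholder; use the values shown in your MailPoet interface.

def canon(rtype, value):
    """Normalize a record value for comparison."""
    value = value.strip()
    if rtype == "CNAME":                     # host names: case-insensitive, no root dot
        return value.rstrip(".").lower()
    return value.strip('"')                  # TXT: drop presentation quotes only

def diagnose(domain, expected, zone):
    """Return {label: status} for each expected (label, rtype, value)."""
    domain = domain.rstrip(".").lower()
    published = {name.rstrip(".").lower(): (rtype.upper(), value)
                 for name, (rtype, value) in zone.items()}
    report = {}
    for label, rtype, value in expected:
        fqdn = f"{label}.{domain}"
        doubled = f"{fqdn}.{domain}"         # x.example.com.example.com
        if fqdn in published:
            got_type, got_value = published[fqdn]
            if got_type != rtype:
                report[label] = f"wrong type: {got_type}, expected {rtype}"
            elif canon(rtype, got_value) != canon(rtype, value):
                report[label] = "wrong value"
            else:
                report[label] = "ok"
        elif doubled in published:
            report[label] = f"domain duplicated: use '{label}' as the record name"
        else:
            report[label] = "missing"
    return report

EXPECTED = [
    ("mailpoet1._domainkey", "CNAME", "dkim1.placeholder.invalid"),
    ("mailpoet2._domainkey", "CNAME", "dkim2.placeholder.invalid"),
    ("_mailpoet", "TXT", "constructed-verification-token"),
]
# Constructed zone contents showing one case of each kind.
ZONE = {
    "mailpoet1._domainkey.example.com.example.com.": ("CNAME", "dkim1.placeholder.invalid."),
    "mailpoet2._domainkey.example.com.": ("A", "192.0.2.10"),
    "_mailpoet.example.com.": ("TXT", '"constructed-verification-token"'),
}

if __name__ == "__main__":
    for label, status in diagnose("example.com", EXPECTED, ZONE).items():
        print(f"{label}: {status}")
```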
What is DMARC?
DMARC is an instruction that an email service (e.g. MailPoet) gives to email service providers (e.g. Gmail or Yahoo) of what to do if they receive spoofed emails like phishing attacks. DMARC is not a prerequisite to good deliverability, although it can be considered one of the many deciding factors.
Setting up DMARC
We recommend setting up DMARC ("Domain-based Message Authentication, Reporting and Conformance") for your domain to enable you to control and monitor its usage.
Malicious actors may impersonate your domain in their spam or phishing emails. Having a restrictive DMARC policy reduces their ability to do so and improves your deliverability at the same time.
ReturnPath and ProofPoint have great guides on how to set up DMARC.
It will require creating a new DNS record "_dmarc.yourdomain.com", so you may want to ask your domain provider to help.
If you have never used DMARC for your domain, we recommend starting with a neutral policy:
v=DMARC1; p=none; fo=1; rua=mailto:your-email-address@example.com; ruf=mailto:your-email-address@example.com
Once you ensure that all desirable emails pass DMARC (e.g. after a few weeks of monitoring DMARC reports), you can switch to a more restrictive policy:
v=DMARC1; p=quarantine; fo=1; rua=mailto:your-email-address@example.com; ruf=mailto:your-email-address@example.com
"rua=" specifies addresses where aggregate usage reports should be sent, while "ruf=" specifies addresses that should receive forensic reports.
This will allow you to see who uses your domain to send emails, whether authorized or unauthorized by you.
Tools like Dmarcian can make it easier to collect, process and visualize such reports for you.
Sending has been paused due to a technical issue with MailPoet: Error while sending. Email violates Sender Domain's DMARC policy. Please set up sender authentication.
This error happens when you have a DMARC policy set up for your sender domain with "p=quarantine" or "p=reject" policy and you are using our MailPoet Sending Service.
If your sender domain doesn't have DKIM records pointing to MailPoet, your emails sent with MailPoet will be quarantined or rejected. To avoid this, sending is paused on your site until DKIM records are added for your sender domain.
To solve this error, authenticate the sender domain by adding a DKIM record. If you don't have control over the domain's DNS settings, please use a different FROM email address. Just make sure it's authorized on your MailPoet account.
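The two DMARC records shown above and the pause rule from this error can be checked with a short parser. This is an added example, not MailPoet's code: the function names are hypothetical, and `dkim_points_to_mailpoet` is an assumed input that you determine separately by verifying your DKIM records.

```python
# Added example: DMARC record parsing plus the pause rule described above.
# Function names are hypothetical; the records are the two shown on this page.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return the record's tags as a dict, or raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue                          # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or unknown p= policy")
    tags["p"] = tags["p"].lower()
    return tags

def report_addresses(tags, tag):
    """List the mailto: addresses in rua= or ruf= (size limits like !10m dropped)."""
    out = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            out.append(uri[len("mailto:"):].split("!")[0])
    return out

def sending_status(record, dkim_points_to_mailpoet):
    """An enforcing policy without DKIM pointing to MailPoet pauses sending."""
    policy = parse_dmarc(record)["p"]
    if policy in ("quarantine", "reject") and not dkim_points_to_mailpoet:
        return "paused: add DKIM records for the sender domain"
    return "ok"

NEUTRAL = ("v=DMARC1; p=none; fo=1; rua=mailto:your-email-address@example.com; "
           "ruf=mailto:your-email-address@example.com")
STRICT = NEUTRAL.replace("p=none", "p=quarantine")

if __name__ == "__main__":
    for rec in (NEUTRAL, STRICT):
        print(parse_dmarc(rec)["p"], "->", sending_status(rec, dkim_points_to_mailpoet=False))
```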
How to check your SPF and DKIM keys
You can simply use this tool to check your SPF and DKIM keys.
Add the website domain where you're sending your emails from and enter default as your DKIM selector.
You can run a spam score test if you want more information about it.