SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are email signatures used to prevent spoofing, phishing, and impersonation. When sending an email, the recipient's spam filter scans the sender's domain for these SPF and DKIM signatures. If these signatures are present, then the recipient's spam filter will confirm that emails sent from your domain are authenticated and they will not be marked as spam.
SPF and DKIM are both added as TXT records in your DNS settings.
The email service you are using is usually the one to provide you with an SPF record. If not, then there are tools out there that can help you generate one.
SPF Wizard can create or edit an SPF record if it's necessary. SPF generator tools like the one mentioned are helpful because they allow you to adjust and edit the IP addresses and/or domains mail can be sent from. You would first enter the name of your domain, and you will see how the record entry changes and keys are added as you edit the other options below.
SPF Keys Explained
v=spf1 will almost always be the first value because spf1 is the most common version of SPF that is used by mail exchanges.
Enter any IP addresses that belong to the servers sending the mail. You can enter more than one IP just by including a space after the first one. Note the format of your IP will be written as either
Below are the mechanisms included in the record that determine what domains or IPs are allowed to send mail:
aallows the current IP to send mail.
mxallows the MX servers to send mail.
includewill allow a third-party to send emails on your domain's behalf.
allis usually at the end of this value and is referenced if the sender's IP doesn't match any of the previously defined mechanisms. It will be appended by a flag that determines if and how the mail should be accepted when sent on your domain's behalf.
+all= Any IP is allowed to send emails on your behalf.
-all= No other IP is allowed to send emails on your behalf.
~all= Other IPs are allowed to send emails on your behalf, but they will be marked.
Add the SPF record to your DNS settings as a TXT record. Enter the domain in the Name field, and the generated result in the Value field.
DKIM records are composed of a selector and a public key. You are also provided with a private key that is used by the server and is attached to your email header, but only the public one is added to your DNS records. The public key is what the receiving email server scans to determine if the email is legitimate and not spam. Again, the organization providing the email service is responsible for administering the keys.
A selector allows for the publishing of public keys. Since the public key was provided to you, then you would have also been provided with the selector since they are bound together. A selector is oftentimes formatted like the following:
<selector> identifies what key you are using and can be used for multiple keys, so it's possible to have more than one DKIM record as long as the correct selector is used.
It's recommended to rotate your public key at least once a year for security purposes, so remember to change the Value in your DNS records to reflect this change.
In this example,
default._domainkey was the provided selector entered into the Name field and the provided public key was entered into the Value field. Here are the public key values explained:
v=DKIM1\indicates the version of DKIM.
k=rsa\indicates the key type which is RSA.
p=<public key>specifies the public key.
If you are running your own mail server, or are unable to obtain a DKIM record from your email service provider, it's possible to generate one using tools such as the one SocketLabs provides. You just need to enter your domain name and specify a selector.
Depending on the TTL, SPF and DKIM TXT records need time to propagate. If there are any issues after propagation has completed (emails can't be sent/received, emails are sent directly to spam, etc.), then please double-check the configuration for these records.
ISnotSPAM is a good tool to use to verify if your emails are not being sent directly to spam.
For more information on troubleshooting DNS records, feel free to reference our DNS Debugging article.