It's critically important, especially with the new Gmail and Yahoo updates in 2024, to authenticate your emails before engaging in any outreach, even if you send emails directly from your mailbox.
Why:
Deliverability: Emails without authentication can be rejected or placed in spam folders. These are mandatory settings enforced by mail providers.
Protection: Email authentication safeguards your emails from spoofing.
Note: Important!
If you are uncertain about how to perform these actions or if you lack access to your hosting website, please contact your IT person or someone who manages your domain.
You can also reach out to your hosting or mail provider support; they will assist you in configuring email authentication settings mentioned below.
What:
Email authentication consists of three parts:
SPF: Should include all mail servers (tools) that send emails on behalf of your domain.
DKIM: A digital signature that signs your emails and helps to verify their authenticity.
DMARC: Instructs the recipient's mail server on what to do with emails that fail SPF and DKIM.
Note: These are domain settings that are propagated across your entire domain, affecting all mailboxes associated with that domain.
Where:
Google work space admin account -> Admin panel -> DKIM : here you will get your DKIM part.
Your Namecheap website -> DNS: here you will add all 3 records. Your hosting website is a place where all your domain settings are located.
Step-by-step guide:
Step 1: Test your domain.
Firstly, you need to understand if there is anything to be fixed. You need to check your current domain settings.
Some useful tools that can help you:
Mail-tester tool: check the section "You are (not) fully authenticated".
Check out How to improve your Email Deliverability Score article to get Mail-tester report explained.
Step 2: fix your domain.
Note: Use the drop down arrow to expand the details.
SPF record
The correct record should follow several rules:
there should be only 1 record
should not exceed 10 DNS lookups
should contain all mail servers (mail tools) that send emails from your domain
Below you will find several cases of SPF issues.
Case 1: your domain has a missing SPF record:
Go to your Namecheap account -> Domain list
Find your domain and click "Manage":
Go to Advanced DNS:
Click "add new record", create the following record and hit "save":
Type: TXT
Host: @
TXT value: v=spf1 include:_spf.google.com ~all
Case 2: your domain has SPF, but it doesn't include your Google Workspace value.
In Advanced settings, please, find your current record -> click "Edit" and add your Gmail value:
include:_spf.google.com
Case 3: SPF has more than 10 DNS lookups.
SPF record has a limit of 10 DNS lookups.
If you exceed this limit, your SPF check fails.
To fix the issue, you need to review your record and remove values of the tools you don't use.
For example, on the screenshot above domain is using Google workspace, but contains both Office 365 and Google Workspace values.
To fix the issue, Office 365 needs to be removed.
Case 4: multiple SPF records.
Your domain can have only 1 SPF record.
How it looks in your DNS:
To fix the issue, combine 2 records into one and remove the extra record:
Here is the correct setup:
DKIM record
DKIM is provided by your mail service, not by Reply.io. It's a pair of digital keys. One is stored at your mail provider's side (you don't see it), the second part is provided to you so that you can add it you DNS.
See the details of setup below.
You can face several issues with DKIM:
no DKIM
your DKIM is generated, but not added to DNS, that's why your DKIM key can't be detected.
you can use a default Gmail DKIM and may want to generate your own (recommended).
In all cases just follow the steps of setup and the issue will be fixed.
Example: this is a default Google Workspace DKIM, most of the users will have it at once. You may want to generate your own.
Note: to set your custom record, your Google workspace account should be 24 to 72 hours old.
To set your custom record, navigate to Google work space admin account -> Admin panel -> DKIM
Select your domain:
Then click on "Generate new record":
Note:
you can keep your key 2048 bit length since most hosting providers support it.
you can use any selector you want
You've got your DKIM value to add to your hosting website:
Now go to your Namecheap -> Domain list -> select your domain -> Advanced DNS (see SPF record section to details) and save a new TXT record with the values copied from Google Workspace:
Give your DNS time to update the record. It can take from couple of minutes to 48h.
To see, if DNS have been updated, click on "Start authentication".
You can try using this button from time to time until you stop seeing this error.
You will see if DKIM is enabled properly here:
DMARC record
DMARC record instructs mail providers what to do with your emails if they fail SPF / DKIM check.
There are 3 options of DMARC policy:
Policy | Type | Details |
p=none | soft | It instructs mail providers to do nothing with emails that fail authentication. Does not protect you from spoofing. |
p=quarantine | strict | It instructs mail providers to place such emails to spam. Protects you from spoofing. |
p=reject | strict | It instructs mail providers to reject emails that fail authentication. Protects you from spoofing. |
Note:
Important! Please, do not use strict policy unless you are sure you mail authenticated all mail servers that send emails form your domain with SPF and DKIM. If not, your deliverability from unauthenticated servers will be hurt.
How to set soft DMARC:
DMARC can be rather complicated. If you want to fully use it, consider subscribing to any DMARC deployment tool to monitor your DMARC reports.
Here is how you can set a very basic DMARC that can help you follow the requirements, but will not hurt you.
Go to your Namecheap -> Domain list -> select your domain -> Advanced DNS (see SPF record section to details) and add the following TXT record:
Type: TXT
Host name: _dmarc
TXT value: v=DMARC1; p=none;
Step 3: Re-test your domain to see if everything is implemented properly.