It's critically important, especially with the new Gmail and Yahoo updates in 2024, to authenticate your emails before engaging in any outreach, even if you send emails directly from your mailbox.
Why:
Deliverability: Emails without authentication can be rejected or placed in spam folders. These are mandatory settings enforced by mail providers.
Protection: Email authentication safeguards your emails from spoofing.
Note: Important!
If you are uncertain about how to perform these actions or if you lack access to your hosting website, please contact your IT person or someone who manages your domain.
You can also reach out to your hosting or mail provider support; they will assist you in configuring email authentication settings mentioned below.
What:
Email authentication consists of three parts:
SPF: Should include all mail servers (tools) that send emails on behalf of your domain.
DKIM: A digital signature that signs your emails and helps to verify their authenticity.
DMARC: Instructs the recipient's mail server on what to do with emails that fail SPF and DKIM.
Note: These are domain settings that are propagated across your entire domain, affecting all mailboxes associated with that domain.
Where:
Office 365 Admin account to access admin centre: here you will get your DKIM part.
Your Namecheap website -> DNS: here you will add all 3 records. Your hosting website is a place where all your domain settings are located.
Step-by-step guide:
Step 1: Test your domain.
Firstly, you need to understand if there is anything to be fixed. You need to check your current domain settings.
Some useful tools that can help you:
Mail-tester tool: check the section "You are (not) fully authenticated".
Check out How to improve your Email Deliverability Score article to get Mail-tester report explained.
Step 2: fix your domain.
Note: Use the drop down arrow to expand the details.
SPF record
The correct record should follow several rules:
there should be only 1 record
should not exceed 10 DNS lookups
should contain all mail servers (mail tools) that send emails from your domain
Below you will find several cases of SPF issues.
Case 1: your domain has a missing SPF record:
Go to your Namecheap account -> Domain list
Find your domain and click "Manage":
Go to Advanced DNS:
Click "add new record", create the following record and hit "save":
Type: TXT
Host: @
TXT value: v=spf1 include:spf.protection.outlook.com -all
Case 2: your domain has SPF, but it doesn't include your Office 365 value.
In Advanced settings, please, find your current record -> click "Edit" and add your Office 365 value:
include:spf.protection.outlook.com
Case 3: SPF has more than 10 DNS lookups.
SPF record has a limit of 10 DNS lookups.
If you exceed this limit, your SPF check fails.
To fix the issue, you need to review your record and remove values of the tools you don't use.
For example, on the screenshot above domain is using Google workspace, but contains both Office 365 and Google Workspace values.
To fix the issue, Office 365 needs to be removed.
Case 4: multiple SPF records.
Your domain can have only 1 SPF record.
How it looks in your DNS:
To fix the issue, combine 2 records into one and remove the extra record:
Here is the correct setup:
DKIM record
DKIM is provided by your mail service, not by Reply.io. It's a pair of digital keys. One is stored at your mail provider's side (you don't see it), the second part is provided to you so that you can add it you DNS.
See the details of setup below.
DKIM guide from Microsoft can be found here.
Login to your Office admin account and navigate to Admin centre:
Click on "DKIM in Microsoft 365 Defender" and you will be transferred to the page with the list of your domains.
Click on your domain:
When you see, that it's Disabled, click on the toggle to enable it and you will receive 2 records to add to your DNS.
Please go to your hosting website and create 2 CNAME records with the values you have just received.
They will look like this:
After that give your DNS time to apply the changes ( ~30 min), then go back to DKIM in Microsoft 365 Defender and click on "Enable".
Please contact Office 365 support or your IT person and ask to assist with DKIM setting!
Note: For Office 365 accounts, purchased with GoDaddy you may need to use PowerShell to set up DKIM, since you don't have an full Admin portal.
DMARC record
DMARC record instructs mail providers what to do with your emails if they fail SPF / DKIM check.
There are 3 options of DMARC policy:
Policy | Type | Details |
p=none | soft | It instructs mail providers to do nothing with emails that fail authentication. Does not protect you from spoofing. |
p=quarantine | strict | It instructs mail providers to place such emails to spam. Protects you from spoofing. |
p=reject | strict | It instructs mail providers to reject emails that fail authentication. Protects you from spoofing. |
Note:
Important! Please, do not use strict policy unless you are sure you mail authenticated all mail servers that send emails form your domain with SPF and DKIM. If not, your deliverability from unauthenticated servers will be hurt.
How to set soft DMARC:
DMARC can be rather complicated. If you want to fully use it, consider subscribing to any DMARC deployment tool to monitor your DMARC reports.
Here is how you can set a very basic DMARC that can help you follow the requirements, but will not hurt you.
Go to your Namecheap -> Domain list -> select your domain -> Advanced DNS (see SPF record section to details) and add the following TXT record:
Type: TXT
Host name: _dmarc
TXT value: v=DMARC1; p=none;
Step 3: Re-test your domain to see if everything is implemented properly.