It's critically important, especially with the new Gmail and Yahoo updates in 2024, to authenticate your emails before engaging in any outreach, even if you send emails directly from your mailbox.
Deliverability: Emails without authentication can be rejected or placed in spam folders. These are mandatory settings enforced by mail providers.
Protection: Email authentication safeguards your emails from spoofing.
If you are uncertain about how to perform these actions or if you lack access to your hosting website, please contact your IT person or someone who manages your domain.
You can also reach out to your hosting or mail provider support; they will assist you in configuring email authentication settings mentioned below.
Email authentication consists of three parts:
SPF: Should include all mail servers (tools) that send emails on behalf of your domain.
DKIM: A digital signature that signs your emails and helps to verify their authenticity.
DMARC: Instructs the recipient's mail server on what to do with emails that fail SPF and DKIM.
Note: These are domain settings that are propagated across your entire domain, affecting all mailboxes associated with that domain.
Google Workspace Admin Account: Navigate to Admin Panel -> DKIM; here, you will find your DKIM settings.
Your GoDaddy Website: Access DNS settings; here, you will add all three records. Your hosting website is the central location for all your domain settings.
Step 1: Test your domain.
Firstly, you need to understand if there is anything to be fixed. You need to check your current domain settings.
Some useful tools that can help you:
Check out How to improve your Email Deliverability Score article to get Mail-tester report explained.
Step 2: fix your domain.
Note: Use the drop down arrow to expand the details.
The correct record should follow several rules:
there should be only 1 record
should not exceed 10 DNS lookups
should contain all mail servers (mail tools) that send emails from your domain
To perform any actions with your SPF:
Sign in to your GoDaddy Domain Portfolio -> Go to "My Products" and select your domain -> Select DNS to view and edit your DNS records.
Below you will find several cases of SPF issues.
Case 1: your domain has a missing SPF record:
Case 2: your domain has SPF, but it doesn't include your Google Workspace value.
Case 3: SPF has more than 10 DNS lookups.
SPF record has a limit of 10 DNS lookups.
If you exceed this limit, your SPF check fails.
To fix the issue, you need to review your record and remove values of the tools you don't use.
For example, on the screenshot above domain is using Google workspace, but contains both Office 365 and Google Workspace values.
To fix the issue, Office 365 needs to be removed.
Case 4: multiple SPF records.
DKIM is provided by your mail service, not by Reply.io. It's a pair of digital keys. One is stored at your mail provider's side (you don't see it), the second part is provided to you so that you can add it you DNS.
See the details of setup below.
You can face several issues with DKIM:
your DKIM is generated, but not added to DNS, that's why your DKIM key can't be detected.
you can use a default Gmail DKIM and may want to generate your own (recommended).
In all cases just follow the steps of setup and the issue will be fixed.
Example: this is a default Google Workspace DKIM, most of the users will have it at once. You may want to generate your own.
Note: to set your custom record, your Google workspace account should be 24 to 72 hours old.
To set your custom record, navigate to Google work space admin account -> Admin panel -> DKIM
Select your domain:
Then click on "Generate new record":
you can keep your key 2048 bit length since most hosting providers support it.
you can use any selector you want
You've got your DKIM value to add to your hosting website:
Now go to your GoDaddy -> Domain list -> select your domain -> Advanced DNS (see SPF record section to details) and save a new TXT record with the values copied from Google Workspace:
Give your DNS time to update the record. It can take from couple of minutes to 48h.
To see, if DNS have been updated, click on "Start authentication".
You can try using this button from time to time until you stop seeing this error.
You will see if DKIM is enabled properly here:
DMARC record instructs mail providers what to do with your emails if they fail SPF / DKIM check.
There are 3 options of DMARC policy:
It instructs mail providers to do nothing with emails that fail authentication. Does not protect you from spoofing.
It instructs mail providers to place such emails to spam. Protects you from spoofing.
It instructs mail providers to reject emails that fail authentication. Protects you from spoofing.
Important! Please, do not use strict policy unless you are sure you mail authenticated all mail servers that send emails form your domain with SPF and DKIM. If not, your deliverability from unauthenticated servers will be hurt.
How to set soft DMARC:
DMARC can be rather complicated. If you want to fully use it, consider subscribing to any DMARC deployment tool to monitor your DMARC reports.
Here is how you can set a very basic DMARC that can help you follow the requirements, but will not hurt you.
Go to your GoDaddy -> Domain list -> select your domain -> Advanced DNS (see SPF record section to details) and add the following TXT record:
Host name: _dmarc
TXT value: v=DMARC1; p=none;
Step 3: Re-test your domain to see if everything is implemented properly.