Domain Keys and Sender Policy Framework Records Must be Set
Your Highness. I’ve received your correspondence and am honored to respond. Oh!? How did I know it was you? Because the letter was sealed in melted wax embossed with your official seal. That’s how it worked in the year 1818. How does it work in 2018?
You probably didn’t realize this, but the internet has an authentication system to ensure an email that says it came from you actually came from you. Stop and think about that for a second. What if bad actors could spoof your email address and send emails pretending to be you? It would be disastrous. So, how does the internet authenticate emails that come from you?
The internet uses two DNS (Domain Name System) records to ensure you are who you say you are. You want both in place to improve your odds of staying out of the SPAM folder.
- Sender Policy Framework (SPF): A simple email validation system designed to detect email spoofing. It gives receiving mail exchanges a mechanism to verify that incoming email from a domain or IP address comes from an authorized host.
- DomainKeys Identified Mail (DKIM): A cryptographic authentication system where a private key is stored in your DNS records. This key is used to authenticate identity, as well as verify that the message hasn’t been modified or tampered with in transit.
Do you want to stay out of the SPAM folder? Absolutely. Here is what you need to do. Our primary example will be HubSpot, but this applies to any platform that sends email on your behalf.
Step 1: Check your SPF record
MxToolBox is an Austin-based company that provides several tools for testing email deliverability factors. You want to start with the SPF test. Here’s an example of an error. It is wrong for one reason we know and one reason we suspect.
- We can see there is a syntax error in the record (they need a colon after “include”)
- We suspect they’ve neglected to include other platforms they use to send email (Salesforce, MailChimp, Constant Contact, etc.)
When you run the same test on the allies4me.com domain, you will see two platforms – Office 365 and HubSpot. You also see there are no syntax errors. We don’t send from MailChimp or any other platforms, so this is all we need in our SPF record.
Notice that the record is a single TXT entry in the DNS record. Don’t enter a separate TXT record for each platform. They need to be on the same line.
v=spf1 include:spf.protection.outlook.com include:1939566.spf08.hubspotemail.net -all
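An added example, not part of the original article: a small offline linter for the two SPF mistakes described above, a missing colon after "include" and one TXT record per platform instead of a single merged record. The function name lint_spf and the two broken sample records are constructed for illustration; the clean record is the one shown above.

```python
import re

# One SPF term: optional qualifier, name, then optional ":", "=" or "/" plus a value.
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9_.-]+)(?:([:=/])(.*))?$")
NEEDS_VALUE = {"include", "exists", "ip4", "ip6"}  # must be written name:value
MECHANISMS = NEEDS_VALUE | {"a", "mx", "ptr", "all"}
MODIFIERS = {"redirect", "exp"}                    # written name=value

def lint_spf(txt_records):
    """Return the problems found in a domain's TXT records (empty list = clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no v=spf1 record published"]
    problems = []
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        problems.append(f"{len(spf)} v=spf1 records found; merge them into one TXT record")
    for record in spf:
        seen_all = closes = False
        for term in record.split()[1:]:
            m = TERM.match(term)
            _, name, sep, value = m.groups() if m else ("", term, None, None)
            name = name.lower()
            if name in MODIFIERS:
                closes = closes or name == "redirect"
                if sep != "=" or not value:
                    problems.append(f"'{term}': write this modifier as {name}=domain")
            elif name not in MECHANISMS:
                hint = next((k for k in sorted(NEEDS_VALUE) if name.startswith(k)), None)
                problems.append(f"'{term}': unknown mechanism"
                                + (f" (missing ':' after '{hint}'?)" if hint else ""))
            elif seen_all:
                problems.append(f"'{term}': mechanisms after 'all' are never evaluated")
            elif name in NEEDS_VALUE and (sep != ":" or not value):
                problems.append(f"'{term}': {name} must be followed by ':' and a value")
            seen_all = seen_all or name == "all"
        if not (seen_all or closes):
            problems.append("no 'all' or 'redirect=' term; unlisted senders get a neutral result")
    return problems

# The record published on the page, plus two constructed broken variants.
GOOD = ["v=spf1 include:spf.protection.outlook.com include:1939566.spf08.hubspotemail.net -all"]
NO_COLON = ["v=spf1 includespf.protection.outlook.com -all"]   # constructed
SPLIT = ["v=spf1 include:spf.protection.outlook.com -all",      # constructed: one
         "v=spf1 include:1939566.spf08.hubspotemail.net -all"]  # TXT record per platform

if __name__ == "__main__":
    for label, records in [("good", GOOD), ("no colon", NO_COLON), ("split", SPLIT)]:
        print(label, "->", lint_spf(records) or "OK")
```

Feed it every TXT string your DNS host returns for the domain; non-SPF TXT records are ignored.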
Step 2: Check your DKIM Settings
DKIM gets a little more complicated. Your domain keys (DKIM) are part of the decryption key that determines if an email sent in your name is valid or not. So, there is no way to view these publicly. To make matters worse, each platform handles the domain keys a little differently.
- Navigate to “Profile” using the top-right navigation
- Under “Settings” select “Verified Domains”
- Next to “Authentication” click “View setup instructions”
- You will find the values for both DKIM and SPF
- From the web interface, go to Admin center
- Expand “Admin centers” in the left vertical menu and click on “Exchange”
- Under “Protection” select DKIM
- Click on your emailing domain and on the right-hand side click to enable DKIM signatures
- Then read this article to find the correct syntax for your DKIM record
HubSpot is moving this setting, but at the time of writing this, go to Content Settings in the Marketing Portal. Go to Domain settings and at the bottom of the page you will find Email Sending Domains.
At first pass, ours looked properly configured as you can see in the following image.
But when we clicked on “Details” we saw that we were missing some entries in our DNS record.
Once those were added, everything passed.
You obviously want your emails going to the Inbox and not the SPAM folder. But you probably didn’t know about these two important records. Set the SPF and DKIM records correctly to engage better with your customers, prospects, and anyone you want to get your emails.