Essential Guide to Email Authentication

For some - a picture is worth a thousand words

For others, a few more details are necessary:

While the blog on my site goes into more detail of what SPF, DKIM, and DMARC records are and their roles in email authentication and deliverability, here are the answers to a few FAQs about record placement:

Q: Can I place more than one SPF record?

A: To avoid SPF authentication errors, you should only have one SPF record; however, you can have multiple “includes” in that one record.

For example, say you use MailChimp for email marketing and you have a Google Workspace Business email.

Instead of two TXT records:

v=spf1 include:servers.mcsv.net ~all

v=spf1 include:_spf.google.com ~all

The correct TXT record would be: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Q: Can I have multiple DKIM records?

Yes! DKIM records contain unique keys in order to authenticate the sender. For this reason, you may have a unique one for MailChimp saying MailChimp is allowed to send on your behalf and a different DKIM key for Google saying Google Workspace is allow to send on your behalf. Do not combine DKIM records. Put them in using the Host and Value record provided.

Q: Can I have multiple DMARC records?

Like SPF, you should only have one DMARC record to avoid authentication errors. It is important that the value in the DMARC record is v=DMARC1 followed by the policy (default is none) and who should be notified if the DMARC is rejected (rua=your email address). There are other fields available but these are the standard to meet authentication requirements.

Q: How can I check if I have these records in place?

DMARCION has a free service to allow you to check your SPF, DKIM, and DMARC records. Please note, they do not care for the default value (p=none) so if you see an X but your DMARC policy says "Your domain has a valid DMARC record...", you’re fine. I have seen at least one case where the DKIM record was on the server but it didn’t see it. If that is the case, just ask your support person to double check the formatting or put the DKIM into the validator field box so it can check it for you.

Q: I need a DMARC policy, how can I create one?

DMARCION also has a free DMARC policy creator. Simply go to DMARC Record Wizard and follow the prompts to create your policy if you want something more robust than the standard default:

TXT Record:

Host: _dmarc.{your domain}

Value: v=DMARC1; p=none; rua=mailto:{your email address};

Q: What if I use a forwarding email address?

Forwarding emails are being caught in the crossfire, especially if they are business domain based but being pushed to a free account (like gmail). I have already witnessed servers rejecting these emails because the sender (your business domain) does not match the DKIM record (for a gmail.com account - Google). While the new policy does focus more on bulk emails of 5000 or more, it may be best to discontinue email forwarding and migrate to Google Workspace or Microsoft Office 365; however, do what works for you and your budget.

Q: Anything I should know?

Make sure anyone who is authorized to send as you is authenticated via SPF (making sure their “include” is part of your one SPF record) and DKIM (having their specific DKIM record added as an individual TXT file). Ontraport just did a major push where they have created CNAME records and updated the A record for custom domains that require configurations.

Read the entire blog post about SPF, DKIM, and DMARC here: https://kopfconsulting.org/inbox-guardians-unlocking-the-mysteries-of-spf-dkim-and-dmarc/

Need further support?

Reach out! We provide a Quick Gig service to get your SPF, DKIM, and DMARC records set up as well as Temp Tech service for further support.

Prefer to receive these sent directly to your inbox? Sign up for our newsletter and get notified about new blogs, great deals, and other helpful tips.