First of all, we suggest that you read our article about setting up sender and reply addresses.
Why authenticate domains?
Authentication technology allows the receiver of an email and their ISP to confirm that your sender address really belongs to you. If the identity of your sender address cannot be authenticated, ISPs may reject your messages or put them through additional filters to decide whether they should be delivered. Without authentication, your chances of being filtered or blocked by major ISPs are greatly increased. By authenticating your domains you instantly bypass certain filters, giving your emails a better chance of arriving in the receiver's inbox. Many ISPs, like Yahoo! and Hotmail, also flag your email as authenticated, which helps build trust between you and your subscribers and improves the chances of your emails being opened.
These are the three most common types of authentication:
- SPF
- DKIM
- DMARC
We highly recommend that all three authentication methods are set up for each of your sending domains.
SPF
SPF (Sender Policy Framework) is an email authentication system that lets the receiving mail server verify that a message came from a mail server authorized by the sending domain: the domain publishes, in a DNS TXT record, the IP addresses allowed to send mail on its behalf, and the receiver checks the connecting IP address against that list. Most major ISPs check for SPF records and will usually place your email in their junk folder (or equivalent) without one. Another major reason to implement SPF is that forging your mail domain becomes harder, so you are less likely to become the victim of phishing attempts that spoof your domain.
Add a TXT record for the domain you will be using for the Sender Address using the following:
"v=spf1 include:carmamail.com ~all"
More about SPF from Google here.
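To show what a receiving server actually does with a record like the one above, here is an added example (not carmamail's code) of a minimal SPF evaluator. It resolves records from a constructed in-memory DNS table instead of live DNS; the domains and IP ranges in that table (example.com, strict.example, broken.example and the ranges given for carmamail.com) are sample values for the example, not carmamail's real records. Only the ip4, ip6, include and all mechanisms are implemented; the others need live lookups.

```python
import ipaddress

# Constructed DNS TXT table standing in for live lookups. These are sample records
# for the example only; the IP ranges listed for carmamail.com are made up.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:carmamail.com ~all",
    "carmamail.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
    "broken.example": "v=spf1 include:missing.example -all",  # includes a domain with no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: more than 10 DNS lookups is a permerror


def lookup_spf(domain, dns):
    """Return the SPF TXT record for a domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate whether `ip` is permitted to send mail for `domain`.

    Returns one of the RFC 7208 results handled here:
    pass, fail, softfail, neutral, none or permerror.
    Only ip4, ip6, include and all are implemented; a, mx, ptr, exists and
    redirect would need live DNS and are reported as permerror in this example.
    """
    if _lookups is None:
        _lookups = [0]
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version term
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"
            inner = check_spf(ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include: keep evaluating the outer record
        else:
            return "permerror"
    return "neutral"  # nothing matched and no "all" term: the default result


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "example.com"), ("192.0.2.1", "example.com")]:
        print(ip, domain, check_spf(ip, domain))
```

The second sample call is the interesting one: an IP that is not in the included provider's list does not "fail" the customer's record, because the include only contributes a match; the outer `~all` then decides, which is why `~all` gives softfail while `-all` would give a hard fail.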
DKIM
DomainKeys Identified Mail (DKIM) combines and improves on Yahoo!'s DomainKeys and Cisco's Identified Internet Mail specifications. The sending domain vouches for its emails, and the receiver can verify that the message content and signed headers have not been modified in transit. The mail server signs each email with a private key, and the domain publishes the matching public key in a TXT record.
Create a subdomain dkim2048._domainkey.<yourdomain.com>
Add a TXT record to this subdomain using the following value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWGGBpzaOp4gCZ9o1f8PU8LOAlis2eTWQPWNLLuQ9urpC3oFp2i9kzkuFl5jMZY+3P4IEQJX+ju02khakL2rxe13E/FemB/OLqkhNkL+0dv8txBwIyK51FSI7ZJr96jiP3QwuyjOf8Xl9qAWOL9WFXqR+makG0u69hBO+V/dCzlprfH8M/2HGKp4HqtrqRvpdhSXTLz/dQG82Sz6xWClaT415PljmuDH2X7meHwPHuB6Lt36qmqAnBbgyMvyWOtB6eEIoxwqleYlDzqK/QmIpXL0k3e7JAZh6vwnrYTlzDDjFD/6wkeZZVptynwrOoO01H5A1KXg6n3+AkBlzHe0jwIDAQAB
DKIM keys and TXT record limits
A single TXT string can hold at most 255 characters. For TXT records that need more than 255 characters, DNS concatenates multiple strings into a single record.
If you’re using a 2048-bit DKIM key, you can’t enter it as a single text string in a DNS record with a 255-character limit. Instead, take these steps:
- Split the key characters into multiple text strings.
- Put each string inside quotes.
- Enter the strings one after another in the TXT record Value field at your domain provider.
"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWGGBpzaOp4gCZ9o1f8PU8LOAlis2eTWQPWNLLuQ9urpC3oFp2i9kzkuFl5jMZY+3P4IEQJX+ju02khakL2rxe13E/FemB/OLqkhNkL+0dv8txBwIyK51FSI7ZJr96jiP3QwuyjOf8Xl9qAWOL9W"
"FXqR+makG0u69hBO+V/dCzlprfH8M/2HGKp4HqtrqRvpdhSXTLz/dQG82Sz6xWClaT415PljmuDH2X7meHwPHuB6Lt36qmqAnBbgyMvyWOtB6eEIoxwqleYlDzqK/QmIpXL0k3e7JAZh6vwnrYTlzDDjFD/6wkeZZVptynwrOoO01H5A1KXg6n3+AkBlzHe0jwIDAQAB"
The old 1024-bit key (subdomain k5._domainkey.<yourdomain.com>):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeME/BOupsVhYh3Q4luTOUnS7qhBhsFUPcZvONZmJeFR/gMBpt4kjSqgmhnLQmE0ev1+d02AGU/AB97VuGEYJBFHIl8aN67rmTOPVANK5jTyE5B0jnuY/LDRWXPNmeJiP35UCVMFAS0Pis0YVsgxMJLaLv/JVlk3oBfJd673LgLQIDAQAB
More about DKIM from Google here and TXT limits here.
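The following is an added example, not carmamail's own tooling, that does the splitting described in the "DKIM keys and TXT record limits" steps and then checks the result the way a DKIM verifier would: it joins the quoted strings back together, parses the tag list, base64-decodes the `p=` value and reads the RSA modulus size out of the DER structure. The record values are the two quoted strings and the old 1024-bit key from this page; the helper names are my own.

```python
import base64

# The DKIM values from this page: the 2048-bit key exactly as the two quoted
# strings shown above, and the older 1024-bit key.
DKIM_2048_STRINGS = [
    "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWGGBpzaOp4gCZ9o1f8PU8LOAlis2eTWQPWNLLuQ9urpC3oFp2i9kzkuFl5jMZY+3P4IEQJX+ju02khakL2rxe13E/FemB/OLqkhNkL+0dv8txBwIyK51FSI7ZJr96jiP3QwuyjOf8Xl9qAWOL9W",
    "FXqR+makG0u69hBO+V/dCzlprfH8M/2HGKp4HqtrqRvpdhSXTLz/dQG82Sz6xWClaT415PljmuDH2X7meHwPHuB6Lt36qmqAnBbgyMvyWOtB6eEIoxwqleYlDzqK/QmIpXL0k3e7JAZh6vwnrYTlzDDjFD/6wkeZZVptynwrOoO01H5A1KXg6n3+AkBlzHe0jwIDAQAB",
]
DKIM_1024 = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeME/BOupsVhYh3Q4luTOUnS7qhBhsFUPcZvONZmJeFR/gMBpt4kjSqgmhnLQmE0ev1+d02AGU/AB97VuGEYJBFHIl8aN67rmTOPVANK5jTyE5B0jnuY/LDRWXPNmeJiP35UCVMFAS0Pis0YVsgxMJLaLv/JVlk3oBfJd673LgLQIDAQAB"

TXT_STRING_MAX = 255  # one character-string in TXT RDATA holds at most 255 bytes (RFC 1035)


def split_txt(value, max_len=TXT_STRING_MAX):
    """Split a long TXT value into strings of at most max_len characters (ASCII assumed)."""
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def format_txt_value(value):
    """Render the value as a provider UI or zone file expects it: quoted strings, space separated."""
    return " ".join('"%s"' % s for s in split_txt(value))


def join_txt(strings):
    """Concatenate the TXT strings, as a DKIM verifier does (RFC 6376 section 3.6.2.2)."""
    return "".join(strings)


def parse_tags(record):
    """Parse a DKIM-style tag=value list into a dict."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if field:
            name, _, value = field.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_key_bits(p_value):
    """Decode a p= value (base64 SubjectPublicKeyInfo) and return the RSA modulus size in bits."""
    spki = base64.b64decode(p_value)
    tag, start, _ = _der_tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, alg_end = _der_tlv(spki, start)        # AlgorithmIdentifier (rsaEncryption)
    tag, bits_start, _ = _der_tlv(spki, alg_end)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, seq_start, _ = _der_tlv(spki, bits_start + 1)  # +1 skips the unused-bits byte
    tag, n_start, n_end = _der_tlv(spki, seq_start)   # INTEGER modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def check_dkim_record(record):
    """Return (ok, details) for a DKIM TXT record value as a verifier would see it."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    bits = None
    if "p" not in tags:
        problems.append("missing p= public key")
    else:
        try:
            bits = rsa_key_bits(tags["p"])
        except Exception as exc:  # bad base64, truncated key, or not an RSA SPKI
            problems.append("p= does not decode: %s" % exc)
    if bits is not None and bits < 1024:  # RFC 8301: verifiers must not accept < 1024-bit keys
        problems.append("key shorter than 1024 bits is rejected by verifiers")
    return (not problems, {"bits": bits, "problems": problems})


if __name__ == "__main__":
    full = "v=DKIM1; " + join_txt(DKIM_2048_STRINGS)
    print(format_txt_value(full))
    print(check_dkim_record(full), check_dkim_record(DKIM_1024))
```

Running the check on the joined record rather than on each string separately is the point: a verifier never sees the quotes or the split, so a record that was cut in the wrong place (or that had a line break inserted by the DNS tool, as described under "Common obstacles") shows up here as a `p=` value that fails to decode.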
DMARC
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Create a subdomain _dmarc.<yourdomain.com> and add a TXT record to this subdomain using the following value:
v=DMARC1; p=none; rua=mailto:<address>@<yourdomain.com>;
Read more about DMARC: https://dmarc.org/
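As an added example (not carmamail's code), the block below parses a DMARC record like the one above and applies the part of DMARC that the text describes as "linkage to the author (From:) domain": a message passes only if SPF or DKIM passes for a domain aligned with the From: domain, and otherwise the published policy decides. The records, domains and mailbox names are constructed sample values, and organizational-domain matching is simplified to the last two labels (real implementations use the Public Suffix List), which is an assumption of this example.

```python
# Constructed sample records; the mailbox, domains and policies are made up for this example.
LENIENT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;"
STRICT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com"

POLICIES = ("none", "quarantine", "reject")


def parse_tags(record):
    """Parse a DMARC tag=value list into a dict."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if field:
            name, _, value = field.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def parse_dmarc(record):
    """Validate a DMARC TXT value and fill in the RFC 7489 defaults."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are required")
    if tags["p"] not in POLICIES:
        raise ValueError("unknown policy %r" % tags["p"])
    return {
        "p": tags["p"],
        "sp": tags.get("sp", tags["p"]),        # subdomain policy defaults to p
        "adkim": tags.get("adkim", "r"),        # r = relaxed, s = strict alignment
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),     # share of failing mail the policy applies to
        "rua": [u.strip() for u in tags["rua"].split(",")] if "rua" in tags else [],
    }


def organizational_domain(domain):
    """Simplification for this example: last two labels. Real code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= of a verified signature. Assumes the record was
    published at the organizational domain of from_domain. pct sampling is not applied.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    # SPF passes for a sending provider's own domain but is not aligned; DKIM carries the pass.
    print(evaluate_dmarc(STRICT, "example.com", "pass", "esp.example", "pass", "example.com"))
    print(evaluate_dmarc(STRICT, "example.com", "pass", "esp.example", "fail", ""))
```

The first sample call is the case that matters when mail goes out through a provider: an SPF pass for the provider's own envelope domain is not aligned with your From: domain, so without a DKIM signature for your domain the message fails DMARC and, under `p=reject`, is refused. That is why the page asks for all three records, and why starting with `p=none` plus a `rua=` address lets you see such failures in reports before enforcing anything.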
Common obstacles
Many web hosting providers and some basic domain management tools may not support the options you need to get authentication working. Here are some of the problems you might run into:
- TXT records get line breaks inserted even though the value looks fine in the tool you are using. You can avoid this by putting the TXT record value within double quotes "" (as in the descriptions above).
- No way to create subdomains containing special characters, which stops you from adding the DKIM subdomain (dkim2048._domainkey..).
- No option to add or edit TXT records for your domain.
SPF testing tool for verification
If you are unsure whether your domain is set up correctly, you can use an external tool called Kitterman to test your SPF record!