With instances of ransomware and phishing attempts on the rise over the past few years, email providers are becoming more and more strict about the emails they allow into their users’ inboxes. As of 2020, spam / phishing emails were by far the most common source for ransomware infections (source), so it makes sense that email providers would want to prevent that traffic as much as possible. Unfortunately, that can often mean that legitimate emails are identified as potential spam and land in recipients’ spam folders instead of their inboxes.
To reduce the likelihood that your emails are treated as spam, there are several DNS records you need to set up for your domain (and any subdomain you use to send email): SPF and DKIM to authenticate your mail, DMARC to tie those two checks to your From address and set a policy, and MTA-STS to protect the connection between mail servers.
What are SPF, DKIM, MTA-STS, and DMARC and what do they do for you?
In a nutshell, SPF and DKIM give other mail servers a way to tell legitimate email from your domain apart from spam and spoofed (forged) mail. DMARC tells those servers that at least one of the two checks must pass and match (align with) your From domain, and what to do with mail that fails: nothing beyond reporting (p=none), quarantine it (p=quarantine), or reject it (p=reject). When a receiving server has no way to verify a message (for example, because these records have not been published), it errs on the side of caution and is far more likely to classify it as spam.
Here is more detail on each type of record:
- SPF (Sender Policy Framework) is a TXT record on your domain that lists the servers authorized to send email on your behalf, either by IP address (ip4:/ip6:) or by reference to another domain’s SPF record (include:). You can publish only one SPF record per domain or subdomain; a second one is a permanent error and the check fails. The record is also limited to 10 DNS lookups in total (each include:, a, mx, ptr, exists and redirect counts, including those nested inside the records you include), and each TXT string is limited to 255 characters, so with many senders you sometimes have to get creative, for example by pointing at a single include: that a provider maintains for you (the daisy-chaining many tools describe). SPF is checked against the bounce address (Return-Path) domain, not the visible From address, which is why some tools ask you to set up a “custom return path”.
- DKIM (DomainKeys Identified Mail) is a digital signature added to each outgoing message in a DKIM-Signature header. The receiving server looks up the selector named in that header at <selector>._domainkey.<yourdomain>, fetches the public key published there, and verifies that the signed headers and body have not been altered in transit and were signed by a key your domain published. You should have a DKIM record for every system that sends email as your domain (your email provider, your email marketing tool, your photo gallery tool, your help desk system, etc.), UNLESS the tool relays through your own email account, in which case your provider signs the mail for you. Depending on the tool, the record is either a TXT record containing the public key or a CNAME record pointing at a key the tool hosts, which lets the tool rotate its keys without you touching DNS.
- MTA-STS (SMTP MTA Strict Transport Security) is a policy you publish for your own domain: a TXT record at _mta-sts.<yourdomain> plus a small policy file served over HTTPS at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt. It tells servers that send mail to you to require TLS and to verify the certificate of your MX hosts, so an attacker in the path can no longer strip the STARTTLS offer and force plaintext delivery. It protects mail coming in to you rather than your outbound reputation, and it is normally paired with a TLS-RPT record (_smtp._tls.<yourdomain>) so you receive reports of failed TLS connections.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) sets your policy and tells receiving servers where to send reports. It is a single TXT record at _dmarc.<yourdomain> (one per domain or subdomain) beginning with v=DMARC1, with p= set to none, quarantine or reject and rua= giving the mailbox for aggregate reports. Not every receiving server honors the policy, but the large providers do. To get value from it, you’ll want a monitoring tool that collects and parses the aggregate reports: they show, per sending IP address, whether SPF and DKIM passed and aligned with your From domain and which disposition the receiver applied, though not whether a delivered message landed in the inbox or the spam folder. MTA-STS is not covered by DMARC reports; TLS failures are reported separately through TLS-RPT. Under p=none failing mail is still delivered, under p=quarantine it generally goes to spam, and under p=reject it is refused outright.
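As an added example (not part of the original post), the following Python script checks a set of constructed DNS TXT records for the common mistakes described above: more than one SPF record, more than ten SPF lookups, a missing -all or ~all, a DMARC record without a valid p= or without rua=, an empty DKIM key, and an MTA-STS record without an id=. The domain example.com, the selector sel1 and every record value are made up for this example (the DKIM p= value is a truncated placeholder, not a real key); in practice you would feed it the TXT records a DNS lookup returns for each name.

```python
import re

# Constructed sample DNS TXT records for a fictional domain (not real data).
# The DKIM "p=" value is a truncated placeholder, not a usable public key.
SAMPLE_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.example-mailhost.net include:spf.example-marketing.net "
        "ip4:203.0.113.10 mx -all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=r",
    ],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    "_mta-sts.example.com": ["v=STSv1; id=20240101T000000Z"],
}

# SPF terms that each cost one DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_lookup_count(record):
    """Count lookup-causing terms in one SPF record, one level deep.
    Lookups inside included records also count toward the limit of 10, so a
    full audit must resolve each include: target and add its count as well."""
    count = 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            count += 1
    return count


def check_spf(txt_records):
    """Return a list of problems with a domain's SPF records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; more than one is a permerror")
    lookups = spf_lookup_count(spf[0])
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    terms = [t.lower() for t in spf[0].split()]
    if not any(t in ("-all", "~all") for t in terms):
        problems.append("no -all or ~all; unlisted senders are not marked as failing")
    return problems


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC, DKIM and MTA-STS."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    recs = [r for r in txt_records if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"{len(recs)} DMARC records found; exactly one is required"]
    tags = parse_tags(recs[0])
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems


def check_dkim(txt_records):
    recs = [r for r in txt_records if "p=" in r]
    if len(recs) != 1:
        return [f"{len(recs)} DKIM key records found; expected one per selector"]
    tags = parse_tags(recs[0])
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        problems.append(f"unexpected version {tags['v']!r}")
    if not tags.get("p"):
        problems.append("empty p= means the key has been revoked")
    return problems


def check_mta_sts(txt_records):
    recs = [r for r in txt_records if r.startswith("v=STSv1")]
    if len(recs) != 1:
        return [f"{len(recs)} MTA-STS records found; exactly one is required"]
    if not parse_tags(recs[0]).get("id"):
        return ["missing id=; senders use it to notice policy changes"]
    return []


def audit(records):
    """Run the matching check for each record name; returns {name: [problems]}."""
    results = {}
    for name, txt in records.items():
        if name.startswith("_dmarc."):
            results[name] = check_dmarc(txt)
        elif "._domainkey." in name:
            results[name] = check_dkim(txt)
        elif name.startswith("_mta-sts."):
            results[name] = check_mta_sts(txt)
        else:
            results[name] = check_spf(txt)
    return results


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The SPF lookup counter only counts the terms visible in the record you pass it; a real audit has to fetch each include: and redirect= target and add their lookups too, because that nested total is what receivers enforce. The MTA-STS check covers only the DNS record; the policy file served over HTTPS (mode, mx list, max_age) needs its own check.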
It’s important to make sure you’ve identified all the systems that send email on your behalf and account for them in your records. Generally, each tool that uses your email address as the sender should give you instructions on how to add itself to your SPF record and which DKIM record to publish. They may call it domain authentication (a step beyond simple domain verification), custom domain, or custom return path (the bounce-address domain that SPF is actually checked against, which must match your From domain for DMARC to count the SPF pass), or you may find it in their help documentation under SPF and DKIM.
Need help?
If any of this has made your eyes cross, I understand! I’ve helped many business owners with their setup so they know their emails are going to inboxes instead of spam folders, and I’m happy to help you. Click here to get started!