DMARC, DKIM and SPF in email marketing
Emails are an important part of modern communication, whether for personal messages or business purposes. To improve email security and prevent fraud, the providers of recipient mailboxes (also known as email service providers), such as GMX, web.de and Gmail, take extensive precautions.
Especially if you send a lot of emails at once (which is certainly the case when using an email marketing system), the recipient mailboxes "listen carefully" and check exactly what is arriving.
If the sender address of a mass mailing belongs to a freemail provider (such as Gmail, Yahoo, web.de, GMX etc.), the receiving provider knows that Gmail & Co. (i.e. those companies) certainly did not send these emails themselves, and it will either show warning messages to the recipient or sort the emails straight into spam.
We therefore strongly recommend using a sender address from your own domain, such as name@meinefirma.de (If you don't have one, you can use a domain from Quentn. You can find instructions here).
Having your own domain alone does not "reassure" the providers, however: they check DMARC, DKIM and SPF to authenticate the emails (i.e. to verify the sender's identity).
With their help, email service providers can determine whether the incoming email really comes from the sender named in the email.
Attention: Some providers, such as Google (Gmail) and Yahoo, have tightened their DMARC requirements. Since February 1, 2024, all email senders with a high sending volume (from 5,000 emails per day) must have a DMARC record set up on their domain.
We still strongly recommend that our customers with a lower sending volume set up the DMARC record.
What are DKIM, SPF and DMARC?
DKIM, SPF and DMARC are essential tools to increase the security of emails and strengthen trust in your email communications. By setting up these protocols correctly, you can not only increase security, but also ensure that your emails are delivered successfully and your brand is protected.
How does DKIM work?
DomainKeys (DKIM) is based on asymmetric cryptography. A digital signature is added to the header of every outgoing email; it is created with a private key that is assigned to your domain. The receiving server then looks up the matching public key, which is published in the domain name system (DNS for short) of the domain, and uses it to verify the signature. If the sender address of a mass mailing belongs to a freemail provider (such as Gmail, Yahoo, web.de, GMX etc.), the receiving provider knows that Gmail & Co. certainly did not send this email themselves, and it will issue warnings to the recipient or immediately label the email as spam.
How does SPF work?
SPF (Sender Policy Framework) is another spam protection method used for sender authentication. Additional information (namely which mail servers are allowed to send for the domain) is stored in the DNS records of a domain in the form of an SPF record. The receiving mail server can use the domain's SPF record to check whether the email it received originates from an authorized mail server or not. If it does not, the email can be identified through the SPF check and classified as spam.
NOTE: If you have not yet made these entries, you should definitely do so now! Our support team will be happy to help you. So that we can make the entries for you, we need the login link to your domain provider and the access data.
How does DMARC work?
DMARC builds on SPF and DKIM and adds an additional layer: policy and reporting. It allows senders to set a policy on how recipients should handle emails that fail authentication, and it provides reports on the authentication results.
With a strict policy, emails that fail authentication because they were sent from servers not authorized for your domain (for example by fraudsters trying to use your domain) are rejected.
This means that as long as you have DKIM, SPF and DMARC set, no one will be able to "borrow" your domain to send a fraudulent email asking for a €100 donation for the Amazon rainforest or similar.
What is special about DMARC
From February 1, 2024, some email service providers have tightened their security requirements so that a DMARC record is mandatory - at least for anyone who sends more than 5,000 emails a day.
Nevertheless, we strongly recommend that all our customers also set the DMARC record.
What do I have to consider before setting the DMARC record?
First: If you use other servers in addition to Quentn that send on your behalf (e.g. membership software, WordPress site, etc.), please make sure that all of these servers are listed in your SPF record BEFORE setting the DMARC record.
If you also use your domain for your WordPress site, you must add the "a" mechanism to your SPF record if this has not already been done.
Example:
v=spf1 a include:spf.m-1.eu-1.quentn.com ?all
Otherwise, emails from your WordPress system may no longer arrive (e.g. your own password reset email).
For other providers (e.g. Funnel Cockpit, Coachy, etc.), you must contact them and ask what additions you need to make.
Setting DMARC - for beginners
Copy the simple DMARC record that you can find in Quentn in the verification information and paste it as a TXT record at your domain provider.
The record looks like this: v=DMARC1; p=none;
If you need help: Our Support will be happy to set the record for you. Please write us an e-mail to support@quentn.com and send us the access data for your domain provider.
Without the access data, we will not be able to set the record for you.
Setting DMARC - for advanced users
A DMARC record is a TXT record and consists of relatively simple tags and values. Only two tags are required; the rest are optional.
The following record must be set for your domain for DMARC at your domain host:
v=DMARC1; p=reject;
What do the characters mean?
The first tag (v=) is simple. The value must always be DMARC1. There are no other versions yet, so always use "1".
The second tag (p=) tells the recipient server what to do with messages that could not be authenticated. Here are your options:
- None: Messages are logged but no action is taken.
- Quarantine: Messages are marked as spam and held back (usually in the spam folder).
- Reject: Messages are rejected (a bounce occurs).
DMARC reports (optional)
Optionally, you can add a third tag: rua=mailto:deinemail@deinedomain.com;
This contains the e-mail address to which your DMARC reports will be sent.
Note: It is advisable to set up an additional e-mail address here, as there may be a large number of reports.
Attention: The e-mail address to which the reports are sent must be on the same domain for which you have set the DMARC record!
As soon as DMARC has been set up correctly, reports will gradually arrive in your inbox. They will inform you about the following:
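The SPF prerequisite above and the DMARC tags just described can be checked before you publish anything. The following is an added example (not Quentn's code) that parses a DMARC TXT record and an SPF record given as strings; the records and the domain meinefirma.de are constructed sample values, and the rua check applies the same-domain rule stated in this article.

```python
# Constructed sample records (not the result of a live DNS lookup).
SPF_RECORD = "v=spf1 a include:spf.m-1.eu-1.quentn.com ?all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@meinefirma.de;"

DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag/value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record, domain):
    """Return a list of problems found in the DMARC record for `domain`; an empty list means OK."""
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":            # first required tag: version
        problems.append("v tag must be DMARC1")
    if tags.get("p", "").lower() not in DMARC_POLICIES:  # second required tag: policy
        problems.append("p tag must be none, quarantine or reject")
    for tag in ("rua", "ruf"):               # optional report addresses
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag} URI must start with mailto:")
                continue
            report_domain = uri[len("mailto:"):].rsplit("@", 1)[-1].lower()
            if report_domain != domain.lower():   # same-domain rule from this article
                problems.append(f"{tag} address is on {report_domain}, not {domain}")
    return problems


def spf_mechanisms(record):
    """Return the SPF mechanisms without their +/-/~/? qualifiers, in order; [] if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    return [t.lstrip("+-~?") for t in terms[1:]]


def check_spf(record, required):
    """Return the mechanisms from `required` (e.g. 'a', 'include:...') missing from the SPF record."""
    present = set(spf_mechanisms(record))
    return [m for m in required if m not in present]
```

Run check_spf with every sender you use (the "a" for WordPress, the Quentn include) before tightening p= to quarantine or reject. Note that "?all" is the neutral qualifier: senders not listed neither pass nor fail SPF, so DMARC then relies on DKIM alignment for them.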
- Which servers or third parties are sending emails from your domain and whether they pass authentication
- How the respective incoming server reacts to unauthenticated emails
- The overall DMARC pass rate as a percentage.
You have two options for the reports:
- Aggregated reports
- Forensic reports
Aggregated reports (rua=)
Aggregated reports (rua=) are XML documents that contain data about the messages a receiver has accepted that claim to originate from your domain. These reports are delivered as raw XML and are intended to be machine-readable.
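Because the raw XML is meant for machines, the usual step is to summarise it per sending source. The following is an added example (not Quentn's code) that parses a constructed aggregate report in the RFC 7489 XML layout for the sample domain meinefirma.de; the source IPs, counts and receiver name are made up, and the second record shows the case the article warns about: a server sending as your domain that is not authorised for it.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (not a real receiver's report): one authorised source
# that passes, and one unknown source whose SPF passes for a different, non-aligned domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1706745600</begin><end>1706832000</end></date_range></report_metadata>
  <policy_published><domain>meinefirma.de</domain><p>reject</p></policy_published>
  <record><row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>meinefirma.de</header_from></identifiers>
    <auth_results><dkim><domain>meinefirma.de</domain><result>pass</result></dkim>
      <spf><domain>meinefirma.de</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>meinefirma.de</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarize_report(xml_text):
    """Parse one aggregate report into per-source rows plus the overall DMARC pass rate."""
    # Reports arriving by e-mail are untrusted input; for those, parse with defusedxml
    # rather than plain ElementTree (entity expansion). This sample is constructed.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),   # what the receiver did with the mail
            # DMARC passes if either the aligned DKIM or the aligned SPF result passes
            "dmarc_pass": "pass" in (dkim, spf),
        })
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dmarc_pass"])
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "rows": rows, "total": total,
            "pass_rate": passed / total if total else 0.0}


def failing_sources(summary):
    """Source IPs whose mail failed DMARC: compare against your own senders before tightening p=."""
    return [r["source_ip"] for r in summary["rows"] if not r["dmarc_pass"]]
```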
Forensic reports (ruf=)
Instead of "rua=" you can also optionally use "ruf=". This tag sends forensic reports to your email address.
This means that each message that fails authentication triggers a separate, detailed e-mail. The reports are in AFRF format and contain information on:
- Subject line
- Time at which the message was received
- IP information
- Authentication results
- SPF result
- DKIM result
- DMARC result
- Domain information
- Message ID
- URLs
- Deliverability result
- Policy applied
- ISP information
This tag is not supported by all email providers (Gmail, for example, does not send forensic reports for privacy reasons), but where it is supported it gives you more insight into the rejected emails than a standard aggregated report.
Why do I need these DNS records for email marketing?
Trust is crucial in email marketing. When you send emails to your customers or subscribers, you want to make sure that they are actually from you and not from scammers pretending to be you. DKIM, SPF and DMARC help to confirm the authenticity of your emails and reduce the risk of phishing attacks or spoofing.
What if my domain provider does not support setting DMARC?
If your domain host does not support setting DKIM and/or DMARC records, we recommend that you change your domain host in the long term. To do this, you can initiate or request a transfer to another host that supports these settings. The new domain host will be happy to answer any questions you may have in this regard.
I don't have my own domain! What now?
If you have a freemail address (@web.de, @gmail.com, @gmx.net etc.), you must choose a Quentn domain as your sender so that your delivery rate remains high and your emails are not sorted out in advance by the email service providers due to missing DNS entries.
When you create your email sender in Quentn, please select the sender type "Quentn domain" and then enter the desired address (@quentn-mail.de is already specified). You can find instructions here.