Authenticating Your Domain with SPF and DKIM
Introduction
Email authentication is a critical part of keeping your communication secure and trusted. By setting up SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), you ensure that emails sent from your domain are verified as legitimate. This protects your brand, improves deliverability, and reduces the risk of phishing or spoofing.
Why Authenticate Your Domain?
Protect Your Brand
Prevents attackers from impersonating your domain by confirming that your emails come from authorized servers.
Improve Deliverability
ISPs (like Gmail, Yahoo, Outlook) use SPF and DKIM checks to determine if your emails should reach the inbox instead of spam.
What is SPF?
SPF lets domain owners specify which mail servers can send emails on behalf of their domain. This is done by adding an SPF record (a DNS TXT record).
How SPF Works
When an email is sent, the receiving server checks the SPF record:
If the sending server matches the authorized list, the email passes.
If not, the email may be flagged as suspicious.
Setting Up SPF with Zencity
Log in to your domain provider’s DNS settings.
Add a TXT record:
Name/Host: @ or leave blank.
Value: v=spf1 include:spf.mailjet.com ~all
Note:
If multiple SPF records exist, merge them into one. Example:
v=spf1 include:spf.example1.com include:spf.mailjet.com ~all
Avoid exceeding the 10 SPF lookup limit, which can cause errors.
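An added example (not Zencity's or Mailjet's code): an offline check for the two SPF pitfalls in this note, more than one SPF record on a name and more than 10 DNS-querying terms once includes are followed. Everything in ZONE, including what spf.mailjet.com and spf.example1.com contain, is constructed sample data; the function names are hypothetical.

```python
# Added example. ZONE is constructed sample data, not real DNS answers.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208, 4.6.4
QUALIFIERS = {"-all": "HardFail", "~all": "SoftFail", "?all": "Neutral"}

ZONE = {
    "yourdomain.com": ["v=spf1 include:spf.example1.com include:spf.mailjet.com ~all"],
    "spf.example1.com": ["v=spf1 mx include:_netblocks.example1.com -all"],
    "_netblocks.example1.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf.mailjet.com": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    # Two SPF records on one name: receivers treat this as an error.
    "broken.example": ["v=spf1 include:spf.example1.com ~all",
                       "v=spf1 include:spf.mailjet.com ~all"],
}

def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(record, zone, path):
    """Count DNS-querying terms, following include: and redirect= targets."""
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?").replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]          # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target not in path:  # loop guard
            for nested in spf_records(target, zone):
                total += count_lookups(nested, zone, path + (target,))
    return total

def audit(domain, zone=ZONE):
    """Report record count, total lookups, and the qualifier on the final all."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return {"records": len(records), "ok": False}
    lookups = count_lookups(records[0], zone, (domain,))
    policy = QUALIFIERS.get(records[0].lower().split()[-1], "other")
    return {"records": 1, "lookups": lookups, "policy": policy, "ok": lookups <= 10}

if __name__ == "__main__":
    for name in ("yourdomain.com", "broken.example"):
        print(name, audit(name))
```

To run it against live DNS, replace the ZONE dictionary with TXT answers fetched by your resolver of choice; the counting logic does not change.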
What is DKIM?
DKIM adds a digital signature to your emails, confirming that the content hasn’t been altered and that the sender is authorized.
How DKIM Works
Zencity signs each email with a private key.
The receiving server checks the signature using your domain’s public key (stored in DNS).
If they match, the email is authenticated.
Setting Up DKIM with Zencity
Log in to your DNS provider.
Add a TXT record:
Name/Host: mailjet._domainkey.yourdomain.com.
Value: (Paste the DKIM key provided in your Zencity account under SPF/DKIM Authentication).
Some providers may:
Require quotes around the TXT value.
Append the domain name automatically. Double-check after saving.
DKIM Key Length (Bit Rate)
1024-bit: Standard, secure, widely supported.
2048-bit: Recommended for stronger protection. Default for new Zencity DKIM keys (since April 2024).
4096-bit: Strongest but less common; may impact performance.
Recommendation: Use a 2048-bit key if supported by your provider. Periodically regenerate your DKIM key to stay secure.
To regenerate, go to:
Communicate → Newsletters → Account → Domains & Sender Addresses → SPF/DKIM Authentication → Regenerate Key.
Verifying SPF & DKIM Setup
After adding your records:
Go to Zencity → Communicate → Newsletters → Account → Domains & DNS.
Select your domain.
A green checkmark confirms SPF and DKIM are active.
Best Practices
Use a single SPF record per domain.
Choose your SPF mechanism:
~all (SoftFail): Accept but mark unauthorized senders.
-all (HardFail): Reject unauthorized senders.
?all (Neutral): No enforcement.
Combine SPF & DKIM with DMARC for stronger protection.
Monitor DMARC reports to spot unauthorized activity.
Keep DNS records consistent across all sending domains.
Troubleshooting
Propagation delay: DNS changes can take up to 48 hours.
Multiple SPF records: Merge into one.
SPF too long: Use subdomains or consolidate records to stay under the 10-lookup limit.
DKIM not authenticating: Ensure TXT values are exact (no extra spaces or errors).
Email still rejected: Some servers run extra checks. Add DMARC for full coverage.
Additional Security Measures
DMARC: Adds policies for how to handle failed SPF/DKIM emails and provides reports on domain usage.
Ongoing monitoring: Regularly check reports and update DNS as new services are added.
Conclusion
By configuring SPF and DKIM, you strengthen your domain security and increase the chance your emails reach inboxes, not spam folders. Together with DMARC, these protocols provide a comprehensive protection framework for trusted, secure communication.