Does your business also have a website? If so, we can use it to help avoid the spam filter and improve delivery of your email.
When you set up a website for your business or organization, do you use free email options like Gmail, Outlook, or Yahoo? This could be impacting your business in a number of ways without you being aware of it.
Free email options may seem like a great deal, but because they are free they are often used for spamming. If your business uses a free account from a free email provider (Google, Microsoft, Yahoo, etc.), your email might be getting delivered straight to the spam folder! A paid email account not only looks more professional and memorable, it is less likely to get delivery intercepted by spam filtering.
Why is this important? Currently Gmail and Yahoo account for almost 2 billion email users. On February 1, 2024, new sender requirements came into force to reduce the amount of spam to these services. In short, all bulk senders are now required to have DKIM, SPF, and DMARC configured, lest they find themselves going right to the spam folder.
Get your coffee and get comfortable… there’s a lot to cover here.
How Can My Website Help My E-mail?
If you have a website with a custom domain name, you have the option of setting up email using the same domain name. For example, I could set up spambait@ascendantbits.com to send and receive email. It’s obvious to the mail recipient this mail address is from this website.
Having a professional-looking email address is the first step in improving your email delivery chances. With a website you can use tools like DKIM, SPF, and DMARC that help verify and protect your email sending reputation. Before we explore those tools we need to briefly look at the Domain Name System or DNS.
A Brief Overview of the Domain Name System
The Domain Name System or DNS was created in 1985 to manage the growing number of computers and devices on the internet. It arranges domain names hierarchically. Domain names typically consist of two or more labels. The right-most label is the top level domain or TLD. Common TLDs are .com, .net, .org, etc.; there are also TLDs based on country (ccTLD), such as .ca for Canada.
As you move left in the name, the label indicates a subdomain or service. For example, youtube.com is a well known domain; studio.youtube.com is a subdomain where YouTube provides an online studio for uploading your videos. You might connect your email software to Google’s mail service at smtp.gmail.com.
DNS is much like a telephone book, converting the domain name (the first two labels) into an IP address. This IP address points to your server. Your server has DNS records that contain the information to connect to your website, subdomains, and services like email.
We can also use these DNS records to configure email authentication protocols like DKIM, SPF, and DMARC, which will help make your email more deliverable.
Email Authentication Protocols
The Domain Name System can be used to improve your chances of avoiding the spam filter. This is done through a number of DNS resource records.
The Sender Policy Framework or SPF authentication ensures that the sending mail server is authorized to send email from your domain, and rejects anybody trying to fake or ‘spoof’ your email address. Setting up SPF is also what lets newsletter platforms like MailChimp, MailerLite, Moosend, etc. send on your behalf.
DomainKeys Identified Mail or DKIM is another email authentication method that prevents spoofing of your email address. A digital signature associated with your domain name is attached to your outgoing email. In addition to preventing spoofing, it also ensures that your email has not been altered after sending. This happens at the server level so you won’t see the digital signature.
The last part of email authentication is Domain-based Message Authentication, Reporting and Conformance or DMARC. DMARC itself does not directly determine if an email has been spoofed or is spam. It publishes a policy that informs the mail receiver:
- The message is protected by SPF and DKIM;
- What to do if SPF or DKIM validation fails;
- How the receiver reports failures back to the sender.
Depending on the DMARC policy, email can fail validation if SPF or DKIM fails. DMARC can also fail if the FROM email address does not match or align with the authenticated domain names.
These three authentication protocols can help improve your email delivery dramatically.
DNS and Email Delivery
To enable SPF, DKIM and DMARC for your domain, you need to add DNS records that email recipients use to validate your email.
To set up these email authentication protocols, you will add several TXT records to your DNS configuration. Each Internet Service Provider (ISP) provides its own tools for managing your DNS records, so check with your ISP’s documentation for how to configure yours.
Configure DKIM
You will need to add a DKIM record for each service sending on behalf of your domain. Your DNS configuration should already have a default DKIM record for your domain. If you use a newsletter service like Moosend or MailChimp, you need to add a DKIM record with a selector for that sender. The selector allows mail servers to verify the domainkey of the sending domain.
The examples below are using fake IP addresses and domainkeys.
For example, let’s see how you would configure an entry for Moosend. In your DNS configuration, you would create a TXT record, and add a selector for Moosend:
TXT record name
ms._domainkey.mydomain.com
The public key other servers use to verify email is added to the value:
TXT record value
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ8jdw+F8KxSJHm/09uZvyz7ykYfsJQWnL8OVyG8nQmyEiG91skReXnLQJiyQf7XJWPL5/AXHkPloD5RdVEekFSwzRUGcq90JdEm9O6FHEyo43bBjwKfPq9kx+asYrZMkSjlvZpWpQl8Q9SbDH6bTkfQ2eWm+UcAe8tYNQo0TqDwIDAQAB
When email is sent on your behalf from Moosend, a digital signature is applied using a private key. The receiving mail server looks up the public key published in your domain’s DNS and uses it to validate that the email has not been tampered with.
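To make the selector mechanism concrete, here is an added example (not code from the original post or from any DNS or mail provider) showing how a receiving server gets from a DKIM-Signature header to the TXT record name and then sanity-checks the key record. The DKIM-Signature header and the DNS table are constructed for this example; the TXT record name and public key value are the ones shown above. It does not verify the RSA signature itself, which needs a crypto library.

```python
import base64
import re

# Constructed stand-in for a live DNS resolver (assumption: no network access).
# The name and key value are the page's Moosend example.
DNS_TXT = {
    "ms._domainkey.mydomain.com": (
        "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ8jdw+F8KxSJHm/09uZvyz7ykYfsJQWnL8OVyG8nQmyEiG91skReXnLQJiyQf7XJWPL5/AXHkPloD5RdVEekFSwzRUGcq90JdEm9O6FHEyo43bBjwKfPq9kx+asYrZMkSjlvZpWpQl8Q9SbDH6bTkfQ2eWm+UcAe8tYNQo0TqDwIDAQAB"
    ),
}

# Constructed DKIM-Signature header; bh= and b= are placeholder values.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=ms;\r\n"
    " h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r\n"
    " b=PLACEHOLDERSIGNATURE="
)


def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict.

    Whitespace (including header folding) is not significant inside values,
    so it is stripped from every value.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(signature_header):
    """Return the TXT name a verifier queries: <selector>._domainkey.<d= domain>."""
    tags = parse_tags(signature_header)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        raise ValueError("DKIM-Signature missing tags: " + ", ".join(missing))
    # The From header must be covered by the signature for DMARC to rely on it.
    if "from" not in tags["h"].lower().split(":"):
        raise ValueError("DKIM-Signature does not sign the From header")
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def fetch_public_key(signature_header, txt=DNS_TXT):
    """Look up and sanity-check the key record for a signature.

    Returns (signing_domain, der_key_bytes). A ValueError here is what a
    verifier reports as a permanent DKIM failure (permfail).
    """
    name = key_record_name(signature_header)
    if name not in txt:
        raise ValueError("no DKIM key record at " + name)
    rec = parse_tags(txt[name])
    if rec.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unexpected key record version")
    if rec.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: " + rec["k"])
    if not rec.get("p"):
        raise ValueError("key has been revoked (empty p=)")
    der = base64.b64decode(rec["p"], validate=True)
    # A SubjectPublicKeyInfo is a DER SEQUENCE and therefore starts with 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("p= is not a DER-encoded public key")
    return parse_tags(signature_header)["d"], der


if __name__ == "__main__":
    domain, key = fetch_public_key(SAMPLE_SIGNATURE)
    print(key_record_name(SAMPLE_SIGNATURE), domain, len(key), "bytes of DER")
```

The d= domain returned here is the one DMARC later compares against the From address, which is why a newsletter service signing with its own d= domain (rather than yours) will not give you DMARC alignment.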
Configure SPF
While you will add one DKIM record for each sender, your site will have only one SPF record. This DNS record is used to verify which senders are authorized to send on your behalf. It uses the special name @, which stands for the domain itself (mydomain.com) rather than a subdomain:
TXT record name
@.mydomain.com
The value here has several parts or mechanisms, which are described below:
TXT record value
v=spf1 ip4:192.168.10.128 include:_spf.google.com mx ~all
The individual mechanisms are described below:
v=spf1
This identifies the DNS record as an SPF record version 1.
ip4:192.168.10.128
When sending email through your website’s SMTP server, you will add its IP address.
include:_spf.google.com
An include mechanism will reference the SPF record from the specified domain. You can include additional domains for each authorized sender.
mx
This mechanism will include mail server (MX) records of the sender.
~all
The ~all mechanism will cause any sender not validated by previous mechanisms to be flagged with a SOFTFAIL.
Each mechanism above can have one of four qualifiers:
+
for a PASS result. This can be omitted, as it is the default.
?
for a NEUTRAL result, essentially the same as having no policy. Not recommended.
~
for a SOFTFAIL result. This qualifier is typically used for testing your policy. Messages will not fail but will be marked for review.
-
for a FAIL result. This mail should be rejected.
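To show how a receiving server walks those mechanisms and qualifiers, here is an added SPF evaluator (example code, not part of the original post and not any mail server's implementation). It runs against a constructed DNS table instead of live lookups: the record for mydomain.com is the one above, while the contents of _spf.google.com, the MX host and the A records are made up for the example and are not Google's real data. It also enforces the ten-lookup limit that real evaluators apply to include, a and mx terms.

```python
import ipaddress

# Constructed DNS data (assumption: replaces live resolver lookups).
DNS = {
    "TXT": {
        "mydomain.com": "v=spf1 ip4:192.168.10.128 include:_spf.google.com mx ~all",
        "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",  # constructed, not Google's
    },
    "MX": {"mydomain.com": ["mail.mydomain.com"]},
    "A": {"mail.mydomain.com": ["198.51.100.5"], "mydomain.com": ["198.51.100.9"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # limit on DNS-querying mechanisms per evaluation


def ip_in(ip, spec):
    """True if ip falls inside spec (a bare address or CIDR block)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_host(ip, domain, dns=DNS, lookups=None):
    """Evaluate SPF for a connecting IP and the MAIL FROM domain.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    lookups = [0] if lookups is None else lookups  # shared across includes
    record = dns["TXT"].get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers such as exp= and redirect= are not handled here
        qualifier = "+"  # PASS is the default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = (arg or domain).lower()
            if name == "a":
                matched = any(ip_in(ip, a) for a in dns["A"].get(target, []))
            elif name == "mx":
                hosts = dns["MX"].get(target, [])
                matched = any(ip_in(ip, a) for h in hosts for a in dns["A"].get(h, []))
            else:
                # include: only a PASS from the referenced record counts as a match;
                # its fail/softfail/neutral just means "keep going".
                matched = check_host(ip, target, dns, lookups) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


if __name__ == "__main__":
    for sender in ("192.168.10.128", "203.0.113.7", "198.51.100.5", "192.0.2.1"):
        print(sender, check_host(sender, "mydomain.com"))
```

With the record as written, an unknown sender gets softfail; swap ~all for -all and the same sender gets fail, which is the change you make once the reports show no legitimate sender is being missed.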
Configure DMARC Policy
A DMARC policy allows your domain to tell the receiving server that your email messages are protected by DKIM and SPF. It also instructs the receiving server what to do if the message fails authentication, such as reject or quarantine the message. This policy can also specify how to notify the sending domain of a failure.
If DKIM and SPF authentication passes, DMARC also checks to ensure the sender matches or is aligned with the previously authenticated domain(s).
To set up DMARC you can add the following DNS records:
TXT record name
_dmarc.mydomain.com
TXT record value
v=DMARC1;p=quarantine;sp=quarantine;pct=100;rua=mailto:someone@mydomain.com;ruf=mailto:someone@mydomain.com
Here are some of the most useful tags:
v=DMARC1
This identifies the DNS record as a DMARC record version 1.
p=quarantine
Quarantine failed email sent from primary domain.
sp=quarantine
Quarantine failed email sent from subdomain. You can also set up another DMARC record to apply a different policy to a specific subdomain.
pct=100
Set percentage of failed email to report to sender.
rua=mailto:someone@mydomain.com
Send aggregate failure reports to this email address.
ruf=mailto:someone@mydomain.com
Send forensic failure reports to this email address.
You want to configure your DMARC policy a bit loosely first, so you can see if there are problems with your email delivery. Reviewing the aggregate and forensic reports, you can determine if additional configuration is needed. Over time, you can modify your DMARC policy from quarantine to reject. A quarantine policy tells the receiver to treat a suspect email with caution; most of the time this means your email is treated as spam. A reject policy will result in suspect emails being discarded, and the email will not be received.
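Here is an added example (not code from the original post) that ties the DMARC pieces together: it parses the record above, rejects rua/ruf addresses that lack the mailto: scheme, checks whether the SPF or DKIM domain aligns with the From address in relaxed or strict mode, and applies p= or sp= when nothing aligns. The DNS table is constructed, and the organizational-domain check is a hypothetical two-label approximation; real receivers consult the Public Suffix List instead.

```python
# Constructed DNS TXT table (assumption: stands in for live lookups).
DMARC_TXT = {
    "_dmarc.mydomain.com": (
        "v=DMARC1;p=quarantine;sp=quarantine;pct=100;"
        "rua=mailto:someone@mydomain.com;ruf=mailto:someone@mydomain.com"
    ),
}


def parse_dmarc(value):
    """Parse a DMARC record into a dict, filling in the defaults receivers use."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + value)
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            # Report destinations are URIs; a bare address is silently unusable.
            if not uri.strip().lower().startswith("mailto:"):
                raise ValueError("%s must use a mailto: URI, got %s" % (tag, uri.strip()))
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("adkim", "r")      # r = relaxed alignment, s = strict
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(domain):
    """Hypothetical approximation: organizational domain = last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_policy(from_domain, txt=DMARC_TXT):
    """Look up _dmarc.<From domain>, then fall back to the organizational domain."""
    from_domain = from_domain.lower()
    for name in (from_domain, org_domain(from_domain)):
        record = txt.get("_dmarc." + name)
        if record:
            return parse_dmarc(record), name != from_domain
    return None, False


def dmarc_result(from_domain, spf=None, dkim=None, txt=DMARC_TXT):
    """spf and dkim are (result, authenticated_domain) tuples, or None if absent.

    Returns (dmarc_result, disposition) where disposition is none, quarantine or reject.
    """
    policy, is_subdomain = find_policy(from_domain, txt)
    if policy is None:
        return "none", "none"
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    print(dmarc_result("mydomain.com", spf=("pass", "mydomain.com")))
    print(dmarc_result("mydomain.com", dkim=("pass", "mail.mydomain.com")))
    print(dmarc_result("news.mydomain.com", spf=("pass", "newsletter-service.example")))
```

The third call is the common newsletter situation: SPF passes for the service's own bounce domain, nothing aligns with your From address, and the sp= policy decides what the receiver does. That is exactly the case the aggregate reports surface, and why a provider-specific DKIM selector on your domain matters.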
Useful Resources
Verifying and setting up DKIM, SPF, and DMARC can be a bit daunting. Luckily there are several free tools you can use to validate what you have, configure what you need, and even monitor DMARC reports.
- Dmarcian has a number of free tools to check your domain’s email setup. You can quickly use their Domain Checker to see what might need to be set up or improved.
- EasyDMARC has free tools to check your DKIM, SPF, and DMARC records, as well as tools to generate records for you to add or update. You can also sign up for free monitoring.
- DMarcly also has free checkers and generators for DKIM, SPF, and DMARC records.
DMARC aggregate reports have lots of feedback, but they are in XML. They can be difficult to read and interpret. Check out Dmarcian’s free Report Analyzer to convert these reports into something more human-readable.
We have covered these mechanisms briefly. If you are interested in learning a lot more, Wikipedia has extensive information on DKIM, SPF, and DMARC.
Summary
DKIM provides a way to digitally sign your email, preventing tampering and spoofing. SPF helps to prevent spoofing through a relay. DMARC builds on DKIM and SPF and helps you to fine tune your email sending setup.
Ultimately, implementing DKIM, SPF, and DMARC on your website improves your email-sending reputation and helps avoid the spam filter. If you haven’t added these to your site yet, what’s holding you back?