SPF, DKIM, and DMARC are key email authentication methods that prevent spam and other fraudulent emails. Including DKIM and SPF records in your emails, as well as DMARC policy, allows you to send email marketing without ending up in spam.

PROTECT YOUR SENDER’S REPUTATION

Every day, email inbox providers filter out millions of malicious messages. That means inbox providers, such as Google, constantly tighten their inbox security with strict requirements for distinguishing spam. As a legitimate marketer, you need to adapt quickly to engage in effective email marketing.

Increasing deliverability and building your sender reputation become critical to good emailing. Writing quality content and maintaining good email list hygiene are essential. But many marketers forget about the “back end.” To keep a healthy email domain (your emailing ID), you need to include SPF, DKIM, and DMARC.

These methods not only allow you to pass providers’ spam filters but also protect you from fraudulent messages being sent on your behalf (spoofing).

Let’s take a closer look at them.

SPF (Sender Policy Framework)

Here is a straightforward yet effective solution: an SPF record contains a list of all the authorized IP addresses that can send emails within your domain. The receiving provider analyzes your DNS to see if the IP address is actually authorized by your domain. If it is, the email comes from a legitimate source, adding credibility to your message.

Again, the setup may vary a bit according to your ESP, but the process goes like this:

• List ALL the email providers you use to send from your domain
• Access your DNS settings and create/edit your SPF record. If there already is an SPF record, look for: “v=spf1”. Then, simply add your ESP with the “include” statement. For example, Google looks like this: v=spf1 include:_spf.google.com
• If you have multiple ESPs, include them all

---

• To correctly set the SPF records for the cortex domain, this record is needed:

v=spf1 mx include:_spf.cortex.cz ~all”

Note: even though you use multiple providers, you need to only have one SPF record!

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC policy combines DKIM and SPF methods. It basically tells the receiving provider what to do if the email fails to pass DKIM or SPF: send it anyway, quarantine it to spam, or automatically reject it. DMARC has become a best practice for bulk email senders, as it adds another layer of email security to ensure optimal deliverability. 

Correction: not only a best practice but a necessity! For example, Google and Yahoo email providers automatically bounce bulk senders’ emails if they do not have a DMARC policy. Therefore, to send a newsletter to a customer’s Gmail means you need to have DMARC.

Again, DMARC policy is set in your domain’s DNS:

• Access your domain’s DNS settings
• Create a TXT record in your DNS. Put “_dmarc” in the “Host” field, put “ v=DMARC1” in the “Value” field, and set the specific policy – “p=xxx”
  • p=none (even if the email fails DKIM and SPF checks, it is still sent)
  • p=quarantine (if the email fails the checks, it goes to spam)
  • p=rejection (if the message fails the checks, it is not accepted at all)

---

• The following entry is needed to properly set up DMARC for the cortex domain:

v=DMARC1; p=none; sp=none;

DKIM (DomainKeys Identified Mail)

DKIM is an encrypted digital signature added to the email’s header. It is verified by two DNS (identification of your branded domain) records: decryption key and selector. Upon receiving your email, the receiving provider looks at your domain’s DNS, where a public decryption key is located. If the key works and the signature is decrypted, you pass the provider’s check. Having DKIM significantly increases deliverability.

Here’s the general setup process: 

• Generate a DKIM key and selector from your email service provider’s (ESP) account. Copy both entries
• Add the DKIM record to your domain’s DNS settings by creating a TXT record. Paste the selector in the “Host” or “Name” field and the generated key itself in the “Value” field
• Go to your ESP provider and allow DKIM

---

• You need this record for the correct DKIM settings:

dkim._domainkey.domain.com IN CNAME dkim._domainkey.cortex.cz

“domain.com” is your domain name, and it must be set and confirmed by Cortex after you set it on your side.

Note: Set a DKIM record for each of the email providers you use to send emails.

CARECLOUD TAKES EMAIL DELIVERABILITY SERIOUSLY

In essence, DKIM and SPF validate email authenticity, and DMARC decides how to deal with unauthorized emails. We strongly encourage adding all three if you want to optimize deliverability and build a strong sender reputation. Your email marketing must be legitimate and follow the latest requirements to be profitable.

The CareCloud platform places email security as the top priority. For a final recap, we will list proper SPF, DMARC, and DKIM settings:

• v=spf1 mx include:_spf.cortex.cz ~all”

• v=DMARC1; p=none; sp=none;

• dkim._domainkey.domain.com IN CNAME dkim._domainkey.cortex.cz, where domain.com should be replaced with your domain name. It must be set on your side first and then confirmed by Cortex.

Apart from providing Email Designer and bulk sending, we also offer a separate CareCloud Onboarding Service. With it, you will gain the necessary insight, know-how, and best practices to jumpstart your marketing with the CareCloud platform. Needless to say, email security and deliverability are also part of the service. With CareCloud Onboarding, you will get the message through.