How do I stop my emails from going to SPAM? This is a question that comes up many times in the web hosting world. SPF, DKIM and DMARC are email authentication records for your domain that work together to prevent spam, email spoofing, and malicious activity for your domain email. Regardless of your host, email deliverability is a complex issue contingent upon many factors. Spammers are always looking for new ways to get past even the most aggressive spam filtering. This has resulted in email providers such as Google, Yahoo, Microsoft, and more having to double down on policies for incoming email and change how they accept incoming email messages in order to distinguish between legitimate emails and spam. Unfortunately, for a domain holder (like yourself) this can result in legitimate emails sent from your domain being marked as SPAM – even if they aren’t.
One of the policies most popular email providers have in place for handling incoming email is marking all unauthenticated emails as SPAM, regardless of message content.
Why do you need SPF, DKIM and DMARC?
Without email authentication records in place, anyone can send email on behalf of your domain pretending to be you. This is why most receiving email servers will mark a message as spam or even discard messages from a domain that does not have these records in place.
What is Unauthenticated Email?
Simply put, an unauthenticated email is an email message that was sent without having to authenticate on a server (like logging in with your email address and password then sending an email). This might happen if you’ve submitted an email message through a contact form or have automated email messages set to send through your website without using an email address and instead using the PHP Post method alone. To help with this and to prevent abuse of contact forms and reduce outgoing SPAM, the server here requires SMTP authentication. This means any email sent from your website must be authenticated with an email address and password. An email may also be considered unauthenticated if the email authentication DNS records such as SPF, DKIM and DMARC are not present.
→ See our Guide on How to Configure SMTP Authentication in WordPress
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. It works like a security guard or bouncer for your domain email. It helps prevent spoofing by ensuring that an email message being sent was sent from the actual IP address of your domain, which is listed in the SPF record. So if someone tries to send email pretending it’s from your domain and it’s not, the IP address will not match and in most cases the email will be rejected or discarded. The absence of an SPF record will make emails from your domain seem less secure and oftentimes will result in mail servers automatically tagging emails from your domain as SPAM, since there is no way to tell if the email message was legitimate or not.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the incoming mail server to check that an email was actually sent from the owner of the domain it claims to have been sent by. It gives an email a digital signature known as the DKIM signature. The DKIM signature is an encrypted header that is added to email messages.
DKIM allows the recipient email server (incoming mail server) to check that an email sent from your domain is signed with a valid DKIM signature. This lets the incoming mail server determine that parts of the email such as the message body and attachments haven’t been modified.
Using the DKIM record together with DMARC and SPF will improve email deliverability and can also protect your domain against malicious emails sent on behalf of your domains, which is a common tactic used in email spoofing.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email policy for your domain. It’s a validation system that is designed to protect email from your domain from being used in email spoofing, phishing scams, and other malicious activity. DMARC uses existing email authentication records (SPF and DKIM) and adds the ability for domain owners to receive reports regarding who is sending email on behalf of their domain. As a website owner, you want to be sure that your visitors or customers will only see emails that you have sent yourself and not potential malicious emails sent by spammers using spoofing methods. DMARC is a way to secure your email and gives email receivers certainty in determining whether or not an email is legitimate and has originated from you. The result is a positive impact on email deliverability, and it also prevents anyone else from sending email using your domain when they aren’t supposed to.
→ See our Guide on how to Set up SPF, DKIM and DMARC for your domain