
Sunday, 31 October 2021 09:23

Configure your SPF, DKIM and DMARC for your Newsletter


So here is the explanation of what these three elements are, and how we should configure them so that our mail looks, at a technical level, as good as possible to anti-spam filters.

 

FIRST STEP: THE SPF

Sender Policy Framework (SPF) is an email validation system designed to prevent spam by detecting spoofing, a technique commonly used by cybercriminals, by verifying the sender's IP address.

What this element tries to prevent is anyone usurping our identity by using our domain to send content of any kind to third parties. As I already told you, that is as simple to do as preparing a short PHP script with the mail() function and executing it on a server.

With SPF we define which IPs and/or domains may send mail on our behalf, so that all email coming from those addresses will theoretically have our approval, and email coming from anywhere else will not.

To configure it, simply go to your domain manager, open the advanced DNS zone section (or whatever it is called, since each provider is a world of its own), and create, if it does not already exist, a new TXT record whose name is ourdomain.extension. (note the trailing dot) and whose content is "v=spf1 ip4:OurServerIP include:DomainOrDomainsToAuthenticate ?all"

In my case, as I use Mailchimp, the record was as follows:

cneris.com. TXT v=spf1 ip4:MiIP include:servers.mcsv.net ?all

servers.mcsv.net is the domain that Mailchimp uses to send. With this record I am informing the mail providers that any mail sent from an @cneris.com account has my approval as long as it comes from the IP of my server or from the servers.mcsv.net domain. The ?all at the end means that all other domains and undefined IPs are considered unverified (?all is SPF's neutral qualifier).

By default, domain providers usually include their own SPF linked to the domain of the hosting or server. Each email marketing system uses its own domain, so we simply have to look it up on their site or ask their support what it is.

By the way, like any DNS change, it may take up to 72 hours to propagate, so be patient.

 

NEXT STEP: THE DKIM

DomainKeys Identified Mail (DKIM) is a method of associating a domain name with a message, allowing a person or organization to take responsibility for it.

It usually goes together with SPF, these two being the main technical aspects of email authentication. And again, its configuration depends on the email marketing provider that we are going to use.

In the case of Mailchimp, as explained on their advanced configuration page, just create a record named k1._domainkey.ourdomain.extension. (note the trailing dot) of type CNAME with the content dkim.mcsv.net.

The result, in my case:

k1._domainkey.cneris.com. CNAME dkim.mcsv.net

 

THIRD VALIDATION: THE DMARC

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and to give instructions for when neither of those authentication methods passes. This means that in order to have DMARC on our emails, at least one of the two above must already be working (that is, it has propagated properly).

And really, as a policy, it is not strictly necessary. It simply defines how providers would contact you in case of problems. In fact, the two previous ones each lower by 3 points the score that mail-tester gives to the final delivery, while a non-existent or badly configured DMARC, I think I remember, only lowered it by 1 point.

Still, it is not difficult to leave it well configured.

To do this, this time we need to generate the appropriate DMARC record with a provider such as UnlockTheInbox. All these services ask us, via a form, to complete a series of fields with our domain and the SPF and/or DKIM that we have, and then return a value that we again add in the advanced DNS configuration, under the name _dmarc.ourdomain.extension. (trailing dot again) and with the TXT type.

In my case it came out like this:

_dmarc.cneris.com. TXT v=DMARC1; p=none; sp=none; rua=mailto:[address hidden]; ruf=mailto:[address hidden]; rf=afrf; pct=100; ri=86400

Just by doing these three simple steps we have guaranteed up to 7 points out of 10 in mail-tester.
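The following Python code, an added example that is not from the original article, parses TXT values shaped like the SPF and DMARC records above and reports how strict each policy is. The IP 192.0.2.10 and the report address dmarc@example.com are constructed placeholders, and the function names are this example's own.

```python
# Added example: lint SPF and DMARC TXT values of the shape used in this article.
# Sample records are constructed; 192.0.2.10 and example.com are placeholders.
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return [(result, mechanism, value)] for each term after v=spf1."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with the single token v=spf1")
    parsed = []
    for term in terms[1:]:
        if term.endswith((":", "=")):  # e.g. "ip4: 192.0.2.10" split in two
            raise ValueError(f"whitespace inside term {term!r}")
        body = term.lstrip("+-~?")
        name, _, value = body.partition(":" if ":" in body else "=")
        # A term without a qualifier character defaults to '+', i.e. pass.
        parsed.append((SPF_RESULT.get(term[0], "pass"), name.lower(), value))
    return parsed


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record (spaces around = are allowed)."""
    pairs = (part.partition("=") for part in txt.split(";") if "=" in part)
    tags = {key.strip().lower(): value.strip() for key, _, value in pairs}
    if tags.get("v") != "DMARC1":
        raise ValueError("record must contain v=DMARC1")
    return tags


def lint(spf_txt, dmarc_txt):
    """Return findings about how the two policies treat unauthenticated mail."""
    findings = []
    all_result = next((r for r, name, _ in parse_spf(spf_txt) if name == "all"), None)
    if all_result in ("neutral", "pass", None):
        findings.append(f"SPF all={all_result}: unlisted senders are not failed")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p") == "none":
        findings.append("DMARC p=none: monitoring only, failing mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua: no aggregate reports will arrive")
    return findings


SPF = "v=spf1 ip4:192.0.2.10 include:servers.mcsv.net ?all"
DMARC = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; pct=100; ri=86400"

if __name__ == "__main__":
    print("\n".join(lint(SPF, DMARC)))
```

A record ending in -all together with p=reject produces no findings; an SPF value pasted with spaces after "=" or ":" is rejected by parse_spf, because SPF terms are separated by whitespace.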

Still, I emphasize: criteria such as the content (our mailings having very little text and a lot of code or images), how recipients treat the mailings (open rate, click rate, marked as spam, domain added to the address book ...) or one of the large providers having marked us as spam (normally

Last modified on Sunday, 31 October 2021 09:31