SPF, DKIM, and DMARC Authentication

When you send emails, mailbox providers (such as Gmail, Outlook, AOL and Yahoo) need to identify whether the message is a legitimate email sent from the owner of the domain name or email address, or a forged email sent by a spammer or phisher. This includes emails sent from ActiveCampaign.

There are three established methods used to verify a sender's identity. These are SPF, DKIM, and DMARC. We recommend setting up these email authentication methods for several reasons. The most common reasons are:

  • Remove the “via...” header from Gmail
    Doing so will reenforce branding (see image below). A positive side effect of setting up DKIM authentication is that this header disappears.
  • Build reputation as an email sender on your own domain name
    Sending email without authentication is like turning in homework without your name on it. You may have aced the assignment, but you can't take credit for it without your name on it. DKIM authentication in particular helps build your reputation as an email sender.
  • Enforce stricter security on your domain name
    Authentication standards such as DMARC help protect your domain name from fraudulent use by spammers and phishers who want to hurt your reputation or scam your customers.

Email authentication is not a silver bullet to solve deliverability problems. Authentication solves the problem of determining who the email is coming from, not whether the email is wanted by the recipient.

A sender who follows best practices, such as sending high quality, personalized emails to an opt-in list and performs regular list hygiene will typically see higher deliverability when using email authentication. Their domain will build a reputation as a good sender with recipients who want to engage with their emails.

A sender who does not follow best practices, such as using a rented or purchased list, not having clear messaging during the opt-in process about what kind of emails will be sent and at what frequency, or who never performs any list hygiene will typically see lower deliverability with email authentication. Their domain may build a reputation as a sender of unwanted emails.

Authentication allows good senders to further solidify their reputation and protect their domain from bad senders who may try to hijack their domain.

As such, we encourage you to set up authentication, but you are not required to do so. 

SPF

SPF (Sender Policy Framework) records are TXT records on your domain that authorize certain servers to send mail using your domain name. ActiveCampaign automatically configures SPF for all customers. This means that you don't need to create an SPF record or modify an existing one to to work with ActiveCampaign. This applies even if you are using a Custom Domain.

If you would still like to add ActiveCampaign to your existing SPF record (even though it is unnecessary), you can do so by adding “include:emsd1.com” to your existing SPF record or by creating a new one. For example, if you send email from both G Suite and ActiveCampaign, your SPF record might look like this:

v=spf1 include:emsd1.com include:_spf.google.com ~all

You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your existing record instead of creating a new SPF record.

DKIM

DKIM (Domain Keys Identified Mail) is essentially a signature any sender can apply to their email messages. This signature makes clear that the purported sender of the message is actually the sender of the message. Any domain can be used as the signature. For example, a company called "Dog Bandanas" will sign their messages with the dogbandanas.com domain to confirm that the message was actually sent by "Dog Bandanas."

This is accomplished by inserting a hidden, cryptographic signature into your email header (ActiveCampaign will do this) and then placing a public key on your website that verifies the authenticity of this signature.

All mail sent from ActiveCampaign will use ActiveCampaign's DKIM signature by default. ActiveCampaign's DKIM signature has a very good reputation and it is sufficient for most senders. However, it is easy to setup DKIM for your own domain if you want to.

To setup DKIM:

1. Click "Settings."

2. Click "Advanced."

3. Click the "I will manage my own email authentication" option.

sarahnicholaev

4. Type your sending domain into the DomainKeys Identified Mail (DKIM) field and click the "Generate" button.

sarahnicholaev

We'll generate a TXT Record Name and TXT Record Value.

sarahnicholaev

Note that the values generated here will not save on the page. You will need use these values to configure a TXT record at your DNS host.

Your DNS host is typically the company you registered your domain with or host your website through. Most DNS hosts will require the following items to set up your TXT record:

  • Type
    Choose TXT.
  • Name or Host
    Enter dk._domainkey (most common), or the full TXT Record Name shown inside ActiveCampaign (less common).  Which one you should use depends on whether your DNS provider automatically appends the domain name to DNS records you create. If you are unsure which to use, look at the format of other DNS records in your settings (do they include the domain name in the Name or Host field?) or ask your DNS host.
  • Value or Record
    Enter the TXT Record Value shown inside ActiveCampaign.
  • TTL 
    This is "Time Till Live." Use the recommended or default setting of your DNS host. If there isn't a default setting, we recommend 3600 (one hour).

To find specific instructions for your host, use your preferred search engine to look up "Add TXT record at _____", replacing the blank line with your DNS provider. For convenience, we've included some common DNS providers below:

Once you're finished, you can use our authentication tool or test a live email with mail-tester.com to ensure that DKIM is working.

DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells mailbox providers (such as Google or Microsoft) what to do if email fails SPF and DKIM checks. 

DMARC supports three main policy configurations:

  • "None"
    Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record at all, although you can still take advantage of DMARC's reporting features.
  • "Quarantine"
    Indicates that emails should be delivered to the spam folder if the DMARC check fails.
  • "Reject"
    Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.

Using a DMARC policy of “Quarantine” or “Reject” will require that you have a proper DKIM record setup for your sending domain, or else all your mail from ActiveCampaign will fail the DMARC test. This will filter it to the spam folder (“Quarantine”) or block it entirely (“Reject”). Make sure you have set up DKIM for all of your sending domains before setting up a strict DMARC record.

DMARC is not a tool to enhance deliverability and you are not required to set up DMARC to send emails from ActiveCampaign. However, you should use DMARC if:

  • Someone is actively spoofing your domain, sending fraudulent mail, and tarnishing your reputation. DMARC would let you identify this malicious activity and shut it down
  • Your organization has an email security policy that requires DMARC authentication, such as a governmental entity or financial organization
  • You want to display a BIMI logo for your emails

To get started with DMARC, we recommend you begin with a policy of “None” so that you don't impact your deliverability in case of a misconfiguration. You can then monitor your DMARC reports to see what the impact would be if you use a stricter policy.

We have a recommended initial DMARC policy below. You can set it up by creating a TXT record with a Host or Name of _dmarc at your DNS provider and entering the value below for the Value or Record. Please be sure to replace the email address below with your own email address:

v=DMARC1; p=none; pct=100; rua=mailto:youremail@example.com

If you don't replace the email address in the example above with your own email address, you will not receive DMARC reports.

If you want to implement stronger security on your domain, you can set up a stricter DMARC record using a policy of “Quarantine” or “Reject." To set up a strict DMARC record, we would advise you to visit dmarc.org for recommendations on how to configure the record properly.

Additional authentication methods

BIMI

BIMI (Brand Indicators for Message Identification) is a new, experimental standard that builds on top of DMARC. It allows domain owners who have implemented DMARC to purchase a Verified Mark Certificate (VMC) to display a BIMI logo for their brand in email messages. This gives recipients an easy way to visually identify trusted messages.

As BIMI is such a new standard, it does not yet have widespread adoption by domain owners or mailbox providers, and you do not need to set up BIMI. However, if you are interested in learning more, you can review the following sites:

SenderID

SenderID is an authentication standard that was created by Microsoft and intended as a replacement for SPF. However, Sender ID has since been deprecated and is no longer used by the vast majority of email services and you do not need to configure it.

If you do send to legacy email systems that rely on Sender ID, then we recommend configuring an empty Sender ID to avoid potential conflicts with SPF:

spf2.0/pra

Additional Reading

In this article, we didn't attempt to explain the technical process of how SPF, DKIM, and DMARC work. Each of these authentication protocols has a public website where the technical specification is explained at depth:

Have more questions? Submit a request