Email Sender Authentication: SPF, DKIM, and DMARC

Using SPF, DKIM, and DMARC to enhance email deliverability and sender reputation

If you are using QPilot to send email notifications to your customers about their Scheduled Orders, and you are also adding your email address to the "Email Sender Address" field, then you will need to verify your domain (SPF) and implement additional verification protocols and policies for DKIM and DMARC to ensure that you can deliver emails successfully to the inboxes of your customers.

These steps are important for high email deliverability, and especially so for merchants sending more than 5,000 email messages per day to customers on Gmail or Yahoo Mail. Both providers tightened their Email Sender Guidelines in February 2024 to keep malicious or low-value email out of the inbox.


Not using the "Email Sender Address" field? No additional steps needed!

If you are not adding your own email address to the "Email Sender Address" field, then you don't need any additional email sender authentication as your emails will be sent from [email protected] which already uses additional email authentication. Learn more here.

Basic Email Authentication: SPF

Sender Policy Framework (SPF) is an open standard aimed at preventing sender address forgery. This article from SendGrid©, the email service that powers the sending and delivery of QPilot's Customer Email Notifications, describes how SPF is configured.

How to implement SPF

Basic Email Authentication with SPF only requires that you can add a record to your DNS provider.

  1. First, you should never use "no-reply" addresses for your Email Sender Address. These will hurt your reputation across all email servers and can result in emails being flagged as Spam.
  2. To ensure basic email authentication, add the following SPF records as a TXT record to your domain's DNS:
    v=spf1 include:sendgrid.net -all
    1. This record authorizes SendGrid's servers to send mail on behalf of your domain, and the terminating -all tells receiving servers to reject mail from any other source. Note that it does not list your domain's own mail servers; if you also send mail from them, keep an a or mx mechanism in the record as shown in the existing-record example below.

Already have an existing SPF record?

If you already have an SPF record set up in your DNS, you can simply update it by inserting include:sendgrid.net immediately before the terminating mechanism in the record.

For example, if your current SPF record looks like this:

v=spf1 a -all

... then update it to look like this:

v=spf1 a include:sendgrid.net -all
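The edit described above can be done by hand, but it is easy to put the include after the terminating mechanism or to add a duplicate. The following is an added example, not code from QPilot or SendGrid, that inserts the include exactly where the text says (immediately before the all mechanism), leaves the record unchanged if the include is already present, and also counts the mechanisms that cost a DNS lookup, since RFC 7208 caps an SPF evaluation at 10 lookups and a record that exceeds that limit fails as a permerror. The record strings in the comments are the ones from this page; everything else is assumed for illustration.

```python
# Added example: merge include:sendgrid.net into an existing SPF record.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def add_spf_include(record: str, include_domain: str = "sendgrid.net") -> str:
    """Insert include:<domain> immediately before the terminating 'all' mechanism.

    'v=spf1 a -all' becomes 'v=spf1 a include:sendgrid.net -all'.
    A record that already contains the include is returned unchanged.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    new_term = f"include:{include_domain}"
    # A leading '+' qualifier is the default and means the same thing.
    if any(t.lower().lstrip("+") == new_term for t in terms):
        return " ".join(terms)
    # The 'all' mechanism (with an optional -, ~, ? or + qualifier) must stay last.
    idx = next((i for i, t in enumerate(terms) if t.lower().lstrip("+-~?") == "all"), None)
    if idx is None:
        # No terminating mechanism: a record without 'all' defaults to neutral.
        # Append the include and leave the policy decision to the operator.
        return " ".join(terms + [new_term])
    return " ".join(terms[:idx] + [new_term] + terms[idx:])


def count_dns_lookups(record: str) -> int:
    """Count the top-level mechanisms/modifiers that require a DNS lookup.

    RFC 7208 limits an SPF check to 10 such lookups. This is a lower bound:
    lookups nested inside an included record cannot be counted offline.
    """
    count = 0
    for term in record.split()[1:]:
        # Strip qualifier, then cut at ':' (include:, ip4:), '=' (redirect=) or '/' (a/24).
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


if __name__ == "__main__":
    current = "v=spf1 a -all"          # the existing record from the text
    updated = add_spf_include(current)
    print(updated)                      # v=spf1 a include:sendgrid.net -all
    print("DNS lookups:", count_dns_lookups(updated))
```

Run the script to see the merged record; call add_spf_include on your own record's value before pasting it into the TXT record, and check count_dns_lookups stays well under 10 if the record already includes several third-party senders.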

DomainKeys Identified Mail: DKIM

DomainKeys Identified Mail (DKIM) is an authentication standard that adds a cryptographic signature to your emails' headers in order to prevent email spoofing. This article from SendGrid©, the email service that powers the sending and delivery of QPilot's Customer Email Notifications, describes how DKIM is used by receiving mail servers to verify each email message's DKIM signature.

How to implement DKIM

Setting up DKIM is a simple 2-step process that requires QPilot to generate unique records for you to add as CNAME records to your DNS provider.

To have DKIM set up for your account, simply send a support message to [email protected] with the following:

  1. Your domain's DNS host provider (for example: GoDaddy, NameCheap, or Register.com)
  2. The email address you are using to send emails to your customers from (for example: [email protected])

Once our team receives this from you, we will respond with 3 CNAME records for you to add to your DNS host provider.

How to confirm that DKIM is configured properly

There are several websites that will help you quickly check that your DKIM records are set up correctly in your DNS:

Domain-based Message Authentication, Reporting & Conformance: DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a powerful way to verify the authenticity of an email’s sender and prevent malicious senders from damaging your sender reputation. This article from SendGrid©, the email service that powers the sending and delivery of QPilot's Customer Email Notifications, describes how DMARC provides a policy to email service providers, instructing them on the actions to take when they receive an email that fails either SPF, DKIM, or both... and appears to be from your domain—a sign it may be spoofed.

How to implement DMARC

  1. Add a TXT record with the following parameters:
    1. host: _dmarc
    2. TXT Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];
    3. TTL: You can choose. The default TTL value is usually 1 hour or 3600 seconds.
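A DMARC record is a short list of tag=value pairs, and a single typo (a missing p= tag, a report address without mailto:) makes receivers ignore it. The following is an added example, not QPilot's own code, that parses a record like the one above and reports the problems a practitioner would want to know about, including that p=none is a monitoring-only policy: receivers still deliver mail that fails DMARC and only send you reports. The sample record uses the constructed address dmarc-reports@example.com in place of the one shown above.

```python
# Added example: parse and sanity-check a DMARC TXT record (RFC 7489 tags).
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(record: str) -> dict:
    """Split a DMARC record into a {tag: value} dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' shown in the record above
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(record: str) -> list:
    """Return a list of findings; an empty list means well-formed and enforcing."""
    findings = []
    tags = parse_dmarc_record(record)
    # v=DMARC1 must be the first tag; p= is the only other required tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        findings.append(f"unknown policy {policy!r}; use none, quarantine or reject")
    elif policy.lower() == "none":
        findings.append(
            "p=none only monitors: mail failing DMARC is still delivered; "
            "move to quarantine or reject once the reports look clean"
        )
    # Report URIs must be mailto: addresses.
    for tag in ("rua", "ruf"):
        if tag in tags:
            uris = [u.strip() for u in tags[tag].split(",")]
            bad = [u for u in uris if not u.lower().startswith("mailto:")]
            if bad:
                findings.append(f"{tag}= URIs must use mailto: ({', '.join(bad)})")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


if __name__ == "__main__":
    # Constructed sample record with a placeholder report address.
    sample = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com;"
    for finding in check_dmarc_record(sample) or ["record is well-formed and enforcing"]:
        print("-", finding)
```

Run it against the exact string you plan to publish at _dmarc.yourdomain; the p=none finding is expected while you are collecting reports, and disappears once you move to quarantine or reject.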

How to confirm that DMARC is configured properly

To verify that DMARC and DKIM are working as expected, you can review an email sent from your domain. For example, if you open a message sent from your domain in Gmail, click the three dots menu and choose the option named "Show original", which opens the email in raw format so you can verify the following:

  • SPF shows as PASS
  • DKIM shows as PASS
  • DMARC shows as PASS
  • Note: All three should show your domain name
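The raw message from "Show original" carries an Authentication-Results header with the same verdicts Gmail summarizes. The following is an added example, not QPilot's or Gmail's code, that reads that header from a raw message and checks both the PASS result and the point made in the note above: the domain each check was performed against must match the domain in the From header (DMARC alignment). An SPF pass on the mail provider's bounce domain does not count. Both messages below are constructed samples; the header layout follows RFC 8601 and the domains are placeholders.

```python
# Added example: check SPF/DKIM/DMARC verdicts and alignment in a raw message.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message: everything passes and is aligned with the From domain.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com header.s=s1 header.b=abc123;
       spf=pass (domain of bounces@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounces@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Example Shop <orders@example.com>
To: customer@example.net
Subject: Your scheduled order is on its way

Thanks for your order.
"""

# Constructed raw message: SPF passes only for the provider's bounce domain
# (not aligned), DKIM fails, so DMARC fails even though SPF says PASS.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.net;
       dkim=fail header.i=@example.com header.s=s1 header.b=abc123;
       spf=pass smtp.mailfrom=bounces@mailprovider.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Example Shop <orders@example.com>
To: customer@example.net
Subject: Your scheduled order is on its way

Thanks for your order.
"""


def _relaxed_aligned(domain: str, from_domain: str) -> bool:
    """Relaxed alignment approximation: identical, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the public suffix list."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return (domain == from_domain
            or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def check_sender_authentication(raw_message: str) -> dict:
    """Return per-method verdict, checked domain and alignment, plus an overall flag."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth_results = msg.get("Authentication-Results", "")
    # Method -> the property that names the domain the check was done against.
    checks = (("spf", "smtp.mailfrom"), ("dkim", "header.i"), ("dmarc", "header.from"))
    report = {"from_domain": from_domain}
    for method, prop in checks:
        verdict = re.search(rf"\b{method}=(\w+)", auth_results, re.IGNORECASE)
        # Accept 'user@domain', '@domain' or bare 'domain' after the property.
        domain = re.search(rf"{re.escape(prop)}=(?:[^\s;@]*@)?([^\s;]+)", auth_results, re.IGNORECASE)
        result = verdict.group(1).lower() if verdict else "missing"
        checked = domain.group(1).lower() if domain else ""
        report[method] = {
            "result": result,
            "domain": checked,
            "aligned": bool(checked) and _relaxed_aligned(checked, from_domain),
        }
    report["all_pass"] = all(
        report[m]["result"] == "pass" and report[m]["aligned"] for m, _ in checks
    )
    return report


if __name__ == "__main__":
    for name, sample in (("aligned", SAMPLE_ALIGNED), ("unaligned", SAMPLE_UNALIGNED)):
        r = check_sender_authentication(sample)
        print(name, "all_pass:", r["all_pass"])
        for method in ("spf", "dkim", "dmarc"):
            print(f"  {method}: {r[method]}")
```

Paste the text from "Show original" into a file and pass its contents to check_sender_authentication; the second sample shows why the note matters: SPF reports PASS, but for the provider's bounce domain rather than yours, so it does not help DMARC.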

You can also use several websites that will help you quickly check that your DMARC (and also DKIM and SPF) records are set up correctly in your DNS:

If your company relies on email to communicate with your customers and you don’t implement email authentication, these changes are going to significantly impact the deliverability of your messages to customers with Gmail and Yahoo accounts. If you send over 5,000 emails to these accounts daily and fail to have SPF and DKIM, or don’t have a DMARC policy implemented, these non-deliveries will have an even greater impact on your business.