Email Rejection

Don't get (email) rejected this Valentine's

February 08, 2024 · 9 min read

“The advance of technology is based on making it fit in so that you don’t really even notice it, so it’s part of everyday life.” - Bill Gates

Getting your email rejected is frustrating. Understanding why this happens and how to resolve it is key to business resilience.

Google's Gmail and other providers have enforced stricter requirements for email authentication starting this month. If you have experienced email rejections, or just want to ensure your email is set up correctly, read on. We take a look at the requirements to get your business email delivered and why they have been put in place.

Email Verification

Being set up to send and receive is not enough

With the advent of ever-increasing spam and phishing emails, proving you really are a genuine sender for your business is critical to getting your email delivered. Requirements for this type of sender validation are now stricter than ever, and if you don't have them in place you can expect to see more and more of your emails being rejected (bounced) instead of delivered.

Two main verification methods

There are two main methods of verifying that an email really is from your business: SPF and DKIM. Both work by verifying your email domain, i.e. yourcompany.com. Any email sent from an address at yourcompany.com would be subject to SPF and DKIM validation checks. These may sound confusing already, but they really are not too bad once you look at what they actually are. So, let's take a look:

SPF

SPF, or Sender Policy Framework, simply identifies the valid email servers which can send email for your domain. For example, if I use Office 365 I would have a record which states that Microsoft's email servers can send mail for mycompany.com. These records are stored in the DNS settings of your domain, which in this example is mycompany.com. If that sounds alien to you, don't worry, we'll take a look at DNS and how to set it up for SPF further down this post. The thing to understand about SPF is that it's a bit like a nightclub bouncer: if your name (server) isn't on the (SPF) list, then your (email) isn't coming in. This means that fake emails posing as your domain will be blocked, which is a good thing!

DKIM

DKIM, or DomainKeys Identified Mail, is a method where the email server places an encrypted header onto your email as it is being sent. This encryption is created using a (private) key which only exists on your email server (so it is the only one which can write this header). The receiving email server looks up the (public) DKIM key from your domain records (yep, DNS again!) to decrypt the header and validate that the email really came from your genuine email server, and therefore from you/your business. We will take a look at how to set up DKIM further down in this post.

Do I need SPF or DKIM?

Actually, it really is best if you can set up both. This way your email has the best chance of correctly validating and being delivered. If you can't do both for any reason, at least have one of these configured.

Ok, how do I do it?

A quick disclaimer: The below information is intended as a guideline only. Before you begin, please make sure you fully understand the below content, and if required do further research. Changing your DNS records can negatively affect your email delivery if done incorrectly. Bitwise-IT cannot accept liability for any DNS records you change. If you do need direct help, we are soon to launch a professional business email health check service. If this is of interest to you, please let us know here and we can inform you as soon as the service is available to book.

Go to your DNS admin settings. Usually this will be with the provider you purchased your domain name from, under DNS management. Once there, check whether you have SPF and DKIM records. SPF records are of type TXT, or with some providers there is a specific SPF record type. DKIM will be set as a TXT record, or in some cases a CNAME record.

Setting/Checking SPF

Ensure you have a single record with the following settings:

Type: SPF (if not possible choose TXT)

TTL (if you have the option): 1 hour, or 60 minutes, or 3600 seconds

Host: @

Value: [see below]

The value should consist of:

v: setting the record type, this should be: v=spf1

include: this is optional and can be added more than once if required. Add the sending domain of each email server or service you use (you should be able to get this value from your email provider), e.g. include:_spf.google.com

ip4: this is optional and can be added more than once if required. Add the external IP address of any sending email server for which you cannot add an include entry, e.g. ip4:20.76.201.171

The record should also be terminated with a command for SPF failure, either -all (fail) or ~all (soft fail). We recommend using ~all (soft fail) as SPF failure policy should now be handled by DMARC (see below).

An example SPF value if you are sending via google mail should be: v=spf1 include:_spf.google.com ~all

You will need to adjust this to add the correct include and/or ip4 sections for your own mail server(s). If you are not sure what to do here and need help, please register your interest for our professional business email health check service and we will be in touch very shortly when the service goes live.
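The checks above (exactly one v=spf1 record, valid include/ip4 entries, a ~all or -all terminator) can be run over the TXT values you see in your DNS panel before you save them. This is an added example, not code from the post or from Bitwise-IT; it goes slightly beyond the post by also counting lookup-causing terms, which RFC 7208 limits to 10.

```python
import ipaddress
import re

# Term names from RFC 7208. The second set costs a DNS lookup, and RFC 7208
# allows at most 10 such lookups per evaluation (exceeding it is a permerror).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:([:=/])(.+))?")


def check_spf(txt_records):
    """Return a list of problems with a domain's SPF setup (empty list = OK).
    txt_records: every TXT value published at the zone apex (@), SPF or not.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: no TXT value starts with v=spf1"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records found; publish exactly one")
    terms = spf[0].split()[1:]  # everything after the v=spf1 tag
    lookups, terminated = 0, False
    for term in terms:
        m = TERM_RE.fullmatch(term.lower())
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, sep, arg = m.groups()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            terminated = True
            if qualifier not in ("-", "~"):
                problems.append(f"{term!r} should be -all (fail) or ~all (soft fail)")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                problems.append(f"bad address in {term!r}")
        elif name == "include" and not arg:
            problems.append("include: needs a domain, e.g. include:_spf.google.com")
        elif name not in MECHANISMS and sep != "=":
            problems.append(f"unknown mechanism {name!r}")
    if not terminated:
        problems.append("record is not terminated with ~all or -all")
    elif terms[-1].lower().lstrip("+-~?") != "all":
        problems.append("'all' must be the last term; anything after it is ignored")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10")
    return problems
```

Pass in every TXT value at the apex, not just the SPF one, so a second accidental v=spf1 record (a common cause of SPF permerror) is caught.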

Setting/Checking DKIM

DKIM is stored as a TXT record, and you can have more than one of them if you have different email servers (note that in some circumstances a CNAME record is used instead of TXT). In short, each email server/service should generate DKIM record details for you to enter into your DNS.

There aren't any special configurations to worry about here as they are generated for you, but you do need to get the settings from your email provider. For example, if sending email via Office 365 the Microsoft guide is here.

Type: TXT (unless instructed to use CNAME)

TTL (if you have the option): 1 hour, or 60 minutes, or 3600 seconds

Host: [your provider will give you this value, it may be something like email._domainkey]

Value: [your provider will generate and provide this value. It will likely be a long string of seemingly random characters like: k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/IQIfqn7EhRNcEa/k0HBlDApZOapu3P9Evam+DuYA+HRwVRyp78FIvr2/WqyP+MsTeaJkgIccRWtaS8Yy/kenGseJEDXtgjOaAhidgMTCAkx0pJukqP5iT1eTBs7QRHPrpVZ481Gz0o/ZMMfvmUbsKcTJ2NBYXJMCSntuF32VSai3I4a0ShkErdNlpANjw3nHQps12DvuB6Oj0865IgrtnaqFy5krcT]

Again, if you are not sure what to do here and need help, please register your interest for our professional business email health check service and we will be in touch very shortly when the service goes live.

I'm done, so I'm all good now, right?

Well, no, not really. There is one more bit of setup to do against your domain to give your email the best chance of being delivered. DMARC. Ok, what is DMARC?

DMARC

DMARC, or Domain-based Message Authentication, Reporting, and Conformance (don't worry, there won't be a test on this), is another DNS record which tells the email server receiving your email how to handle messages which fail SPF or DKIM validation. Stricter enforcement of email validation now means having a DMARC policy is essential; if you don't have one, your email may be rejected simply because no policy is in place. Harsh, but understandable with the super-high levels of spam and phishing emails going around these days.

Thankfully, although the name may sound complicated, understanding and setting it up is not. Let's take a look:

DMARC setup is a simple text record in your domain's DNS setup.

Key parts are:

Type: TXT

TTL (if you have the option): 1 hour, or 60 minutes, or 3600 seconds

Host: _dmarc

Value: [see below]

The value field denotes the actual policy you are setting. This field is comprised of several values. We will look at the main ones you can set, then create an example policy you can use in your value field.

Dmarc Policy Values

v: this identifies the record as a DMARC policy and gives its version. Set this to: v=DMARC1;

p: this tells the receiving email server how to handle email which fails validation on SPF or DKIM. Possible values are none, quarantine, reject. none tells the receiving email server to still deliver the email, i.e. take no action. quarantine tells the receiving email server to place the email in the user's spam folder. reject tells the receiving email server to fully reject (bounce) any message which does not pass SPF or DKIM validation. To start with, it is recommended you use a policy of none. This allows you to make sure genuine email is not being blocked. Recommended starting setting: p=none;

rua: this setting tells the receiving email server to send you a daily report of messages which triggered your policy. Set this value to: rua=mailto:yourname@yourdomain.com;

aspf: this setting tells the receiving email server how to handle SPF validation if a valid SPF record is found. Options are s and r, which stand for strict and relaxed. Strict validation means the domain must be identical to what is in the SPF record, so if the SPF record validates mycompany.com then the email address must be someone@mycompany.com to pass validation and be delivered. If relaxed is used, then subdomains will also pass validation, so as an example someone@marketing.mycompany.com would pass validation along with someone@mycompany.com. someone@mycompany.co.uk or someone@marketing.mycompany.co.uk would fail if they are not in the SPF record. Recommended setting is: aspf=s; (provided you do not email from subdomains)

adkim: this setting tells the receiving email server how to handle DKIM validation if a DKIM record is found. Options are s and r, which are the same as in the aspf record and stand for strict and relaxed. Settings work the same as in aspf and the recommended setting is: adkim=s; (again, provided you do not email from subdomains)

Therefore our recommended starter dmarc policy value is: v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com; aspf=s; adkim=s;
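To check a DMARC value before publishing it, and to see what the s/r alignment choice for aspf and adkim actually does with the marketing.mycompany.com and mycompany.co.uk cases above, here is an added example (not code from the post or from Bitwise-IT). It assumes, as a simplification, that the SPF/DKIM-authenticated domain passed to aligned() is already the organisational domain.

```python
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"s", "r"}


def parse_dmarc(value):
    """Split a DMARC TXT value such as 'v=DMARC1; p=none; rua=...' into tags."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(value):
    """Return a list of problems with a DMARC record value (empty list = OK)."""
    problems = []
    if value.split(";", 1)[0].strip().upper() != "V=DMARC1":
        problems.append("record must start with v=DMARC1")
    tags = parse_dmarc(value)
    p = tags.get("p")
    if p is None:
        problems.append("missing p= (policy) tag")
    elif p.lower() not in POLICIES:
        problems.append(f"p={p!r} must be none, quarantine or reject")
    for uri in tags.get("rua", "").split(","):
        if uri and not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua address {uri!r} must be a mailto: URI")
    for tag in ("aspf", "adkim"):
        # RFC 7489 default for both is r (relaxed) when the tag is absent.
        if tags.get(tag, "r").lower() not in ALIGNMENT:
            problems.append(f"{tag}= must be s (strict) or r (relaxed)")
    return problems


def aligned(from_domain, authenticated_domain, mode):
    """Does the From: domain align with the SPF/DKIM-authenticated domain?

    Simplifying assumption: authenticated_domain is the organisational domain,
    so relaxed mode accepts it and any subdomain of it. Real receivers reduce
    both sides to the organisational domain via the Public Suffix List.
    """
    f = from_domain.lower().rstrip(".")
    a = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f == a or f.endswith("." + a)
```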

Wrapping Up

To ensure email deliverability you really should have SPF, DKIM and DMARC records correctly set up for your business. If these are set up incorrectly, or not set up at all, you risk email not being delivered. If you would like help with setting up your business email DNS, please feel free to register your interest for our soon-to-launch professional business email health check service here.

BITWISE-IT MANAGED IT FOR UK BUSINESS

Bitwise-IT are an IT Managed Services Company based in Wickford, Essex, UK. We focus on supporting and protecting your business technology so you can do what you do best. When you partner with Bitwise-IT we have your digital back!
