DIGITAL HUB

YOUR ONLINE JOURNEY MADE EASIER THROUGH THE TWO PATHS CO. BLOG

A Guide to SPF: Email Authentication in 2024

As online business owners, bloggers, and others using email marketing platforms or CRMs such as Kartra, ActiveCampaign, HubSpot and more, it is crucial to remain compliant with email service provider (ESP) regulations. While this article will specifically provide a comprehensive walkthrough and detailed instructions on implementing Sender Policy Framework (SPF), it’s important to understand what email compliance in 2024 means. 


Overview of Google and Yahoo’s February 1st, 2024 update for email validation

In the fall of 2023, both Google and Yahoo released information about upcoming changes to their email inbox service. To understand these policies better, I recommend that you head to the update yourself and review:

With more than 50% of inboxes provided by Google alone, this update is sure to change the email deliverability landscape for many of us. What was previously a “best practice” is now mandatory, and that is a win-win for us all.

The main requirements for email authentication

  1. Add or edit existing DKIM, SPF, and DMARC records in your DNS
  2. Allow for easy one-click unsubscription from mailing lists
  3. No more spam. Send only messages that are wanted. A spam % threshold will be applied

What are DKIM, SPF, and DMARC and how do they affect the average user?

  • DKIM (DomainKeys Identified Mail): This creates a sort of “signature” that is inserted into the header of your email. The header is read by email service providers before the body and represents that the sender is who they say they are (and hasn’t been spoofed or otherwise altered in the process)
  • SPF (Sender Policy Framework): Similar to DKIM, SPF records verify who is allowed to send messages from your domain-registered email address on your behalf. It works differently by checking the IP address of the sending server. DKIM and SPF complement each other by validating both the source and the content. Together, they prevent spoofing, phishing and other malicious email-related attacks
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): This record is a little different than the above two and relies on them to be accurately recorded. It is a policy that simply informs the receiver on what to do in case DKIM or SPF fails. For example, if both DKIM and SPF fail, DMARC can do nothing, it can stop the email from being delivered altogether, or it can move the message into a spam folder. (Generally, if DKIM and SPF have failed, you do not want the email to be received since it was not a legitimate email).


A Step-by-Step Guide to Implementing SPF

Now that we’ve explained why you’re doing this and how important it is for your deliverability, let’s walk through the process of implementing SPF for your domain:

Step 1: Figure out what platforms you need to add SPF for

Identify every platform that sends email from your domain. This includes your email marketing platform and CRM. Anything that uses your email address needs to have these records.

Step 2: Access your DNS (Domain Name System)

Your domain provider is wherever you purchased your domain, and that is where you’ll locate your DNS. Popular examples include:

  • Namecheap
  • GoDaddy
  • Google Domains (now Squarespace)
  • HostGator
  • Bluehost

Sometimes, you might not be managing your DNS at the company you purchased the domain from. I often recommend that my clients integrate Cloudflare, a free DNS hosting service. If Cloudflare is used within your structure, you will manage these records there instead.

Step 3: Filter for TXT records or search “SPF”

Before you jump into adding new records, it’s best to quickly review your DNS to see if those records already exist. Often, you’ll find that an SPF record is there but incomplete. If this record already exists, you do not want to add a second one on top of it: a domain should publish only one SPF record, and receivers treat duplicates as an error.

Most DNS providers let you filter by record name or record type:

Screenshot showing the DNS area from GoDaddy, specifically highlighting the “filter” button and the drop down. In the screenshot, I have TXT (Text) selected and am ready to hit “apply.”
Screenshot from Cloudflare DNS services, depicting the area where you can add a filter or type into the search bar.

Step 4: Add a new record or edit the existing one

After you locate the filter or search of your DNS, see if you find a TXT record that mentions “SPF.” If not, you can proceed with the next step and add the record. If you do see one, do not add a new record. Instead, simply edit the existing one.

Examples of existing SPF records:

v=spf1 include:anemailplatformsender.com -all

If you’re using Google Workspace for your email, yours might look like this:

v=spf1 include:_spf.google.com include:anemailplatform.com ~all

You can edit this record so that each email provider appears after an “include:”, using that provider’s specific sender (Kartra uses sendgrid, Keap uses infusionmail, etc). Many people will have multiple senders to verify. You can add all of them under 1 TXT record.

Here is an example of your TXT record with multiple verified senders:

v=spf1 include:_spf.google.com include:anemailplatformsender.com include:yourcrmprovider.com include:yourcalendarapp.com ~all

My email service has not provided SPF information

If this is the case, then I have a little hack for you. You can review the DKIM CNAME record that they provided to you and that you ideally already set up. They have already given you the sender details here and you just need to update the SPF to match.

For example, let’s review these 3 CNAME records. Notice what I have outlined in green:

Screenshot from Keap showing DKIM records. In this screenshot, I have redacted sensitive client information under “host.” Under “value,” I have outlined where the sender information is located.

Notice that there are three CNAME records. To find the sender, check any one of them under “Value” and after “domainkey”. This is who the email sender is. You’ll add that to your SPF record. 

In this example, your SPF record would look like the following:

v=spf1 include:infusionmail.com -all

Some additional information about SPF records

  • Some records might include an IP address. If yours has this, do not delete it. Simply edit the record and add “include:SENDER.COM” before “all”
  • Records can have the following qualifiers:
    • “-all” – this is preferred
    • “~all” – this is acceptable 
    • “?all” – do not use this, change the ? to one of the above options
    • “+all” – absolutely do not use this, change the + to one of the above options
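
Steps 3 and 4 and the notes above, as an added Python example (not part of the original guide or of any platform's tooling): it edits the existing record instead of creating a second one, keeps IP entries, inserts the new include before “all”, and replaces “?all” or “+all”. The TXT values are constructed, and using “-all” as the replacement is an assumption based on the preference stated above.

```python
import re

ALL_TERM = re.compile(r"^([+?~-]?)all$", re.IGNORECASE)

def add_sender(txt_records, sender, all_term="-all"):
    """Return the one SPF string to publish after authorizing `sender`.

    txt_records: every TXT value currently on the domain (from Step 3).
    all_term: ending used for a new record or to replace "?all"/"+all".
    """
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one SPF record: merge them into one first")
    if not spf:  # nothing to edit, so this becomes the new record
        return f"v=spf1 include:{sender} {all_term}"

    terms = spf[0].split()
    if any(t.lower().startswith("redirect=") for t in terms):
        raise ValueError("record uses redirect=; review it by hand")
    # Locate the "all" term; ip4:/ip6: and existing includes are left untouched.
    idx = next((i for i, t in enumerate(terms) if ALL_TERM.match(t)), None)
    if idx is None:
        terms.append(all_term)
        idx = len(terms) - 1
    elif ALL_TERM.match(terms[idx]).group(1) in ("", "+", "?"):
        terms[idx] = all_term  # a bare "all" is treated as "+all"
    if f"include:{sender}".lower() not in (t.lower() for t in terms):
        terms.insert(idx, f"include:{sender}")
    return " ".join(terms)

# Constructed TXT values for a hypothetical domain (what Step 3 would list).
EXISTING = [
    "v=spf1 ip4:203.0.113.10 include:_spf.google.com ?all",
    "site-verification=constructed-value",
]

if __name__ == "__main__":
    print(add_sender(EXISTING, "infusionmail.com"))
```

Pass all_term="~all" to keep the softer ending while you are still confirming that every sender is listed.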

Step 5: Test and confirm the records are accurate

The platform you are authenticating should have a way to verify that your records are complete and configured properly. Unfortunately, what I have encountered so far is that they will confirm DKIM and DMARC, but not SPF.

This free service will check SPF and DMARC for you: Valimail Domain Checker
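
A local cross-check for this step, as an added Python example that is not from the original guide or from Valimail: it follows every include, counts DNS lookups (SPF allows at most 10 per check, which matters once several senders share one record), and flags duplicate records, include targets that publish no SPF record, and weak “all” qualifiers. The zone data and all domain names are constructed; replace zone_txt with a real TXT lookup to audit a live domain.

```python
import re

# Terms that cost one DNS lookup each; RFC 7208 allows 10 per evaluation.
LOOKUP = re.compile(r"^[+?~-]?(?:include:|exists:|redirect=|(?:a|mx|ptr)(?:[:/]|$))", re.I)
INCLUDE = re.compile(r"^[+?~-]?include:(.+)$", re.I)
ALL = re.compile(r"^[+?~-]?all$", re.I)

def audit(domain, get_txt, path=()):
    """Return (dns_lookups, problems); get_txt(name) lists the TXT strings at name."""
    if domain.lower() in path:
        return 0, [f"{domain}: include loop"]
    spf = [r for r in get_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        why = " (the include fails with permerror)" if path else ""
        return 0, [f"{domain}: no SPF record{why}"]
    if len(spf) > 1:
        return 0, [f"{domain}: {len(spf)} SPF records (permerror)"]
    terms, lookups, problems = spf[0].split()[1:], 0, []
    for term in terms:
        lookups += 1 if LOOKUP.match(term) else 0
        inc = INCLUDE.match(term)
        if inc:  # nested records count toward the same limit
            n, p = audit(inc.group(1), get_txt, path + (domain.lower(),))
            lookups, problems = lookups + n, problems + p
    if not path:  # policy checks apply to the domain being audited only
        alls = [t.lower() for t in terms if ALL.match(t)]
        if not alls:
            problems.append(f"{domain}: no 'all' term")
        elif alls[-1] in ("all", "+all", "?all"):
            problems.append(f"{domain}: weak qualifier {alls[-1]}")
        if lookups > 10:
            problems.append(f"{domain}: {lookups} DNS lookups, limit is 10")
    return lookups, problems

# Constructed zone data standing in for live DNS (all names hypothetical).
ZONE = {
    "yourdomain.example": [
        "v=spf1 include:_spf.mail.example include:dkimhost.example mx ?all",
        "site-verification=constructed-value",
    ],
    "_spf.mail.example": ["v=spf1 include:_netblocks.mail.example ~all"],
    "_netblocks.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

def zone_txt(name):
    return ZONE.get(name.lower(), [])

if __name__ == "__main__":
    print(audit("yourdomain.example", zone_txt))
```

The dkimhost.example finding is the case to watch when a sender name is taken from a DKIM CNAME: confirm that the domain actually publishes an SPF record before including it.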

If you are one of the many whose platform does not provide DMARC or DMARC is failing or not accurate enough, please review my guide to DMARC which talks about using Valimail’s free DMARC service.

What to do if it fails

If you’re experiencing technical difficulties setting up any of these compliance records (DKIM, SPF, or DMARC), then please do not panic! The last thing you should do is start editing or deleting records. Instead, take stock of your DNS and figure out what was there prior to you editing these records (pro tip: ALWAYS take a screenshot of your full DNS before doing any work inside).

You can also reach out and I would be happy to assist you with this task. I am offering free email authentication for all of my past clients, and for any future clients when they book any of my packages. Review my services here ↠

For support, contact me by email or send me a DM on Instagram @two.paths.co


Hey, I'm Michelle 👋🏼

Your digital trailblazer at Two Paths Co., specializing in SEO and shaping user-centric experiences. Boost your online presence and engagement through SEO strategies, website and blogging tips, technical walkthroughs, and so much more here inside the Digital Strategy Hub!
