As online business owners, bloggers, and others using email marketing platforms or CRMs such as Kartra, ActiveCampaign, HubSpot and more, it is crucial to remain compliant with email service provider (ESP) regulations. While this article will specifically provide a comprehensive walkthrough and detailed instructions on implementing Sender Policy Framework (SPF), it’s important to understand what email compliance in 2024 means.
Overview of Google and Yahoo’s February 1st, 2024 update for email validation
In the fall of 2023, both Google and Yahoo released information about upcoming changes to their email inbox service. To understand these policies better, I recommend that you head to the update yourself and review:
New Gmail protections for a safer, less spammy inbox
More Secure, Less Spam: Enforcing Email Standards for a Better Experience (Yahoo)
With more than 50% of inboxes provided by Google alone, this update is sure to change the email deliverability landscape for many of us. What was previously a “best practice” is now mandatory, and that is a win-win for us all.
The main requirements for email authentication
Add or edit existing DKIM, SPF, and DMARC records in your DNS
Allow for easy one-click unsubscription from mailing lists
No more spam. Send only messages that are wanted. A spam % threshold will be applied
What are DKIM, SPF, and DMARC and how do they affect the average user?
DKIM (Domain Keys Identified Mail): This creates a sort of “signature” that is inserted into the header of your email. The header is read by email service providers before the body and represents that the sender is who they say they are (and hasn’t been spoofed or otherwise altered in the process)
SPF (Sender Policy Framework): Similar to DKIM, SPF records verify who is allowed to send messages from your domain-registered email address on your behalf. It works differently by checking the IP address of the sending server. DKIM and SPF compliment each other by validating both the source and the content. Together, they prevent spoofing, phishing and other malicious email-related attacks
DMARC (Domain-based Message Authentication, Reporting, and Conformance): This record is a little different than the above two and relies on them to be accurately recorded. It is a policy that simply informs the receiver on what to do in case DKIM or SPF fails. For example, if both DKIM and SPF fail, DMARC can do nothing, it can stop the email from being delivered altogether, or it can move the message into a spam folder. (Generally, if DKIM and SPF have failed, you do not want the email to be received since it was not a legitimate email).
A Step-by-Step Guide to Implementing SPF
Now that we’ve explained why you’re doing this and how important it is for your deliverability, let’s walk through the process of implementing SPF for your domain:
Step 1: Figure out what platforms you need to add SPF for
Identify all the platforms that you want to send emails from your domain. This includes your email marketing platform and CRM. Anything that uses your email address needs to have these records.
Step 2: Access your DNS (Domain Name System)
Wherever you purchased your domain from is who your domain provider is, and that is where you’ll locate your DNS. Popular examples include:
Google Domains (now Squarespace)
Sometimes, you might not be managing your DNS from who you purchased the domain from. I often recommend that my clients integrate Cloudfare, a free DNS hosting service. If Cloudfare is used within your structure, you will manage these records there instead.
Step 3: Filter for TXT records or search“SPF”
Before you jump into adding new records, it’s best to quickly review your DNS to see if those records already exist. Often, you’ll find that SPF is there, it’s just incomplete. If this record already exists, you do not want to add a second one on top of it.
Most DNS have the ability to filter based on the record or the type:
Step 4: Add a new record or edit the existing one
After you locate the filter or search of your DNS, see if you find a TXT record that mentions “SPF.” If not, you can proceed with the next step and add the record. If you do see one, do not add a new record. Instead, simply edit the existing one.
Examples of existing SPF records:
v=spf1 include:anemailplatformsender.com -all
If you’re using Google Workspace for your email, yours might look like this:
v=spf1 include:_spf.google.com include:anemailplatform.com ~all
You can edit this record so that your email provider is after the “include” according to their specific sender (Kartra uses sendgrid, Keap uses infusionmail, etc). For many, they will have multiple senders to verify. You can add all of them under 1 TXT record.
Here is an example of your TXT record with multiple verified senders:
v=spf1 include:_spf.google.com include:anemailplatformsender.com include:yourcrmprovider.com include:yourcalendarapp.com ~all
My email service has not provided SPF information
If this is the case, then I have a little hack for you. You can review the DKIM CNAME record that they provided to you and that you ideally already set up. They have already given you the sender details here and you just need to update the SPF to match.
For example, let’s review these 3 CNAME records. Notice what I have outlined in green:
Notice that there are three CNAME records. To find the sender, check any one of them under “Value” and after “domainkey”. This is who the email sender is. You’ll add that to your SPF record.
In this example, your SPF record would look like the following:
v=spf1 include:infusionmail.com -all
Some additional information about SPF records
Some records might include an IP address. If yours has this, do not delete it. Simply edit the record and add “include:SENDER.COM” before “all”
Records can have the following qualifiers:
“-all” – this is preferred
“~all” – this is acceptable
“?all” – do not use this, change the ? to one of the above options
“+all” – absolutely do not use this, change the + to one of the above options
Step 5: Test and confirm the records are accurate
The platform you are authenticating should have a way to verify that your records are complete and configured properly. Unfortunately, what I have encountered so far is that they will confirm DKIM and DMARC, but not SPF.
This free service will check SPF and DMARC for you: Valimail Domain Checker
If you are one of the many whose platform does not provide DMARC or DMARC is failing or not accurate enough, please review my guide to DMARC which talks about using Valimail’s free DMARC service.
What to do if it fails
If you’re experiencing technical difficulties setting up any of these compliance records (DKIM, SPF, or DMARC), then please do not panic! The last thing you should do is start editing or deleting records. Instead, take stock of your DNS and figure out what was there prior to you editing these records (pro tip: ALWAYS take a screenshot of your full DNS before doing any work inside).
You can also reach out and I would be happy to assist you with this task. I am offering free email authentication for all of my past clients, and for any future clients when they book any of my packages. Review my services here ↠