Contents
- 1 What is SPF?
- 2 Why is SPF important for email deliverability?
- 3 How to check if your SPF settings are correct?
- 4 Checking SPF from the command line
- 5 How to read SPF records?
- 6 How to set up the SPF in your DNS?
- 7 What are the tools to verify the SPF record?
- 8 What is DKIM?
- 9 Why is DKIM important?
- 10 How can you check if DKIM is configured?
- 11 How to set up the DKIM in your Domain Server?
- 12 How to verify the Domain Key Record?
- 13 Final thoughts
When sending cold emails, SPF and DKIM may sound formidable and scary. But, if you don’t know, they provide the ultimate defense against spaam filters. If you ignore them too long, you can seriously mess up your chances of landing in the inbox.
But guess what? Setting up SPF and DKIM is not challenging as you may think. So now let’s talk more about it.
Let’s first understand how SPF and DKIM work together for email deliverability. Understanding the impact of SPF and DKIM is critical to ensuring that your efforts to create compelling cold emails and target the right audience are well-spent.
To make things easier, let’s take it step by step. So let’s explore SPF in the first part of the blog and later dig deeper into DKIM.
What is SPF?
Imagine you’re sending cold emails to your prospect. When your email reaches the recipient’s inbox, their DNS plays a crucial role.
Well, DNS stands for Domain Name Server. It is a repository of lists that maps domain names (example.com) to IP addresses. So, whenever you hit the send button, the DNS of the recipient will look up its list of SPF and verify if your SPF is present.
What exactly is SPF? SPF (Sender Policy Framework) is a piece of information that you add to your DNS records. This primary step helps prevent phishers from fraudulently pretending to be you and sending messages using your domain.
From the illustration below, you can see how SPF works and the mechanism in place to decide whether you’ll land in the primary folder.
You may ask, what’s the big deal if you fail to set up SPF? The answer is straight. You may get blocked or marked spam. So, if you want to avoid your emails ending up in spam, the next section is for you.
Why is SPF important for email deliverability?
SPF is the key to passing through a pool of emails awaiting the door of the spam filters. When you’re emails get a pass from the filters, it has an immediate positive effect. Your email reputation increases, and you get rewarded for being the original sender. Ultimately, these all have a direct impact on your email deliverability.
Let’s see how preventing spoofing (it means authenticating your domain through SPF) can get an edge over sending cold emails.
SPF boosts trustworthiness
A correctly configured SPF serves as a digital signature. It is evident when you’re the originals sender of the cold email, your Email Service Providers (ESPs) and your prospects have good reasons to believe you and respond to your offers. You establish authenticity, and SPF helps build trust to gain authority over your cold emails.
Enhanced email reputation
When you send a cold email setting up your SPF, ESPs take it seriously because you show them how committed you’re to follow the best practices. This gives your email account or domain a reputation that can remain intact if you’re consistent with cold emailing practices, positively affecting your email deliverability.Â
Branding becomes strong
If you’re selling a service or product, everything you see in your cold emails and domain names is a substantial part of your brand. If you’re selling a service or product, everything you see in your cold emails and domain names is a significant part of your brand. This is a blow to your cold emailing efforts.
SPF is the extra layer of protection that protects your authentication and gives you an edge in maintaining a good and consistent reputation.
Prevents fraudulent activities
Along with branding, it is equally essential to safeguard your identity. For example, your services sell well with particular domain names you pitch to your prospects. Now, no shortage of scammers in the digital space rides on your reputation to make a gain.
They may impersonate you and pitch your services by spoofing your domain names. SPF ensures no one steals your identity and protects your brand recognition.
Avoids spam filters
Spam filters are the most aggressive barrier to getting high email deliverability. However, when you have an SPF setup, there is one less reason for the spam filters why they should block you. This reflects decently into your email reputation, brand preservation, and trust enhancement, strengthening your email deliverability.
How to check if your SPF settings are correct?
After discussing why SPF is important and how it works, where should you begin?
You can start by testing whether your SPF configuration is correct. There are two ways to ensure everything is working correctly.
Checking SPF through email
Checking your emails is one of the easiest ways to see if SPF works correctly. See how it works with Gmail in the example below.
Sending a Test Email
- Send a test email to yourself. It should come from the domain you want to check SPF for.
- You can see the message source by opening the email and clicking “Show details” (it may vary by email client).
- Click “Show details” or “View message source” for basic email information.
- Find the “mailed-by” header that displays your domain name.
- Verify the “signed-by” header corresponds to the domain that sent the email.
Seeing both “mailed-by” and “signed-by” headers with the correct domain information indicates that your SPF and DKIM (DomainKeys Identified Mail) are correctly configured.
Gmail’s “Show Original” feature
- Check your Gmail account for the email you want to check.
- In the top-right corner, click the vertical three dots.
- Choose “Show original” from the dropdown menu.
- It will open a new window or tab displaying the full email headers.
- Please look for the sections about SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
- These sections include information about SPF, DKIM, and DMARC alignment and policies.
If your IP and domain are passed, your SPF & DKIM are correctly configured. (We will deal with DKIM in the next section in detail).
Don’t worry if your SPF settings are not set up. You’ve got covered with self-explanatory steps to set them up properly. Your emails will pass through spam filters without a problem if you follow these instructions.
You don’t need to create SPF if another record is already set up. It would be suspicious to have multiple SPFs because it creates authorization issues.
Checking SPF from the command line
Another method to check whether your SPF record is already there, use the nslookup method from your command line.
- Run the command line interface (Start > Run > cmd).
- To check a domain or hostname, enter the command “nslookup -type=txt” followed by a space (e.g., “nslookup -type=txt saleshandy.com”).
- It will display something like the following if an SPF record exists: “v=spf1 include:_spf.google.com ~all”.
No results are returned if the “v=spf1” is missing, meaning the domain’s SPF record does not exist.
How to read SPF records?
It is crucial to comprehend the meanings of SPF records’ different components to read them correctly. Here is a breakdown of the SPF record:
Let’s do it for v=spf1 include:_spf.example.com ~all.
- The “v=spf1” (SPF Type & Version)
Typically, SPF records begin with the “v=spf1” part, indicating that they are SPF records and follow version I of the SPF specification. For SPF records, the prefix “v=spf1” is mandatory.
- The “include” (mechanism)
Various mechanisms are available under the “v=spf1” prefix to specify the server or IP address authorized to accept emails on behalf of a domain.
“Include” indicates that a domain can send emails only if it includes servers or domains that are allowed to do so. SPF checks continue when a domain is included in the SPF list. Through this mechanism, domain owners can appoint trusted third-party services or providers to send emails on their behalf.
- The “~all” (qualifiers)
Qualifiers are added to SPF records after the mechanisms are specified to refine the behavior of the SPF check further. There are two standard qualifiers:
“+all” (Pass): It indicates that the recipient server should accept the email if the SPF record matches any part of the message (e.g., the IP address or server).
“~all” (SoftFail): If any part of the message does not match the SPF record, the recipient server will likely accept it but will flag it as spam or phishing.
This indicates a “soft” failure, meaning the email might be genuine but doesn’t adhere to SPF rules. (Using this qualifier is less common because it can impact legitimate email delivery.)
How to set up the SPF in your DNS?
SPF records are DNS TXT records that determine which mail servers are permitted to send emails on behalf of your domain to make your email communications more secure and reliable.
SPF records can be implemented by adding a TXT record containing appropriate SPF information to your domain’s DNS settings.
In this section, you learn how to set up SPF for different types of Email Service Providers (For the tutorial, you’ll find Godaddy as the domain host here, the basics are the same as any other provider too).
But let’s first start with an overview of how you can do it for any general ESP.
General SPF Setup
You can generally follow the setup for SPF regardless of any ESP in below-mentioned simple steps.
Step 1: Log in to your domain account
Step 2: Locate your TXT records
Step 4: Create the TXT records
Now, let’s have a look at every step in detail.
Step 1: Log in to your domain account and identify your host.
Step 2: Locate your TXT records under the Domain name or Domain Management page.
Step 3: Verify that the SPF record already exists. SPF records begin with v=spf1.
Step 4: Create the TXT record with the help of the below variables:
- Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
- Time to Live (TTL): You can enter 3600 or leave it blank
- Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all ( This is the Variable for Google Accounts. In case of any other service users, you need to check from their admin blog.)
SPF in Google Workspace
Google Workspace is the most popular option, and you can start with just $6 per user per year. However, if you use GoDaddy as your domain host, you must set up some DNS records to send emails from your Google Workspace accounts.
Step 1: Go to your Google Workspace Admin console.
Step 2: Go to the “Account” tab and select the “Domains” tab. You will click on “Manage domains“. You can add a domain by clicking “Add a domain.”
Step 3: Now that you have obtained your domain name from GoDaddy/Namecheap or another registrar, you can verify it by clicking “ADD DOMAIN & START VERIFICATION.”
Step 4: After activating Gmail, MX records will be automatically created. Click on “Activate Gmail” to activate in Google Workspace.
It will open the following dialog. Select “Set up MX record” and click “NEXT.” You’ll have to wait a few minutes for it to finish automatically activating.
Once you’ve connected and verified your domain with Google Workspace, Google will set up SPF records automatically.
Upon checking the records, you’ll find the following:
TXT record
Host:@
Value: v=spf1 include:_spf.google.com ~all
SPF in Zoho Workspace
Zoho’s MaiLite plan is available at a cheap cost to start with. If you’re using Zoho, it’s easy to set up SPF. Follow these steps:
Here you’ll see that GoDaddy is used as the domain host. You can follow the same steps for your provider.
Note: If you don’t want to go with the manual feeding of records, you can also use the one-click verification from Zoho.
Let’s see how one can set up SPF in Zoho.
Step 1: Add your domain to Zoho
Step 3: Add SPF to DNS records
Now, let’s explore every step in detail.
Step 1: Add your domain to Zoho
The first step is to add your domain and verify its ownership. Then, having logged into the admin console, click “Domains” to add your purchased domain. Next, you can navigate to the “Add” button and enter your domain name.
It’s a good practice to check the plan limitations on the number of domains you can add before proceeding with the setup.
Zoho verifies your ownership as it adds an extra layer of security, and only authorized owners can use the domain to send emails. GoDaddy DNS requires entering a TXT record to verify your domain ownership.
Don’t worry. Zoho provides you with the necessary information to set up.
Remember, don’t close that tab because you’ll need it later.
So, go ahead and log in to your GoDaddy account. Then, open the list of domains.
To access your domain’s DNS records, click “Manage” and then “DNS.”
Click “Add New Record” to activate your domain with Zoho.
Copy the TXT record provided into your Zoho account.
- Put the value from Zoho into a new TXT record in your DNS settings with the record type TXT and the host as “@.”
- Save all changes and set the TTL to “Automatic.” Return to Zoho once you’re done.
- You can verify your domain ownership by clicking “Verify TXT record.”
You will see the above message when Zoho has verified your domain, and you can now proceed to confirm your domain’s MX and then set up the SPF to add an extra layer of protection for your cold emails.
Step 2: Verify your MX record
After you’ve proceeded, you will be presented with a list of the records you need to add. The first on the list is MX, followed by the SPF and DKIM.
Mail Exchanger (MX) refers to a DNS record that facilitates the routing of email messages. Simply put, the MX record navigates the email server and ensures that mail delivers to the right place.
Firstly, log into your DNS again, and ensure that you delete any prior MX records. Otherwise, multiple MX records will conflict. Your email delivery gets seriously hampered, as the DNS won’t know where to deliver your messages.
Now, follow these steps to verify your MX.
- From the top right of your existing DNS records, select Add. A list of existing DNS records will appear.
- Choose MX from the Type dropdown menu.
- You can enter @ in the Name field to indicate your default domain for the delivery of emails.
- Enter mx.zoho.com in the Value field and 10 in the Priority field.
- You can choose the shortest time possible in the TTL.
- Click on “Add Records.”
You can repeat the same steps other two MX records and set their priorities as given in the Zoho list.
Step 3: Add SPF to your DNS records.
To add the SPF records, follow these steps:
- First, search for the option to add new DNS records.
- Then, in the top-right corner of the page, click the “Add” button. Next, you can see the DNS records you currently have.
- Choose TXT as the record type from the “Type” menu.
- Next, enter “@” (without quotation marks) in the “Name” field. It represents the root domain.
- Enter “v=spf1 include:zoho.com -all” (without quotes) in the “Value” field. This SPF record directs zoho.com as the allowed sender; all other senders would get rejected.
- Choose the minimum time for the “TTL” (Time to Live) setting. This will enable DNS to determine the cache time.
- Click on the “Add record.”
You’ve now successfully added SPF records for Zoho to your domain provider.
SPF in Microsoft/Office 365 accounts
If you want to use MS Office 365 accounts, sign up and subscribe to a plan, then the first step is to add the domain you purchased into MS Workplace.
Step 1: Add domain in MS Workplace
Start by logging into your Microsoft 356 admin account. Then, click the search bar on the Home page and type “Get your custom domain setup.”
Then you can proceed pretty straightforwardly. You will be asked to enter your domain name on this page and click “use this domain.”
Next, it will show you options to verify your domain. Select “Add a TXT record to the domain’s DNS records” and click “Continue.”
Next, open the DNS manager of your domain host (GoDaddy/NameCheap, etc.), add these records to your DNS setting, and verify in Microsoft Workplace.
After confirming ownership, proceed to DNS records in your domain host to add MX, CNAME, and SPF records.
Step 2: Add the DNS records.
You will see a list of DNS records you need to update when you’ve proceeded. As discussed, the MX helps navigate your emails to the right place. And CNAME allows you to create an alias for your domains in the DNS.
Therefore, copy the data for MX and CNAME records and update your DNS for the domain you have added in Microsoft Workplace.
The steps for adding an SPF record are as follows:
- In your DNS settings, navigate and add a new record.
- Copy Microsoft’s Name, Value, and TTL, and set the record type to TXT.
- Confirm the DNS record addition by clicking “Add new record.”
- In Microsoft 365, click “Continue.”
You have successfully added SPF to your DNS, and your email accounts are spoof-free.
After the SPF setup, you must verify whether the records are propagated and duly verified. For this, we will use some popular tools.
What are the tools to verify the SPF record?
There are several tools available to help you verify SPF records. Here are some helpful options to consider:
EasyDMARC
EasyDMARC offers SPF record verification as part of its comprehensive email authentication and deliverability solutions. Besides checking the validity of your SPF record, it also provides you with detailed reports on email authentication, allowing you to identify and resolve any issues.
- Scroll to visit the form where you need to type your domain.
- Click Show Results.
- It would show DMARC, SPF, DKIM, and BIMI results. Also, it would give you a score basis on the configuration. For example, if your score is 10, it is a sign that your configuration is proper.
MX Tools
The MX Tools is among the most famous record verification tools. You can check your SPF records by entering your domain name and verifying if they are correct. In addition to providing feedback on potential errors or warnings, this tool allows you to check the configuration of your SPF record.
When you search your domain, the MX tool will show you results. It means you’re verified, and SPF is appropriately set up.
DNS Checker
Besides providing checks for DNS records, DNS Checker also offers SPF record verification. With a simple domain name entry, you can quickly analyze your SPF record and receive a detailed report. In addition, this tool helps you detect any problems or misconfigurations that may affect the delivery of your mail.
Other ways
It is also possible to manually verify SPF records and use dedicated tools. In this case, you will need to perform DNS lookups and analyze the SPF record using the command line or online resources. As discussed in the beginning, you know how to do it through emails and the command line.
Now that we’ve covered SPF, let’s discuss another email authentication for high deliverability, i.e., DKIM.
What is DKIM?
Imagine you receive an email from someone pitching you a branded product, but you need to check if it’s actually from them. That’s where DKIM (DomainKeys Identified Mail) comes to your help.
DKIM is another authentication record like SPF that helps verify email addresses, fights spam and protects against spoofing and identity theft.
How does DKIM work?
When you set up DKIM, you get a special signature attached to your email header. It means you sign your emails, ensuring the original content, and you are the authenticated sender.
Here in the illustration, you can see that DNS in between matches the key (digital signature), which is encrypted so that no one can tamper with the message. Upon your key being matched, you get a relaxed way to proceed into your inbox.
Why is DKIM important?
DKIM is the next step in authenticating your identity, directly impacting your email deliverability. If you’ve both SPF and DKIM, DNS ensures that the sender has sent emails from the listed server and the message is sent from the original sender.
Let’s see how DKIM is crucial in ensuring good email deliverability in detail.
Next step authentication
You can add an extra layer of authentication to your emails using DKIM. The DKIM digital signature verifies that an email has not been modified during transit and comes from the claimed sender.
Reputation and Trust
Domains with DKIM have a positive reputation. You are committed to secure and legitimate communication by consistently authenticating your emails with DKIM. Doing so strengthens your domain’s reputation, making it easier for your emails to bypass spam filters.
Domain Spoofing Prevention
Using DKIM, you can protect your domain from spoofing by unauthorized senders. In addition, a digital fingerprint proves your legitimacy by signing your emails with DKIM. Consequently, malicious individuals will have difficulty impersonating and sending you fraudulent emails.
How can you check if DKIM is configured?
Similar to the steps we discussed to ensure that SPF is correctly configured or present in your technical setup, you can follow the same steps for DKIM.
Checking SPF through email
Checking your emails is a quick and easy way to ensure DKIM is working correctly. You can see how to do it with Gmail in the example below.
- Test an email to a recipient, and make sure the domain is identical to the one you check DKIM.
- Open the email and click “Show details” (the method may vary depending on your email client).
- Click “Show details” or “View message source” for raw email information.
- Your domain name should appear in the “mailed-by” header.
- Ensure the “signed-by” header corresponds to the email’s domain.
Seeing “signed-by” headers with the correct domain information indicates that your DKIM (DomainKeys Identified Mail) is correctly configured—Gmail’s “Show Original” feature
- You can check the email in your Gmail account.
- Choose the three dots in the top-right corner of the email.
- The dropdown menu will allow you to choose “Show original”.
- The full email headers will be displayed in a new window or tab.
- In the sections below, you can find information on SPF, DKIM, and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
In addition, you can see that DKIM is referred to as “PASS.” If you find that your email identifies this, then DKIM is correctly configured.
You can also scroll down and check the email header. Here, you will find the DKIM signature included and the encrypted key.
This indicates that your email is encrypted and signed by an authenticated owner.
Checking DKIM from the command line
Follow these steps to check DKIM using nslookup:
- Start by opening the command prompt (Start > Run > cmd).
- Start a command window and type “nslookup”> Enter.
- Put “set q=txt” in the command line.
- Type “selector._domainkey.domain.com”> Enter. Replace the selector and domain with the DKIM selector and domain you seek.
Let us understand how to set up DKIM in your DNS system.
How to set up the DKIM in your Domain Server?
We now know that DKIM is the encrypted key in your email headers that prevents spoofing. You need to generate keys from your ESP and update them in your domain’s DNS settings to set up DKIM.
Let’s see how you can do it for different providers.
DKIM in Google Workspace
If you’re using Google Accounts, these are the easy steps to set up DKIM (Remember that you can generate DKIM only 24 hours of activating a new account:
Step 1: Look for “Authenticate Email” in Settings for Gmail
Step 4: Log in to your DNS provider account, and add a new record
Step 5: Go to Google Admin Console and click “Start Authentication”.
Let’s explore every step in detail.
Step 1: First, log in to your Google Admin console. Go to the top left menu, select > Apps > G Suite > and finally Settings for Gmail, followed by “Authenticate Email.”
Step 2: The next step is to select the domain for which you want to generate the domain key. This will be your primary domain by default. In other cases, click the down arrow next to Domain to select the domain.
Step 3: Now, you can generate a new record.
If your registrar does not support 1024-bit keys, you will need to change the key length from 2048 to 1024.
If possible, always use 2048-bit domain keys. 1024-bit domain keys need to be more secure. Then select Generate.
Upon generation, an encrypted key would appear in the dialogue box. This is the public key that helps ESPs identify incoming messages.
Once you have generated the domain key, add it to your DNS.
Step 4: Now, log in to your DNS provider (Namecheap, Cloudflare, Bluehost, etc.). Find your domain list and navigate to the advanced settings to add a new record.
Select the option for a TXT record and enter the DNS hostname you copied from Google in the “Name” field. Then, paste the TXT record value in the “Value” field.
Make sure your DNS settings are saved.
Step 5: When updating the DNS records, return to the Google Admin console and click “Start Authentication.”
It’s now just a matter of waiting for the DNS to update. The changes may take effect after a while.
DKIM in Zoho Workspace
If you’ve been following since the setup of SPF and opted for one-click verification, then DKIM would be automatically created by Zoho.
If so, click on DKIM under the “Email Configuration” tab to confirm. For your domain, you will see the DKIM record.
As you can see that the status is verified (green color), and the DKIM is already set up. To cross-verify, you can go into your DNS settings and search the record zoho. _domainkey, you will find it there.
If DKIM is not automatically verified, you need to do it manually. Here are the simple steps:
Step 1: First, create a new DKIM in Zoho by clicking the “ADD” button.
Then, enter these values. Selector name: Zoho and keep the key length: 1024.
Upon adding the key, Zoho will generate a key for you. However, it would help if you verified the key by updating it in the DNS settings and again confirming with Zoho.
You will generate a new DKIM record that needs to be copied into your GoDaddy DNS.
Step 2: To add a DNS entry, click “ADD.” As shown in the image above, copy and enter the data from Zoho’s generated DKIM. Once the changes have been made, click “Add record.”.
You can then go back to Zoho and verify the DKIM. It may take minutes or sometimes a few hours to pro[gate changes. Then click “Verify.”
When your DKIM is confirmed, the status will appear green.
DKIM in Microsoft/Office 365 accounts
The following steps will guide you through configuring DKIM for your domain in MS Workplace.
Step 1: First, click on DKIM page for your domain. Select the domain you wish to configure.
Step 2: Switch DKIM to the “Enable” position by sliding the toggle switch. You will be presented with a pop-up window. Next, you need to generate DKIM by clicking on “Create DKIM keys.”
Step 3: You need to copy the provided CNAME-type records and add them to your GoDaddy domain. Once added, return to the DKIM page.
Step 4: Make sure both CNAME records are updated with GoDaddy DNS.
Step 5: Click “Enable” DKIM on the Microsoft page.
How to verify the Domain Key Record?
It’s essential to verify whether your Domain Key Record is propagated. To confirm that DKIM signing is turned on, send an email message to a test recipient who is using Gmail or G Suite. Sending yourself a text message won’t work for this test.
As discussed above in the section to rectify your setup, you can find you will find on opening the original message, you will find a keyword called “DKIM-Signature.”
This proves that your emails are now signed with the key.
You can also use tools like MX tools, DNSChecker, and EasyDMARC to check your domains’ authenticity further.
Final thoughts
Setting up SPF and DKIM for your domain is crucial to enhance your email deliverability and prevent your emails from going o into spam. It not only helps gain trust but, on the other hand, helps you strengthen your domain branding.
Follow the step-by-step guide and understand the importance of SPF to ensure that your cold emails reach the recipient’s inbox and achieve the desired results. Maintain your SPF records regularly to ensure optimal email delivery and ensure they stay up-to-date.
Learn the depths of email deliverability in our cold email masterclass to reach your prospect’s inbox continuously. 📧