This guide explains how to setup SPF and DKIM/DomainKey on your DNS. We recommend having your IT person implement these configurations.
Authentication is a way to prove an email isn’t forged. Lead Liaison automatically authenticates all emails sent through our network, but by adding DNS records to your domain, Lead Liaison can send on your behalf and digitally ‘sign’ your emails.
If you’ve ever received an email claiming to be from your bank, PayPal, or a company you do business with but it’s really from someone else, then you’ve seen first-hand how easy it is to forge email. Authentication helps legitimate senders prove that their email isn’t forged, and can help receiving servers like ISPs and corporate email servers control inbound spam.
There are a variety of authentication methods, and there’s no best method. SPF and SenderID allow a domain owner to add a file or record on the server that the recipient server cross-checks. These are easy to implement, but some suggest they aren’t as secure. DKIM and DomainKeys embed information within the email, making it harder to forge (but they can also be harder to implement for senders and receivers).
Since there are pros and cons to the various methods, Lead Liaison automatically adds authentication for all of the methods mentioned above. By default, email is authenticated for the llsend.com domain, but all Lead Liaison accounts support adding SPF and DKIM for your domain so you can authenticate as your domain instead.
Authentication and sending reputation
When you add authentication information to your domain, an added benefit is that many ISPs use authentication to track sending reputation. With authentication handled by your domain, reputation with the receiving ISPs is influenced by your domain and the emails sent on behalf of your domain. This means you maintain control over the emails that affect deliverability for your domain. A positive reputation for your domain builds trust and improves deliverability, affecting whether your emails are caught by spam filters and how quickly the receiving servers will accept mail from your domain.
You can add the appropriate records to your domain’s DNS settings. To add SPF and DKIM records for your domains, you’ll need to add records of type ‘TXT’ through your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider’s help documentation for specific information on adding TXT records.
Setting up SPF
If you don’t have an SPF record yet, you’ll need to add one for your domain.
If you already have a TXT record with SPF information, you’ll need to add the servers provided by Lead Liaison to that record by adding something like include:spf.exampleserver.com in the record (before the last operator, which is usually ?all, ~all, or -all).
Setting up DKIM/DomainKey
Add a new TXT record with the name similar to (this is an example) exampleserver._domainkey.yourdomain.com (just replace yourdomain.com with the domain you’re setting up). The exact record will be emailed to you.
The value for the record should be one of the options listed below. There are two options because the record contains semicolons. Some DNS providers escape semicolons for you, while others require you to do it when setting up the record.
The below keys are example keys. The exact key will be emailed to you.
v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB\;
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;
Validating SPF and DKIM/DomainKey
Type: exampleserver in the selector field
Type: yourdomain.com in the domain field
Once you’ve added the appropriate DNS records, it can take up to 24 hours for the changes to take full effect. If there’s an error validating your records, let Lead Liaison know. There are also some third-party resources you can use to check your records or for other details if needed:
Verify your SPF record using an online SPF record testing tool. Enter your domain name in the first text box and click Get SPF Record (if any) for a diagnostic of your SPF records.
Check whether your DKIM record is valid using the DKIMCore validator.
Only One SPF Record Needed in your DNS
If you already have an SPF record, edit that record instead of adding a new one. The specs for SPF require that there only be one TXT record with SPF information.
If you’ve added the DKIM record and are still seeing that it’s missing, your DNS provider may require the record be formatted differently. The DKIM record typically could require semicolons escaped with a backslash, so the record starts with this: v=DKIM1\; k=rsa\; and ends like this: \;.
Some DNS providers don’t require semicolons be escaped. If you’re seeing issues, try removing the backslashes right before semicolons at the beginning and end of the record.
Some DNS providers take longer than others to publish and push the record. If you’re adding a completely new record, those often validate within 10-15 minutes. Changing records can take longer, but can vary based on your DNS provider and TTL for the record.
Lead Liaison doesn't currently validate DMARC records for your sending domains, but you're welcome to use DMARC in addition to SPF and DKIM. How you implement DMARC is independent of your using Lead Liaison. For details on setting up DMARC for your domain, we recommend using a guide like this one from Google or Kitterman.
We recommend running DMARC in notification mode only (with p=none in the DMARC record to indicate that mail that fails should be delivered normally) to get an idea for how much mail would be affected by switching to a stricter policy.