Summary
- SPF & DKIM Authentication
- Setup Overview
- SPF & DKIM Values
- DNS Records
- Checking your DNS Status
- Troubleshooting Checklists
SPF & DKIM Authentication
SPF & DKIM serve as authentication systems informing Internet Service Providers (ISPs), such as Gmail and Yahoo, that incoming mail originates from an authorized source, minimizing the risk of spam or email spoofing.
Configuring SPF & DKIM for each of your sending domains is essential to establish Mailjet as a trusted sender. Once set up, SPF & DKIM will enhance deliverability, increasing the likelihood of your emails landing in recipients' inboxes rather than spam folders.
Setup Overview
To set up SPF & DKIM authentication for your domain, you'll require access to your DNS records within your domain hosting account (such as GoDaddy, 1&1, HostGator, OVH, etc.). If you're unable to locate or access your DNS records, please reach out to your domain hosting provider for guidance.
In summary, authenticating your domain involves copying the SPF & DKIM values from your Mailjet account and configuring SPF & DKIM DNS records within your hosting account.
Here is an example of SPF record setup:
And an example of DKIM record setup:
SPF & DKIM Values
On your Sending Domain Authentication page, you'll see a list of all your sending domains along with their SPF & DKIM statuses. Whenever you add a new sending email address or domain, it will automatically appear on the Sending Domain Authentication page.
To authenticate a specific domain, simply click on the cog wheel next to it and choose 'Setup SPF/DKIM Authentication'.
Keep your SPF & DKIM window open as you'll need to copy this information into your DNS records.
DNS Records
Open a new browser window and log in to your hosting account or the platform where your DNS records are accessible.
Navigate to the section where you can create and view your DNS records. If you're uncertain about locating your DNS records, please reach out to your hosting provider for guidance.
For this example, we'll use a GoDaddy account.
It's important to note that while DNS records may vary in their labeling and display across platforms, they typically consist of three main components: name, value (data), and record type.
To set up domain authentication, you'll require a TXT DNS record for your SPF and another for your DKIM.
DNS Record for SPF
There are three main points to know about the SPF records:
- The SPF record is a TXT record, not to be confused with the SPF record type. Although the SPF type could be used, it is not recommended in the industry.
- Each domain should have just one SPF record. Having multiple SPF DNS records can be confusing to ISPs and might result in authentication problems.
- Maximum of 10 SPF lookups - An SPF evaluation that needs more than 10 DNS lookups ends in a permanent error such as "too many DNS lookups" or "permerror". The DNS query for the SPF policy record itself does not count toward this limit. Validators on the recipient's end evaluate the SPF policy sequentially and stop as soon as a mechanism matches the sender's IP address. Depending on the sender, a validator might therefore never reach the 10-lookup limit, even if a full evaluation of the policy would need more than 10 lookups. This makes deliverability issues caused by the SPF lookup limit harder to identify.
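The sender-dependent behaviour of the lookup limit can be reproduced offline. The following is an added example, not Mailjet code: it evaluates a constructed policy with 11 include terms against different sender IPs and reports how many lookups each evaluation used. The zone contents, the domain names (example.test, spf.esp.test) and the function names are assumptions made for illustration.

```python
import ipaddress

LOOKUP_LIMIT = 10                                        # RFC 7208, section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}   # "redirect=" also counts; not modelled
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone (domain -> SPF TXT value); every name and address is hypothetical.
ZONE = {f"s{i}.example.test": f"v=spf1 ip4:198.51.100.{i} -all" for i in range(1, 11)}
ZONE["spf.esp.test"] = "v=spf1 ip4:192.0.2.0/24 -all"
ZONE["example.test"] = ("v=spf1 include:spf.esp.test "
                        + " ".join(f"include:s{i}.example.test" for i in range(1, 11))
                        + " ~all")

class TooManyLookups(Exception):
    pass

def check_host(domain, ip, zone, count):
    """Evaluate domain's policy left to right; stop at the first matching term."""
    for term in zone[domain].split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name in LOOKUP_TERMS:
            count[0] += 1
            if count[0] > LOOKUP_LIMIT:
                raise TooManyLookups(domain)
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg)
        elif name == "include":
            matched = check_host(arg, ip, zone, count) == "pass"
        else:
            matched = False  # a/mx/ptr/exists are counted but not resolved here
        if matched:
            return result
    return "neutral"

def evaluate(domain, sender_ip, zone=ZONE):
    """Return (result, lookups used); fetching the top-level policy is not counted."""
    count = [0]
    try:
        return check_host(domain, ipaddress.ip_address(sender_ip), zone, count), count[0]
    except TooManyLookups:
        return "permerror", count[0]
```

A sender covered by the first include passes after one lookup, while a sender covered only by the last include, or by none, receives a permerror from the same policy.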
If you find the need for multiple SPF records within a domain, it's best to consolidate them into a single record. Here's an example of how to do this:
Original SPF records
- "v=spf1 include:spf.example1.com ~all"
- "v=spf1 include:spf.mailjet.com ~all"
You will need to keep a single TXT entry for this domain and delete the other entries. The TXT should look like this:
After merging
- "v=spf1 include:spf.example1.com include:spf.mailjet.com ~all"
Navigate to your domain hosting account and check your current DNS records. If you don't find an SPF record listed, you'll need to create a new one. Otherwise, you can edit the existing SPF record.
Create a new SPF Record
- Add a new DNS record of type TXT
- Copy the hostname from your Mailjet page to the Host Field
To authenticate a subdomain, simply add the subdomain followed by a period at the beginning of the Host field.
Tip: Did you know that @ can be used in the Host Field as it represents your domain name? Instead of copying your values over, just use: @
The @ can be used for authenticating sub-domains as well:
- Copy the SPF value from your Mailjet page to the TXT Value Field. Note that some domain providers may require enclosing the entire TXT Value in double-quotes. If uncertain, consult your provider's support team for clarification.
- Save your record
Edit an existing SPF Record
If you already have an SPF record, simply add the “include” part of your SPF value to the SPF’s TXT value field, and save your changes.
In this example, copy include:spf.mailjet.com to the existing SPF record...
And the new TXT value will be:
Once you have saved your SPF records, the last step is to check the DNS status from your Mailjet page.
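Both the merge of several SPF records described above and the edit of an existing record come down to the same operation on the TXT value. The following is an added example, not Mailjet code, and the function names are hypothetical: it keeps one `v=spf1` prefix, preserves mechanism order, drops duplicates and places a single `all` term last.

```python
def spf_records(txt_values):
    """Pick the SPF policies out of a domain's TXT values (surrounding quotes stripped)."""
    cleaned = [v.strip().strip('"') for v in txt_values]
    return [v for v in cleaned
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]

def merge_spf(records):
    """Merge several SPF policies into one, keeping order and dropping duplicates."""
    mechanisms, all_terms = [], []
    for record in spf_records(records):
        for term in record.split()[1:]:
            is_all = term.lstrip("+-~?").lower() == "all"
            bucket = all_terms if is_all else mechanisms
            if term not in bucket:
                bucket.append(term)
    if len(all_terms) > 1:
        # "~all" and "-all" express different policies; a person has to pick one.
        raise ValueError(f"conflicting 'all' terms {all_terms}: choose one by hand")
    return " ".join(["v=spf1", *mechanisms, *all_terms])

def add_include(record, include_term):
    """Add one include term to an existing policy, ahead of its 'all' term."""
    return merge_spf([record, f"v=spf1 {include_term}"])

if __name__ == "__main__":
    # The two records from the merge example in this article.
    originals = ['"v=spf1 include:spf.example1.com ~all"',
                 '"v=spf1 include:spf.mailjet.com ~all"']
    print(merge_spf(originals))
    # Constructed existing record, extended with the Mailjet include.
    print(add_include("v=spf1 mx ~all", "include:spf.mailjet.com"))
```

Running `spf_records` over all TXT values of a domain and finding more than one entry is the "multiple SPF records" condition that calls for a merge.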
SPF issues troubleshooting
Identifying and rectifying misconfigurations or errors in SPF records is crucial for preventing delivery issues. The following guide will assist you in troubleshooting common SPF configuration problems.
DNS Record for DKIM
Setting up DKIM authentication involves creating a new DKIM record. Unlike SPF, a domain may have multiple DKIM DNS records.
To begin, access your domain hosting account and create a new DNS record of type TXT. In the Host Field, input the value: mailjet._domainkey.yourdomain.com (replacing yourdomain with your actual domain name).
Next, copy the lengthy DKIM value into the TXT Value Field.
Note that some domain providers may require enclosing the entire TXT Value in double-quotes. If uncertain, consult your provider's support team for clarification.
Additionally, some providers may automatically add the domain name to the end of the text value in the Host Field. Be sure to double-check the text in the Host Field after saving the record.
Finally, after saving your new DKIM record, check the DNS status from your Mailjet page.
However, existing authenticated domains will not be impacted automatically. Users interested in upgrading to 2048/4096-bit keys must regenerate their DKIM records and update the DNS settings on their domains accordingly. This ensures that their email traffic remains trustworthy to email providers and clients.
To enable the regeneration of the DKIM key, ensure that the domain itself is validated in your Mailjet account.
You can perform these updates in your Mailjet account by navigating to Account > Domains & Sender addresses > SPF/DKIM Authentication > Setup SPF/DKIM Authentication.
Once there, click on 'Regenerate Key' under the DKIM section and choose the desired key size.
Confirm the change and click 'Regenerate Key' again to proceed.
Exploring the Difference: 1024-bit vs. 2048-bit vs. 4096-bit DKIM Keys
While 1024-bit keys offer good security, they're expected to become vulnerable in the near future. Opting for 2048-bit keys, with double the length, ensures better protection against tampering and remains secure for an extended period.
Choosing a 4096-bit key isn't necessary, as 2048-bit keys are sufficient, avoiding potential performance drawbacks. Additionally, some servers may not yet support 4096-bit keys, leading to compatibility issues. It's best to use what's needed now and adapt as security standards evolve.
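To see which key size a published DKIM record carries, the modulus length can be read from the `p=` tag. The following is an added example, not Mailjet code: it parses the tag list and the DER-encoded RSA public key using only the Python standard library. The function names are hypothetical, and `sample_record` builds a constructed value whose modulus is a placeholder number, not a usable key.

```python
import base64

def parse_dkim_tags(txt):
    """Split a DKIM TXT value ("k=rsa; p=...") into a tag dictionary."""
    tags = {}
    for part in txt.replace('"', "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def _read_tlv(buf, pos):
    """Read one DER element at pos; return (content, position after it)."""
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return buf[pos:pos + length], pos + length

def rsa_key_bits(txt):
    """Bit length of the RSA modulus published in the p= tag."""
    der = base64.b64decode(parse_dkim_tags(txt)["p"])
    spki, _ = _read_tlv(der, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, after_alg = _read_tlv(spki, 0)         # skip the AlgorithmIdentifier
    bitstring, _ = _read_tlv(spki, after_alg)
    rsa_key, _ = _read_tlv(bitstring, 1)      # byte 0 is the unused-bit count
    modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def needs_regeneration(txt):
    """True when the record still publishes a key shorter than 2048 bits."""
    return rsa_key_bits(txt) < 2048

def _tlv(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed DKIM value for testing; the modulus is not a real RSA key."""
    numbers = ((1 << (bits - 1)) | 1, 65537)
    ints = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in numbers)
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID, NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + _tlv(0x30, ints)))
    return "k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass `rsa_key_bits` the TXT value exactly as your DNS provider returns it; values split into several quoted strings are rejoined before decoding.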
Checking your DNS Status
Once you have completed and saved your SPF & DKIM records, jump back to your Mailjet page and click the ‘Refresh’ button.
Once your domain has been authenticated, you will see the green ‘looks good’ message.
Please note that you must force a refresh to check the status, as Mailjet does not automatically detect SPF & DKIM changes. It may take up to 24 hours for your DNS changes to propagate to the Mailjet system.
If your domain is still not authenticated after 24 hours, please check our troubleshooting checklist below or contact your domain hosting provider for help.
Troubleshooting Checklists
Please review the summary checklists for your DNS records:
SPF:
- SPF is a TXT record
- Only one SPF record for your domain
- Host Name ends with a period
- Depending on your domain host, double quotes may be needed around the TXT value
DKIM:
- DKIM is a TXT record
- Multiple DKIM records can exist for your domain
- Host Name ends with a period
- Some providers may require double quotes around the TXT value
If your authentication is not working after 24 hours, please contact your domain host provider for assistance.