- SPF & DKIM Authentication
- Setup Overview
- SPF & DKIM Values
- DNS Records
- Checking your DNS Status
- Troubleshooting Checklists
SPF & DKIM Authentication
SPF & DKIM are authentication systems that tell Internet Service Providers (ISPs), like Gmail and Yahoo, that incoming mail has been sent from an authorized system, and that it is not spam or email spoofing.
To set Mailjet as an authorized sender, you will need to setup your SPF & DKIM authentication for each of your sending domains. Once setup, SPF & DKIM will also help with your deliverability – meaning your emails have a better chance of being delivered to the recipient’s inbox and not their spam folder.
As you need to configure your domain for SPF & DKIM authentication, it can only be done on custom domains or domains that you own. It also means SPF & DKIM authentication cannot be done for free webmail accounts like Google, Yahoo, and Hotmail.
To setup SPF & DKIM authentication for your domain, you will need access to your DNS records in your domain hosting account (GoDaddy, 1&1, HostGator, OVH, ….). If you cannot find, or do not have access to your DNS records, please contact your domain hosting provider for assistance.
In summary, to authenticate your domain, you will need to copy the SPF & DKIM values from your Mailjet account to setup SPF & DKIM DNS records in your hosting account.
Here is an example SPF record setup:
And an example DKIM record setup:
SPF & DKIM Values
From your Sending Domain Authentication page, you will find all your sending domains and their SPF & DKIM statuses. (Every time you add a sending email address or domain, the domain will be added to the Sending Domain Authentication page.)
For the domain you want to authenticate, click on ‘Manage’ to view the SPF & DKIM values.
Please keep your SPF & DKIM window open as you will need to copy information into your DNS records.
Open a new window and log into your hosting account or where your DNS records can be accessed.
Go to the section where you can create and view your DNS records. (If you are unsure where to find your DNS records, please contact your hosting provider for assistance.)
For this example, we will be using a GoDaddy account.
Please keep in mind that your DNS records may have different labels and displays. But essentially every DNS has a name, value (data) and record type.
To setup your domain authentication, you will need a TXT DNS record for your SPF and one for your DKIM.
DNS Record for SPF
There are three main points to know about the SPF records:
- SPF record is a TXT record; not be confused with the SPF type. (Although the SPF type could be used, it is not recommended in the industry.)
- Each domain should have just one SPF record. (Having multiple SPF DNS records can be confusing to ISPs and might result in authentication problems.)
- Max 10 SPF entries limit - The 10 SPF lookup limit poses a challenge when DNS queries hit this threshold, resulting in SPF permanent errors such as "too many DNS lookups" or "permerror". It's crucial to note that the DNS query for the SPF policy record does not contribute to this limit. Validators on the recipient's end sequentially evaluate the SPF policy, and the assessment process halts upon discovering a match with the sender's IP address. Depending on the sender, a validator might not reach the 10 SPF lookup limit, even if the policy demands more than 10 SPF lookups for a thorough evaluation. This complexity adds to the challenge of identifying email deliverability issues associated with SPF record limits.
If you find the need for multiple SPF records within a domain, it's best to consolidate them into a single record. Here's an example of how to do this:
Original SPF records
You will need to keep a single TXT entry for this domain and delete the other entries. The TXT should look like this:
- "v=spf1 include:spf.example1.com include:spf.mailjet.com ~all"
Go to your domain hosting account and view your current DNS records. If you see no SPF record, you will need to create a new record; otherwise, you will edit the existing SPF record:
- Create a new SPF Record
- Add a new DNS record of type TXT
- Copy the hostname from your Mailjet page to the Host Field
In some cases, the domain provider may already populate the host name with your domain name. Please just double check that host name ends with a period.
To authenticate a subdomain, simply add the subdomain followed by a period to the start of the Host field.
Tip: Did you know that @ can be used in the Host Field as it represents your domain name? Instead of copying your values over, just use: @
The @ can be used for authenticating sub-domains as well:
- Copy the SPF value from your Mailjet page to the TXT Value Field. (Some providers may require double quotes around the value field. It is best to contact your provider for assistance if you are unsure.)
- Save your record
Edit an existing SPF Record
In the case you already have an SPF record, simply add the “include” part of your SPF value to the SPF’s TXT value field, and save your changes.
In this example, copy include:spf.mailjet.com to the existing SPF record...
And the new TXT value will be:
Once you have saved your SPF records, the last step is to check the DNS status from your Mailjet page.
SPF issues troubleshooting
Identifying and rectifying misconfigurations or errors in SPF records is crucial for preventing delivery issues. The following guide will assist you in troubleshooting common SPF configuration problems.
DNS Record for DKIM
To setup DKIM authentication, you will be creating a new DKIM record. (Unlike SPF records, there are no issues with having multiple DKIM DNS records in your domain.)
From your domain hosting account, create a new DNS record of type TXT.
In the Host Field, add the value: mailjet._domainkey.yourdomain.com.
(and replace yourdomain with the domain name you are authenticating.)
The second step is to copy the very long DKIM value into the TXT Value Field.
Please note that some domain providers may require double quotes " " around the entire TXT Value. (If you are unsure whether to add the quotes, please contact your provider’s support team for clarification).
Also, some providers will automatically add the domain name to the end of the text value in the Host Field. Please double check the text in the Host Field after you saved the record.
Once you have saved your new DKIM record, the last step is to check the DNS status from your Mailjet page.
Checking your DNS Status
Once you have completed and saved your SPF & DKIM records, jump back to your Mailjet page and click the ‘Force Refresh’ button.
Once your domain has been authenticated, you will see the green ‘looks good’ message.
Please note, you need to force a refresh to check the status as Mailjet does not automatically check for SPF & DKIM changes. It may take up to 24 hours for your DNS changes to reach the Mailjet system.
If your domain is still not authenticated after 24 hours, please check our troubleshooting checklist below or contact your domain hosting provider for help.
Please review the summary checklists for your DNS records:
- SPF is a TXT record
- Only one SPF record for your domain
- Host Name ends with a period
- Depending on your domain hoster, double quotes may be needed around the TXT value
- DKIM is a TXT record
- Multiple DKIM records can exist for your domain
- Host Name ends with a period
- Some providers may require double quotes around the TXT value
If your authentication is not working after 24 hours, please contact your domain host provider for assistance.