Email authentication is an essential part of maintaining a secure and trusted email communication channel. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two key protocols that help verify the legitimacy of your emails, prevent spoofing, and boost deliverability rates. This guide will walk you through everything you need to know about authenticating your domains with SPF and DKIM using Mailjet.

Why Authenticate Your Domain?

Email authentication serves two critical purposes:

1. Protect Your Brand: By verifying that your emails originate from authorized servers, SPF and DKIM prevent unauthorized senders from impersonating your domain. This helps safeguard your brand against phishing attacks and domain spoofing, by making illegitimate emails easier to identify.
2. Improve Email Deliverability: Internet Service Providers (ISPs) use SPF and DKIM to verify incoming emails. By implementing these protocols, your emails are more likely to reach the recipient's inbox instead of being flagged as spam.

What is SPF?

SPF is an email authentication protocol that enables domain owners to specify which mail servers are allowed to send emails on behalf of their domain. It works by publishing an SPF record, a specific type of DNS TXT record, in the domain's DNS settings.

How SPF Works

When an email is sent, the receiving server checks the SPF record to ensure the email was sent from an authorized IP address or hostname. If the sending server matches an IP address or hostname listed in the SPF record, the email is considered authentic.

Setting Up SPF with Mailjet

To set up SPF for your domain with Mailjet, follow these steps:

1. Log in to your domain provider's DNS settings.
2. Add a new TXT record with the following value:
   • Name/Host: Use @ or leave it blank to apply to the root domain.
   • Value: v=spf1 include:spf.mailjet.com ~all

The include:spf.mailjet.com directive tells recipient servers that Mailjet's servers are authorized to send emails on behalf of your domain. The ~all at the end means any server not listed in the SPF record should be considered suspicious.

If you need multiple SPF records for a domain, you are required to consolidate them into a single record to ensure proper functioning. Here's an example of how to do this:

Original SPF Records:

• v=spf1 include:spf.example1.com ~all
• v=spf1 include:spf.mailjet.com ~all

You should keep a single TXT entry for this domain and delete the other entries. The consolidated TXT record should look like this:

After Merging: 

• v=spf1 include:spf.example1.com include:spf.mailjet.com ~all

What is DKIM?

DKIM is an email authentication technique that adds a digital signature to your email messages. This signature allows the receiving email server to verify that the email content has not been altered and that it was sent from an authorized domain.

How DKIM Works

DKIM works by using public-private key encryption. When you send an email, Mailjet signs it with a private key, and the recipient's server verifies it using the corresponding public key, which is published in your domain's DNS records. If the signatures match, it confirms that the email is legitimate and has not been tampered with during transit.

Setting Up DKIM with Mailjet

To set up DKIM for your domain with Mailjet:

1. Log in to your domain provider's DNS settings.
2. Add a new TXT record with the following value:
   • Name/Host: mailjet._domainkey.yourdomain.com.
     (replace yourdomain.com with your actual domain name).
   • Value/Target: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD.... 
     (Input the DKIM key provided by Mailjet. This key can be found in your Mailjet account under the SPF/DKIM Authentication section).  

This configuration ensures that all outgoing emails are signed with Mailjet's DKIM key, providing extra assurance to receiving servers about the legitimacy of your emails.

Keep in mind that some domain providers may require the entire TXT value to be enclosed in double-quotes. If you're unsure, it's best to consult your provider's support team for guidance.

Additionally, some providers may automatically add the domain name to the end of the text value in the Host Field. Be sure to double-check the text in the Host Field after saving the record.

DKIM Bit Rate Considerations

The bit rate of a DKIM (DomainKeys Identified Mail) key refers to the strength of the encryption used for email authentication. Typically, DKIM keys are generated with different bit rates, such as:

• 1024-bit: This is the most common bit rate for DKIM keys and is considered secure for most purposes. It provides a good balance between security and performance and is widely accepted by email providers.
• 2048-bit: This bit rate offers stronger encryption and enhanced security compared to 1024-bit keys. Many organizations now use 2048-bit keys to future-proof their email security against potential cryptographic advances.
• 4096-bit: This is an even stronger bit rate, but it's less common due to its potential impact on performance and DNS size limits. Most domain providers can handle 1024-bit and 2048-bit DKIM keys, but 4096-bit might require special consideration and could be overkill for most use cases.

Recommendation: It is generally recommended to use a 2048-bit DKIM key for enhanced security, especially given the increasing sophistication of cyber threats. Ensure that your domain provider supports 2048-bit keys, and update your DKIM key periodically to maintain security.

However, existing authenticated domains will not be impacted automatically. Users interested in upgrading to 2048/4096-bit keys must regenerate their DKIM records and update the DNS settings on their domains accordingly. This ensures that their email traffic remains trustworthy to email providers and clients.

Updating DKIM Bit Rate

1. Navigating to Account > Domains & Sender addresses > SPF/DKIM Authentication > Setup SPF/DKIM Authentication.
   
2. Click on Regenerate Key under the DKIM section and choose the desired key size.
   
3. Confirm the change and click Regenerate Key again to proceed.
   

Verifying SPF and DKIM Records

After adding SPF and DKIM records, it's important to verify that they are correctly configured. You can do this from your Mailjet account:

1. Log in to Mailjet and navigate to Account Settings > Domains & DNS.
2. Select your domain, and you'll see if the SPF and DKIM records are correctly configured.

If your domain is properly authenticated, you will see a green checkmark next to SPF and DKIM.

SPF and DKIM Authentication Across Different Providers

Step 1: Log into Gandi.net

1. Open a new tab in your web browser and log in to your Gandi account.
2. In the left-side panel, select Domains.
3. Select the domain you want to authenticate for sending with Mailjet.
   
4. Go to the DNS Records tab.
   

Step 2: Validate Your Domain in Maljet

1. In your Mailjet account, navigate to the Domains and Senders page (found in Account Settings).
2. Under Domains and Sender Addresses, you'll see a list of all your sending domains along with their status. Whenever you add a new sender email address or domain, it will automatically appear on the Sending Domain Authentication page.
   
3. To validate a specific domain, simply click on the cog wheel next to it and choose 'Validate'.
   
4. Keep your window open as you'll need to copy this information into your DNS records.
   
5. Go back to your Gandi account and select Add Record.
   
6. From the Type dropdown, choose TXT.
   
7. On Mailjet, copy the value (we will use the second option in the example) from the Host field and paste it into the Name field on Gandi.
8. Copy the value from Mailjet's Value field and paste it into the Text Value field in Gandi.
   
9. Click Create to add the record.
10. Back in Mailjet, click Validate my domain.
    

Note: DNS changes can take a few minutes to propagate. If you don’t receive a success message immediately, wait a few minutes and click Validate my Domain again.

Step 3: Authenticate Your Domain with SPF and DKIM Records

You’ll need to add both SPF and DKIM records to authenticate your domain:

Create an SPF Record

1. In Gandi, click Add Record and select TXT as the record type.
2. In the Name field, input @ (or the subdomain name if you’re authenticating a subdomain).
3. Copy the SPF value from Mailjet and paste it into the Value field in the TXT record.
4. Click Create to add the SPF record.
   

Create a DKIM Record

1. In Gandi, click Add Record and select TXT as the record type.
2. Copy the Name field value from Mailjet and paste it into the Name field in Gandi.
3. Copy the Value field from Mailjet and paste it into the Text Value field in Gandi.
4. Click Create to add the DKIM record.
   

Step 4: Refresh and Verify DNS Records

After adding both records, refresh your DNS settings to validate your domain:

Note: DNS changes may take some time to update. If you don’t see success messages immediately, wait a few minutes and refresh again.

When both records are correctly set up, you will see green status notifications for each record. Once you see these green banners, your domain is ready for sending! 

Best Practices for SPF and DKIM

• Use a SoftFail (~all), HardFail (-all), or Neutral (?all): A ~all mechanism means unauthorized servers are marked as suspicious but still accepted, while -all rejects unauthorized emails outright. The ?all mechanism specifies that servers not listed should be treated neutrally, meaning no positive or negative bias is applied. Choose based on your risk tolerance and the level of strictness you want to enforce.
• Combine with DMARC: Adding a DMARC (Domain-based Message Authentication, Reporting & Conformance) record in conjunction with SPF and DKIM further protects your domain from spoofing and phishing. DMARC helps you set policies on how to handle emails that fail SPF or DKIM checks, providing an added layer of protection.
  
  Learn more about DMARC by visiting our detailed guide: Understanding DMARC.
   
• Monitor Reports Regularly: Use DMARC reports to get insights into any failed SPF or DKIM checks and understand any unauthorized use of your domain. Analyzing these reports will help you identify potential abuse and take appropriate action.
• Ensure Consistent DNS Records: Make sure that all domains used for sending emails have consistent SPF, DKIM, and DMARC records. Inconsistent records can lead to lower deliverability rates and can even cause emails to be flagged as spam.

Troubleshooting Common Issues

• Propagation Time: DNS changes can take anywhere from a few minutes to 48 hours to propagate. Verify your SPF and DKIM setup after sufficient time has passed.
• SPF issues troubleshooting: Identifying and rectifying misconfigurations or errors in SPF records is crucial for preventing delivery issues. The following guide will assist you in troubleshooting common SPF configuration problems.
  • SPF record is a TXT record: Not be confused with the SPF type. Although the SPF type could be used, it is not recommended in the industry.
  • Multiple SPF Records: You can only have one SPF record for a domain. If your domain already has an SPF record, modify it to include Mailjet (include:spf.mailjet.com) instead of adding a separate record.
  • SPF Record Too Long (Max 10 SPF entries limit): Sometimes, SPF records can become too long if you have many email services. To solve this, you may need to consolidate the records or use subdomains for different services. 
    The 10 SPF lookup limit poses a challenge when DNS queries hit this threshold, resulting in SPF permanent errors such as too many DNS lookups or permerror. It's crucial to note that the DNS query for the SPF policy record does not contribute to this limit. Validators on the recipient's end sequentially evaluate the SPF policy, and the assessment process halts upon discovering a match with the sender's IP address. Depending on the sender, a validator might not reach the 10 SPF lookup limit, even if the policy demands more than 10 SPF lookups for a thorough evaluation. This complexity adds to the challenge of identifying email deliverability issues associated with SPF record limits.
• DKIM Not Authenticating: Ensure that the TXT record is configured exactly as provided by Mailjet, with no additional spaces or errors.
• DKIM record is a TXT record: It is published in the DNS (Domain Name System) as a TXT record and contains the public key used to verify that an email message was indeed authorized by the domain owner.
• Email Rejected Despite Proper Setup: Some receiving servers use additional authentication checks. Consider combining SPF, DKIM, and DMARC for a more comprehensive authentication approach.

Additional Security Measures

In addition to SPF and DKIM, you should consider implementing the following security measures:

• DMARC: Adding a DMARC record will allow you to set policies for handling emails that fail SPF or DKIM checks. DMARC provides valuable reports that can help you monitor email activity and identify potential issues with domain spoofing. SPF and DKIM are important for identifying whether an email truly comes from a trusted source, but only DMARC can enforce actions that prevent the delivery of spoofed emails. To fully protect your domain and recipients from email spoofing, all three protocols should be implemented, with DMARC acting as the control mechanism that enforces security policies.

Conclusion

Setting up SPF and DKIM authentication is crucial for protecting your domain and improving email deliverability. By following the steps outlined above, you can confidently send emails through Mailjet, knowing they are less likely to be flagged as spam and more likely to be trusted by your recipients.

To further enhance your domain’s email security, consider implementing DMARC. That protocol works in tandem with SPF and DKIM to provide a comprehensive email authentication and security framework.

For further guidance, please visit Mailjet's detailed documentation or reach out to our support team for assistance.