SPF, DKIM and DMARC are email security protocols that, once set up, prove your emails are legitimate, thus preventing them from being marked as spam.
SPF
Step 1: Find your Domain DNS management page
If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.
You'll need access to the domain management page to set up SPF, DKIM and DMARC.
- Go to https://console.aws.amazon.com/route53/v2/hostedzones#, find your domain and click on it.
- You will enter a page that looks like this
Step 2: Update or create an SPF record
Search for a TXT record starting with v=spf1:
- If you find one: jump to the Update an SPF record section.
- If you do not find any SPF record, go to the Create an SPF record section below.
Create an SPF record
- Press the Create Record button
- Add the new SPF record and save changes
Type | Host | Value | TTL |
---|---|---|---|
TXT Record | @ | v=spf1 include:spf.protection.outlook.com ~all | 5 min |
- Make sure you Save Changes.
- Your record is now created, move to Step 3: Validate your SPF setup.
Update an SPF record
To update the existing SPF record, you will need to add include:spf.protection.outlook.com to the record's Value field.
For example, your current record value may look like this:
v=spf1 ip4:1.2.3.4 include:thirdparty.com ~all
After the update, it should be this:
v=spf1 ip4:1.2.3.4 include:thirdparty.com include:spf.protection.outlook.com ~all
Step 3: Validate your SPF setup
If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.
Within Amplemarket
- Go to the Domain Health Center
- Find a mailbox for the domain you just configured, and press the Authentication cell
- Press Run tests to run an Authentication check
- Once completed, the SPF should now show as pass
Outside Amplemarket
If you don't have access to Amplemarket, you can verify that your SPF is correctly set up with a free tool like: https://mxtoolbox.com/spf.aspx
Common SPF Error Cases
Multiple SPF Records
You cannot have multiple SPF records for the same Host.
If you do, you will need to merge them into one.
For example, if you have 3 SPF records:
Type | Host | Value | TTL |
---|---|---|---|
TXT Record | @ | v=spf1 include:spf.protection.outlook.com ~all | 5 min |
TXT Record | @ | v=spf1 ip4:1.2.3.4 ~all | 5 min |
TXT Record | @ | v=spf1 include:thirdparty.com ~all | 5 min |
You will need to merge them into just one by editing one of them and deleting the others. The final result should be only one record with v=spf1 for the @ Host.
Type | Host | Value | TTL |
---|---|---|---|
TXT Record | @ | v=spf1 ip4:1.2.3.4 include:thirdparty.com include:spf.protection.outlook.com ~all | 5 min |
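The merge described above can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical, and it also counts the terms that cost a DNS lookup, since SPF allows at most 10 per evaluation (RFC 7208) and merging several records can push a domain over that limit.

```python
import re

# Mechanisms/modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def term_name(term):
    """Return the bare mechanism/modifier name, e.g. '~all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip(QUALIFIERS), maxsplit=1)[0].lower()


def merge_spf(records):
    """Merge several SPF TXT values for one host into a single value."""
    ips, others, all_terms = [], [], set()
    for rec in records:
        terms = rec.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in terms[1:]:
            name = term_name(term)
            if name == "all":
                all_terms.add(term.lower().lstrip("+"))  # '+all' == 'all'
            elif name in ("ip4", "ip6"):
                if term not in ips:
                    ips.append(term)
            elif term not in others:
                others.append(term)
    if len(all_terms) > 1:
        # Conflicting policies (e.g. ~all vs -all) need a human decision.
        raise ValueError(f"records disagree on 'all': {sorted(all_terms)}")
    return " ".join(["v=spf1", *ips, *others, *all_terms])


def lookup_count(record):
    """Count top-level terms that trigger DNS lookups (nested ones not followed)."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])


# Constructed sample: the three records from the table above.
SAMPLE = [
    "v=spf1 include:spf.protection.outlook.com ~all",
    "v=spf1 ip4:1.2.3.4 ~all",
    "v=spf1 include:thirdparty.com ~all",
]

if __name__ == "__main__":
    merged = merge_spf(SAMPLE)
    print(merged, "| lookups:", lookup_count(merged))
```

The merged value contains the same mechanisms as the record shown above, with the two include terms in the order they were read.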
Malformed SPF Record
This could be a typo or a misplaced element.
Copy and paste the record you have to this SPF syntax checker to help you find the issue: https://vamsoft.com/support/tools/spf-syntax-validator
DKIM
Step 1: Find your Domain DNS management page
If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.
You'll need access to the domain management page to set up SPF, DKIM and DMARC.
- Go to https://console.aws.amazon.com/route53/v2/hostedzones#, find your domain and click on it.
- You will enter a page that looks like this. Keep this page open, as you'll need it later.
Step 2: Generate DKIM keys for Microsoft 365
- Go to https://admin.microsoft.com/Adminportal/Home#/Domains, search for your domain and press Manage DNS.
- Pick Add your own DNS records, then press Continue
- Go to Advanced Options and make sure you check the DKIM records option
Step 3: Create the DKIM DNS Records
- Copy the DKIM records you just generated from Microsoft's
- Add them as new CNAME records in Amazon's DNS management page that you opened earlier.
- Go back to Microsoft's admin panel and press the Continue button to complete the setup
- Continue may fail as it can take a couple of minutes (at worst hours) for Microsoft to recognize the new DNS records you just created. Please try again if that's the case.
- Finally you should see this page
Step 4: Validate your DKIM setup
If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.
Within Amplemarket
- Go to the Domain Health Center
- Find a mailbox for the domain you just configured, and press the Authentication cell
- Press Run tests to run an Authentication check
- Once completed, the DKIM should now show as pass
Outside Amplemarket
If you don't have access to Amplemarket, you can verify that your DKIM is correctly set up with a free tool like: https://mxtoolbox.com/dkim.aspx
Use selector1 and selector2 as the selector values
Common DKIM Error Cases
Malformed DKIM Records
This means the DKIM record has an incorrect format, usually caused by mistakenly adding an extra character. Please double check your records, and/or copy/paste them again.
Email body altered after DKIM signature
This can happen when there are special configurations on your email servers that change outgoing emails. It's best to contact your IT department about this issue, since it will affect deliverability.
DKIM Signed from different domain
Your emails have a DKIM signature that did not originate from your domain. This means you haven't performed the DKIM setup for your domain; go to the DKIM setup section of this guide.
DKIM Signed with default Microsoft signature
Microsoft automatically signs all outgoing email with their default DKIM signature.
If you'd like to have an optimal setup for deliverability you can go to the DKIM setup section of this guide, to set up a DKIM signature coming from your domain.
DKIM Signature did not match
Your DKIM record is outdated and does not match the one that Microsoft is using.
Complete the steps in the DKIM setup section of this guide.
DMARC
Step 1: Find your Domain DNS management page
If you don't have access to the login credentials, share this guide with someone in your organization who does, usually the IT team, or the person that bought the domain.
You'll need access to the domain management page to set up SPF, DKIM and DMARC.
- Go to https://console.aws.amazon.com/route53/v2/hostedzones#, find your domain and click on it.
- You will enter a page that looks like this
Step 2: Create a DMARC Record
- Press Create Record
- Add a new DMARC record and save changes
Type | Host | Value | TTL |
---|---|---|---|
TXT Record | _dmarc | v=DMARC1; p=none; | 5 min |
- You can learn more about the different DMARC policies in Microsoft's documentation.
Step 3: Validate your DMARC setup
If the validation fails, it may be because DNS changes can take a while to propagate. Try again in a couple of minutes.
Within Amplemarket
- Go to the Domain Health Center
- Find a mailbox for the domain you just configured, and press the Authentication cell
- Press Run tests to run an Authentication check
- Once completed, the DMARC should now show as pass
Outside Amplemarket
If you don't have access to Amplemarket, you can verify that your DMARC is correctly set up with a free tool like: https://mxtoolbox.com/dmarc.aspx
Common DMARC Error Cases
Multiple DMARC Records
Keep only one of the records and delete the others.
DMARC records are TXT type records, with _dmarc on the Host option.
Malformed DMARC Record
This could be a typo or a misplaced element.
Copy and paste the record you have to this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator
Malformed Email on the rua and/or ruf option
Your DMARC record has a rua and/or ruf option with a malformed email address.
Please check the syntax of the email address.
Copy and paste the record you have to this DMARC syntax checker to help you find the issue: https://vamsoft.com/support/tools/dmarc-policy-validator
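The three DMARC error cases above can also be checked locally before publishing a record. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes report addresses are mailto: URIs and uses a simplified address pattern rather than a full parser.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified shape check for report URIs (assumption: mailto: only, optional
# "!10m" size suffix; not a full RFC 5322 address parser).
MAILTO = re.compile(
    r"^mailto:[^@\s,!]+@[a-z0-9-]+(\.[a-z0-9-]+)+(![0-9]+[kmgt]?)?$", re.I)


def parse_tags(record):
    """Split 'v=DMARC1; p=none;' into [('v', 'DMARC1'), ('p', 'none')]."""
    tags = []
    for part in record.split(";"):
        if part.strip():  # a trailing ';' is allowed
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    return tags


def check_dmarc(txt_values):
    """Return the problems found in the TXT values published at _dmarc."""
    records = [v for v in txt_values if v.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record found"]
    problems = []
    if len(records) > 1:
        problems.append(f"multiple DMARC records ({len(records)}): keep one")
    for rec in records:
        tags = dict(parse_tags(rec))
        policy = tags.get("p")
        if policy is None:
            problems.append("missing p= tag")
        elif policy.lower() not in POLICIES:
            problems.append(f"invalid policy p={policy}")
        for name in ("rua", "ruf"):
            for uri in filter(None, tags.get(name, "").split(",")):
                if not MAILTO.match(uri.strip()):
                    problems.append(f"malformed {name} address: {uri.strip()}")
    return problems


# Constructed sample values, as they might appear in the DNS zone.
GOOD = ["v=DMARC1; p=none;"]
BAD_RUA = ["v=DMARC1; p=none; rua=mailto:dmarc@example"]

if __name__ == "__main__":
    for sample in (GOOD, BAD_RUA, GOOD + ["v=DMARC1; p=reject"]):
        print(sample, "->", check_dmarc(sample) or "ok")
```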