Better deliverability thanks to DKIM, SPF and DMARC entry - create quickly and easily
DKIM entry
You can generate the DKIM entry directly in the eMail marketing system in the left folder navigation under Settings - Domain/DKIM. DKIM (DomainKeys Identified Mail) is a technology for determining the authenticity of eMail senders. Using a private/public key procedure, eMails sent by the mail server are provided with a signature. The receiving servers can use this signature to check whether the sender address really belongs to the claimed sender. If this authentication fails, the eMail can be sorted out accordingly. This is the best way to stop phishing eMails and other manipulated mailings, such as those with forged sender names. We are a member of the Certified Senders Alliance (CSA) and are therefore obligated to ensure that DKIM is set up for the domain of the sender address in all eMails sent through us. The DKIM entry must be set for all sender address domains that you use in your eMailings. So if you send an eMail with the sender address "beispiel@example.com", the DKIM entry must be set for the domain "example.com".
Please note that the DNS TXT entry displayed in the system must be entered into the DNS of your domain after your sender address domain has been created in the system. Unfortunately, there are no generally applicable rules for this. We therefore recommend that you do this in close consultation with the responsible administrator or domain service provider. You may have to ask your provider to set the DKIM entry for you. If you are using multi-client capability, please make sure that you make the necessary settings at global level (NOT at client level!). If you use the system for your customers, the settings should be made in the corresponding customer client. The eMail marketing system automatically activates the signature in the header of your eMails.
Create DKIM entry
In the folder navigation, go to Settings - Domain/DKIM and click on + New.
Enter sender domain
Enter and save the domain name of the sending domain.
Create DKIM key pair
Click on "Generate DKIM key pair" to generate a new DKIM key pair. If you want to use a DKIM key other than the one generated by the system, please enter it in the "Private Key" and "Public Key" fields.
Copy DNS TXT record
You enter the DNS TXT entry (highlighted in yellow) in the DNS of the sender address domain. You must never pass on the private key or send it by eMail.
Important!
The DKIM-TXT entry must be stored on the domain path ems._domainkey.my-domain.de.
Check DKIM entry
You can view the validity of the entry directly in the system. Because of DNS propagation, it may take 1-2 days until "Valid" appears here, even if the entry has been set correctly.
SPF entry
The Sender Policy Framework (SPF) is a method of distinguishing spam from legitimate messages. SPF works with DNS entries that tell receiving mail servers that the eMail marketing system's servers are allowed to send mail for your sender domain. For example, the eMail marketing tool's mail server sends mails with the sender domain "firma.de" to the mail server of "firma.de". The entries are DNS TXT records whose terms are marked with a trustworthiness level. This allows the recipient's eMail system to evaluate the authenticity of the source. SPF checks whether the sender address given in the Simple Mail Transfer Protocol (SMTP) is allowed to send messages via the respective mail server.
The TXT entry specified below must be entered at the root of the domain in DNS. Please use only the include statement so that you always have the correct data entered automatically.
v=spf1 mx include:_spf.senders.scnem.com -all
If you also want to use the sending domain for mailings sent via your own IPs, just add our include statement to your existing data.
Example:
v=spf1 mx ip4:YOUR_OWN_IPs include:_spf.senders.scnem.com -all
You may have to ask your IT department to make the SPF entry for you or to extend the existing entry.
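The step of extending an existing SPF entry, as an added example that is not part of the original page or the vendor's tooling: it inserts the include shown above into whatever record the domain already has, refuses to create a second SPF record, and counts the lookup terms against the RFC 7208 limit of 10. The function names and the sample records are assumptions made for illustration.

```python
# Added example (not vendor code): extend an existing SPF record with the
# include from the page. Sample records in the demo are constructed.
PROVIDER_INCLUDE = "include:_spf.senders.scnem.com"  # taken from the page

def bare(term):
    """Strip the qualifier (+ - ~ ?) and lowercase a term."""
    return term.lstrip("+-~?").lower()

def count_lookups(terms):
    """Count terms of this record that cost a DNS lookup (RFC 7208 allows 10 in
    total; lookups nested inside included records are not counted here)."""
    n = 0
    for t in map(bare, terms):
        if t.startswith(("include:", "exists:", "redirect=")):
            n += 1
        elif t.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            n += 1
    return n

def add_provider_include(txt_records):
    """Return the one SPF record to publish, given every TXT string at the name."""
    spf = [r for r in txt_records if r.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("several v=spf1 records: receivers treat this as an error")
    if not spf:
        return f"v=spf1 mx {PROVIDER_INCLUDE} -all"
    terms = spf[0].split()[1:]
    if PROVIDER_INCLUDE not in map(bare, terms):
        # Terms after 'all' are never evaluated, so insert in front of it.
        pos = next((i for i, t in enumerate(terms) if bare(t) == "all"), len(terms))
        terms.insert(pos, PROVIDER_INCLUDE)
    if count_lookups(terms) > 10:
        raise ValueError("more than 10 DNS-lookup terms in one record")
    return "v=spf1 " + " ".join(terms)

if __name__ == "__main__":
    # Constructed TXT strings as they might already exist at the domain.
    existing = ["v=spf1 mx ip4:192.0.2.10 -all", "site-verification=constructed"]
    print(add_provider_include(existing))
```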
SPF entry
Everything after the @ sign is your sender domain. The SPF entry must be set for this domain. If a sub-domain is used as the sender address domain (example.example.com), the TXT entry must be set on the sub-domain.
Check SPF entry
In the prompt/terminal you can use the command "dig txt your-domain.de" to find out if an SPF record exists.
In addition, whitelisting can also help to improve the deliverability of your campaigns. In your DNS settings, store our sending IPs in a TXT record for the sending domains you use.
FYI!
If you send a newsletter from the system to your own domain, it may happen that this newsletter does not arrive. Your server refuses to accept it because it knows that it did not send this newsletter, although the newsletter names your server as the sender.
Whitelisting!
In some cases it is recommended to whitelist the IPs of our dispatch servers.
Sending IPs (status 2023)
scnem.com
80.190.129.137, 80.190.129.136, 80.190.129.135, 80.190.129.134
scnem2.com
80.190.129.142, 80.190.129.143, 80.190.129.144, 80.190.129.145
scnem3.com
80.190.118.18, 80.190.118.19, 80.190.129.216, 80.190.129.221
Further information on SPF can be found on the SPF project website: http://www.open-spf.org/.
DMARC entry
DMARC builds on the well-known techniques SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by specifying how the e-mail recipient should perform authentication. While the aforementioned techniques describe who is allowed to send a mail (SPF), or that the mail originates from the sender and is unchanged in certain respects (DKIM), the DMARC specification additionally lets the sender give recommendations on how the recipient should handle a mail that does not meet the requirements in one or both cases. If the eMail recipient applies the DMARC specification, this ensures consistent verification of the authenticity of this eMail.
You do not need to make any settings in the system to set up DMARC, since all information is already contained in the entries for SPF and DKIM.
The DMARC specification was developed on the initiative of Google, Yahoo, Microsoft, Facebook, AOL, PayPal and LinkedIn, among others.
Google has announced that from 01.02.2024 the following three aspects will be in focus:
- Email authentication using DKIM, DMARC and SPF.
- The complaint rate (percentage of Gmail users who mark your emails as spam) should be kept below 0.10% and not exceed 0.30%.
- Simple unsubscribe option via unsubscribe link ("One Click Unsubscribe") and list unsubscribe. Unsubscriptions must also be processed within two days. This is already guaranteed by the Evalanche systems.
Special criteria apply to senders who send to more than 5,000 Gmail accounts in one day. Further information on this can be found in the Google Email Sender Guidelines.
Ideally, all three standards should be set up now, regardless of the size of the mailing list, in order to avoid future delivery problems.
Structure of an entry
DMARC, like SPF and DKIM, uses the TXT records of the Domain Name System (DNS). In addition to the SPF and DKIM entries, a further RR entry is created there with, for example, the following structure (completeness of the parameters is not mandatory):
v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;ruf=mailto:forensik@example.org;adkim=s;aspf=r
Structure of a DMARC entry | |
Abbreviation | Meaning |
v | Protocol version |
pct | Percentage of mails to be filtered |
ruf | Forensic report is sent to |
rua | Aggregated report is sent to |
p | Instruction on how to deal with mails from the main domain |
sp | Instruction, how to handle mails of the subdomain |
adkim | Alignment mode for DKIM |
aspf | Alignment mode for SPF |
Source of the parameters: Wikipedia
The alignment modes (adkim and aspf) are particularly important. For SPF, the specification requires firstly that the check is positive and secondly that the From: header of the mail has the same domain as the one validated by SPF. For DKIM, it is required that the signature is valid and that the domain named there is the same as in the From: header of the mail. s='strict' or r='relaxed' are provided as comparison modes. With 'strict' the domains must match exactly, with 'relaxed' the From: header may also contain a subdomain. The sender receives a daily report on the evaluation at the address given.
The policy (abbreviated here as 'p' or 'sp' for subdomains) finally determines how the recipient should proceed with the mail if the check fails. The modes provided for this are 'none', 'quarantine' and 'reject'. 'None' (also known as monitor mode) is usually used for testing and does not tell the recipient how to proceed. 'Quarantine' requires the mail to be marked as spam, 'reject' requires the mail to be discarded.
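How a receiver could apply the example record above, as an added sketch that is not part of the original page: it parses the tags, checks strict or relaxed alignment for SPF and DKIM, and returns the requested policy. It follows RFC 7489, where one aligned pass (SPF or DKIM) is sufficient; the organizational domain is passed in as an assumption, pct sampling is not applied, and all function names and sample domains are constructed.

```python
# Added example: evaluate the DMARC record from the page against one message.
RECORD = ("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@example.org;"
          "ruf=mailto:forensik@example.org;adkim=s;aspf=r")  # record from the page

def parse_dmarc(txt):
    """Split 'tag=value;tag=value' into a dict and fill in the spec defaults."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags

def aligned(from_domain, auth_domain, mode, org_domain):
    """strict: exact match; relaxed: both names lie under the organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    def under(d):
        return d == org_domain or d.endswith("." + org_domain)
    return under(f) and under(a)

def disposition(record, org_domain, from_domain, spf_pass, spf_domain,
                dkim_pass, dkim_domain):
    """Return 'pass', or the policy (none/quarantine/reject) the record requests."""
    t = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, t["aspf"], org_domain)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, t["adkim"], org_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return t["p"] if from_domain.lower() == org_domain else t["sp"]

if __name__ == "__main__":
    # Constructed case: SPF passes for a third-party bounce domain and the DKIM
    # signature uses a subdomain, which adkim=s does not accept.
    print(disposition(RECORD, "example.org", "example.org",
                      True, "bounce.esp.example", True, "mail.example.org"))
```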