Maintain good deliverability

General DNS setup

Avatar
Growbots team
  • Updated

Before we get into the technicalities, let’s take a step back and explain what DNS is. It stands for “Domain Name Server” – the Internet's system for converting alphabetic names into numeric IP addresses. DNS has functionalities that enable defining important information about a domain or hostname, particularly its current IP address – DNS records/settings.

Make sure to correctly set up the below domain records to improve deliverability. You (or your IT admin) can do so in the settings section of your domain. 

Each time you send an email, multiple aspects of your email setup are tested. Based on the outcome of these tests, the decision is made whether your email should be delivered to the recipient or rejected (bounced).

Based on our recent research, SPF and DKIM records are the most important records that you should set up to keep your deliverability on track. We noticed that adding both of these can increase open rates significantly.

SPF

It’s a TXT record that lists all authorized host names/IP addresses that are permitted to send emails on behalf of your domain.

DKIM 

It’s an email authentication method that allows the receiver to check if an email that came from a specific domain was authorized by the domain’s owner.

DMARC 

It’s based upon the results of SPF and/or DKIM, which means that at least one of these has to be in place for the email domain. It controls what happens if a message fails authentication tests.

CNAME

It’s a DNS record that specifies that one domain name is an alias of another domain’s name. Given that the CNAME record is set up in the same way regardless of mailbox provider we didn’t include it in the instructions below. Check this article for more specific instructions on setting up CNAME and why it’s important. 

 

Find your mailbox and DNS provider

DNS provider: Before you start, please make sure that you know the DNS provider for your domain. You can check it here. Just enter your domain and scroll down to the Domain Information. The domain information is usually your DNS provider where you edit and manage your DNS settings.

Mailbox provider: You configure your DNS record in your DNS provider’s admin console however the next steps may differ depending on your email provider. The most popular mailbox providers are Google and Microsoft 365.

 

Here you can check the DNS setup rules for the most popular domain providers:

  1. Google
  2. MS Outlook
  3. Other providers

 

DNS setup if you use Google as mailbox:

In a new browser tab or window, sign in to your DNS hosting provider. Next, find where you manage your DNS settings (for example, Zone File Settings, Manage Domains, Domain Manager, DNS Manager). After logging in please make sure to follow the instructions according to your DNS provider.

 

SPF record:

  1. If you use Gmail for sending emails, the correct SPF is: v=spf1 include:_spf.google.com ~all
  2. Add a new TXT record in your DNS settings (not mailbox setting)

Check if it’s working correctly:

Proceed here and insert your domain name. If it says ‘pass’, it means that everything is set up correctly. Growbots will display a notification if there’s anything wrong with your SPF!

 

DKIM record:

How to set up DKIM for Gmail:

  1. From the Admin console homepage, go to Apps-> Google Workspace-> Gmail.

    image3.png


    image1.png


    image2.png

  2. Click Authenticate email.
  3. Your primary domain is selected by default. Click on your primary domain name and select another domain where you’ll be using DKIM.
  4. Click on Generate new record and the following options will be displayed:
    • Select DKIM key bit length —If your domain host doesn't support 2048-bit keys, change the key length to 1024.
    • Prefix selector—The default prefix selector for the Gmail domain key is google.
    • Click Generate.
  5. Now log in to your DNS service provider and go to the DNS management tab:
    • Add the public key to your domain's DNS records. Email servers can use this key to verify your messages' DKIM signatures.
    • In the first field, enter the text displayed in the Google Admin console under ‘DNS Host name’ (TXT record name).
    • In the second field, enter the text string displayed in the Google Admin console under ‘TXT record value’.
    • Save your changes.

      NOTE: If you recently set up Google Workspace or Gmail, you might see this error: "We are unable to process your request at this time. Please try again later. (Error #1000)." After you turn on Gmail, you must wait 24–72 hours before you can generate a DKIM key.

  6. Turn on DKIM signing in Google Admin Console to start adding a DKIM signature to all your outgoing messages:
    • From the Admin console homepage, go to Apps->Google Workspace->Gmail.
    • Click Authenticate email.
    • Select the domain where you want to start email signing. The page displays the status of email signing for the selected domain.
    • Click Start authentication. When the DKIM setup is complete, "Authenticating email" displays.

How to check if it’s set up correctly? 

Proceed here and insert your domain name and set the selector to “google”. If it displays ‘pass’, it means that everything is set up correctly. Growbots will also notify you if there’s anything wrong with your DKIM.

 

DMARC record:

  1. Go to your domain provider
  2. Add a DNS TXT record, or modify an existing record, by entering your record in the TXT record for  _dmarc:
    • TXT record name: In the first field, under the DNS Host name, enter: _dmarc
    • TXT record value: In the second field, enter the text for your DMARC record, add a TXT record in your domain settings with the name “_dmarc” and value “v=DMARC1; p=none; pct=90; sp=none”. 

How to check if it’s set up correctly? 

Proceed here and include your domain name. If it shows “pass”, it means that everything is set up correctly.

 

DNS setup if you use Microsoft 365 as mailbox:

In a new browser tab or window, sign in to your DNS hosting provider. Next, find where you manage your DNS settings (for example, Zone File Settings, Manage Domains, Domain Manager, DNS Manager). After logging in please make sure to follow the instructions according to your DNS provider.

 

SPF record:

  1. Create your SPF: If you use Office 365 for sending messages - the correct SPF is:
    v=spf1 include:spf.protection.outlook.com -all
  2. Publish your SPF: the TXT record indicated in the admin center to your domain (not mailbox settings)

How to check if it’s set up correctly?

Click here and insert your domain name. If it says ‘pass’, it means that everything is set up correctly. Growbots will also show you a notification if there’s anything wrong with your SPF!

 

DKIM record:

1. Publish two CNAME records for your custom domain in DNS:

  • Host name: selector1._domainkey
  • Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
  • TTL:3600

  • Host name: selector2._domainkey
  • Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
  • TTL: 3600

Where:

  • For Microsoft 365, the selectors will always be "selector1" or "selector2".
  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com,  you will find your MX records in DNS settings.

    For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
    contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
  • initialDomain is the domain that you used when you signed up for Microsoft 365.

    InitialDomain always ends with onmicrosoft.com. If you’re not sure what is your InitialDomain, just go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > DKIM. Or, to go directly to the DKIM page, use https://security.microsoft.com/dkimv2

2. Enable DKIM signing for your custom domain:

    1. Open the Microsoft 365 Defender portal using your account.

    2. Go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > DKIM. Or, to go directly to the DKIM page, use https://security.microsoft.com/dkimv2.

    3. On the DKIM page, select the domain by clicking on the name.

    4. In the details flyout that appears, change the Sign messages for this domain with DKIM signatures setting to Enabled (Toggle on)

      When you're finished, click Rotate DKIM keys

Microsoft is quite frequently changing their instructions on enabling DKIM signing, so if the above instructions don't coincide with your account settings - please, just take a look at their help page to find the latest instructions.

How to check if it’s set up correctly? 

Proceed here and include your domain name along with the selector. If it displays  “pass”, it means that everything is set up correctly. Growbots will also notify you if there’s something wrong with your DKIM.

 

DMARC record:

In the DNS Manager page, add a TXT record in your domain settings with a name “_dmarc” and value “v=DMARC1; p=none; pct=90; sp=none”.

 

How to check if it’s set up correctly? 

Click here and include your domain name. If it says  ‘pass’, it means that everything is working properly.

 

 

DNS setup for other providers

How to configure your domain with other domain providers?

  1. Find out who your domain provider is.
  2. Locate your domain management page.
  3. Go to the DNS records section.
  4. Add SPF, DKIM, DMARC and CNAME records according to the instructions below:

 

SPF record:

  1. Create your SPF: For other mailbox providers, the fastest way to check how SPF should look will be by searching on the Internet. The general rule is:
  1. Start with v=spf1 and add the IP addresses that are authorized to send emails. For example, v=spf1 ip4:1.2.3.4 ip4:2.3.4.5
  2. If you use a third party to send messages on your behalf, you have to add an “include” part in your SPF record (for example, include:third_party.com)
  3. End your record with an “~all” or “-all” part.

Here’s an example of a correct SPF:

v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all

 

4. Publish your SPF: This step varies depending on your domain provider. The general instruction is: 

    1. Go to the domain settings. 
    2. Add a TXT record with the SPF that you created. 

You can always ask your domain administrator for help with publishing!

How to check if it’s set up correctly?

Click here and insert your domain name. If it says  ‘pass’, it means that everything is set up correctly. Growbots will also show you a notification if there’s anything wrong with your SPF!

 

DKIM:

Below, you'll find the guides to the most common email service providers (ESP):

For other providers (if no specific instructions were provided):

  1. Generate DKIM: here are third-party tools that you can use to generate the DKIM record, for example, Sparkpost.  Recommended selector: “dkim”.
  2. Publish: You can do so by adding a TXT (or CNAME, for some providers) record with the generated DKIM to your DNS settings. 

Example: If you use Gmail as mailbox provider and Godaddy as DNS provider:

  1. Generate the domain key for your domain in Google Admin Console
  2. Publish DKIM record in the Domain Control Center in Godaddy:
    • Click the Add button in the Records section. You will see a form where you can enter the settings for your DKIM record.

    • Make sure the record type is TXT, Host is set to s1._domainkey where s1 is the DKIM selector, and Points to is set to the TXT record generated above
    • Click the Save button. The record has been added!!
  1. Turn on DKIM signing to start adding a DKIM signature to all your outgoing messages in the Google Admin Console by clicking on “Start Authentication”

How to check if it’s set up correctly? 

Click here and insert your domain name and selector. If you see ‘pass’, it means that everything is set up correctly. Growbots will also notify you if there’s anything wrong with your DKIM.

 

DMARC: 

It’s based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain.

How to set it up?

Add a TXT record in your domain settings with a name “_dmarc” and value “v=DMARC1; p=none; pct=90; sp=none”.

How to check if it’s set up correctly? 

Click here and insert your domain name. If it shows  “pass”, it means that everything is set up correctly.



Related articles

yes-white-svg no-white-svg play01 play02
Powered by Zendesk