What Are SPF And DKIM and How Do I Set Them Up?
Authentication is a way to prove an email isn’t forged. MailChimp's transactional email automatically authenticates all emails sent through our servers, but by adding DNS records to your domain, MailChimp can send on your behalf and digitally ‘sign’ your emails.
If you’ve ever received an email claiming to be from your bank, PayPal, or a company you do business with but it’s really from someone else, then you’ve seen first-hand how easy it is to forge email. Authentication helps legitimate senders prove that their email isn’t forged, and can help receiving servers like ISPs and corporate email servers control inbound spam.
There are a variety of authentication methods, and there’s no best method. SPF and SenderID allow a domain owner to add a file or record on the server that the recipient server cross-checks. These are easy to implement, but some suggest they aren’t as secure. DKIM and DomainKeys embed information within the email, making it harder to forge (but they can also be harder to implement for senders and receivers).
Since there are pros and cons to the various methods, Mandrill automatically adds authentication for all of the methods mentioned above. By default, email is authenticated for the mandrillapp.com domain, but all Mandrill accounts support adding SPF and DKIM for your domain so you can authenticate as your domain instead.
When you add authentication information to your domain, an added benefit is that many ISPs use authentication to track sending reputation. With authentication handled by your domain, reputation with the receiving ISPs is influenced by your domain and the emails sent on behalf of your domain. This means you maintain control over the emails that affect deliverability for your domain. A positive reputation for your domain builds trust and improves deliverability, affecting whether your emails are caught by spam filters and how quickly the receiving servers will accept mail from your domain.
Now that you’ve added a new sending domain, you can also add the appropriate records to your domain’s DNS settings. To add the SPF and DKIM records for your sending domains, you’ll need to add records of type ‘TXT’ through your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider’s help documentation for specific information on adding TXT records.
SPF: If you don’t have an SPF record yet, you’ll need to add one for your domain. At a minimum, the value should be the following if you’re only sending mail through Mandrill for that domain:
v=spf1 include:spf.mandrillapp.com ?all
If you already have a TXT record with SPF information, you’ll need to add Mandrill’s servers to that record by adding include:spf.mandrillapp.com in the record (before the last operator, which is usually ?all, ~all, or -all).
DKIM: Add a new TXT record with the name mandrill._domainkey.yourdomain.com (just replace yourdomain.com with the domain you’re setting up). The value for the record should be one of the options listed below. There are two options because the record contains semicolons. Some DNS providers escape semicolons for you, while others require you to do it when setting up the record.
With semicolons escaped:
v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55 zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1 veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch /4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2Oa KynO8/lQIDAQAB\;
With semicolons unescaped:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55 zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1 veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch /4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2Oa KynO8/lQIDAQAB;
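The two record edits described above can be checked before you paste them into your DNS provider. The following is an added example, not code from Mandrill or MailChimp: the function names are hypothetical, and the sample records and key are constructed for illustration. It places the Mandrill include before the terminal all operator of an SPF record, and confirms that the escaped and unescaped DKIM forms carry the same tags.

```python
import base64

MANDRILL_INCLUDE = "include:spf.mandrillapp.com"  # mechanism given on this page

def add_mandrill_to_spf(record=None):
    """Return an SPF record that authorises Mandrill (hypothetical helper)."""
    terms = (record or "").split()
    if not terms:
        return f"v=spf1 {MANDRILL_INCLUDE} ?all"  # minimum record from the page
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    if MANDRILL_INCLUDE in (t.lower().lstrip("+") for t in terms):
        return " ".join(terms)  # already present, leave unchanged
    for i, term in enumerate(terms):
        # The include must sit before the terminal ?all / ~all / -all operator.
        if term.lower().lstrip("+-~?") == "all":
            terms.insert(i, MANDRILL_INCLUDE)
            break
    else:
        terms.append(MANDRILL_INCLUDE)  # record has no "all" term
    return " ".join(terms)

def parse_dkim_txt(value):
    """Split a DKIM TXT value into tags; accepts '\\;' or ';' separators."""
    tags = {}
    for part in value.replace("\\;", ";").split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop wrap whitespace
    return tags

def dkim_problems(value):
    """List reasons the value would not work as an RSA DKIM key record."""
    tags, problems = parse_dkim_txt(value), []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= is missing or empty")
    except ValueError:
        problems.append("p= is not valid base64")
    return problems

# Constructed sample inputs (not real records or keys).
SAMPLE_KEY = base64.b64encode(b"constructed sample key bytes").decode()
ESCAPED = f"v=DKIM1\\; k=rsa\\; p={SAMPLE_KEY}\\;"
UNESCAPED = f"v=DKIM1; k=rsa; p={SAMPLE_KEY};"
```

An empty list from dkim_problems means the value parsed cleanly; it does not confirm that the record is published or that the key matches the one Mandrill signs with.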