Essential email authentication protocols
SPF (Sender Policy Framework) lets you specify which servers are allowed to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail) adds a digital signature to the emails you send, allowing the recipient's server to verify the authenticity of the email.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM by providing a policy that instructs receiving servers on how to handle emails that fail SPF and/or DKIM checks. It also provides a reporting mechanism for email authentication results.
SPF, DKIM and DMARC are essential email authentication protocols that help protect your domain from email spoofing and phishing attacks. Setting them up correctly is vital for improving email deliverability and building a positive domain reputation.
As one of the many perks of being a customer, beehiiv automatically handles the SPF and DKIM records on your behalf by creating CNAME records that you will need to add to the DNS settings of your domain.
DMARC is an additional verification point that you must add to your account if you are using a custom domain or are a high-volume sender — and coming in early 2024, DMARC will be required for all such beehiiv accounts as an added layer of security.
Tech Note: To configure SPF, DKIM, or DMARC records, you'll need access to your website's domain DNS settings, typically requiring domain ownership or authorized access.
DMARC records, in particular, are sensitive and their accurate setup is important. To assist you with this delicate matter, we've provided step-by-step guidance in this article. Should you require additional assistance beyond this resource, we recommend seeking help from an email deliverability expert or checking out Dmarcian and/or Agari as additional DMARC resources.
How to set up DMARC authentication
1. You’ll first need to define your DMARC policy, because it specifies how the receiving server should treat emails that fail SPF and/or DKIM authentication. The policy options are:
   - 'none': Do nothing, just collect and report data
   - 'quarantine': Move unauthenticated emails to the spam or junk folder
   - 'reject': Reject unauthenticated emails outright
2. Next, you’ll need to decide on your DMARC policy's percentage. This determines the percentage of your domain's email traffic to which the DMARC policy should be applied. We suggest starting with a low percentage (10% for example) and gradually increasing it as you monitor the reports and gain confidence in your email authentication setup.
3. Create a DMARC record as a TXT record to be added to your domain's DNS settings. The record should have the following format:
   v=DMARC1; p=[policy]; pct=[percentage]; rua=mailto:[aggregate_report_email]; ruf=mailto:[forensic_report_email]
   Replace the placeholders with your chosen policy, percentage, and email addresses for receiving aggregate and forensic reports.
4. Add the TXT record that you created in Step 3 to your domain's DNS settings and save it.
For example, if you choose ‘none’ as the policy with a 50% application rate and report emails as "dmarc-reports@yoursite.com", your DMARC record would look like this:
v=DMARC1; p=none; pct=50; rua=mailto:dmarc-reports@yoursite.com; ruf=mailto:dmarc-reports@yoursite.com
After setting up DMARC, be sure to monitor the reports you receive and adjust your policy and percentage as needed. This will help to optimize your email deliverability and further protect your domain from spoofing and phishing attacks.