DKIM, SPF and DMARC: Ensure Email Delivery with DNS Records

No More Spam

Many email service providers have announced new requirements that a domain must meet before its messages are delivered. Now is a good time to check that your domain’s DNS records are in order! This article explains what DNS records are and how to modify them. With correct DKIM, SPF and DMARC records in place, the emails sent by your WordPress site are far less likely to get lost in spam filters on the way to the recipient.

What is DNS?

The Domain Name System (DNS) connects domains and IP addresses on a global level. In simple terms, it tells you where or to which server your domain’s traffic should be directed.

When you type a domain – for example seravo.com – into your browser’s address bar, your device will perform a DNS query and direct you to the website. Web servers use numeric IP addresses, which are impractical to remember – this is why domains are used. In other words, DNS connects your domain to the desired server.

What Are DNS Records?

The global DNS system contains information about where and how to direct network traffic for each domain. These are called DNS records, and a file containing all records for a domain is called a zone file. A single DNS record consists of four parts: the host (domain or subdomain), a time-to-live value (TTL), the record type and its target value. In zone-file syntax the record class (practically always IN, for Internet) sits between the TTL and the type.

Host

The first part of a DNS record (host) indicates whether the record is about the domain itself (apex) or about a specific subdomain. For example, a DMARC record is always set for the _dmarc subdomain. Records can also be set for the whole domain.

seravo.com. 3600 IN TXT "example"

subdomain.seravo.com. 3600 IN TXT "anotherexample"

Above you can see examples of TXT records. The first is for the whole domain (seravo.com), while the lower record is defined for a subdomain only. Note the trailing dot after the host names: it marks the name as fully qualified. Without it, the zone's own domain is appended, so "www" means www.seravo.com but "www.seravo.com" without the dot would mean www.seravo.com.seravo.com; the same applies to the target of a CNAME record. Depending on the domain and service provider, the @ sign may also be used to refer to the whole domain (or the apex, often also referred to as the naked or root domain):

@ 3600 IN TXT "example"

TTL

When modifying DNS records or the zone, you may notice that the changes are not immediately visible everywhere, because resolvers cache the answers they have already fetched. How long they may keep an answer is set by the record's TTL (time to live), which can be anything from a few seconds to several days, typically from a few minutes to a few hours. The TTL does not tell you how long an update takes to reach a given resolver: it only tells a resolver how long it may keep the answer in its cache before asking the authoritative name servers again. TTL is expressed in seconds, so the number 3600 in the previous example record means one hour.

Once the authoritative name servers have the new record, resolvers pick it up as their cached copies expire. If you have just updated the records for your domain, you can monitor the update with an online propagation checker, or query the domain's authoritative name server directly (for example with dig or nslookup), which bypasses every cache. Updates are usually visible within a few hours, often much faster. If it's been a while and you still don't see the changes, check what the record's previous TTL was: a resolver that fetched the old answer just before the change may keep it for that long. The DNS cache of your own device or router may also show the old value even when the change is already visible globally. If you know a change is coming, lowering the TTL well in advance (at least one old TTL before the change) keeps the switch-over short.

Types of DNS Records

The previous examples were TXT records, which contain free-form text. There are many other DNS record types; here is a list of the most relevant ones for WordPress admins.

A and AAAA Records

The A and AAAA records are the foundation of the DNS, as they direct the domain's web traffic to the desired IP address. An A record contains an IPv4 address, while an AAAA record contains an IPv6 address; IPv6 is the newer address format and is particularly common on modern mobile networks, so a site should normally have both.

@ 3600 IN A 192.0.2.1

The example A record above directs the domain's traffic to 192.0.2.1, an address from the 192.0.2.0/24 block that is reserved for documentation and examples, so it never points at a real server. Note that 0.0.0.0 is not a suitable placeholder: it is a special address meaning "this host" and should not appear in a zone.

CNAME

If you only need to direct the traffic of a subdomain, A and AAAA records can be used there as well. However, the more typical choice for a subdomain is a CNAME record, which makes the subdomain an alias of another name and follows whatever addresses that name has. A typical example is to direct the "www" subdomain to its desired destination. In the example below, any traffic for the www subdomain is directed to one of Seravo's servers. Two limitations are worth knowing: a name that has a CNAME record cannot have any other records, and a CNAME cannot be placed at the apex of the zone, so the domain itself (@) needs A and AAAA records instead.

www 3600 IN CNAME fi-haarla.seravo.com.

TXT

A TXT record can contain any type of string. DMARC records are an example of records that are of the TXT type.

Each string in a TXT record is limited to 255 bytes. However, DKIM records, for example, are often longer than this. How to solve this, then? Luckily, a TXT record can hold several strings: instead of adding several records, we only need to split the value into pieces of at most 255 characters, each in its own pair of quotes.

@ 3600 IN TXT "example" "anotherexample" "thirdexample"

Whatever reads the record (a DKIM verifier, for instance) concatenates the strings with nothing in between, so the value above is seen as exampleanotherexamplethirdexample. The split points do not matter, but the order does, and any space inside the quotes becomes part of the value, so do not add spaces at the joins.
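An added example (not code from the original article or from Seravo) showing how the splitting and joining above work in practice: a Python script that cuts a long DKIM-style value into strings of at most 255 bytes, quotes them in zone-file syntax, and parses such a record back, rejecting the three mistakes that usually break a hand-edited record (an over-long string, a missing closing quote, text outside the quotes). The DKIM value in it is a constructed placeholder, not a real key.

```python
"""Zone-file TXT handling: split a long value into RFC 1035 character-strings
of at most 255 bytes and join them back the way a DKIM or SPF verifier does.

Added example, not code from the original article. The DKIM-style value
below is a constructed placeholder: the p= payload is filler, not a real key.
"""

MAX_CHARACTER_STRING = 255  # hard limit per quoted string in a TXT record


def split_txt_value(value):
    """Cut an ASCII value into pieces of at most 255 bytes, in order."""
    data = value.encode("ascii")  # DKIM, SPF and DMARC values are ASCII by definition
    return [data[i:i + MAX_CHARACTER_STRING].decode("ascii")
            for i in range(0, len(data), MAX_CHARACTER_STRING)]


def quote_txt_string(s):
    """Quote one character-string in zone-file syntax, escaping backslashes and double quotes."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_zone_rdata(value):
    """Render a value as the RDATA field of a TXT record, e.g. "abc" "def"."""
    return " ".join(quote_txt_string(piece) for piece in split_txt_value(value))


def parse_zone_rdata(rdata):
    """Parse quoted character-strings and concatenate them with nothing in between.

    Rejects an over-long string, an unterminated quote and stray text outside
    the quotes, the three mistakes that silently break a hand-edited record.
    """
    strings, current, in_string, i = [], [], False, 0
    while i < len(rdata):
        ch = rdata[i]
        if not in_string:
            if ch == '"':
                in_string = True
            elif not ch.isspace():
                raise ValueError(f"unexpected {ch!r} outside quotes at offset {i}")
        elif ch == "\\":
            i += 1
            if i >= len(rdata):
                raise ValueError("dangling backslash")
            current.append(rdata[i])
        elif ch == '"':
            in_string = False
            strings.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_string:
        raise ValueError("unterminated string")
    for n, s in enumerate(strings):
        if len(s.encode("utf-8")) > MAX_CHARACTER_STRING:
            raise ValueError(f"string {n} is {len(s)} bytes, limit is {MAX_CHARACTER_STRING}")
    return "".join(strings)


# Constructed DKIM-style value, deliberately longer than 255 characters (402 in total).
CONSTRUCTED_DKIM_VALUE = "v=DKIM1; k=rsa; p=" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 12


if __name__ == "__main__":
    rdata = to_zone_rdata(CONSTRUCTED_DKIM_VALUE)
    print(rdata)  # two quoted strings, 255 and 147 bytes
    print(parse_zone_rdata(rdata) == CONSTRUCTED_DKIM_VALUE)
    print(parse_zone_rdata('"example""anotherexample""thirdexample"'))
```

When pasting a provider's DKIM record into a zone editor, running its value through to_zone_rdata gives the exact text to paste; running the editor's output through parse_zone_rdata and comparing it with the original value catches a lost character before the provider's verification fails.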

What is a Wildcard DNS Record?

You may have noticed that by default, the DNS zone at Seravo’s hosting and upkeep includes a record whose host starts with an asterisk (*). This is called a wildcard record. It directs traffic for every subdomain that has no records of its own in the zone file to the specified location. This is useful in case of a typo in the subdomain: for example, if “ww” is typed into the address bar instead of “www”, as the DNS treats these as two separate subdomains.

If your WordPress site is hosted at Seravo, the use of the wildcard record is not mandatory and it can be safely omitted, if you do not wish to direct unmatched subdomains to your site. If you maintain your domain in an external service or wish to learn more about the DNS records required at Seravo, head over to our Knowledge Bank!

How to Authenticate Email Delivery with DNS Records

When mail is sent to your domain, the sending server looks up your domain's MX records to find the mail servers that accept mail for it. The MX records therefore reveal which service you are using (such as Google Workspace or Microsoft Outlook), and the mail is delivered to your inbox there.

There are also plenty of emails sent by your WordPress installation, including (but not limited to) messages from contact forms, WooCommerce order notifications or WordPress user account management, such as messages about password resets.

Reduce Spam by Checking DNS Records

DKIM, SPF and DMARC are techniques for authenticating the sender of an email. They let a receiving server tell mail that really comes from your domain apart from forged mail that merely claims to, which is how they reduce spam and phishing, and why legitimate mail from a correctly configured domain is less likely to be filtered. The three complement each other, and by getting to know them just a little bit you can improve the flow of email traffic on your domain.

As Seravo’s customer, if you need any help with modifying your domain’s DNS records, you can contact us and let our WordPress experts help you out. Even if your domain is maintained in an external service, we’ll be happy to advise you on how to move forward!

DKIM

DKIM, or DomainKeys Identified Mail, adds a digital signature to the headers of every outgoing email message. The signature covers selected headers (From, Subject and so on) and a hash of the message body, and is made with a private key held by the sending service. When the message reaches the recipient, the receiving server verifies the signature with the matching public key, which is published in the domain's zone file as a DNS record of its own. This is public-key cryptography, the same kind used for PGP keys and TLS certificates; DKIM keys are usually RSA, and Ed25519 is also standardised.

The public key is published in a TXT record under the host name <selector>._domainkey.<domain>, where the selector is a label chosen by the sending service (for example default, google or s1). Because the selector is part of the host name, one domain can publish several keys at once, which is what makes key rotation and multiple sending services possible. In some setups the provider asks you to add a CNAME record at that host name that points to a TXT record the provider maintains; this lets the provider rotate the key without you touching the zone.

How to Implement DKIM?

DKIM deployment depends on the service you are using, so it is advised to check out the documentation of the service you wish to use for sending mail. When you have acquired the DKIM information as DNS records from your service provider, they need to be added to your domain’s zone file. Once the record is in place, you can confirm it by querying the TXT record for <selector>._domainkey.<domain> and checking that the value begins with v=DKIM1 and contains a p= tag holding the key; an empty p= tag means the key has been revoked. Most providers also offer a verification button that performs the same check.

SPF

SPF, or Sender Policy Framework, tells receivers which servers or services are allowed to send email on behalf of your domain. Aside from your email service provider and WordPress site, these can be third-party services such as email marketing software or services (MailChimp, HubSpot, ActiveCampaign, etc.).

The purpose of SPF is to prevent spoofing, i.e. the falsification of the sender’s domain. The receiving mail server takes the domain from the envelope sender (the MAIL FROM address, which appears as Return-Path in the delivered message; for an empty MAIL FROM, as with bounces, the HELO name is used instead), looks up its SPF record in the DNS and checks whether the IP address of the connecting server is authorised by it. Note that SPF does not look at the From header the recipient sees; tying the two together is DMARC's job. If an incoming message does not pass the SPF check, it is likely to be filtered as spam along the way and may never reach the recipient's spam folder either.

@ 10800 IN TXT "v=spf1 a mx include:example.com ~all"

In the example above, the domain (apex) is allowed to send email from the IP addresses found in its own A and MX records. In addition, include:example.com pulls in the SPF record of the fictitious example.com, so every sender that record authorises may send for this domain as well; this is how third-party services are usually added. The tag v=spf1 at the beginning tells the receiving mail server that this TXT record is an SPF record (version 1). The all mechanism at the end, together with its qualifier, tells mail systems how to treat messages from senders not matched by anything earlier in the record:

  • ~all, “softfail”: other senders are probably not allowed; receivers usually accept the message but mark it as suspicious and give it a worse spam score.
  • -all, “hardfail” (fail): other senders are definitely not allowed and the message should be rejected.
  • ?all, “neutral”: the domain makes no statement, which receivers treat much like having no SPF record at all.
  • +all, “pass”: every server in the world is authorised. Never use this, as it makes the record worthless.

How to Implement SPF?

Each domain or subdomain can have only one SPF record (one TXT record starting with v=spf1); if there are two, receivers treat it as a permanent error, which is worse than having none. The contents also have limits: evaluating the record may trigger at most ten DNS lookups in total. Every include:, a, mx, ptr and exists mechanism and every redirect= modifier counts as one, including those inside the records you include, while ip4: and ip6: cost nothing. Going over the limit likewise produces a permanent error, so long lists of third-party services are best expressed as ip4:/ip6: ranges or trimmed to what is actually in use.
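An added example, not code from the original article or from Seravo, of how a receiving server evaluates a record like the one above and where the ten-lookup limit bites: a small Python SPF evaluator that runs against an in-memory DNS table. All domains and addresses are constructed (example.com, example.net and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 blocks are reserved for documentation), only the mechanisms found in typical records are implemented, and the mx handling skips the separate per-MX-host cap that the RFC adds.

```python
"""Minimal SPF (RFC 7208) check_host() over an in-memory DNS table.

Added example, not code from the original article or from Seravo. All names
and addresses are constructed documentation values. Supported: qualifiers
+ - ~ ?, the mechanisms all, ip4, ip6, a, mx and include, the redirect=
modifier, and the limit of ten DNS lookups per evaluation.
"""
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror

# Constructed DNS data: name -> {record type: [values]}
DNS = {
    "example.com": {
        "TXT": ["v=spf1 a mx include:_spf.example.net ~all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "strict.example.com": {"TXT": ["v=spf1 ip4:192.0.2.10 -all"]},
    # Pathological record that includes itself: can never stay under the limit.
    "loop.example.com": {"TXT": ["v=spf1 include:loop.example.com -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}  # each costs one lookup


class SPFPermError(Exception):
    """The record cannot be evaluated; receivers report this as permerror."""


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one TXT record starting with v=spf1 is allowed per name."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:
        raise SPFPermError(f"{domain}: expected one SPF record, found {len(records)}")
    return records[0]


def check_host(ip, domain, counter=None):
    """Return (result, lookups_used) for a message from ip whose envelope domain is domain."""
    counter = counter if counter is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    redirect = None

    def count_lookup():
        counter["lookups"] += 1
        if counter["lookups"] > MAX_DNS_LOOKUPS:
            raise SPFPermError(f"{domain}: more than {MAX_DNS_LOOKUPS} DNS lookups")

    for term in spf_record(domain).split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # consulted only if no mechanism matches
            continue
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], counter["lookups"]
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # free: no lookup
        elif name in LOOKUP_MECHANISMS:
            count_lookup()
            target = arg or domain
            if name == "a":
                matched = any(addr == ipaddress.ip_address(v) for v in lookup(target, "A"))
            elif name == "mx":
                matched = any(addr == ipaddress.ip_address(v)
                              for host in lookup(target, "MX") for v in lookup(host, "A"))
            elif name == "include":
                matched = check_host(ip, target, counter)[0] == "pass"
            else:
                raise SPFPermError(f"{name} is not implemented in this example")
        else:
            raise SPFPermError(f"unknown mechanism {name!r}")
        if matched:
            return QUALIFIERS[qualifier], counter["lookups"]

    if redirect:
        count_lookup()
        return check_host(ip, redirect, counter)
    return "neutral", counter["lookups"]  # nothing matched and no all: neutral


def audit_lookups(domain, seen=None):
    """Count every lookup the record can trigger, whatever the sender IP.

    This is the number to compare against the limit of ten when reviewing a record.
    """
    seen = seen if seen is not None else set()
    if domain.lower() in seen:
        return MAX_DNS_LOOKUPS + 1  # an include cycle can never pass the limit
    seen.add(domain.lower())
    total = 0
    for term in spf_record(domain).split()[1:]:
        term = term.lstrip("+-~?")
        name, _, arg = term.lower().partition(":")
        if name.startswith("redirect="):
            total += 1 + audit_lookups(term.split("=", 1)[1], seen)
        elif name in LOOKUP_MECHANISMS:
            total += 1 + (audit_lookups(arg, seen) if name == "include" else 0)
    return total
```

With the table above, check_host("192.0.2.10", "example.com") passes on the a mechanism after one lookup, a message from 192.0.2.25 passes via mx after two, 198.51.100.7 passes through the include after three, and 203.0.113.5 falls through to ~all and gets softfail. audit_lookups("example.com") reports three lookups, which is the figure to keep under ten; the self-including loop.example.com raises SPFPermError, which is how a receiver reacts to an over-long include chain in a real record.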

Your own organization’s IT experts have the best information about the implementation of SPF, but as Seravo’s customer, you can always get in touch with us if you wish to edit the contents of your domain’s SPF record, or if you have any other questions about DNS records.

DMARC

DMARC, Domain-based Message Authentication, Reporting, and Conformance, complements DKIM and SPF. On their own, SPF checks the envelope sender and DKIM the signing domain, and neither has to match the From address the recipient actually sees. DMARC closes that gap: a message passes DMARC only if at least one of SPF and DKIM passes and the domain that passed is aligned with the From header domain (identical in strict mode, sharing the same organisational domain in relaxed mode). The DMARC record then carries a policy telling receivers what to do with mail that fails, and can ask them to send reports of what they have seen, so that the findings can be processed further.

If you’re sending email from your domain, it’s crucial to make sure it has a DMARC record defined in the DNS. Large email providers (Google and Yahoo since February 2024) require bulk senders to have a valid DMARC record with at least a p=none policy. More on DMARC policies later!

As a domain owner, the contents of the DMARC record and the policy are up to you. DMARC tells email systems what to do with messages that fail DMARC authentication, that is, messages for which neither SPF nor DKIM produced an aligned pass. If your site and domain are hosted at Seravo, your domain may contain a DMARC record by default, with a placeholder policy (p=none) that asks receivers to take no action. You should check the record and its policy, and adjust it if you want to receive DMARC reports: the aggregate reports show which services are sending mail as your domain and which of them fail, which is exactly what you need to know before tightening the policy to quarantine or reject. Because of the volume of reports that may arrive, it is recommended to set up a separate mailbox to receive and process them.

In the light of recent DMARC requirements, you should pay particular attention to ensuring your domain has a defined DMARC record. DMARC record should definitely exist in the DNS records of your domain, even if no special rules are defined for its content.

Example of a DMARC Record

A DMARC record is a TXT record set for the subdomain _dmarc. In its simplest form, a DMARC record could look like this:

_dmarc 10800 IN TXT "v=DMARC1; p=none;"

The example above contains everything that is mandatory for a DMARC record, but you can do a lot more with DMARC: the record can include much more specific rules for handling messages that fail authentication and for reporting.

Compulsory DMARC Tags

These tags should be found in the DMARC record:

  • v = DMARC protocol version. The value is DMARC1 and this must be the first tag in the record, or the recipient’s mail server will ignore the whole record. It tells the receiver that this is not just any TXT record, but indeed DMARC.
  • p = policy requested for messages that do not pass DMARC authentication (p=none, p=quarantine or p=reject)
    • p=none – monitoring only: the receiver takes no action based on DMARC, but still sends reports if rua or ruf addresses are set. This is the right starting point while you find out which services send mail for your domain.
    • p=quarantine – the recipient’s mail server treats messages that do not pass authentication as suspicious, typically placing them in the spam folder (the exact treatment depends on the settings of the service used by the recipient).
    • p=reject – messages that do not pass authentication should be rejected outright.

Optional DMARC Tags

The tags listed below are optional in the DMARC record:

  • sp = Policy for subdomains, same syntax as the mandatory “p” tag. If omitted, subdomains inherit p.
  • pct = Percentage (0 to 100) of failing messages to which the quarantine or reject policy is applied; the rest get the next weaker policy. Allows the policy to be tightened gradually while monitoring the impact. Defaults to 100.
  • rua = Address(es) to which DMARC aggregate reports are sent, written as a mailto: URI, e.g. rua=mailto:dmarc@example.com. These are daily XML summaries of which sources sent mail claiming to be your domain and how they fared.
  • ruf = Address(es) for failure (forensic) reports about individual messages that did not pass authentication, also as a mailto: URI. Many large receivers do not send these at all, for privacy reasons.
  • fo = Complements the ruf tag: which failures generate a report (0 = both SPF and DKIM failed, the default; 1 = either failed; d = a DKIM signature failed; s = SPF failed).
  • rf = Format of failure reports; afrf is the only registered value.
  • ri = Requested interval, in seconds, between aggregate reports. Defaults to 86400, one day.
  • adkim = DKIM alignment mode, strict (“s”) or relaxed (“r”): whether the domain in the d= tag of the DKIM signature must be identical to the From header domain (strict), or may differ as long as both share the same organisational domain (relaxed). This decides, for example, whether a message signed with d=mail.example.com can pass for a From address at example.com. If not specified, defaults to “r”.
  • aspf = SPF alignment mode, strict or relaxed, applied in the same way to the domain SPF checked (the envelope sender). Affects messages whose envelope sender is a subdomain, as is common with bounce-handling services. If not specified, defaults to ‘r’.

Source: IETF, RFC 7489: https://www.rfc-editor.org/rfc/rfc7489
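An added example, not code from the original article or from Seravo, that ties the mandatory and optional tags together: a Python script that parses a DMARC record, applies the RFC defaults, and decides the DMARC result and disposition for a message from its SPF and DKIM results, including strict and relaxed alignment for adkim and aspf and the subdomain fallback to sp. The DMARC record, domains and messages are constructed (example.com and example.net are reserved documentation names), and the organisational domain is approximated as the last two labels, where a real receiver uses the Public Suffix List.

```python
"""Parse a DMARC record (RFC 7489), fill in the defaults, and decide the DMARC
result and disposition of one message from its SPF and DKIM results.

Added example, not code from the original article or from Seravo. The record,
domains and messages are constructed documentation values, and the
organisational domain is approximated as the last two labels (a real receiver
uses the Public Suffix List, so that names like example.co.uk work).
"""

POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}

# Constructed DNS data: _dmarc.<domain> -> TXT value. Only the apex has a record.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=s; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    """Check the tags a receiver insists on and apply the RFC defaults for the rest."""
    tags, order = {}, []
    for part in (p.strip() for p in record.split(";")):
        if not part:
            continue
        key, sep, value = (x.strip() for x in part.partition("="))
        if not sep or not key:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.lower()] = value
        order.append(key.lower())
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag, or the whole record is ignored")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= is mandatory and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim= and aspf= must be r (relaxed) or s (strict)")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be a whole number from 0 to 100")
    for key in ("rua", "ruf"):  # report addresses are URIs, not bare addresses
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                raise ValueError(f"{key}= entries must be mailto: URIs, got {uri!r}")
    return tags


def org_domain(domain):
    """Approximate organisational domain: the last two labels."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def find_policy(from_domain):
    """Look up _dmarc.<From domain>; if absent, fall back to the organisational domain's record."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = DNS_TXT.get(f"_dmarc.{candidate}")
        if record:
            return candidate, parse_dmarc(record)
    return None, None


def evaluate(from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-sender domain SPF checked and dkim_domain the d=
    of a signature that verified; pass None where there was none. The pct=
    sampling is left out so that the result is deterministic.
    """
    policy_domain, tags = find_policy(from_domain)
    if tags is None:
        return "none", "none"  # no DMARC record anywhere: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    is_subdomain = from_domain.lower() != policy_domain
    policy = tags["sp"] if is_subdomain and "sp" in tags else tags["p"]
    return "fail", policy.lower()
```

Two cases in the constructed data are worth tracing. A message from example.com whose envelope sender is bounce.example.com passes on SPF because aspf is relaxed by default, while the same message signed only with d=mail.example.com fails because the record sets adkim=s, and gets quarantined. A message from news.example.com, which has no _dmarc record of its own, is judged by the apex record and, failing there, gets the sp=reject policy rather than p=quarantine.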

How to Implement DMARC?

Once you have decided what kind of DMARC policy you want to implement on your domain, the record should be added to the DNS zone. Seravo’s customer service will happily help you to add or edit any DNS record, but for instructions on modifying records on your own, keep reading!

How to Edit DNS Records?

If your domain has been transferred to Seravo, you can edit DNS records simply by logging in to your WordPress site (wp-admin). A separate manager (such as cPanel) is not available nor required at Seravo, but all edits are possible with the Seravo plugin. Simply go to Tools > Domains and you will be able to edit DNS records of your domain.

If you are the technical contact for your site, you can also request changes to records by email (help@seravo.com) and we will make the necessary changes for you – as part of our service, at no extra charge.

Other DNS Provider

If your domain is maintained in another service, please follow the instructions of that provider for making changes.

Where’s My Domain At?

To find out where the domain is managed, you can use an online tool, or the whois command on the Linux command line. The query shows the information held for the domain in the WHOIS service: the registrar, the name servers in use and, depending on the registry, the domain holder's contact details.

The maintenance and automatic renewal of one domain is always included in a WordPress plan at Seravo. If your domain is not yet managed by Seravo, you can transfer it by providing us with the necessary information to transfer the domain, or simply contact our customer service to get started.

That’s it!

Hopefully this post helped you get started with the basic concepts of DNS, edit records on your own and win the battle against spam! Knowing how to edit your domain’s zone is worth it, although it can be a bit tricky: a single missing character can mean the record does not work. As Seravo’s customer, you’re always free to turn to us if you have any questions about domains, DNS, or records! The best way to contact us is by email.