In this post, we will talk about how to protect your domain against email spoofing, and how you can configure your domain to keep your emails out of your user’s spam folder.
We will also learn about BIMI Record and how to create BIMI records to show you brand logo in inboxes.
Imagine this, your customers reach out to you saying that they are not getting password reset emails. After some investigation, you find that you sent the email from your end but they are ending up spam folder.
You scratch your head, thinking about why your emails are going spam? you never spammed your customers.
This can happen to you due to missing SPF and DKIM configuration on your domain. Maybe you are a victim of domain spoofing and that’s why your emails are ending up in spam.
Maybe your emails are not landing in spam yet, but if you don’t have SPF and DKIM configured. it’s possible that they will land in your user’s spam folder.
Other than keeping emails out of spam, you also need to stay in the good books of your mail service providers. mail service providers will lock you out if they think you are spamming people.
Configuring SPF, DKIM and DMARC protects your domain against abuse, secures your emails, and improves email deliverability.
Gmail and other public email service provider uses these records are signals for spam classification. A domain with valid records is less likely to end up in spam because google and other email service provider can use SPF, and DKIM to verify the authenticity of the email.
Let’s talk about all the acronyms, what they are and how they can help you.
What is SPF?
SPF stands for Sender Policy Framework. In simple words, you use SPF to tell everyone the mail servers that are allowed to send an email for your domain.
SPF record is used by receiving mail servers to verify that emails for your domain are coming from a mail server that is allowed to send an email for your domain.
SPF records are defined as a TXT record on your domain
Here we are looking at SPF record for google.com and github.com using dig
$ dig google.com -t TXT +short | grep -i spf
"v=spf1 include:_spf.google.com ~all"
$ dig github.com -t TXT +short | grep -i spf
"v=spf1 ip4:22.214.171.124/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:126.96.36.199 ip4:1" "188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 ip4:18.104.22.168/28 ip4:22.214.171.124 ip4:126.96.36.199/31 ip4:188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 ~all"
Why do you need SPF?
With an SPF record in place, spammers can’t spoof your domain and send emails pretending to be you because the mail server used by spammers is not an allowed mail server.
SPF protects you against spammers spoofing your domain and ruining the reputation of your domain.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It’s a way to sign your emails and protect against spoofing after an email leaves the sender’s server.
DKIM allows you to sign your email with a private key as it leaves sending mail server, and then recipient mail servers can use a public key to verify that the email was not changed in transit.
DKIM is also defined as a DNS record on your domain.
Let’s look at the DKIM record for google.
To see the DKIM record we need to find selector and domain in DKIM-Signature in an email we got from google. To find DKIM-Signature we need to look at raw email (in Gmail, click 3 dots, and then click Show Original in Gmail). In the Original email, look for the
Here is the DKIM Signature I found in an email I got from Google.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
In this header, we see
s= tags along with few other tags like
d tag is for the domain, and
s tag is for the selector, so our full DNS record that contains DKIM public key would be
<s>._domainkey.<d>. In our case, It will be
Let’s look at it using dig
$ dig 20210112._domainkey.accounts.google.com -t TXT +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5jwZiY255HTBgFdh5lrINkcbwuymEytz4kkP1h5KojAVBwyxU42zN6FUwTAI+pq8H6zt77jUrPqh0IUN7m948pHEP0o6xGzKkhOrKuirrtvAKAm/JuRTfVMkrYzHdGbM6X" "hXJ1BFU79vDlNTAsResvhybbUM8FQz1/trnCdhQRka45ZhUpVi1RWdctnhajNwWMBf/FQ4qBVYNWXVaoZnRZp/AtGuwTVkFLQbGPaSmvLELa644g7yo/eCfCUtZpDEKHsDqcHFFg1VUzlnSChnmdyn4Nh61XVP35G18Szt6YT5iUddMPXX5kSKmZ26HSIs/vFHJe0zDDNLkRF3KSLGewIDAQAB"
Why do you need DKIM?
With SPF you can define which email servers can send emails for you but you are still vulnerable to someone modifying messages in between sender and receiver.
DKIM comes into play when you want to protect your emails during transit and protect against man-in-the-middle attacks on your emails.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance
Now you must be asking, why do you need DMARC when you have SPF and DKIM.
As the full form suggests, it allows a domain owner to define what to do with emails that fail SPF or DKIM checks.
in your DMARC record, you can define an email address to get DMARC reports. DMARC reports are sent by receiving email servers and give you visibility into emails that are failing SPF or DKIM checks. you can use DMARC reports to see who is trying to spoof emails for your domain.
Let’s look at DMARC records for google.com and github.com using dig
What is BIMI?
BIMI (pronounced: Bih-mee) stands for Brand Indicators for Message Identification
https://bimigroup.org/ website says that:
For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated.
BIMI is another tool for you to tell your users that email is coming from the real you, and it’s not spoofed. also, having a logo helps you stand out.
Let’s look at BIMI record for bimigroup.org using dig
$ dig default._bimi.bimigroup.org -t TXT +short
"v=BIMI1; l=https://bimigroup.org/bimi-sq.svg; a="
You can also use https://bimigroup.org/bimi-generator/ to look and generate BIMI records.
BIMI is relatively new and is only supported by Yahoo, Google, and Fastmail so far. It’s still being adopted by more companies.
This means that If you have a valid BIMI record on your domain, your users will only see the Brand Image if they use Yahoo, Google, or Fastmail products to view your emails.
Now that we have learned acronyms of the email world, let’s discuss some tools. You can use these tools to test your domain’s configuration, identify and fix issues.
- dmarcanalyzer.com/ - they have tools to test SPF, DKIM, DMRC, and BIMI records
- toolbox.googleapps.com/apps/checkmx/ - tool to check your email configuration.
- bimigroup.org/bimi-generator/ - tool to check MX, SPF, DMARC, and BIMI record. this tool can also be used to generate BIMI record.
Now you know why you need SPF, DKIM, and DMARC records or maybe a BIMI record if you want to be fancy and show your brand image. You can consult your mail server provider’s documentation on how to add these records for your mail server and domain.
In most cases, adding an SPF record is easy, compared to setting up DKIM, and DMARC records.
Some DNS or CDN providers have wizards to add these records. for example, Cloudflare (image attached) shows you an alert with a wizard when your domain is missing these records.
Those were technical things to improve your deliverability.
Let’s discuss some non-technical things to improve your email deliverability.
- Only send essential emails, and don’t spam your users, spamming quickly lands you into spam filters and ruins your reputations, it is very tempting to bombard users, but please don’t. if you spam your users, SPF and DKIM will not save you from ending up in the spam folder.
- Always provide an unsubscribe button, and make sure it works. users will mark your emails spam if your unsubscribe button doesn’t work
- Don’t resort to dark patterns, stay honest, and don’t use clickbait in email subjects. respect your user’s inbox.
- Don’t focus on shallow metrics, define and focus on core actions that you want your users to do.
- Sometimes a good old text email is better than the HTML email that doesn’t render properly on your user’s device.
I hope this was helpful and helped you secure your domains.
That’s all folks, have a good day and stay safe 👋