Are You SURE Your Emails Get Delivered?

Email deliverability for optometrists. DMARC. DKIM. SPF.

Are you sure those important emails you send to your optometry patients aren’t ending up in the spam folder? Or worse yet, silently not being delivered at all? They might be getting labelled as junk because your sending domain hasn’t been set up for email authentication.

Just like an eye test for your patients, it might be time for a quick “email health checkup”.

Enter your website domain name (e.g. yourdomain.com) in the input box below to find out if all your email security policies are correctly in place.

See your score immediately. (red=fail, yellow=needs attention, green=pass)

From 1 February 2024, Gmail and Yahoo Mail require every sender to authenticate with at least an SPF record or a DKIM record; unauthenticated mail is filtered as spam or rejected outright. Bulk senders (Google’s threshold is about 5,000 messages a day to Gmail addresses) must have SPF and DKIM and a published DMARC policy.

Google and Yahoo are tightening their rules because, without authentication, anyone can send mail that appears to come from your domain. That makes phishing easy and damages the reputation of the genuine sender. Email authentication used to be a best practice; it is now a condition of reaching the inbox at all.

You can read the full announcement on Google’s Help forum.

So what do SPF and DKIM records look like, where do you get them, and how do you use them to make sure email that you send out to patients actually arrives in their inboxes?

I’m glad you asked! Read on for more details.

What Are SPF and DKIM? (and DMARC)

SPF, DKIM and DMARC are each a single TXT record that you add to your domain’s DNS.

Let’s back up a second. What’s a “DNS”?

When you registered your website domain, you (or maybe your hosting company) created a set of records that tell “the internet” where to find your website, which servers handle email for your domain, and more. Those are called “DNS” entries (DNS is the Domain Name System).

So your SPF, DKIM and DMARC records are additional DNS entries that let receiving mail servers check whether an email claiming to come from your domain really did. Until now they have been recommended, but optional.

SPF Record (Sender Policy Framework):

  • Purpose: Tells the world which mail servers are allowed to send email for your domain, so spammers can’t send as you.
  • How it Works:
      • You publish a list of the servers (by hostname or IP address) that are authorised to send email from your domain.
      • When a receiving server gets an email, it looks up that list for the domain in the message’s return address (the “envelope” or bounce address, which is not always the address your patient sees in the From: line).
      • If the sending server is not on the list, the email can be marked as spam or rejected, depending on the qualifier on the final “all” term of your record.
  • Key Benefit: Reduces the chance of your domain being used for email spoofing (where someone sends emails pretending to be you).

DKIM Record (DomainKeys Identified Mail):

  • Purpose: Lets receivers verify that an email was really sent with your domain’s approval and that its content wasn’t changed on the way.
  • How it Works:
      • Your mail server signs each outgoing email (selected headers plus the body) with a private key that only it holds.
      • The matching public key is published in your DNS under a “selector” name, so the signature is tied to your domain.
      • Receiving servers fetch that public key and check the signature. If it verifies, the email came from a server holding your key and hasn’t been altered in transit.
  • Key Benefit: Increases email trustworthiness and proves the email genuinely came from your domain. Unlike SPF, a DKIM signature usually survives forwarding, because it travels with the message rather than depending on which server delivered it.

In summary, SPF says which servers may send email on your domain’s behalf, while DKIM proves that a given email was signed with your domain’s key and hasn’t been changed.

Both are used to improve email security and deliverability.

Gmail and Yahoo Mail are now saying that it is mandatory to have at least one of these.

Best practice is to have BOTH, along with a DMARC record.


What is DMARC?

DMARC Record (Domain-based Message Authentication, Reporting, and Conformance):

  • Purpose: Ties SPF and DKIM to the address your patients actually see (the From: line) and tells receivers what to do when the checks don’t hold up.
  • How it Works:
      • An email passes DMARC if at least one of SPF or DKIM passes AND the domain that passed matches (“aligns” with) the domain in the From: header. SPF passing for some other domain, such as a marketing provider’s bounce address, doesn’t count.
      • Your DMARC record tells receiving servers how to handle email that fails: do nothing (p=none), send it to spam (p=quarantine) or refuse it (p=reject).
      • Receivers send you aggregate reports (XML files, usually daily) listing who sent mail as your domain and whether it passed, so you can find legitimate senders you forgot to authorise and spot spoofing attempts.
  • Key Benefit: Consistent handling of failed authentication across receivers, plus visibility into who is sending as your domain. This is what actually stops spoofing and phishing with your domain: SPF and DKIM on their own never tell a receiver to reject anything.

Do I REALLY Need DMARC, Too?

Technically, DMARC is still optional for low-volume senders (bulk senders must have it), but it’s a very good idea to have it anyway.

DMARC gives receiving email accounts the highest level of confidence that your account hasn’t been “spoofed” (impersonated by bad actors as part of a phishing scam, for example).

And What is BIMI?

BIMI Record (Brand Indicators for Message Identification):

  • Purpose: Enhances email trust and brand visibility by displaying your brand’s logo in supported email clients.
  • How it Works:
  • Allows you to specify a logo that should be displayed alongside your emails in recipients’ inboxes.
  • Requires an enforcing DMARC policy (p=quarantine or p=reject, applied to 100% of mail and not weakened for subdomains with sp=none) to ensure email authenticity.
  • Email services that support BIMI will show your logo, making your emails more recognizable and trustworthy.
  • Key Benefit: Increases brand presence and trust in email communications, helping your emails stand out in crowded inboxes and reducing the risk of them being mistaken for spam or phishing attempts.

While BIMI records are gaining traction, especially among larger organizations and those highly focused on brand and security, they are not yet a standard practice across all businesses. The trend, however, is towards increased adoption, particularly as awareness of its benefits grows and more email clients begin to support it.

BIMI is nice to have, too. But I wouldn’t lose any sleep if you don’t have it yet.

SPF, DKIM and DMARC are what you need to focus on, to maximize your email deliverability.

Where do I get SPF, DKIM and DMARC and how do I use them?

If you aren’t across all the technical details, it’s quite normal to feel intimidated by the alphabet soup of email security terms!

Start by talking to whoever manages your email platform (it may be the same as whoever manages your website). Ask them to give you the necessary SPF, DKIM and DMARC records.

Then, either add the records to your Domain Registrar DNS yourself, or ask your website technical support person to add them for you.

Example SPF record:

RECORD TYPE: TXT
RECORD NAME: [your domain name e.g. yourdomain.com]
RECORD CONTENT: v=spf1 include:_spf.google.com include:mailserver.com ~all

or perhaps something like this:

RECORD TYPE: TXT
RECORD NAME: [your domain name e.g. yourdomain.com]
RECORD CONTENT: v=spf1 +a +mx +ip4:203.0.113.23 include:mailserver.com ~all

(203.0.113.23 and mailserver.com are placeholders; use the address and the include: name that your own email provider gives you.)

Breaking this down:

  • v=spf1: This indicates the version of SPF used, which is SPF version 1.
  • include:_spf.google.com: Authorises the servers listed in the SPF record of _spf.google.com. This is what Google Workspace tells you to publish when Workspace sends your mail.
  • include:mailserver.com: Pulls in another domain’s SPF record (here the placeholder mailserver.com). This is how you authorise an additional email service provider or a third-party mail server. You can add multiple include: mechanisms BEFORE the final ~all or -all, but keep the total small: SPF allows at most 10 DNS lookups per check (include:, a, mx and redirect= each count, and the includes inside your includes count too), and a record that exceeds the limit fails with a permanent error, which is as bad as having no SPF record at all.
  • +a: Authorises the IP address that your domain’s A record points to (usually your web host). The + is the default and can be left out. Only keep this if the web server really does send email (contact forms, for example); otherwise it is one more machine that can send as you.
  • +mx: Authorises the servers in your MX records. MX records are for receiving email, but many providers use the same hosts for sending.
  • +ip4:203.0.113.23: Explicitly authorises a single IP address; a range is written in CIDR notation, e.g. ip4:203.0.113.0/24. Useful if you have a specific server (other than the ones identified by your A or MX records) that sends out emails. Check the address carefully, because an address that isn’t valid makes the whole record invalid.
  • ~all: The ~ indicates a SoftFail. Mail from servers not on the list should be treated with suspicion but not outright rejected. The -all form is a HardFail: reject it. For DMARC purposes the two are the same (either way the SPF check does not pass), so ~all is mainly a gentler setting while you are still discovering which servers send for you; switch to -all once the list is complete. Also note that a domain may have only ONE SPF record: if you add a second TXT record starting with v=spf1, SPF fails for everyone.

Each organization’s SPF record will differ based on their specific email sending sources and policies. The record should be carefully tailored to include all authorized sending IPs and domains, and to specify the right policy for handling mail that doesn’t align with these rules.
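Before you save an SPF record, it is worth checking it the way a receiver will parse it. The following checker is an added example written for this article, not part of the original page or of any email provider’s tooling. It takes the two records shown above (the second one deliberately carrying an invalid IP address, 35.391.284.23, to show what a typo looks like) plus a tightened version, and reports the problems a receiver would trip over: an invalid address, too many DNS-lookup terms, a missing or permissive "all". The include: targets are not resolved, so nested lookups are not counted.

```python
import ipaddress

# Mechanisms (and the redirect= modifier) that each cost one DNS lookup
# toward the RFC 7208 limit of 10; exceeding it yields "permerror".
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_DNS_LOOKUPS = 10

# Constructed sample records: the article's two examples (the second with the
# invalid address it originally carried) and a tightened version. mailserver.com
# and 203.0.113.23 are placeholders, not real senders.
SAMPLE_RECORDS = {
    "workspace": "v=spf1 include:_spf.google.com include:mailserver.com ~all",
    "bad-ip": "v=spf1 +a +mx +ip4:35.391.284.23 include:mailserver.com ~all",
    "hardened": "v=spf1 include:_spf.google.com ip4:203.0.113.23 -all",
}


def lint_spf(record):
    """Check the syntax of an SPF TXT value.

    Returns (problems, terms): problems is a list of strings (empty means the
    record looks sane), terms the parsed (qualifier, mechanism, argument)
    triples. include: targets are not resolved here.
    """
    problems, terms = [], []
    words = record.strip().split()
    if not words or words[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"], terms

    lookups, all_qualifier, has_redirect = 0, None, False
    for word in words[1:]:
        if word.lower().startswith("redirect="):
            lookups += 1
            has_redirect = True
            terms.append(("+", "redirect", word.split("=", 1)[1]))
            continue
        if "=" in word and ":" not in word:
            continue  # other modifiers (exp=) do not affect authorisation
        qualifier = "+"  # pass is the default when no qualifier is written
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        mech, _, arg = word.partition(":")
        if "/" in mech:  # a/24 or mx/24: CIDR suffix without a colon argument
            mech, suffix = mech.split("/", 1)
            arg = "/" + suffix
        mech = mech.lower()
        terms.append((qualifier, mech, arg))

        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"{mech}:{arg} is not a valid IP address or CIDR block")
            else:
                if (mech == "ip4") != (net.version == 4):
                    problems.append(f"{mech}:{arg} uses the wrong address family")
        elif mech == "all":
            if all_qualifier is not None:
                problems.append("more than one 'all' mechanism")
            all_qualifier = qualifier
        else:
            problems.append(f"unknown mechanism '{mech}'")

    if lookups > MAX_DNS_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS} (permerror)")
    if all_qualifier is None and not has_redirect:
        problems.append("no 'all' mechanism: unlisted senders get 'neutral', which is no policy at all")
    elif all_qualifier in ("+", "?"):
        problems.append(f"'{all_qualifier}all' lets any host send as your domain")
    elif all_qualifier == "~":
        problems.append("'~all' is a softfail; switch to '-all' once every real sender is listed")
    return problems, terms


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        problems, _ = lint_spf(record)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as a script and the "bad-ip" record is flagged for its impossible address while "hardened" comes back clean. To check a live domain, fetch the TXT record with `dig TXT yourdomain.com` and paste the value in; the real lookup count is only known once each include: is followed, which is why hosted checkers resolve them.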

Example DKIM record:

RECORD TYPE: TXT
RECORD NAME: default._domainkey.yourdomain.com
RECORD CONTENT: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0GmxlSxY5Jm5E

Breaking this down:

  • default._domainkey.yourdomain.com: This is the name of the DKIM record. The default part is a selector which is used to differentiate between multiple DKIM keys, if you have more than one. The _domainkey is a fixed part of the syntax. Replace yourdomain.com with your actual domain name.
  • v=DKIM1;: This indicates the version of DKIM being used (DKIM1 is standard).
  • k=rsa;: The key type, typically RSA. Receivers are phasing out keys shorter than 2048 bits, so ask your provider for a 2048-bit key (Google Workspace offers one).
  • p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0GmxlSxY5Jm5E: This is the public key itself, the base64 encoding of the key, which is a long string of characters. Receiving email servers use it to verify the DKIM signature on emails sent from your domain. A 2048-bit key makes the TXT value longer than 255 characters, so DNS stores it as two or more quoted strings; most DNS control panels split it for you, but if you paste it by hand make sure nothing gets cut off.

Remember, the actual DKIM public key (p= value) will be a unique string generated for your domain. The example here is truncated for simplicity. When setting up DKIM, it’s crucial to use the specific key generated by your email service provider or your own email server.

NOTE: Some email service providers may give you more than one DKIM record. You need to add all of them to your DNS. Also, some Email Service Providers may ask you to add DKIM as a CNAME record rather than a TXT record (the provider then hosts the key and can rotate it without you touching DNS), so check their instructions carefully.

Example DMARC record:

RECORD TYPE: TXT
RECORD NAME: _dmarc.yourdomain.com
RECORD CONTENT: v=DMARC1; p=reject; rua=mailto:[email protected]

Breaking this down:

  • _dmarc.yourdomain.com: This is the name of the DMARC record for the domain yourdomain.com. Replace yourdomain.com with your actual domain name.
  • v=DMARC1;: Specifies the version of DMARC being used. DMARC1 is the current standard.
  • p=reject;: This is the DMARC policy. The reject policy tells receiving email servers to refuse emails that fail DMARC, i.e. that pass neither an aligned SPF check nor an aligned DKIM check. Other policies are none (monitoring mode, no action taken on emails that fail) and quarantine (emails that fail are placed in the spam/junk folder). A separate sp= tag can set a different policy for subdomains; if it is missing, p= applies to them too.
  • rua=mailto:[email protected]: This specifies an email address where aggregate DMARC reports are sent. These reports list every source that sent mail as your domain and whether it passed, which helps in identifying authentication issues (a service you forgot to include in SPF) or unauthorized use of the domain. They are XML files and arrive from every receiver, so most people point rua= at a reporting service or a dedicated mailbox rather than a personal inbox.

This DMARC record example instructs email servers to reject emails that pass neither aligned SPF nor aligned DKIM, and to send reports about them to the specified address. The specific policy and reporting preferences should be tailored to each organization’s needs and capabilities.

It’s generally considered best practice to roll DMARC out in stages. Start with p=none and a rua= address: nothing changes for your mail flow, but the reports show you every server sending as your domain, including the booking system or newsletter tool you forgot about. Once all legitimate senders pass, move to p=quarantine (optionally with pct=, e.g. pct=25, to apply it to a share of failing mail first), and finally to p=reject. Jumping straight to p=reject risks bouncing your own appointment reminders.
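The DMARC “how it works” section above and the record breakdown both turn on one rule receivers apply: a message passes when either SPF or DKIM passes for a domain aligned with the From: header, and the p= (or sp=) policy only bites when neither does. The following is an added example for this article, not code from the page or from any mail software. It parses and sanity-checks a DMARC record, then evaluates three constructed scenarios for the placeholder domain yourdomain.com: a marketing provider sending through its own bounce domain (SPF passes but is not aligned, DKIM carries the pass), a plain spoof, and a newsletter subdomain signed with the parent key. The record’s reporting address and the other domains are made up for the example, and the organizational domain is approximated as the last two labels; a real validator consults the Public Suffix List so that co.uk-style suffixes are handled correctly. The pct= sampling tag is ignored.

```python
# Constructed example record for the article's placeholder domain; the
# reporting address is an assumption, not taken from the article.
EXAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@yourdomain.com"
POLICIES = ("none", "quarantine", "reject")

# Constructed scenarios. Tuple order matches evaluate_dmarc's arguments after
# policy: From: domain, SPF result, MAIL FROM domain, DKIM result, DKIM d= domain.
SCENARIOS = {
    # ESP sends via its own bounce domain: SPF passes but is NOT aligned;
    # the ESP signs with d=yourdomain.com, so DKIM carries the pass.
    "esp_dkim_aligned": ("yourdomain.com", "pass", "bounce.esp-provider.example", "pass", "yourdomain.com"),
    # Spoof: the attacker's server passes SPF for *their* domain and has no key of ours.
    "spoof": ("yourdomain.com", "pass", "attacker.example", "none", None),
    # Newsletter subdomain signed with the parent domain's key.
    "subdomain": ("news.yourdomain.com", "fail", "news.yourdomain.com", "pass", "yourdomain.com"),
}


def parse_dmarc(record):
    """Split a DMARC TXT value ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lint_dmarc(tags):
    """Return a list of problems with a parsed DMARC record; empty means OK."""
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    elif tags["p"] == "none":
        problems.append("p=none only reports; spoofed mail is still delivered")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "rua" not in tags:
        problems.append("no rua=: you will never see the aggregate reports")
    elif not tags["rua"].startswith("mailto:"):
        problems.append("rua= must be a mailto: URI")
    return problems


def organizational_domain(domain):
    """Approximation (assumption): the last two labels. Real implementations use
    the Public Suffix List so that a.co.uk and b.co.uk are not one organization."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    from_domain, auth_domain = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(policy, from_domain, spf_result, mail_from_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) per RFC 7489 section 6.6.

    DMARC passes when at least ONE of SPF or DKIM passes AND that identifier is
    aligned with the From: domain. The policy only applies to failures; pct=
    sampling is ignored in this example.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower().rstrip(".") != organizational_domain(from_domain)
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    policy = parse_dmarc(EXAMPLE_DMARC)
    print("record problems:", lint_dmarc(policy) or "none")
    for name, args in SCENARIOS.items():
        print(f"{name}: {evaluate_dmarc(policy, *args)}")
```

The "esp_dkim_aligned" scenario is the everyday case for a practice using a newsletter or booking service: those services send from their own bounce domain, so only DKIM can align, which is why the provider’s DKIM record (often the CNAME they ask for) matters more than adding them to SPF. Flip adkim to "s" and the subdomain scenario fails, falling through to the sp=quarantine policy.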

Example BIMI record:

RECORD TYPE: TXT
RECORD NAME: default._bimi.yourdomain.com
RECORD CONTENT: v=BIMI1; l=https://yourdomain.com/logo.svg;

Breaking this down:

  • default._bimi.yourdomain.com: This is the name of the BIMI record for your domain. Replace yourdomain.com with your actual domain name. The default part is a selector, similar to selectors used in DKIM records, which allows for different BIMI configurations if needed.
  • v=BIMI1;: Specifies the version of BIMI being used. BIMI1 is the current standard.
  • l=https://yourdomain.com/logo.svg;: The l parameter is the URL of your logo. It must be served over HTTPS and be an SVG in the restricted SVG Tiny PS profile that BIMI requires (no scripts, no external references), not an ordinary SVG export from a design tool. Replace https://yourdomain.com/logo.svg with the actual URL of your brand’s logo.

This BIMI record example asks supporting email services to display the specified logo next to emails from your domain, enhancing brand visibility and trust in your email communications. Remember, BIMI only works on top of an enforcing DMARC policy, and some mailbox providers, Gmail among them, additionally require a Verified Mark Certificate (VMC) or similar mark certificate for the logo before they will show it.

If you’re still confused, watch the following video from Stewart Gauld’s YouTube channel where he walks us through using SPF, DKIM and DMARC on a Google Workspace email account.

Optics Digital Marketing SITE CARE Plans

At our agency, we don’t manage your email directly. For that, we recommend using a dedicated Email Service Provider (ESP) like Google Workspace.

However, we are happy to assist with advice on setting up your email security correctly.

And of course we do all the other website hosting, routine maintenance, security monitoring and minor site tweaks necessary to keep your optometry website humming … and letting you focus on what you do best; serving your patients.

Let’s Talk

If you would like to know more about how Optics Digital Marketing can help with maintaining your website or general digital marketing, BOOK A FREE CONSULTATION call today.
