There are a lot of big change that’s happening all over emails with SPF,  DKIM and DMARC settings. All of this has been started from Google taking the initiative. There has been lots of information coming out about these email changes and we’ve seen lots of people saying oh we’ve got to get things done by 1st of February or hang on there’s something about a 1st of April there’s another date of 1st of June. Why is Google enforcing all these changes? Why are we having to do this with our emails when everything was working fine before?

All of these things are going around and nobody’s actually sat down and seemed to explain what it actually is, what the actual truth of it is. It just reminds me of GDPR days where you having people talking from a very technical point of view and doing things as it is for large organizations where it’s like emails have to be encrypted, well all emails are encrypted as long as you know you’re use an up to-date service, you didn’t need to buy extra levels of encryption, except in specific situations, so the talks weren’t going quite right.

I’ve decided I’m going to do this about what the SPF, the DKIM and the DMARC actually are. Now one thing that I’m often told is we need to get explain the acronyms as they don’t tend to mean too much. However because we hear the acronyms so much, that’s what we are used to. But to make sure you know what they stand for.

SPF is Sender Policy Framework
DKIM is Domain Key Identified Mail
DMARC is Domain-based Message Authentication Reporting and Conformance

These likely still mean nothing to you and that’s what this webinar/blog is going to go through.

What is actually going to happen?

Google and Yahoo have started putting out some changes and they’re a long time coming. Please don’t think it is them interfering, it’s brilliant what they’re doing. What I would look at from your own point of view is these changes are fantastic because what they’re going to do is help stop a load of the scams, a load of the spoofs, and a load of the spam emails.

If you remember years and years ago very early 2000s we were going on with our lives quite happily logging on to web pages and then suddenly Google said if you don’t put a padlock at the top corner of your website with an SSL certificate we’re going to lower your ranking on Google, so people started doing that and the web became more secure. Do you realize people used to log into Facebook it was an option to turn on that https, but the default was HTTP that meant you sent your Facebook password through all the servers from your computer in your home to the Facebook server non-encrypted. We didn’t even think about that even large companies like that didn’t do it until Google sat there and said come on pull your finger out, SSL certificates can be free, there is no excuse. The only people who need to pay for an SSL certificate are the ones who need the insurance. What we always need to do is make the internet a safer place and Google are doing the same again for emails, so these things should be embraced. Google has started to help push this along and other companies are following through, they’ve all wanted to do it but Google’s the one who stood up in the firing line to say this, and to get all the the people commenting about it to say, oh you know what’s going on? Why are you doing this? and getting the the flack and the abuse on it.

What these settings are to to do will actually mean that mailboxes on the receiving servers will get less spam, will get less scams and will get less spoofed emails which means the people that they look after, the people whose emails they receive, will be less susceptible to those things that could steal money from them. Likewise to the businesses that send emails, embracing this technology you will be less likely to blame for some of the scams that go out there the spoofed ones because at the moment anyone on the internet can actually send an email claiming to be from nearly anyone. It’s these settings that will actually make sure the receiving servers reject the emails that actually haven’t really come from the correct person.

We’ve got two types of emails that exist;

1. Normal E-Mail

These are communication emails these are ones when we talk back and forth, that direct conversation. Those emails are the ones you send from your email application so your Apple mail, your Outlook, possibly your web mails. Those normal emails for will continue without any impact whatsoever, you just need the SPF or the DKIM record set up on the system. Google already for the last few months have been rejecting emails from domains without any SPF record set up.

Emails come from three types of systems. You can have your Microsoft 365 or your Google Workspace. Those types of email systems are very professional and they’ll have that SPF record and they do give you the options for setting up your DKIM. The DKIM usually needs going in to that bit more technical level, again you can look it up. My recommendation actually speaks your IT person, they should be able to sort that for you.

The other place we get emails or we send emails from is when they’ve brought web hosting and they’ve got what’s called IMAP emails. These are very bare basic emails they literally will do emails and only emails. No contacts, no calendar, nothing extra.  They don’t synchronize the calendar with your outlook to the the web, you can’t look at your calendar on your phone and on your email application. Some webhosting will set up an SPF record, many others don’t they leave these these settings for you to configure. SPF is the bare basic requirement. DKIM is a bit more advanced and will never be set up by default. As long as you’ve got one of those and you’re doing normal email communication those will go through.

2. Marketing / CRM / Automated E-Mails

With these they get a bit more complicated and there is a limit before their rule kicks in. The limit is 5,000 emails a day to Google mailboxes. So as long as you are under 5,000 emails a day the SPF and the DKIM are all that is needed. If you are sending 5,000 or more emails a day to Google, so like GMail accounts or Google Workspace accounts or Yahoo you will need to have a couple of other things in place.

  • You will need SPF and DKIM both set up for the mailing system
  • You will need a DMARC policy.
  • As of 1st of June there must be an single click unsubscribe option so you must ensure the person who receives the marketing email will see a pure link that can click on that will unsubscribe them. They will allow something that is a reply email to say please unsubscribe me, but it generally should be a single click where they click it and it loads up the point to unsubscribe, or they click it and it loads up the email to click Send on which says unsubscribe.
  • Finally, and I can’t imagine why anybody would do this, but I have seen some systems allow it. Do not spoof gmail.com or yahoo.com emails. If you’ve got a marketing system like Active Campaign, MailChimp or MailerLite, they do sometimes allow you to authenticate your email by receiving an email clicking a link and going yes that’s my email. Then they will try and send out as that email. Don’t use this and most of them are turning that feature off now because of the these requirements, but if you’re getting a marketing email and it comes from something at gmail.com or somebody at gmail.com even if it’s a business name at gmail.com, It can easily look like a scam so it’s not worth doing.

Marketing emails should come from your proper domain. Ideally a sub-domain, that means something beforehand so if you’re if you’ve got your domain.com, you should have something like sub.domain.com. If you look at some of the newsletters you get from other people where it might say, mail dot their domain or it might say mg dot their domain or it might be marketing dot or m dot all these different things are the subdomain.

One other thing Google and Yahoo is not liking, and they are going be filtering out is when an email goes out and it says from mcsv.net (MailChimp) on behalf of the email. So if I was doing it that way it would say from mcsv.net on behalf of Tristan@TLmartin.ltd.uk. If that’s what is happening to those emails, those Services have been bought but not fully configured, because they’re a bit more Technical. If you’re not sure on the technicality go talk to your IT person and they will sort that for you. Please be warned these settings do all need to be done right, because if you do make a mistake on those settings you can affect all your emails.

From the 1st of February, what’s going to happen is if you don’t comply with those rules, and they’re not really difficult rules, you’ll start getting temporary errors so stuff will still go through generally but you might get some bounce back with information back saying you have an error on those non-compliant emails.

From the 1st of April they’re going to reject a percentage of non-compliant emails, so if you send 75% of emails that are fully compliant they will all get through, the 25% that are non-compliant a percentage of those will get rejected they will not land in the receivers inbox.

From the 1st of June, looks to be the date that it will be full enforcement because that’s where they’re looking at having the unsubscribe button in place.

I will put as a side note at this stage, if you are somebody who has to do PCI compliance so if you’ve got a credit card machine where you take the the 16-digit number and you process it yourself not using something like stripe or PayPal but you actually are using a proper payment Gateway you will need to be DMARC compliant and have it fully set up for PCI compliance in 2025. They’re bringing that rule in because the DMARC stops where scammers can spoof your e-mail address.

What is SPF?

There are too many scams going on and that is what SPF starts to address. SPF is what servers out there are authorized to send emails on behalf of your domain so typically when you take out hosting that’s a default one because a lot of web hosts provide emails with it. If you’ve got Microsoft 365 or Google workspace you’ll need an SPF record you add because your domain is pointing at your web server but your emails are coming from Microsoft or Google servers. You’ve actually got to say Microsoft is authorized to send emails from my domain or Google is authorized.

You might have other systems in place where you send emails from

  • Marketing systems (Mailchimp, Mailerlite, ActiveCampaign)
  • Sales CRM (Sales Force, High Level, HubSpot)
  • Job CRM (Capsule, SeviceM8, AutoTask, Hubspot)
  • Specialist CRMs (for Recruitment, Job Boards, Medical, Clinical)
  • Your website (Don’t forget a contact form will be sending emails)

They will all have an SPF setting to add to the record (Do note they will each tell you their SPF record, you’ll need to be able to combine them together as you can only have 1 SPF record in your DNS). SPF is the bare minimum everybody should absolutely have.

What is DKIM?

DKIM is where each email that gets sent, is digitally signed as it’s sent out so that actually authenticates the sending mailbox where it has come from the email is digitally signed, it’s a lot more secure to use. DKIM often has to be set up on your normal emails by going through into the administration console of the webserver or Microsoft or Google Workspace.

Microsoft 365, in the admin console there’s a security area that you can go to, in the policies and threats section and inside that there is the setup for the DKIM and it will give you the records and then you have to put the two selectors in and rotate the keys every six months that’s the best practice.

Google Workspace, in the admin console and go into the App and email settings you’ll get to the section for setting up the DKIM TXT record.

If you send emails from any other systems the DKIM records from each of those places need to applied to the nameserver and DNS settings, just like with the SPF records.

Do note, this can be complicated to set up on webservers. Although where it can be set up, it still doesn’t apply to many of the website contact forms as they use PHPMailer to send the email, which it outside of the mailbox, so will never get DKIM applied. If you have a website contact form, get a service like SMTP2GO that will do the emails for you (This is also useful if you have Scan2Email set up on your printer). You maybe tempted to try and set up the webform to send through your Microsoft 365 or Google Workspace, do not do this, as to connect to them for those purposes you have to lower the security of your main email and data store.

What is DMARC?

With the SPF and DKIM set up, this is enough information to tell the receiving servers if an email has come from a genuine sender or not. The problem this has though is most receiving email servers are basic when it comes to spam filtering, and most recipients do not pay for an extra spam filtering service. While it might seem common sense that if an email fails SPF or DKIM it should be rejected, but because so many senders do not have these records in place or incorrectly configured the receiving servers have just got into the habit of letting the emails through, but putting them into the Junk folder. There is a huge problem with this, if the receiver gets the scam email, they still have the ability to fall for it, and if it looks like it came from you… then it will be you they want to blame.

If you go back 18 years, DHL was a typical one, emails would be received claiming to be from DHL and it actually looked like it came from DHL, it had their email address in the from. It had a zip file and the email says we’ve missed delivery if you want to rearrange delivery please open the attachment follow the instructions and the attachment was actually malware. People fell for these because it looked genuine. People really fell for these if they were expecting a delivery that day, and were in fear that it hadn’t been delivered, especially if it was business critical or really wanted. The zip file would contain malware that would allow the scammer access to the PC, and the files on it, and the route into the company network, or even ransomware.

It still happens today where emails will go to someone in the company where it will appear like it’s come from the boss saying to quickly pay some invoices which the member of staff will look to do, and then the company has paid several thousands to the scammers.

DMARC helps solve this, having your DMARC set up will mean that no one can successfully spoof your domain, because it removes the reliance upon the receiving server following common sense. You setting the DMARC policy get to dictate what the receiving server must do if emails it receives from your domain fail SPF and DKIM. Ultimately this will be set to “Reject” policy, the danger with this though is if there are any mistakes on your SPF or DKIM record then you could end up with emails not getting through to the recipient. This is why we recommend working with IT to set these up, and having a form of DMARC monitoring going on.

So when you set up the DMARC policy, the first thing you do is set the policy to “None”, this makes no difference what so ever to how the receiving servers handle your emails, except there should be a an email address added to the record, for where the reports go. Every day you will receive an email from each server receiving emails from you, telling you how many emails they received, from what servers and whether it passed SPF or DKIM, and if the emails would have been delivered should you have the policy fully turned on. The difficulty you’ll have with these reports is they are an XML file that is not easy to read as a human – see the youtube video at 45:56 for an example. Ideally you want to be using a tool to monitor this and show it in a graphical form, see the youtube video 46:55 to 57:27.

Once the emails have been monitored for a month, then you can be assured that everything is fully configured, then you can turn on DMARC to the “Reject” policy. At that point absolutely any email that fails SPF and DKIM will be rejected by the recipient server. This will make sure that people cannot spoof your email, it also means that you have the highest domain reputation so your genuine emails are more likely to be in the inbox rather than junk.

There is a “Quarantine” policy, I don’t see the point of this because if an email is quarantined, then those scam emails will not be rejected, they will still be available for the receiver to “release” and therefore end up falling for, so I would never recommend using this option.

On a side note we’d recommend that you always have a DMARC monitoring tool, even after you move to “Reject”. The reason being that the monitoring will alert your IT if suddenly a batch of emails fail SPF and DKIM, to see were these scams, or have you suddenly taken on a new tool, or has an existing tool changed their required settings, and the notification has been missed. Without the continued monitoring, you’d have to have faith that they would be getting through never knowing they were being rejected.

Proud BNI Member Cyber Essentials Certified Kaseya & Datto Silver Partner Datto Certified SAAS Protection PractitionerMSP Dark WebMicrosoft Silver Partner