DNS & Email Authentication

Deliverability Gatekeeping

Configuring Your DNS

Before you make headway with the abundance of comprehensive content marketing concepts, you must first ensure that the essential DNS records are set up and propagated properly so that your mail is accepted for delivery. The DNS system is responsible for translating IP addresses to domain names. When you enter a domain in your web browser or send an email from a domain, a DNS query is run against the hostname to confirm the legitimacy of your entry or, in the case of email, the legitimacy of the domain you are sending from. When DNS records are not properly set up and the DNS query fails, a webpage fails to load or a mail transmission is not accepted for delivery.

Authentication Best Practices

In most cases your system administrator or the technical party responsible for setting up your website and mail server will have the basic DNS configuration covered. However, when sending mass email there are additional DNS records that must be configured for the purpose of deliverability. Here are the top four DNS records you should know for the basis of good email delivery:

      • Reverse DNS (PTR)
      • SPF (Sender Policy Framework)
      • DKIM (DomainKeys Identified Mail)
      • DMARC (Domain-based Message Authentication, Reporting and Conformance)

Sender Policy Framework (SPF)

Sender Policy Framework, or SPF, is an authentication protocol that specifies which servers may send email on behalf of your domain. The SPF record is published as a text (TXT) entry in your DNS. For marketing purposes the SPF record should include the sending IP address used to deploy marketing creative from your domain. Mail that is sent from a domain without an SPF record may not be accepted for delivery for security reasons.

DomainKeys Identified Mail (DKIM)

Consider DomainKeys Identified Mail, or DKIM, the younger, stronger brother of SPF. DKIM is an authentication protocol that is cryptographically secured to stop phishing attacks. When an email is composed, the headers and body are signed using a private key of the sender. This creates a digital signature. The receiving mail server retrieves the public key (stored in the DNS) and verifies whether the email was indeed signed by the sending domain. If the signature is successfully validated, that proves that the sending domain sent the message and also that the headers and body of the message have not been modified during transmission.

Reverse DNS (PTR)

The reverse DNS lookup is a DNS query for the domain name associated with a given IP address. This accomplishes the opposite of the commonly used forward DNS lookup, in which the DNS system is queried to return an IP address.

DMARC Record

DMARC is the first authentication protocol that provides instructions to the recipient mail server on how to treat mail that is not properly authenticated. DMARC is the ultimate DNS protection against phishing attacks. A strict DMARC record of p=reject instructs the receiving server to reject all mail that fails the DMARC test. In order for mail to pass, the domain and sending IP records must be properly aligned. The authentication family (SPF and DKIM) is referenced and must be in alignment in order for the DMARC test to pass. At this point DMARC is not required for delivery but is often desired for security.
