Fix Bouncing Emails
SPF, DKIM & DMARC
An email I sent to a Gmail address recently bounced; this is how I solved it.
I have my own domain that I use for email, so I need to set up certain DNS records to avoid my emails bouncing at, for instance, Google’s email servers.
The relevant acronyms are:
- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Message Authentication, Reporting and Conformance)
I need to set up SPF and DKIM to avoid bouncing. DMARC is only necessary for sending email in bulk, so I don’t need that.
The purpose of SPF and DKIM is to stop people from “spoofing” my domain, which is when someone sends an email that looks like it came from my domain when it actually didn’t.
SPF and DKIM are set up as DNS records on the domain.
SPF
This DNS record lists which mail servers are allowed to send email on behalf of this domain.
This is the SPF entry for my domain:
- Type: TXT
- Subdomain: @
- Data: "v=spf1 include:hover.com -all"
For some reason I need to put " around the data. I’m not sure if that’s specific to my DNS provider.
hover.com hosts my email, so that’s the domain I include. I don’t write the entire mail server name, mail.hover.com, because the include mechanism looks up the SPF record of the domain given and doesn’t care about subdomains.
To check that it’s working I use an online SPF checker. I give it orsvarn.com and it verifies whether my SPF record is valid.
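To make the SPF mechanics concrete, here is an added example (not code from the original post or from hover.com) that parses an SPF TXT record and evaluates it for a given sending IP address, the way a receiving mail server does. DNS is replaced by a constructed in-memory zone so the script runs offline: the orsvarn.com record is the one from the post, while the hover.com record, the IP ranges and the loop.example domain are constructed sample values, not hover.com’s real record.

```python
"""Added example: evaluate an SPF record for a sending IP (offline).

Implements the subset of RFC 7208 the post's setup needs: the ip4, ip6,
include and all mechanisms with the + - ~ ? qualifiers, the 10-lookup
limit, and the surrounding double quotes some DNS providers show."""
import ipaddress

# Constructed zone: domain -> list of TXT strings. A real check would issue
# DNS TXT queries here instead. hover.com's content is invented for the demo.
ZONE = {
    "orsvarn.com": ['"v=spf1 include:hover.com -all"'],          # record from the post, quoted
    "hover.com": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all"],  # constructed
    "loop.example": ["v=spf1 include:loop.example -all"],         # constructed self-include
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, zone=ZONE):
    """Return the single v=spf1 TXT record for `domain`, or None if absent.

    Strips the surrounding double quotes the DNS provider displays.
    More than one SPF record is a permanent error per RFC 7208."""
    found = []
    for txt in zone.get(domain, []):
        txt = txt.strip().strip('"')
        if txt.lower().startswith("v=spf1"):
            found.append(txt)
    if len(found) > 1:
        raise ValueError(f"{domain}: multiple SPF records (permerror)")
    return found[0] if found else None


def check_host(ip, domain, zone=ZONE, _lookups=None):
    """Evaluate SPF for sender IP `ip` claiming MAIL FROM domain `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]          # shared counter across include: recursion
    record = get_spf_record(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, zone, _lookups)
            if sub in ("none", "permerror"):  # included domain must have a usable record
                return "permerror"
            matched = sub == "pass"           # only a "pass" of the included record matches
        else:
            return "permerror"                # mechanism not supported by this demo
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # no term matched and no "all" present


if __name__ == "__main__":
    print(check_host("198.51.100.25", "orsvarn.com"))  # pass, via include:hover.com
    print(check_host("203.0.113.9", "orsvarn.com"))    # fail, because of -all
```

The `-all` at the end is what makes the record useful against spoofing: any server not reached through the include chain gets a hard fail. The lookup counter is shared across the recursion because the 10-lookup limit applies to the whole evaluation, not per record; a record that exceeds it (or that includes a domain with no SPF record) evaluates to permerror, which receivers treat very differently from a pass.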
DKIM
This entry contains a public key that my email server provider created. When I send an email, the email server signs the email with a private key on the mail server. The receiver uses the public key on this DNS record to verify the signature.
My email client doesn’t need to do anything, the signing happens on the mail server.
I had to contact my email provider’s support to have them generate a key pair for me, and they gave me the public key. It seems like some providers allow you to generate your own key pair.
This is the DKIM entry for my domain:
- Type: TXT
- Subdomain: dkim1._domainkey
- Data: v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3D3MoSCbPojBxQpXA0B5nKWi33uE+QmDlvtqfqBgFLVPj3hMQGMBTLKG9+VjZ60zy7waZZxHkpIGnqiP0q6kVRTE7oKTZyjSWjogaYp0Mxt9m21gjLbVqSE2gU+wJ1iGbunkNWU9ng0LLZJ6hT8j3DvAKoq0wlWGb5DuX/2ybYQIDAQAB
At first I didn’t understand that I needed to create a new subdomain for this entry. I tried to put it under @ like with the SPF entry, but that didn’t work.
The t=s flag does this according to the specification:
Any DKIM-Signature header fields using the "i=" tag MUST have the same domain value on the right-hand side of the "@" in the "i=" tag and the value of the "d=" tag. That is, the "i=" domain MUST NOT be a subdomain of "d=". Use of this flag is RECOMMENDED unless subdomaining is required.
I don’t understand what that means, but it’s recommended and seems to work so that’s what I’m doing.
To check that it’s working I use an online DKIM checker. I give the checker orsvarn.com:dkim1 (domain and selector) and it tells me if it’s valid.
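The following is an added example (not code from the original post or from the email provider) of the kind of check an online DKIM checker performs on the record: it builds the selector name, parses the tag=value list, reads the t= flags, and decodes the p= value far enough to confirm it is an RSA public key and to report its size. The record for orsvarn.com is the one from the post; the revoked record under the constructed selector old is a made-up sample, and DNS is again replaced by an in-memory zone so the script runs offline.

```python
"""Added example: validate a DKIM DNS record the way a checker would (offline).

Parses the tag=value list of RFC 6376 section 3.6.1 and walks the DER of the
p= value (a SubjectPublicKeyInfo) with a minimal parser to get the RSA
modulus size and exponent. Only the standard library is used."""
import base64

# Constructed zone: DNS name -> TXT string. The dkim1 record is from the post;
# the "old" selector is a constructed example of a revoked key (empty p=).
ZONE = {
    "dkim1._domainkey.orsvarn.com": (
        "v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3D3MoSCbPojBxQpXA0B5nKWi33uE+"
        "QmDlvtqfqBgFLVPj3hMQGMBTLKG9+VjZ60zy7waZZxHkpIGnqiP0q6kVRTE7oKTZyjSWjogaYp0Mxt9m21gj"
        "LbVqSE2gU+wJ1iGbunkNWU9ng0LLZJ6hT8j3DvAKoq0wlWGb5DuX/2ybYQIDAQAB"
    ),
    "old._domainkey.orsvarn.com": "v=DKIM1; p=",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_dkim_tags(txt):
    """Split 'k=v; k=v' into a dict; whitespace inside values is folding and is removed."""
    tags = {}
    for field in txt.strip().strip('"').split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed tag: {field!r}")
        tags[key.strip()] = "".join(value.split())
    return tags


def _der_read(buf, pos):
    """Read one DER element at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(spki_der):
    """Return (modulus_bits, exponent) from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a SEQUENCE (not SubjectPublicKeyInfo)")
    tag, algid, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("public key is not a byte-aligned BIT STRING")
    _, rsakey, _ = _der_read(bitstr, 1)     # RSAPublicKey ::= SEQUENCE { n, e }
    _, modulus, pos = _der_read(rsakey, 0)
    _, exponent, _ = _der_read(rsakey, pos)
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def check_dkim_record(selector, domain, zone=ZONE):
    """Look up and validate <selector>._domainkey.<domain>; return a summary dict."""
    name = f"{selector}._domainkey.{domain}"
    txt = zone.get(name)
    if txt is None:
        raise ValueError(f"no TXT record at {name}")
    tags = parse_dkim_tags(txt)
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError(f"unsupported version {tags['v']!r}")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"key type {tags['k']!r} not handled here")
    flags = set(tags.get("t", "").split(":")) - {""}
    summary = {"name": name, "revoked": tags["p"] == "",
               "testing": "y" in flags,          # t=y: domain is testing DKIM
               "strict_domain": "s" in flags,    # t=s: i= domain must equal d= domain
               "key_bits": None, "exponent": None}
    if not summary["revoked"]:
        summary["key_bits"], summary["exponent"] = rsa_public_key_info(
            base64.b64decode(tags["p"], validate=True))
    return summary


if __name__ == "__main__":
    print(check_dkim_record("dkim1", "orsvarn.com"))
```

Two things the summary makes visible that a bare "valid" verdict hides: whether t=s is set (the flag the post’s RFC quote describes, which stops a signer from using an i= identity in a subdomain you never meant to delegate) and the modulus size. The key in the post is 1024 bits; RFC 8301 has since moved the minimum signers should use to 2048 bits, so when a provider generates the key pair for you, ask for 2048 bits, and rotate by publishing the new key under a new selector rather than overwriting the old one.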
DMARC
Since I don’t send bulk email, I don’t have this set up. I read somewhere that having a “low level” DMARC entry can make it easier to spoof emails from my address than if I had no entry at all.
It isn’t necessary to set this up to be able to send emails to Google’s mail servers, though some sellers of DMARC services online say otherwise.
The final test
To check that it’s working in practice:
- Wait for the DNS to propagate.
- I use the online SPF and DKIM checkers to check whether it has propagated. The way my DNS is set up, this takes up to an hour.
- Send an email to a gmail address.
- If I don’t get an email telling me it bounced, it works!
Questions or comments? Contact me via email.