
Why your emails are going to spam

With instances of ransomware and phishing attempts on the rise over the past few years, email providers are becoming more and more strict about the emails they allow into their users’ inboxes. As of 2020, spam / phishing emails were by far the most common source for ransomware infections (source), so it makes sense that email providers would want to prevent that traffic as much as possible. Unfortunately, that can often mean that legitimate emails are identified as potential spam and land in recipients’ spam folders instead of their inboxes.

To reduce the likelihood that your emails are treated as spam, there are several types of DNS records you need to make sure you have set up for your domain (and any subdomains you use to send email). Beginning in early 2024, Google and Yahoo started requiring several of these for all senders (regardless of size), with additional requirements for businesses sending at least 5,000 emails / day. Microsoft announced their own requirement in 2025, making this setup necessary for all of the major email providers.

Unfortunately, early coverage of these requirements focused primarily on large-volume senders (those sending 5,000+ emails per day), leading to widespread confusion about what applies to all email senders. As a result, even 18 months after implementation, many small business owners are unaware they’re missing critical setup components, leaving them puzzled when their emails land in spam folders.

What are the new email authentication requirements announced in 2024?

There are a lot of detailed technical requirements in Google’s Email Sender Guidelines, but the ones that are most relevant for small business owners, specifically for 1:1 emails, are SPF, DKIM, and DMARC. While Google (and Yahoo) mention other requirements such as TLS, PTR, message formatting, etc., those technologies are handled by the infrastructure, apps, or tools you’re using, so we’re only covering the pieces here that business owners (or their support teams) need to configure.

What are SPF, DKIM, and DMARC and what do they do for you?

In a nutshell, SPF and DKIM tell other email servers how to identify what is legitimate email from you, vs. what is likely spam / spoofing (fake). DMARC tells the servers what to do with emails that fall into the “likely spam” category (whatever they want to do, quarantine, or reject). When there is any question whether or not an email is legitimate (i.e., when these records haven’t been defined), receiving servers err on the side of caution and classify it as spam.

Here is more detail on each type of record:

  • SPF defines the list of servers that you authorize to send email on your behalf, using your email address / domain. You can only have one SPF record for each domain or subdomain (though you can daisy-chain when needed), and it must be a TXT record type. There are length and lookup limits when defining these, and sometimes you have to get creative (hence the daisy-chaining).
  • DKIM is a “stamp” on outgoing email that receiving servers can check to make sure the message hasn’t been tampered with en route. You should have at least one DKIM record for every system that sends email using your domain (e.g., your email provider, your email marketing tool, your photo gallery tool, your help desk system, etc. UNLESS the tool connects directly to your email account to send for you). These can either be TXT records or CNAME records, depending on how each tool is configured.
  • DMARC sets your policy for emails that fail SPF and DKIM, and tells the servers where to send your result reports. Not all servers respect the policy you have set, but the big ones generally do. There is one DMARC record for each domain, and it must be a TXT record type. To be most useful, you’ll want a monitoring tool that receives the reports generated from recipients’ servers, so you can see the results of the emails going out. You don’t see what the servers do with your emails, but you do see whether they pass or fail the checks performed for SPF, DKIM, and DMARC. Failing emails generally go to spam or get rejected altogether, depending on your policy.
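
To make the SPF and DMARC rules above concrete, here is a small offline check (an added example, not part of the original post) that flags a duplicate SPF record, counts SPF DNS lookups against the limit of 10, and reads the DMARC policy and report address. The domain names and record values are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample TXT records for the placeholder domain example.com.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.mailhost.example include:spf.newsletter.example ~all",
        "v=spf1 include:helpdesk.example -all",  # a second SPF record (mistake)
        "site-verification=constructed-value",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

# SPF terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def audit_spf(records):
    """Return findings for the TXT records published at a sending domain."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    findings = []
    if len(spf) != 1:
        findings.append(f"expected exactly 1 SPF record, found {len(spf)}")
    for rec in spf:
        # Counts this record only; lookups inside include: targets also count.
        lookups = sum(1 for term in rec.split()[1:] if LOOKUP_TERM.match(term))
        if lookups > 10:
            findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
        if len(rec) > 255:
            findings.append("longer than 255 characters: must be split into several strings")
    return findings

def audit_dmarc(records):
    """Return the policy, report addresses and findings for _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    result = {"policy": None, "rua": [], "findings": []}
    if len(dmarc) != 1:
        result["findings"].append(f"expected exactly 1 DMARC record, found {len(dmarc)}")
        return result
    pairs = (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    result["policy"] = tags.get("p", "").lower()
    result["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if result["policy"] not in ("none", "quarantine", "reject"):
        result["findings"].append("p= must be none, quarantine or reject")
    elif result["policy"] == "none":
        result["findings"].append("p=none: receivers handle failing mail however they choose")
    if not result["rua"]:
        result["findings"].append("no rua= address, so no aggregate reports are sent")
    return result
```

Calling `audit_spf(SAMPLE_TXT["example.com"])` reports the duplicate SPF record; merging both `include:` entries into a single record clears it.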

It’s important to make sure you’ve identified all the systems that send email on your behalf and account for them in your records. Generally, each tool that uses your email address as the sender should give you instructions on how to define each of your records with them in mind. They may call it domain authentication (not just verification, but one step beyond), custom domain, custom return path, or you may find it in their help documentation under SPF and DKIM.

Need help?

If any of this has made your eyes cross, I understand! I’ve helped many business owners with their setup so they know their emails are going to inboxes instead of spam folders, and I’m happy to help you. Click here to get started!
