If your application sends transactional or marketing emails, you must set up both DKIM and SPF. Failing to do so will hurt your email deliverability: your messages will end up in spam.
I've recently had to set up DKIM/SPF for Boutique. The application uses Amazon SES, which has pretty straightforward steps. I'll be using Amazon SES as the email service provider in this article.
What are DKIM and SPF?
DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are both email authentication methods. They let email receivers verify that an incoming email claiming to come from a domain was actually authorized by that domain's owner.
DKIM uses asymmetric cryptography: the sending service signs each email with a private key before it's sent out. The matching public key is published in the domain's DNS records, where receiving mail servers can look it up to verify the signature on any incoming email.
SPF publishes a list of authorized sending IP addresses in a domain's DNS records. When a mail server receives an email for that domain, it checks the domain's DNS to verify that the sender's IP address is on that list.
What domains should I send email from?
The best practice is to send your transactional emails from a different subdomain than your marketing emails. For example: @transactions.example.com for transactional emails and @marketing.example.com for marketing emails.
Transactional emails are sent in response to a user action. They're expected by the recipient and tend to have a much better reputation than marketing emails. Splitting the two keeps their reputation scores separate: you don't want your "confirm account" or "reset password" emails ending up in customers' spam folders because of a marketing campaign.
Setting up DKIM
From your AWS console:
- go to the SES management console
- in the sidebar, under "Identity Management", go to "Email Addresses"
- click on the email address you want to verify
- click "DKIM", then click "Generate DKIM Settings"
This will generate a table of DKIM CNAME records. You'll need to log in to your domain registrar (or wherever your DNS is hosted) and add these three CNAME records. An example row for the marketing.example.com subdomain will look like:
Please note that some registrars automatically append the apex domain name to the hostname portion of the CNAME record. So the actual value you should paste in would be:
since your registrar will automatically append .example.com to it.
Setting up SPF
All domains require the same TXT record to use Amazon SES as an email service provider. See "Authenticating Email with SPF in Amazon SES" for a full guide. Here's the TL;DR:
- go to your domain registrar
- add a TXT record with @ as the hostname and v=spf1 include:amazonses.com ~all as the value
You need a TXT record for each subdomain you send from. So @ can be used if you're sending from the apex domain (example.com), but if you're sending from marketing.example.com you'll need to add another TXT record with marketing as the hostname.
Also, if you already have an SPF record, you can authorize additional sending domains by adding them to it with the include: directive. A domain can have only one SPF record, so extend the existing one rather than adding a second TXT record. The format below authorizes two email service providers:
v=spf1 include:example.com include:amazonses.com ~all
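To show what a receiving mail server actually does with the record above, here is an added Python example (not code from the original article or from Amazon): a minimal SPF evaluator that follows include: into the referenced domain and applies the trailing ~all or -all to any IP that nothing matched. The TXT records in FAKE_TXT are constructed stand-ins for DNS lookups; the ranges given for amazonses.com are made up and are not Amazon's real sending addresses.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. A real checker queries DNS for
# the TXT record of each domain it evaluates; none of these values are real.
FAKE_TXT = {
    "example.com": "v=spf1 include:amazonses.com ~all",
    "marketing.example.com": "v=spf1 include:amazonses.com -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query (hypothetical helper)."""
    return FAKE_TXT.get(domain)


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain.

    Supports the mechanisms used in this article (ip4, ip6, include, all)
    with their +/-/~/? qualifiers; anything else yields 'permerror'.
    """
    if depth > 10:  # guard against include loops (RFC 7208 limits lookups to 10)
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to the "pass" qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]  # ~all -> softfail, -all -> fail
        if name in ("ip4", "ip6"):
            # IPv4 addresses never match IPv6 networks and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include: matches only when the referenced record returns "pass";
            # a "fail" inside the include just means "keep evaluating".
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"  # nothing matched and no "all" term was present
```

With these constructed records, an IP inside the included amazonses.com ranges gets "pass" for both domains, while an unlisted IP gets "softfail" under example.com's ~all and "fail" under marketing.example.com's -all.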