How do I add Email Authentication (DKIM / SPF / DMARC Text records)?

To combat spam, or unwanted email, most ISPs (Internet Service Providers) and email providers (e.g. Gmail, Yahoo, Hotmail, Microsoft) employ sophisticated spam filters that are regularly updated. 

Whilst this is a good thing, it can also mean that authentic emails are incorrectly marked as spam.

Email Authentication

Email authentication is the effort to equip outgoing messages of the email transport system with enough verifiable information that recipients can recognize the nature of each incoming message automatically. It comprises the three main methods described below. As of 2024, all of these are required in order to beat spam traps:

DKIM (DomainKeys Identified Mail) - This lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. Further reading: http://www.dkim.org/

SPF (Sender Policy Framework) - This is an open standard specifying a technical method to prevent sender address forgery. More precisely, SPF protects the envelope sender address, which is used for the delivery of messages.
Further reading: http://www.openspf.org/

DMARC (Domain-based Message Authentication, Reporting, and Conformance) - This is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.  As of 2024, Gmail, Microsoft and other large email providers have made DMARC a mandatory requirement. Further reading: https://dmarc.org/ 

 

What Do I Need To Do?

While no system is foolproof, agreed standards do exist and, in most circumstances, these records must be added to your domain name's DNS records.

If Purple Dog manages your domain name DNS, we can add these records for you - just get in touch.  Usually, if we have already added these settings for you, there will be no need to change the default settings on the Purple Dog server. You are advised to contact us first unless you are certain of what you are doing.

If we don't manage your domain's DNS, you can add these records yourself at your domain name registrar - or get in touch to request our assistance.

Records can be modified by logging in to your hosting account's cPanel (e.g. www.example.com/cpanel) and navigating to email > email authentication.

=================================

Set up DKIM

DKIM helps verify the sender and integrity of a message. It allows an email system to prove that a message was not altered during transit (meaning it is not forged), and that the message came from the specified domain.

  • To use DKIM, click Enable.
  • To disable DKIM, click Disable.

Note: If a warning is displayed claiming cPanel is unable to verify that the server is an authoritative nameserver for the specified domain name and either of the following scenarios is true, then please ignore it.

  • The server has been changed to be the authoritative DNS server for the domain name, but the change has not yet propagated.
  • The server does not view itself as the authoritative DNS server, but outside servers do view it as authoritative.

 

Set up SPF

This function attempts to prevent spammers from sending email while forging your domain’s name as the sender (spoofing). This authentication function works by adding IP addresses to a list, specifying computers that are authorized to send mail from your domain(s). It verifies that messages sent from your domain(s) are coming from the listed server, reducing the amount of backscatter you receive.

  • To use SPF, click Enable.
  • To disable SPF, click Disable.

Note: If a warning is displayed claiming cPanel is unable to verify that the server is an authoritative nameserver for the specified domain name and either of the following scenarios is true, then please ignore it.

  • The server has been changed to be the authoritative DNS server for the domain name, but the change has not yet propagated.
  • The server does not view itself as the authoritative DNS server, but outside servers do view it as authoritative.

 

Advanced Settings

This section includes a number of ways to configure SPF authentication. The available options are:

  • Additional Hosts that send mail for your domains (A): The additional hosts specified here are automatically approved to send mail from your domain(s). You may add and remove hosts using the appropriate buttons.
  • Additional MX servers for your domains (MX): MX entries specified here are able to send mail from your domain(s).
  • Additional Ip blocks for your domains (IP4): IP addresses approved to send mail from your domain(s). Your server's main IP address is automatically included in this list. If you add IP addresses, you must use CIDR notation. (Example: 192.168.0.1/32)
  • Include List (INCLUDE): This feature allows you to specify additional hosts to include in your SPF settings. This is useful when sending mail with another service.
  • All Entry (ALL): If you select this option, the system will exclude domains not included in the lists defined above.
  • Overwrite Existing Entries: If you select this option, the system will overwrite existing SPF entries.

Click Update to save your changes.
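
How the Advanced Settings fields above map onto the mechanisms of a standard SPF record, as an added example (not cPanel's or Purple Dog's own code). The hostnames are placeholders, and the `all_qualifier` parameter and the lookup-limit check are additions of this example based on RFC 7208.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per SPF check


def build_spf(hosts=(), mx_servers=(), ip4_blocks=(), includes=(),
              all_entry=True, all_qualifier="~"):
    """Build an SPF TXT value from the Advanced Settings fields.

    all_qualifier is an assumption of this example: "~" (softfail) or
    "-" (fail) decides how receivers treat senders that are not listed.
    Raises ValueError for a malformed IP block or too many lookup terms.
    """
    if all_qualifier not in ("-", "~", "?"):
        raise ValueError(f"unsupported qualifier for all: {all_qualifier!r}")
    terms = ["v=spf1"]
    terms += [f"a:{h}" for h in hosts]            # Additional Hosts (A)
    terms += [f"mx:{m}" for m in mx_servers]      # Additional MX servers (MX)
    for block in ip4_blocks:                      # Additional IP blocks (IP4)
        if "/" not in block:
            raise ValueError(f"{block}: use CIDR notation, e.g. {block}/32")
        net = ipaddress.IPv4Network(block, strict=False)  # ValueError if malformed
        terms.append(f"ip4:{net}")
    terms += [f"include:{d}" for d in includes]   # Include List (INCLUDE)
    # a, mx and include each cost the receiver a DNS lookup; ip4 and all do not.
    # Only this record's own terms are counted; lookups made inside included
    # records also count towards the receiver's limit.
    lookups = len(hosts) + len(mx_servers) + len(includes)
    if lookups > LOOKUP_LIMIT:
        raise ValueError(f"{lookups} lookup terms exceed the limit of {LOOKUP_LIMIT}")
    if all_entry:                                 # All Entry (ALL)
        terms.append(f"{all_qualifier}all")
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed input: hostnames are placeholders, the IP is the page's example.
    print(build_spf(hosts=["mail2.example.com"],
                    ip4_blocks=["192.168.0.1/32"],
                    includes=["_spf.mailservice.example"]))
```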

 

Set up DMARC

DMARC helps verify the sender and integrity of a message. 

  • To use DMARC, click Enable.
  • To disable DMARC, click Disable.

Note: If a warning is displayed claiming cPanel is unable to verify that the server is an authoritative nameserver for the specified domain name and either of the following scenarios is true, then please ignore it.

  • The server has been changed to be the authoritative DNS server for the domain name, but the change has not yet propagated.
  • The server does not view itself as the authoritative DNS server, but outside servers do view it as authoritative.

However, if the DNS is hosted elsewhere (e.g. Cloudflare), you will need to log in and manage it there instead.
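
One way to check that all three records are actually published after they have been added, whether in cPanel or at an external DNS host (added example, not Purple Dog's or cPanel's code). The TXT records are constructed for the placeholder domain example.com, and the DKIM selector name `default` is an assumption.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' tag list (the DKIM and DMARC record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain, txt, selector="default"):
    """Return a list of problems; an empty list means all three checks pass.

    txt maps a DNS name to the TXT strings published at that name.
    """
    problems = []

    # SPF: exactly one v=spf1 record. Two records (for example one per mail
    # service) make receivers return a permanent error under RFC 7208.
    spf = [r for r in txt.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        problems.append(f"SPF: expected exactly 1 record at {domain}, found {len(spf)}")

    # DKIM: a public key at <selector>._domainkey.<domain>; empty p= means revoked.
    dkim_name = f"{selector}._domainkey.{domain}"
    keys = [t for t in map(parse_tags, txt.get(dkim_name, [])) if "p" in t]
    if not keys:
        problems.append(f"DKIM: no public key at {dkim_name}")
    elif not keys[0]["p"]:
        problems.append(f"DKIM: key at {dkim_name} is revoked (empty p=)")

    # DMARC: one v=DMARC1 record at _dmarc.<domain> with a valid p= policy.
    dmarc_name = f"_dmarc.{domain}"
    dmarc = [parse_tags(r) for r in txt.get(dmarc_name, []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        problems.append(f"DMARC: expected exactly 1 record at {dmarc_name}, found {len(dmarc)}")
    elif dmarc[0].get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid p= policy")
    return problems


SAMPLE = {  # constructed records; the second SPF record is the deliberate fault
    "example.com": ["v=spf1 +a +mx ip4:192.168.0.1/32 ~all",
                    "v=spf1 include:_spf.mailservice.example ~all"],
    "default._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:postmaster@example.com"],
}

if __name__ == "__main__":
    print(audit("example.com", SAMPLE))
```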
