You might be surprised to learn that nearly 80 percent of all emails on the internet are spam. Even so, it can be pretty frustrating if your business emails keep ending up in your recipients' spam folder instead of their inbox.
While there's not much you can do on your recipients' end to fix that (they might have aggressive filters in place that label even legitimate business emails as spam), there are steps you can take on your own end to keep your messages from getting marked as spam.
There are several reasons your mail might be labeled as spam: you may not have the required permissions, the receiving server may have flagged your IP, your email engagement may not be high enough, or you may have used misleading subject lines or spam trigger words. Any of these can very easily land your email in the spam folder.
To solve this issue of email spam, you need to familiarize yourself with SPF and DKIM. If this is the first time you’ve come across these acronyms, don’t be concerned. We’ve got you covered.
SPF stands for Sender Policy Framework. At its most basic level, it is a security protocol that tells the recipient that it is actually YOU sending the email and not someone else posing as you. When you publish this mechanism in your domain's DNS (the phonebook directory of the internet), the recipient's mail server can look it up and authenticate that it is you sending the emails and not a spammer masquerading as you. Mail servers use this authentication process to help protect you and your end users from email spam, phishing, and spoofing.
SPF works like this: you publish an SPF record, a list of authorized IPs, that defines which mail servers can send emails on your behalf. The recipient's mail server compares the IP address of the connecting sender with the ones in the SPF record and accepts the message if it checks out. If it doesn't, the message is rejected or flagged as spam.
DomainKeys Identified Mail, or DKIM, is another authentication mechanism that validates an email message. It works by attaching a unique digital signature to the header of each outgoing email. You, the domain admin, publish the corresponding public cryptographic key as a TXT record in your domain's DNS.
Your mail server creates the digital signature and attaches it to the outgoing email's header. The recipient's mail server fetches the published public key and uses it to verify the signature. If the signature checks out, the email is authentic and not forged.
Now that you know how missing SPF and DKIM records can land your emails in your recipients' junk folders, the next question that might pop into your mind is how you can create these records yourself.
Before you can set up SPF, find out whether an SPF record has already been published for your domain. Run your domain name through the Google Apps Toolbox or MxToolbox and it will show you your current SPF settings.
Next, collect all the mail servers that will send email on behalf of your domain and compile them into a list. Your domain might use just one, or a combination of your web servers, your ISP's mail server, the same mail server your recipient uses, or a third-party mail server. Make sure you include all of them in your list.
If your brand owns multiple domains, list the domains you'll be mailing your users from as well as the ones you won't be sending from, because the non-sending domains need a record too.
Now build the record. It starts with the v=spf1 tag, followed by one entry per authorized IP address (ip4: or ip6:), and ends with an all mechanism: -all tells receivers to fail anything not listed, while ~all asks for a softer treatment. For a third-party mailing server, don't forget to add an include statement such as include:thirdparty.com. Here's an example of how a record for a sending domain should look:
v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all
For non-sending domains, strip everything except v=spf1 and -all, so the record reads "v=spf1 -all". The final step is to publish the completed record in DNS as a TXT record. And you're all set with the SPF protocol.
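The record-building and checking steps above, worked through in code. This is an added example and not part of the original article: it assembles a record the way the steps describe and then evaluates a connecting sender IP against it the way a receiving server would, including the include: chain and the -all / ~all endings. DNS is replaced by an in-memory dictionary (the domain names and addresses in it are constructed; "thirdparty.com" is the placeholder from the article's own record), and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access). "thirdparty.com"
# is the placeholder name from the article's example record; the other domains
# and addresses are made up for this demonstration.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all",
    "thirdparty.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "parked.example": "v=spf1 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(ips, includes=(), qualifier="-"):
    """Assemble an SPF TXT record: v=spf1, one ip4:/ip6: term per address or
    CIDR block, one include: per third-party sender, then the all mechanism."""
    terms = ["v=spf1"]
    for ip in ips:
        version = ipaddress.ip_network(ip, strict=False).version  # validates the value
        terms.append(f"ip{version}:{ip}")
    terms.extend(f"include:{domain}" for domain in includes)
    terms.append(f"{qualifier}all")
    return " ".join(terms)


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate a connecting sender IP against the SPF record of `domain`.

    Returns the result a receiving server would act on: "pass", "fail",
    "softfail", "neutral", "none" (no record) or "permerror". Mechanisms other
    than ip4/ip6/include/all (a, mx, exists, ...) are treated as non-matching
    here; a real checker resolves them through DNS.
    """
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    if _depth > 10:  # include loops; RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include: matches only when the included domain's record says "pass"
            if check_spf(sender_ip, argument, dns, _depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an all mechanism


if __name__ == "__main__":
    print(build_spf_record(["1.2.3.4", "2.3.4.5"], ["thirdparty.com"]))
    for ip in ("1.2.3.4", "203.0.113.77", "2001:db8::1", "198.51.100.9"):
        print(ip, check_spf(ip, "example.com"))
```

Note how the include: term only passes the sender through when the third party's own record returns "pass": a sender that merely softfails at thirdparty.com still hits example.com's -all and fails. That is why the ending you choose on each record matters, and why a parked domain's "v=spf1 -all" fails every sender.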
To create a DKIM record, start by choosing a DKIM selector, a text string you define. The selector tells the recipient which public key to look up.
Next, create a public/private key pair. You can use PuTTYgen if you're running Windows and ssh-keygen if you're on Linux.
If you're using PuTTYgen, simply click "Generate" to create the key pair and save it to your disk. The next step is to place the public key you saved as a TXT record in your DNS provider's settings. This setup varies between DNS providers, so consult the documentation provided by your DNS provider.
Once you've done that, you need to create and attach your digital signature. On the SMTP (Simple Mail Transfer Protocol, the internet protocol used for transmitting email) server of your choice, you can make use of the DKIM milter. A milter is an open-source mail filter extension that, among other things, lets you flag spam emails. Mail servers support milters, and the DKIM milter is released by Sendmail. It signs outgoing emails with your private key and attaches the resulting signature to them.
A typical DKIM digital signature (the DKIM-Signature header) looks like this, shown with one tag per line:
v=1;
a=rsa-sha256;
c=relaxed/relaxed;
d=isipp.com;
s=sel42;
t=1399817581;
bh=Pl25…dcMqN+E=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
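What a recipient does with a header like the one above, as an added example (not code from the article or from the DKIM milter). It parses the tag=value list, then performs the first half of verification: recomputing the body hash (bh=) after applying the c= body canonicalization and comparing it with the signed value. The b= tag, which covers the headers listed in h=, is not checked here because that needs the signer's RSA public key from DNS. The sample header is constructed to mirror the article's example (same tags, same order) with placeholder bh= and b= values.

```python
import base64
import hashlib
import re

# Constructed DKIM-Signature value modeled on the article's example. bh= and b=
# are placeholders: b= cannot be checked without the public key, while bh= is
# recomputed from the body by verify_body_hash() below.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=isipp.com; s=sel42; t=1399817581;\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH=;\r\n"
    "\th=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;\r\n"
    "\tb=PLACEHOLDER_SIGNATURE="
)


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict. Folding
    whitespace inside values is removed, which the base64 tags bh= and b= need."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # trailing ';' or an empty segment
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """DKIM body canonicalization (RFC 6376 section 3.4); `body` uses CRLF line
    endings. Relaxed mode collapses runs of SP/TAB to one space and strips
    trailing whitespace; both modes drop empty lines at the end of the body."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization: {mode}")
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"  # empty-body rules differ
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, algorithm="rsa-sha256", mode="relaxed"):
    """Compute the bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.sha256 if algorithm == "rsa-sha256" else hashlib.sha1
    canonical = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(digest(canonical).digest()).decode("ascii")


def verify_body_hash(signature_value, body):
    """First half of DKIM verification: does bh= match the message body?
    A mismatch means the body changed after signing or the header is forged."""
    tags = parse_tag_list(signature_value)
    # c=header/body; a missing body part means "simple" (RFC 6376 section 3.5)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, tags.get("a", "rsa-sha256"), body_mode) == tags["bh"]


if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_SIGNATURE)
    print("selector", tags["s"], "domain", tags["d"], "signed headers", tags["h"])
    print("bh for an empty body:", body_hash(""))
```

The relaxed rules are what make a signature survive mail relays that re-wrap whitespace or append a blank line: a body of "Hello  world " and one of "Hello world" hash identically, whereas any change to the visible text breaks the match and the receiver treats the signature as failed.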
Once you have published a DKIM public key, you need to change the private/public key pair regularly in case a key has been compromised. This process is called DKIM key rotation, and it is pretty straightforward.
All you need to do is use the key selector (the "s=sel42;" in the example above) to introduce new keys into circulation: publish the new public key under a new selector and start signing with it. Keep the old key published for a specified period of time, so that emails already signed with the old key, whose headers still name the old selector, have enough time to be delivered and verified.
You can rotate the keys every week or less often, depending on your brand's policy.
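The rotation procedure just described, modeled as an added example (not the article's or any tool's code). It tracks which selectors a domain has published, installs a new selector for signing, keeps the previous one published for a grace period so in-flight mail still verifies, and drops it afterwards. The DNS name format selector._domainkey.domain and the "v=DKIM1; k=rsa; p=" record layout are the standard ones; the domain, selectors, dates, grace period and the p= values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone


class DkimKeyRing:
    """Models the selectors a domain has published in DNS. rotate() installs a
    new selector for signing and keeps the previous one published until the
    grace period has passed, so mail signed before the rotation still verifies."""

    def __init__(self, domain, grace_period=timedelta(days=7)):
        self.domain = domain
        self.grace_period = grace_period
        self.active = None     # (selector, public_key) used for new signatures
        self.retiring = {}     # selector -> (public_key, remove_after)

    def txt_name(self, selector):
        # The DNS name a verifier queries for s=<selector> d=<domain>.
        return f"{selector}._domainkey.{self.domain}"

    def rotate(self, new_selector, new_public_key, now):
        """Start signing with a new key; the old one enters its grace period."""
        if self.active is not None and new_selector == self.active[0]:
            raise ValueError("a new key needs a new selector, or in-flight mail fails")
        if self.active is not None:
            old_selector, old_key = self.active
            self.retiring[old_selector] = (old_key, now + self.grace_period)
        self.active = (new_selector, new_public_key)

    def published_records(self, now):
        """TXT records that must exist in DNS at `now`; expired selectors are dropped."""
        self.retiring = {s: v for s, v in self.retiring.items() if v[1] > now}
        records = {}
        if self.active is not None:
            selector, key = self.active
            records[self.txt_name(selector)] = f"v=DKIM1; k=rsa; p={key}"
        for selector, (key, _) in self.retiring.items():
            records[self.txt_name(selector)] = f"v=DKIM1; k=rsa; p={key}"
        return records

    def can_verify(self, selector, now):
        """Would a receiver still find the key for a message signed with `selector`?"""
        return self.txt_name(selector) in self.published_records(now)


def rotation_demo():
    """Constructed timeline: weekly grace period, rotation after 30 days."""
    ring = DkimKeyRing("example.com", grace_period=timedelta(days=7))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ring.rotate("sel42", "PUBKEY_A_PLACEHOLDER", t0)
    ring.rotate("sel43", "PUBKEY_B_PLACEHOLDER", t0 + timedelta(days=30))
    return {
        "names_day31": sorted(ring.published_records(t0 + timedelta(days=31))),
        "old_verifies_day36": ring.can_verify("sel42", t0 + timedelta(days=36)),
        "old_verifies_day38": ring.can_verify("sel42", t0 + timedelta(days=38)),
        "new_verifies_day38": ring.can_verify("sel43", t0 + timedelta(days=38)),
    }


if __name__ == "__main__":
    for key, value in rotation_demo().items():
        print(key, value)
```

The grace period should be at least as long as the longest delivery delay you expect (queued retries at a receiver can take days); a record removed too early turns legitimate, already-sent mail into DKIM failures.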
Sometimes, instead of landing in the end user's junk/spam folder, the mail will be rejected or bounced. Unlike a business email that is silently marked as spam, a bounce gives you the reason for the rejection.
The email might have failed to deliver because the recipient's inbox is full or the receiving mail server is temporarily down. This is referred to as a soft bounce. When an email hard bounces, it is usually because the email address or domain no longer exists.
More often than not, the mail service will have blacklisted you, and tackling this issue can be as simple as contacting the service and getting yourself removed from the blacklist. If the problem persists, emailing the admin of that server might help resolve it.
To keep you from getting blacklisted, an address that soft bounces a specified number of times should be treated as hard bounced and removed from your list. This keeps your IP reputation intact and minimizes the number of unengaged emails.
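The bounce-handling policy above as an added example, not code from the article. It classifies each SMTP reply by its code: 4xx replies are soft bounces, 5xx replies are hard bounces, except that 5xx replies carrying an enhanced status of 5.7.x (the security/policy class from RFC 3463) are reported as a block on the sender, the blacklisting case, rather than counted against the recipient. Soft bounces are retried until a limit is reached and then escalated to a suppression, as the last paragraph describes. The delivery log, addresses and the limit of three are constructed for the demonstration.

```python
import re
from collections import defaultdict

SOFT_BOUNCE_LIMIT = 3  # constructed policy: this many soft bounces => treat as hard

# Constructed delivery log: (recipient, SMTP reply returned by the receiving server).
SAMPLE_LOG = [
    ("alice@example.net", "452 4.2.2 Mailbox full"),
    ("bob@example.net", "550 5.1.1 User unknown"),
    ("alice@example.net", "451 4.4.1 Connection timed out"),
    ("carol@example.org", "554 5.7.1 Service unavailable; sending host is on a blacklist"),
    ("dave@example.net", "250 2.0.0 OK"),
    ("alice@example.net", "421 4.3.2 Service temporarily unavailable"),
]

# Reply code, optionally followed by an enhanced status code (class.subject.detail).
_REPLY = re.compile(r"^(?P<code>[245]\d\d)(?:\s+(?P<status>[245]\.\d+\.\d+))?")


def classify_reply(smtp_reply):
    """Map an SMTP reply to 'delivered', 'soft' (transient failure), 'hard'
    (permanent recipient problem) or 'blocked' (permanent policy rejection of
    the sender, enhanced status 5.7.x, i.e. a blacklisting, not a bad address)."""
    m = _REPLY.match(smtp_reply)
    if not m:
        raise ValueError(f"unrecognised SMTP reply: {smtp_reply!r}")
    code, status = m.group("code"), m.group("status") or ""
    if code.startswith("2"):
        return "delivered"
    if code.startswith("4"):
        return "soft"
    return "blocked" if status.startswith("5.7.") else "hard"


class BounceTracker:
    """Hard bounces are suppressed at once, soft bounces are retried until
    SOFT_BOUNCE_LIMIT is reached, and policy blocks are collected so the sender
    can request delisting instead of blaming the recipient."""

    def __init__(self, soft_limit=SOFT_BOUNCE_LIMIT):
        self.soft_limit = soft_limit
        self.soft_counts = defaultdict(int)
        self.suppressed = set()   # addresses never to mail again
        self.blocked_by = set()   # receiving domains that rejected us on policy grounds

    def record(self, address, smtp_reply):
        kind = classify_reply(smtp_reply)
        if kind == "delivered":
            self.soft_counts.pop(address, None)  # a success resets the counter
            return "delivered"
        if kind == "blocked":
            self.blocked_by.add(address.rpartition("@")[2])
            return "blocked"
        if kind == "hard":
            self.suppressed.add(address)
            return "suppressed"
        self.soft_counts[address] += 1
        if self.soft_counts[address] >= self.soft_limit:
            self.suppressed.add(address)  # escalate: treat as hard bounced
            return "suppressed"
        return "retry"

    def replay(self, log):
        """Process a delivery log in order and return the outcome per entry."""
        return [self.record(address, reply) for address, reply in log]


if __name__ == "__main__":
    tracker = BounceTracker()
    for (address, reply), outcome in zip(SAMPLE_LOG, tracker.replay(SAMPLE_LOG)):
        print(f"{outcome:10} {address:20} {reply}")
    print("suppressed:", sorted(tracker.suppressed), "blocked by:", sorted(tracker.blocked_by))
```

Separating the 5.7.x case matters operationally: suppressing carol@example.org after a blacklist rejection would silently shrink your list for a problem that sits with your sending IP, while continuing to mail alice after three transient failures is what keeps a sender on blacklists in the first place.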