What SPF, DKIM, and DMARC settings are needed for Klaviyo and BigCommerce transactional emails?
Summary
What email marketers say
11 marketer opinions
Email marketer from Mailerlite explains that DMARC helps protect your brand from email spoofing and phishing attacks. By implementing DMARC, you instruct email providers on how to handle emails that fail SPF and DKIM checks, reducing the risk of malicious emails being sent from your domain.
Email marketer from EmailGeek Forum explains that you should start with a DMARC policy of 'p=none' to monitor your email traffic and identify any issues with SPF and DKIM. Then, gradually move to 'p=quarantine' and eventually 'p=reject' once you are confident in your email authentication setup.
Email marketer from Stackoverflow shares that when using multiple email services (like Klaviyo and BigCommerce transactional emails), your SPF record needs to include all authorized sending sources. This is done using the 'include:' mechanism, listing each service's SPF record.
Email marketer from Email Geeks advises deploying SSL on all possible domains and recommends that your sending domain resolve to a legitimate website.
Email marketer from Reddit explains that SPF records should include all servers that are authorized to send emails on behalf of your domain. This often includes Klaviyo's sending servers, as well as any other third-party email services.
Email marketer from PostmarkApp recommends using dedicated sending domains for transactional emails to isolate reputation and improve deliverability.
Email marketer from SparkPost shares that BIMI (Brand Indicators for Message Identification) requires DMARC to be properly set up to display your brand logo in email inboxes.
Email marketer from Gmass recommends using tools like Mail-tester.com to check your SPF, DKIM, and DMARC setup. These tools analyze your email headers and provide feedback on any issues.
Email marketer from Email Geeks shares that a DMARC policy should be there, but which policy depends on the level of implementation. It is advised to start with p=none and, when you are certain that everything is working as intended, slowly move to p=reject.
Email marketer from EasyDMARC details that SPF records should start with 'v=spf1' and end with a mechanism like '-all' or '~all'. The '-all' mechanism tells receiving servers to reject emails that don't match the SPF record, while '~all' indicates a soft fail.
Email marketer from Email Geeks shares that full authentication and alignment won't hurt to do. Some ISPs simply reject your mail without DKIM, some will send it to the spam folder, and Gmail, for example, will display "Sent via unsigned.domain.com" as a warning on your emails. SPF in theory does not matter much, but there are old installations of Microsoft Exchange mail servers out there that check for SPF on the mail.from domain and reject mail if it fails the SPF check.
What the experts say
7 expert opinions
Expert from Spamresource explains that for SPF records it's important to understand the 10 DNS lookup limit. Including too many services in your SPF record can cause it to exceed this limit, leading to SPF failures.
Expert from Email Geeks shares that you shouldn’t be deploying any website that’s not using TLS, as it’s 2020 and certificates are free.
Expert from Email Geeks explains that you absolutely _have_ to have one of SPF or DKIM aligned, and if you can only do one and have a choice, aim for DKIM.
Expert from Email Geeks shares that transactional emails are at least as important to get authentication on as the marketing emails.
Expert from Email Geeks explains that spam filters mostly don’t care about SPF or DKIM but they help identify your mail stream to build a reputation of sending wanted mail.
Expert from Word to the Wise shares that when deploying DMARC, start with a 'p=none' policy to monitor your email traffic and identify legitimate sending sources before moving to more restrictive policies. This helps prevent unintentional blocking of legitimate emails.
Expert from Email Geeks shares that if you're sending from subdomains you may need to pay attention to the interactions between DMARC for the root domain and the subdomain. Also, don't forget that "aligned" just means (ish) share a common parent domain.
What the documentation says
5 technical articles
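The 10 DNS lookup limit mentioned above is easy to exceed once an SPF record includes several sending services, because every nested 'include:' counts as well. The following is an added example, not code from any of the quoted sources: it counts the worst-case lookups for a record against a constructed zone in which every domain name and address range is a placeholder.

```python
import re

# Constructed sample zone: every name and address range below is a placeholder.
ZONE = {
    "shop.example": "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx ~all",
    "_spf.esp-a.example": "v=spf1 include:_spf1.esp-a.example include:_spf2.esp-a.example ~all",
    "_spf1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.esp-b.example": "v=spf1 a mx include:_relay.esp-b.example -all",
    "_relay.esp-b.example": "v=spf1 exists:%{i}.rbl.esp-b.example ip4:203.0.113.0/24 -all",
}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Terms that make the receiver issue a DNS query; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_terms(record):
    """Return (name, target) pairs for the terms after the v=spf1 version tag."""
    parts = record.lower().split()
    if not parts or parts[0] != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?", term)
        if m is None:
            raise ValueError("unparseable term: %r" % term)
        terms.append((m.group(1), m.group(2)))
    return terms


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError("include loop through %s" % domain)
    if domain not in zone:
        raise ValueError("no SPF record for %s" % domain)
    total = 0
    for name, target in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):  # nested records count too
                total += count_lookups(target, zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """Return (lookup count, True if the record stays within the limit)."""
    count = count_lookups(domain, zone)
    return count, count <= LOOKUP_LIMIT
```

The sample record already uses 9 of the 10 lookups with two services, so one more 'include:' would push it over the limit.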
Documentation from AuthSMTP shares that DKIM involves generating a private key, using it to sign your emails, and then publishing the corresponding public key in your DNS as a TXT record. This allows receiving servers to verify the authenticity of your emails.
Documentation from BigCommerce explains how to set up transactional emails. While they don't manage SPF/DKIM they recommend ensuring that your chosen email provider (like Klaviyo) has proper authentication in place.
Documentation from DMARC.org details the syntax of a DMARC record, explaining the meaning of tags like 'v', 'p', 'rua', and 'ruf'. The 'p' tag defines the policy (none, quarantine, reject) for handling emails that fail authentication.
Documentation from Klaviyo explains that to authenticate sending domains in Klaviyo, you need to set up SPF and DKIM records. This involves adding TXT records to your DNS settings with specific values provided by Klaviyo.
Documentation from Microsoft explains that to configure DKIM you need to use PowerShell to create a DKIM key and then use two CNAME records to publish it for the receiver to check.
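The DMARC tag syntax and the root-domain versus subdomain interaction described above can be checked together. The following is an added example, not code from any of the quoted sources: it parses DMARC records and reports which policy applies to a given From: domain. The zone is constructed sample data, and the organizational domain is passed in by the caller as an assumption (real receivers derive it from the Public Suffix List).

```python
# Constructed sample zone: names and the report address are placeholders.
ZONE = {
    "_dmarc.shop.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@shop.example",
    "_dmarc.mail.shop.example": "v=DMARC1; p=quarantine; pct=50",
}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict and validate v, p and sp."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("policy record needs a p tag")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            raise ValueError("invalid %s value: %r" % (tag, tags[tag]))
    return tags


def effective_policy(from_domain, org_domain, zone):
    """Return (policy, record name) that applies to mail with this From: domain."""
    name = "_dmarc." + from_domain
    if name in zone:
        # A record published at the exact From: domain wins; its p tag applies.
        return parse_dmarc(zone[name])["p"].lower(), name
    name = "_dmarc." + org_domain
    if from_domain != org_domain and name in zone:
        # Fall back to the organizational domain: sp applies if present, else p.
        tags = parse_dmarc(zone[name])
        return tags.get("sp", tags["p"]).lower(), name
    return None, None  # no DMARC record covers this domain


if __name__ == "__main__":
    for d in ("shop.example", "mail.shop.example", "news.shop.example"):
        print(d, effective_policy(d, "shop.example", ZONE))
```

In the sample zone the root domain is at 'p=reject', yet a subdomain without its own record is still only monitored because of 'sp=none'.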