We highly encourage our partners to install DKIM, SPF, and DMARC records on their domain. If you're not sure what any of these things mean, scroll down -- we explain it for you! Installing DKIM, SPF, and DMARC records are the most important thing you can do to maintain good deliverability. To learn more about deliverability, watch our 105 Deliverability Training.
DKIM and SPF
- Get your own domain name, if you don’t have one already. We use Namecheap, but there’s many others -- HostGator, GoDaddy, and Dreamhost just to name a few.
- Once you get your own domain, email us at support@actionnetwork.org and tell us what you use for your reply-to.
- We will send your domain to SendGrid (which delivers our emails). SendGrid will give us your public key. We give the public key to you. This key also includes the SPF records, which lets the owner of the domain specify which servers can send mail from their domain. There is no separate record to install.
- You add the public key (CNAME records) to your DNS records. If you’re not sure how to do that, look at the end of this document -- there’s links to help documents for many different domain-hosting websites.
- Email us when you’ve added our records to your DNS records. We will verify that you did this correctly.
- Use that domain in all of your reply-tos
DMARC
If you have over 5,000 people on your list, email providers require that you have some sort of DMARC installed. DMARC instructs email providers what to do if an email fails authentication. There are many options for DMARC settings (read to the end) but the records we send will meet the minimum requirements set by email providers.
We can generate the records you need at the same time as the DKIM records. Follow the steps below:
- Get your own domain name, if you don’t have one already. We use Namecheap, but there are many others -- HostGator, GoDaddy, and Dreamhost just to name a few.
- Email us at support@actionnetwork.org with the reply to email address you'll be using.
- We will send your domain to SendGrid (which delivers our emails). SendGrid will give us your public key. We give the public key to you.
- You add the TXT and CNAME records to your DNS records. If you’re not sure how to do that, look at the end of this document -- there’s links to help documents for many different domain-hosting websites.
- Email us when you’ve added our records to your DNS records. We will verify that you did this correctly.
- Use that domain in all of your reply-tos
Custom Link Branding
We also recommend you set up a custom link brand for your click tracking links, however this is more difficult technically and may not be for every partner. You can read more about how to set this up here.
Definitions
Domain -- A domain name is your website’s name. It’s the address where people can access your website. Ours is actionnetwork.org
DNS -- Domain Name System. It’s like a phonebook for the internet. It contains all the domains across the internet.
SPF -- Sender Policy Framework. SPF defines which IP addresses can send emails from your domain. It let’s the owner of the domain specify which servers can send mail from their domain.
DKIM -- DomainKeys Identified Mail. It links your domain to the emails you send, which allows your organization to take responsibility for a message that can be verified by mailbox providers. It’s pretty complicated, but it basically prevents the “bad guys” from impersonating you as an email sender by letting the recipient’s server check if the sender was really you or not. This means your emails are more likely to get delivered (and not go to spam).
DMARC - Domain-based Message Authentication, Reporting, and Conformance. This tells email providers what to do if an email fails DKIM or SPF authentication. It's only required for organizations sending with lists larger than 5,000.
FAQs
Who should set up DKIM records?
Everyone, whether or not you have a tech background. In order to install DKIM records and ensure your email will make it into inboxes, you’ll need to get your own domain, which can be $10-20 a year. We know this is not ideal for smaller community organizations, but this is a small price to pay for long-term deliverability.
How does DKIM work?
DKIM works by attaching an encrypted digital signature to the header of every email. The digital signature is created by your “private key.” The private key is unique to your domain and is in the header of your emails.The encrypted digital signature is like a watermark -- and don’t worry, you can’t see it, only the computer can.
When you set up your DKIM records, Action Network gives you a public key to add to your DNS records. The private key and public key are like brothers and share DNA. The public key matches the private key, and lets the server know that the email is from you.
When servers receive the email, they decrypt the private key and match it to the public key you put in your DNS records. The server then knows the email came from you, and let’s the email get delivered. Your deliverability goes up, and everyone is happy.
How does this work with Action Network?
We send your emails, and SendGrid delivers them. Normally, the email comes from our domain. But with DKIM, it comes from your domain.
When we validate your DKIM record, we verify it through our email deliverer (SendGrid). Your recipients’ servers will check with SendGrid to make sure the emails are actually coming from you.
How does SPF work?
When you add an SPF record on your DNS, it tells the DNS what IP addresses can send on your behalf -- basically, what IP addresses your emails came come from.
How do I do this on my domain-hosting website?
We’ve put together a list of DNS providers with links to their documentation:
- Amazon Route 53: SPF and DKIM
- Dreamhost: DKIM | SPF
- GoDaddy: SPF and DKIM
- HostGator: SPF and DKIM
- Namecheap: SPF and DKIM
Who should install DMARC records?
Anyone with email lists larger than 5,000 should set up DMARC. These requirements come from email providers. You do not need the DMARC to do anything to the mail, you only need to have it installed.
How should I set up my DMARC?
The records Action Network sends you to be compliant with email providers' requirements simply tell them to do nothing if an email fails DKIM/SPF authentication. However, you can make this more strict by quarantining mail or completely blocking unauthenticated mail. This can be useful to prevent others from spoofing your domain, and sending as you, and can solve some deliverability problems that arise because of this. However, this must be done very carefully, as you can very easily block mail you want to send rather than just blocking mail that you don’t, and we only recommend it for very large email programs that have a high technical capacity. You can sign up for other services that will provide you with reports on which emails failed, why, and more. We'd recommend Valimail.