There are three email domain authentication methods that help prevent email spoofing phishing and help avoid emails being marked as spam. SPF, DKIM, and DMARC are records added to your DNS settings to enable complete email domain authentication.
Each record provides a different level of authenticity. When used together, receiving Internet Service Providers (ISPs) can validate that emails from your domain are coming from a legitimate source.
Topics included in this article:
The Sender Policy Framework record known as an SPF record is a TXT record used to specify which domains or IP addresses are authorized to send emails on behalf of your domain. Adding this record to your DNS settings is the first step in email authentication.
Benchmark’s SPF record
Copy and paste the SPF record in your DNS settings exactly as shown below.
When adding the SPF record, you’ll need to add a name and value.
You can change the TTL or leave it as is.
If there is an existing SPF record, instead, you’ll add “include:bmsend.com” to the current value.
Here is an example:
Below, we have some popular domain hosting services with instructions on adding an SPF record. Click on your provider to see instructions. Please let our support team know if you do not see your domain service listed.
To check the SPF record, use one of the following services. If you are not sure, please contact our support team.
DKIM is short for DomainKeys Identified Mail; it is another type of email domain authentication used to prevent email messages from being forged by adding a digital signature to all emails sent from your domain. DKIM verifies the domain through cryptographic authentication. When DKIM is signed, receiving ISPs, such as Yahoo, Gmail, AOL, and others, can confirm that emails from your domain are legitimate.
Your email headers will display your company’s information, making you look more professional and helping your emails land in the inbox instead of junk.
CNAME RECORDS PUBLISHED
DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=bmdeda; c=relaxed/relaxed; firstname.lastname@example.org; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=Csm6hrngAjg7GebKP4UBybWGC8i1SS8z/tkW9CUqDG9f1QtHFPe+6i2SSD2/dgTYL3xitdEMYuCtRwTQZRreH6xLOjKy7A5vWbx5HgKei4+3jUuWhXboTZGK20PSF+tXjRI1OcBGHLDITaMvZyk4n4ue4pFbPfLT+YHjdBynoV4=
WITHOUT CNAME RECORDS PUBLISHED
DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=bmdeda; c=relaxed/relaxed; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=IhpgMyO1JEy4FhullJon/dkAldaguMqU6ppYvg6ZUjMT49MczetfzHTTg3tlQnmiQPg2COSAersBfaxPdSxVQuhkg2qUDDgdOE5cNJWwgPgScYiNod6cf3HLgZLHI34QXqvqbrj0mhMk+gZmeTIrYn9A/oO1HFImH06S4Qbyeo=
From: user1 <email@example.com>
Additionally, DKIM removes the message that shows in the inbox next to your email address as “via” or “on behalf of bmsend.com.” This text is used to indicate the sending server. For some email clients removing this text is not an option.
To sign DKIM; you’ll need to add two Benchmark CNAME records. The CNAME records can be generated from your Benchmark account and then added to your DNS settings.
Before you can configure your Benchmark CNAME records, you’ll need a confirmed domain in your Benchmark account.
If you’ve previously verified an email address, chances are you already have a domain in your account ready for authentication. Please note that only private domains can have email authentication.
To see a list of previously verified email addresses, visit your Email Verification page. If there are no private verified email addresses, please add the email associated with the domain you’d like to authenticate.
If you cannot verify your private domain, please contact our support team at Support@benchmarkemail.com.
Once you have a verified email domain, you can move on to the next step, the CNAME Records. We recommend using two browser windows to move from one page to another quickly—one for Benchmark Email and another for your Domain DNS settings.
To generate your CNAME Records, follow the steps below.
Back on the Domain authentication page, you’ll see the authentication status of the records. If your records are ready to be added to your DNS, the DNS Record column will read View instead of Start.
Additionally, the domain status will change to Authenticated. Please allow 24 hours before sending any emails from your domain to accommodate for the 24-hour authentication period. Any email sent during this time may not reflect the changes.
If you did not add your records correctly, you would see an error message and an X next to the records that need updating.
If you receive an error message, review the records you added to your DNS settings. If the error is not visible to you, delete both of the records previously added and add them again.
If you continue to see an error message, please contact our support team at firstname.lastname@example.org
The CNAME records have not been created.
The records were created and added to your DNS settings but waiting for confirmation. During this stage, no action is needed.
The records were created, but they were not added to your DNS settings, or the records do not match. If you see this, check the message within the records. You’ll see a red X on the error that needs to be corrected. Back in your DNS settings, check if the records were added exactly as Benchmark provided. If you are not sure, delete the previous CNAME records, and proceed to add them again. If you still see an error, please contact our support team.
Indicates the records were added successfully, and no further action is needed.
DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is the third method for email domain authentication. ISPs like Yahoo, Gmail, AOL, and others, check to see if SPF and DKIM align with the DMARC signature. To take full advantage of the SPF and DKIM records, we recommend adding a DMARC signature to your domain.
If you already have a DMARC signature, skip this step as you can only have one DMARC signature per domain.
The DMARC signature is added as a TXT record in your DNS settings. You’ll need to add your Benchmark client ID and your email address.
DMARC Signature Example
You can change the TTL or leave it as is.
Your client ID can be found within your CNAME records, or on your Partner page. To get your Client ID, follow the steps below.
From your CNAME record:
From the Partner page:
While the DMARC signature is not required, adding it to your DNS will maximize the benefits of your domain authentication. The DMARC signature tells email providers where they can send their DMARC Reports, a type of report created by email providers to share domain and IP addresses that send emails on your behalf.
The process of adding the records will vary depending on your domain host. If you do not have access to your DNS settings, contact your IT team or contact your domain hosting service.
Below we have added some popular domain hosting services; for steps on adding your CNAME Records or your DMARC signature, click on the CNAME Records link or the DMARC link for your domain hosting service.
Please let our support team know if you do not see your domain service listed.