
How to avoid your email sender being spoofed

Now that Gmail has introduced its new sending requirements, more people have been forced to take extra steps to improve their deliverability. But here’s the kicker: those steps alone still don’t stop people spoofing your domain.

First off, the Gmail and Yahoo requirements apply to Gmail and Yahoo only, for now.

Next, the main way to stop your domain being spoofed is to set up DMARC with a ‘reject’ policy and make sure your SPF is aligned.

Think of it this way: when you set up all this authentication, you are telling every receiving mail server that only a certain domain or set of IPs is allowed to send email on your behalf.

What is the risk otherwise? Anyone can sign up to an email platform, plug in your domain as the sender, and start sending emails from your domain.

And this happens more than you think. That’s why we’ll explain the steps to take to minimize this problem and to monitor it going forward.

How to avoid your email sender being spoofed

Step 1: Set up DKIM, SPF, and DMARC

This depends on your email service provider (ESP) and the tool you use to send emails.

What you need to know is that it generally just involves copy/pasting a few records into your DNS settings.

You will have to ask your ESP for exact instructions to set up DKIM and SPF.

When you reach the step of setting up DMARC, start with the ‘none’ policy, then go to step 2.

Make sure you test sending emails to yourself or people you know before sending campaigns with this new setup.

Step 2: Add a DMARC monitoring solution

Once you’ve implemented step 1 correctly, use a monitoring solution that tells you how often your emails fail the DMARC check, and which IPs and servers send on your behalf.

This helps you identify people who still attempt to spoof your domain.

We recommend either Cloudflare or DMARC Digests to monitor this.

A few hours after you send campaigns, you should already see data coming in. You will see whether your main servers and IPs are passing DMARC, and whether others are trying to spoof your sender domain.
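This is the kind of data a monitoring tool extracts for you from the aggregate (rua) reports that receivers send to the address in your DMARC record. The script below is an added example, not code from the original post or from Cloudflare or DMARC Digests: it parses a constructed sample report in the RFC 7489 aggregate-report format and summarizes, per source IP, how much mail was sent as your domain and whether it passed DMARC. The domain example.com and the two IPs are constructed values.

```python
"""Summarize a DMARC aggregate (rua) report per source IP.

Added example (not from the original post). The XML below is a constructed
sample in the RFC 7489 aggregate-report layout: one legitimate sender that
passes, and one unknown source that fails both aligned SPF and DKIM.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two sources sending with example.com in the From header.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p>
    <adkim>r</adkim>
    <aspf>r</aspf>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return the published policy and a per-IP summary of counts and DMARC results."""
    root = ET.fromstring(xml_text)
    summary = {"policy": root.findtext("policy_published/p"), "sources": {}}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the receiver's *aligned* SPF/DKIM verdicts;
        # DMARC passes when either aligned identifier passes.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        entry = summary["sources"].setdefault(
            ip, {"count": 0, "dmarc_pass": passed, "disposition": None}
        )
        entry["count"] += count
        # An IP is only "passing" if every record for it passed.
        entry["dmarc_pass"] = entry["dmarc_pass"] and passed
        entry["disposition"] = rec.findtext("row/policy_evaluated/disposition")
    return summary


def failing_sources(summary):
    """IPs that sent as your domain without passing DMARC: candidates for spoofing."""
    return sorted(ip for ip, e in summary["sources"].items() if not e["dmarc_pass"])


def failure_rate(summary):
    """Fraction of reported messages that failed DMARC."""
    total = sum(e["count"] for e in summary["sources"].values())
    failed = sum(e["count"] for e in summary["sources"].values() if not e["dmarc_pass"])
    return failed / total if total else 0.0


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print("published policy:", s["policy"])
    for ip, e in s["sources"].items():
        print(f"{ip}: {e['count']} msgs, pass={e['dmarc_pass']}, disposition={e['disposition']}")
    print("failing sources:", failing_sources(s))
    print(f"failure rate: {failure_rate(s):.1%}")
```

With the published policy still at ‘none’, the failing source shows a disposition of ‘none’, meaning the receiver delivered that mail anyway; that is exactly what step 3 changes. Real reports arrive as zipped XML attachments, so in practice you unzip each attachment and feed its contents to the same parser.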

If your tools all pass DMARC, go to step 3.

Step 3: Adjust DMARC policy

Now that you can see DMARC passing correctly from your senders, you can safely change the policy to ‘reject’.

Setting it to ‘quarantine’ is also possible, but that means spoofed emails go to spam rather than being blocked, so it’s not a perfect solution. A ‘reject’ policy means the spoofed email never reaches the recipient.
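To make the mechanics behind steps 1 and 3 concrete, here is an added example (not code from the original post, and not any ESP’s implementation) that parses a DMARC TXT record and evaluates it the way a receiving server does: it checks whether the SPF and DKIM domains are aligned with the From domain, then derives the disposition from the published policy. The records, domains and the ESP’s bounce subdomain are constructed values, and the organizational-domain check is a simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""DMARC record parsing and identifier alignment, as a receiver evaluates it.

Added example (not from the original post). Records and domains are
constructed. org_domain() is a simplification: real receivers use the
Public Suffix List to find the organizational domain.
"""

# Constructed records for step 1 (monitor only) and step 3 (enforce).
STEP1_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STEP3_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")  # rua values contain ':' but no '='
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the org domain.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(record_txt, header_from, spf_domain=None, spf_result="none",
                   dkim_domain=None, dkim_result="none"):
    """Evaluate one message against a DMARC record.

    spf_domain is the Return-Path (envelope) domain, dkim_domain the d= tag of
    a verified signature. DMARC passes if either one passed *and* is aligned
    with the From-header domain; otherwise the published policy applies.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(header_from, spf_domain, rec["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, rec["adkim"]))
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A passing message is delivered normally; a failing one gets p=.
        "disposition": "none" if passed else rec["p"],
    }


if __name__ == "__main__":
    # Your ESP: custom bounce subdomain for SPF, DKIM signed with your domain.
    legit = dmarc_evaluate(STEP3_RECORD, "example.com",
                           spf_domain="bounce.example.com", spf_result="pass",
                           dkim_domain="example.com", dkim_result="pass")
    # Someone else sending with your domain in From: their SPF passes for
    # *their* domain, but nothing is aligned with example.com.
    other_none = dmarc_evaluate(STEP1_RECORD, "example.com",
                                spf_domain="other-platform.example", spf_result="pass")
    other_reject = dmarc_evaluate(STEP3_RECORD, "example.com",
                                  spf_domain="other-platform.example", spf_result="pass")
    print("legitimate ESP under p=reject:", legit)
    print("unaligned sender under p=none:", other_none)
    print("unaligned sender under p=reject:", other_reject)
```

The last two results are the whole point of the progression: under ‘none’ the unaligned message is still delivered (you only learn about it from the reports), while under ‘reject’ it is refused. The example also shows why checking alignment in step 2 matters before moving to step 3: with aspf=s (strict), the ESP’s bounce subdomain would no longer count as aligned, and your own mail would be rejected unless DKIM is aligned too.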

Here’s why you should try this

Under the new Gmail guidelines, DMARC is required, but even a ‘none’ policy is enough to satisfy them.

This doesn’t stop spoofing.

And this doesn’t even account for Apple Mail, which hasn’t implemented the same requirements as Gmail and Yahoo.

Last but not least, this is the way to make sure you and only you hold the keys to your subscribers’ inboxes.

If you don’t do this, you leave yourself open to spoofing, which will annoy recipients and tank the deliverability of your legitimate emails too.

By the way, you can also check your settings using MX Toolbox. Here’s what our setup looks like:
