As of February 2024, Google and Yahoo have increased their enforcement of domain authentication. To avoid issues with email delivery, it’s crucial to complete DKIM and DMARC authentication for the sending domain you use to send emails. If your IT team is hesitant to set up DKIM, this article may address some of their questions and concerns.
What is authentication?
When you send emails from your email marketing account, receiving servers recognize that the server sending the email (which belongs to us) does not align with the domain sending the email (which belongs to you). Authentication creates alignment between the sending server and the sending domain, verifying that we have permission to send on your behalf. For more information about authentication, check out the Additional resources section.
Domain reputation
Some IT teams worry that setting up DKIM might impact their domain and sending reputation outside of your email marketing account. For example, if something goes wrong, could it affect your internal email sending or emails that you send from a transactional platform?
It is true that all sending from your domain affects your reputation, regardless of whether that sending comes from our system or not. That said, setting up DKIM for your email marketing account is typically a low-risk, high-reward action.
The purpose of authentication is to protect your domain reputation.
You’re already sending emails through our system with your domain, which means that your domain reputation is already involved, regardless of your authentication status. However, if you are sending those emails without authentication, it will be far worse for your domain reputation than if you are sending authenticated emails.
Additionally, we have a large IP range and those IP addresses are shared amongst the vast majority of our customers. Shared IPs are helpful because everyone has bad days and can accidentally send to the wrong list or take a risk with an unengaged list. The fallout that comes from those bad days is lessened by the rest of our senders – there’s a bit of cushion there because everyone’s good days help dilute the small number of bad days.
Monitoring
We also monitor all emails sent through our platform. Our Deliverability and Compliance teams are constantly on alert for spam complaints, inappropriate sending behavior, and more. When an account shows up on Deliverability or Compliance’s radar, they will temporarily suspend sending for that account or subaccount, and reach out so that the problems can be addressed before they become big, reputation-damaging issues.
Our reputation
One of the reasons for sending through an ESP is that our reputation also helps protect your reputation. Additionally, since our reputation and ability to reliably send emails are the foundation of our business, we are dedicated to protecting, maintaining, and improving our sending reputation every day. We work closely with major inbox providers and blocklists to make sure that we are in the best possible position to get your emails delivered. Across all of our customers, we maintain a delivery average of over 99%. That is, over 99% of messages sent through our system are accepted for delivery by receiving servers.
Reputation overall
Sending reputation can vary between each inbox provider that your domain sends to. Every provider determines the sender’s reputation and “score” based on a combination of factors, although they generally do not disclose the formula for that score.
That said, if you see a healthy number of emails being accepted for delivery, with few bounces, that can be a sign that you are in good standing with the recipient inbox providers. Healthy open rates and clicks can indicate that emails are making it to the inbox, which can also imply good standing. Low spam complaints are also a good sign; since our Compliance team monitors spam complaints, if you haven’t heard from them, you can assume that your spam complaint rate is low.
There are nuances to reputation and these are broad statements. It’s not possible to describe or account for every individual situation in one article, so none of this should be taken as an exhaustive guide to reputation. The important thing to take away is that we are your partner in protecting your sending reputation. We care about your deliverability and want to help you succeed.
Technical concerns
Some IT teams are concerned about the security and logistics from a technical perspective. In order for DKIM to work, you need DKIM keys, which need to be managed and updated regularly in order to keep them secure. We understand that this is a big lift, so we handle DKIM a little differently.
In brief, we control the DKIM keys so that you don’t have to. Functionally, this means that when you set up DKIM, your IT team will only need to create 4 simple DNS records: 3 CNAME records and 1 TXT record. Additionally, once the final DKIM validation step is complete, they can actually delete the TXT record so that only the 3 CNAME records remain.
If you’re not familiar with CNAME records, their purpose is to act as a “road sign” to tell internet traffic where to go. When an inbox provider heads to your domain to check for DKIM keys, they will see the CNAME records, which will tell them “actually go here instead” and point them towards our records, which hold the actual DKIM keys.
Why use a CNAME instead of the actual key?
DKIM records are complex and it’s very easy to make a mistake when adding them to the DNS. These records must be absolutely correct in order to prevent significant mail delivery problems, so even a tiny error can have a large impact. Additionally, DKIM should be changed on a regular basis, which would require frequent contact, updates, and an overall heavier lift for users to accomplish.
Using CNAME records allows for a once-and-done setup of the DKIM configuration. CNAME records also give us absolute knowledge of which keys are valid at any given time, as well as control over key rotation for all customers. This allows us to follow security best practices while also minimizing the burden on our users.
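The check an IT team can run on this kind of CNAME delegation, as an added example that is not our platform's code: it follows each selector's CNAME to the hosted TXT record and validates the DKIM key record found there. The selector names (k1, k2, k3), the esp.example host names and the key bytes are constructed placeholders, and the zone is an in-memory stand-in for real DNS lookups.

```python
import base64

# Constructed zone data; every name and the key below are placeholders.
FAKE_KEY = base64.b64encode(b"constructed-public-key-bytes").decode()
ZONE = {
    ("k1._domainkey.example.com", "CNAME"): "k1.dkim.esp.example",
    ("k2._domainkey.example.com", "CNAME"): "k2.dkim.esp.example",
    ("k3._domainkey.example.com", "CNAME"): "k3.dkim.esp.example",
    ("k1.dkim.esp.example", "TXT"): f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    ("k2.dkim.esp.example", "TXT"): "v=DKIM1; k=rsa; p=",  # empty p= means revoked
    # k3's target publishes no TXT record: a dangling CNAME
}

def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs from name to a TXT record; None if dangling or looping."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        if (name, "TXT") in zone:
            return zone[(name, "TXT")]
        name = zone.get((name, "CNAME"))
        if name is None:
            return None
    return None

def parse_tags(txt):
    """Split a DKIM key record into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def check_selector(selector, domain, zone):
    """Classify one selector: ok, dangling, bad-version, revoked or bad-key."""
    txt = resolve_txt(f"{selector}._domainkey.{domain}", zone)
    if txt is None:
        return "dangling"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1
        return "bad-version"
    if not tags.get("p"):
        return "revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "bad-key"
    return "ok"

if __name__ == "__main__":
    for sel in ("k1", "k2", "k3"):
        print(sel, check_selector(sel, "example.com", ZONE))
```

A "dangling" result is the one to watch for after offboarding: a CNAME left in your zone that points at a host you no longer control the contents of.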
Why do you use multiple DKIM keys?
DKIM keys should be rotated at regular intervals in order to prevent replay spoofing and protect account security. The rotation process invalidates an older key and replaces it with a new key that is used to sign future emails. When there is only one key, any emails that are in progress or sent within a few days of the rotation could lose their authentication because the current key doesn’t match the expected value.
Using multiple keys provides a window of time in which both the old key and the new key are valid, which avoids the key rotation validity problem and provides a seamless transition between keys. Our system also works to prevent key validity problems by publishing the next key in the DNS well before it’s used to sign messages.
What is the key rotation period?
Our system rotates DKIM keys on a monthly basis. At the start of each month, new messages sent will be using a new DKIM signing key. Each key will be rotated out a full month after it was last used and rotated in a full month before it will be used again. Each rotation generates a new private / public key pair.
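A small model of the rotation window described above, added here as an illustration and not taken from our platform: a key is treated as published from one full month before its signing month until one full month after it, and the same messages are checked against a single-key policy with no overlap. The function names, the lead and grace parameters and the sample dates are assumptions made for the example.

```python
from datetime import date

def month_index(d):
    """Count months so that consecutive calendar months differ by 1."""
    return d.year * 12 + d.month - 1

def key_in_dns(signing_month, on, lead=1, grace=1):
    """True if the key that signs during signing_month is published on date `on`.

    lead  = whole months the key is published before it starts signing
    grace = whole months it stays published after it stops signing
    """
    return signing_month - lead <= month_index(on) <= signing_month + grace

def verifies(signed_on, checked_on, lead=1, grace=1):
    """A receiver can verify only if the signing key is in DNS at check time."""
    return key_in_dns(month_index(signed_on), checked_on, lead, grace)

def live_keys(on, lead=1, grace=1):
    """Signing months (as month indexes) whose keys are published on date `on`."""
    m = month_index(on)
    return list(range(m - grace, m + lead + 1))

# Constructed messages: (date signed, date the receiving server verifies)
MESSAGES = [
    (date(2024, 1, 15), date(2024, 1, 15)),  # delivered immediately
    (date(2024, 1, 31), date(2024, 2, 2)),   # queued across the rotation
    (date(2024, 1, 31), date(2024, 3, 5)),   # replayed after the key was retired
]

def results(lead, grace):
    """Verification outcome for each constructed message under a policy."""
    return [verifies(s, c, lead, grace) for s, c in MESSAGES]

if __name__ == "__main__":
    print("overlapping keys:", results(lead=1, grace=1))
    print("single key:      ", results(lead=0, grace=0))
    print("keys live on 2024-02-10:", len(live_keys(date(2024, 2, 10))))
```

In this model the queued message verifies only when keys overlap, while the late replay fails under both policies because the signing key has already been retired.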