How to Set Up SPF and DKIM for Your Sending Domains
You must follow this three-step process to successfully authenticate your sending email domain.
To add the SPF and DKIM records for your sending domains, you'll need to add records of type 'TXT' through your hosting provider, domain registrar, or DNS provider. We recommend referring to your provider's help documentation for specific information on adding TXT records. A list of provider links is available below with some domain management instructions.
Link to Why email SPF and DKIM Authentication Is a Good Thing! white paper
Note
You must add SPF and DKIM records and verify ownership of your sending domains before you can send email through your account. Mandrill will not send any email from unverified domains or domains without valid SPF and DKIM records, including public domains like gmail.com, yahoo.com, and more.
Mail sent from unverified domains or domains without valid SPF and DKIM records will be rejected at the time of send, with the reject reason, unsigned.
1. Adding an SPF Record
If you don't yet have an SPF record, add one for your domain. At a minimum, the value should be the following if you're only sending mail through Mandrill for that domain:
v=spf1 include:spf.mandrillapp.com ?all
If you already have a TXT record with SPF information, you'll need to add Mandrill's servers to that record by adding include:spf.mandrillapp.com in the record (before the last operator, which is usually ?all, ~all, or -all).
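The merge described above, as an added example that is not Mandrill's own code: it places the include before the terminal `all` mechanism and refuses to continue when the domain already carries more than one SPF TXT record. The function names and the sample records are assumptions made for illustration.

```python
# Added example (not Mandrill's code): merge the include into an existing record.
MANDRILL_INCLUDE = "include:spf.mandrillapp.com"
DEFAULT_RECORD = "v=spf1 include:spf.mandrillapp.com ?all"  # minimum value from the page
ALL_TERMS = {"all", "+all", "-all", "~all", "?all"}


def is_spf(txt):
    """True when a TXT value is an SPF record rather than some other TXT data."""
    value = txt.strip().strip('"').lower()
    return value == "v=spf1" or value.startswith("v=spf1 ")


def add_mandrill_include(txt_records):
    """Return the single SPF value the domain should publish.

    txt_records: every TXT value currently on the domain (hypothetical input,
    e.g. copied from the DNS provider's control panel).
    """
    spf = [r.strip().strip('"') for r in txt_records if is_spf(r)]
    if len(spf) > 1:
        # More than one SPF record makes receivers return a permanent error.
        raise ValueError("multiple SPF TXT records: merge them into one first")
    if not spf:
        return DEFAULT_RECORD
    terms = spf[0].split()
    if any(t.lower().lstrip("+") == MANDRILL_INCLUDE for t in terms):
        return " ".join(terms)  # already authorised, nothing to change
    # Insert before the terminal "all" mechanism; terms after it are never evaluated.
    # With no "all" (e.g. a redirect= record) the include is appended.
    pos = next((i for i, t in enumerate(terms) if t.lower() in ALL_TERMS), len(terms))
    terms.insert(pos, MANDRILL_INCLUDE)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample: a domain that already sends through another provider.
    existing = ["site-verification=EXAMPLE", "v=spf1 mx include:_spf.example.net ~all"]
    print(add_mandrill_include(existing))
```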
2. Adding a DKIM Record
Add a new TXT record with the name mandrill._domainkey.yourdomain.com (just replace yourdomain.com with the domain you're setting up).
The value for the record should be one of the options listed below. There are two options because the record contains semicolons, and some DNS providers escape semicolons for you while others require you to do it when setting up the record.
With semicolons escaped:
v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB\;
With semicolons unescaped:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;
3. Validation/Verification of SPF and DKIM Records
Once you have entered the SPF and DKIM records, you must complete the verification process using the following process and utilities; otherwise your sending email domain will not be authenticated: ABELDent Patient Portal Email Domain Verification
DNS Providers
Here are links and information for several hosting and DNS providers.
Provider | Links | Formatting Notes |
---|---|---|
CPanel (general). Many hosting providers offer CPanel to manage your domain. CPanel instructions are often similar among hosts that offer this option. | Bluehost, GoDaddy | DKIM record typically escaped automatically. The 'name' of your DKIM record should be mandrill._domainkey.yourdomain.com where yourdomain.com is replaced by the domain name where you're adding the record. Most hosts that utilize cPanel don't automatically add the domain name to the end of the record name. |
Amazon Route 53 | Route 53 Console, Route 53 API | |
CloudFlare | SPF Records, DKIM records | DKIM record escaped automatically. |
DNS Made Easy | DNS Made Easy | The 'Value' field where you enter the content for each record must be enclosed in quotes. |
DreamHost | Dreamhost | |
DynDNS | DynDNS | The 'data' field where you enter the value for each record must be enclosed in double quotes. |
GoDaddy | Plesk Panel 9, Plesk Panel 10 | |
Hover | Hover | |
ZoneEdit | ZoneEdit | |
If your host or DNS provider doesn't appear here, contact their customer support or consult their help files for more information. Each host may handle the adding or editing of records differently, so your host's technical support or documentation is the best resource for any limitations or formatting specific to that provider.
Troubleshooting
After you've added the appropriate DNS records, it can take up to 24 hours for the changes to take effect. If there's an error validating your records, you can view the error details in Mandrill for additional information. There are also some third-party resources you can use to check your records or for other details if needed:
- Check the SPF validator here. Enter your domain name in the first text box and click Get SPF Record for a diagnostic of your SPF records.
- Check whether your DKIM record is valid using the DKIMCore validator. Enter mandrill as the selector and your domain name.
- The SPF validator looks for a TXT record with the appropriate SPF information. If your domain has an SPF type record, it's best to add a matching TXT record for compatibility.
- If you already have an SPF record, edit that record instead of adding a new one. The specs for SPF require that there only be one TXT record with SPF information.
- If you've added the DKIM record and are still seeing that it's missing, your DNS provider may require the record be formatted differently. The DKIM record Mandrill provides has semicolons escaped with a backslash, so the record starts with this:
  v=DKIM1\; k=rsa\;
  and ends like this:
  \;
- Some DNS providers don't require semicolons be escaped. If you see issues, try removing the backslashes right before semicolons at the beginning and end of the record.
- Some DNS providers take longer than others to publish and push the record. If you're adding a completely new record, those often validate within 10-15 minutes. Changing records can take longer, but can vary based on your DNS provider and TTL for the record.
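A local check for the DKIM value before pasting it into a provider, as an added example that is not Mandrill's own code: it reads the escaped and unescaped forms as the same tag list and reports problems such as a doubled backslash left in the value. The function names are assumptions, and `SAMPLE_P` is a constructed placeholder, not a real key.

```python
import base64
import binascii

# Constructed placeholder for the p= tag: a tiny DER SEQUENCE, not a real key.
SAMPLE_P = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()


def parse_dkim_txt(value):
    """Parse a DKIM TXT value, accepting both escaped (\\;) and unescaped forms."""
    unescaped = value.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in unescaped.split(";"):
        if not part.strip():
            continue  # the trailing semicolon leaves an empty segment
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def check_dkim_txt(value):
    """Return a list of problems; an empty list means the value is well formed."""
    problems = []
    tags = parse_dkim_txt(value)
    if tags.get("v") != "DKIM1":
        problems.append("v tag must be exactly DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k tag must be rsa")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except (binascii.Error, ValueError):
        problems.append("p tag is not valid base64")
    else:
        if not der.startswith(b"\x30"):
            problems.append("p tag does not decode to a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    escaped = "v=DKIM1\\; k=rsa\\; p=" + SAMPLE_P + "\\;"
    doubled = escaped.replace("\\;", "\\\\;")  # backslashes escaped twice
    print(check_dkim_txt(escaped))   # well formed
    print(check_dkim_txt(doubled))   # stray backslashes are reported
```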
Source: mandrill.zendesk.com