This article will explain why your website’s emails don’t get delivered and how to get around this problem. A recent announcement by Google and Yahoo adds urgency to the matter. Finally we also include a typical example of email authentication for WooCommerce websites.
Why emails don’t get delivered
Emails from your website, and even those that you send from Apple Mail or Microsoft Outlook may fail to get delivered. Often times these emails land in the spam or junk folder, but sometimes emails are rejected completely without any notification to you the sender.
It is trivial to spoof an email address, or send an email as somebody else. Here’s some code that will send an email that appears to have come from Bill Gates.
<?php $to = '[email protected]'; $subject = 'You are the recipient of $1,000,000'; $message = 'hello'; $headers = array( 'From' => 'Bill Gates <[email protected]>', 'Reply-To' => '[email protected]' ); mail($to, $subject, $message, $headers); ?>
Because of the ease of spoofing emails, legitimate email senders need a way to prove that they did really send the email. Enter email authentication, which refer to a combination of technologies including DKIM, SPF and DMARC.
Improving deliverability with SPF, DKIM and DMARC
Taking the time and effort to set up email authentication gives a strong signal to email providers that a sender’s emails are legitimate and went a long way to improving their deliverability, the measure of how likely the email will be delivered. Email providers would still accept your emails even if you didn’t enable email authentication… but that may change in 2024.
Last October 2023, Google and Yahoo announced requirements that bulk senders must have DMARC in place by February 2024. “If senders don’t meet these email authentication requirements, messages might be rejected or delivered to recipients’ spam folders,” say the folks at Gmail.
Yes, you’re definitely affected. Basically everyone who needs to send email will be affected by this change, including you. Even if you don’t have an email newsletter, your website definitely needs to deliver contact form notifications, order confirmations and password resets. And emails you send directly to your customers will be affected too.
So if you haven’t yet set up email authentication for WooCommerce and all services you use, it’s time that you implement it now.
Email authentication doesn’t guarantee your emails will avoid the spam folder. Your email content and reputation will also contribute to your deliverability.
How does email authentication work?
Email authentication is a combination of technologies that work together to declare who is allowed to send emails on behalf of your domain.
Using DKIM and SPF, the clickwp.com
domain declares the following:
- Direct, personal emails are sent from Fastmail
- Marketing emails are sent via ActiveCampaign
- Website form and order notifications (transactional email) are sent via Amazon Web Services (Simple Email Service)
DMARC then tells email providers that they should spam (or reject) emails claiming to be from clickwp.com
but aren’t sent from one of the senders above.
In summary…
- Services that send email for your domain are authenticated
- DMARC tells email recipients to junk or reject emails from your domain that aren’t authenticated
Steps to implement email authentication
List all email services that you use
Start by listing out all the services that send email for your domain.
Primary email. The main service is likely your business email. We have used Fastmail for over a decade, but you might use Google Workspace, Microsoft 365 or the email provided by your web host.
Email marketing service e.g. ActiveCampaign, Mailchimp, Brevo, Klaviyo, etc.
Other 3rd-party services. You may use other services that want to send email from your domain. Examples include:
- CRM like HubSpot, Pipedrive, Dubsado and Honeybook
- Course platforms like Teachable, Thinkific and Podia
- Sales / E-commerce platforms like SamCart, Shopify or ThriveCart
If you miss out any services here, their emails will not get delivered. Be sure to compile a full, comprehensive list for this step.
Determine where your domain name servers are hosted
Email authentication is set up at the domain level, and your domain settings are controlled by the domain name servers. You can find your name servers with a WHOIS lookup.
Now that you know your name servers, you need to also have the login details to manage and edit the DNS settings.
Warning: Making a mistake with your DNS settings could cause your email or website to stop working. ClickWP can help with setting up email authentication.
Set up DKIM and SPF records for each service
Find the instructions on how to activate DKIM and SPF for each service. Some services may not support the older SPF, but it’s best to set up both if possible.
Setting up DKIM will involve installing new CNAME or TXT records in your domain’s DNS. Each service will have its own DKIM record.
However, each domain can only have a single SPF record. This means installing SPF records involves modifying the record if it already exists.
Remember to verify DKIM and SPF for each service you set up.
Set up DMARC
Activating DMARC also involves installing a DNS record. At the very least, you’ll need to set up this basic DMARC record:
Type: TXT
Host/Name: _DMARC.yourdomain.com
Value: v=DMARC1; p=none;
The p=none
above will set your DMARC policy to monitor only. This gives you the chance to catch any misconfigurations before you switch to a stricter policy (quarantine or reject).
Now, head over to learndmarc.com and send a test email to address it provides. It will then diagnose and tell you whether your setup passes or fails, with an easy-to-understand final verdict. Click here to see a sample results page
You’ll want to test each service you had set up earlier. Use the learndmarc.com results to fix any mistakes and get a PASS for DMARC.
At this point, you have completed all the email authentication steps and your emails will now pass Google and Yahoo’s 2024 DMARC requirements. However, you’ve come this far so we recommend taking the final step to verify your setup.
Monitor and optimize your DMARC set up
The basic DMARC record above tells email providers to decide what to do with emails that don’t pass DKIM or SPF, and to report any failures. Getting notified of failures is important in case you missed out any important services that you use.
But where do the failure reports go to? You can have failure reports go to yourself, but the reports are in computer speak and you likely won’t understand it. Therefore we recommend using the free DMARC monitoring service from Postmark: dmarc.postmarkapp.com
Fill in your email address and domain that you want to monitor, then click the Get Started button. You’ll get a new DMARC record to replace the basic one you created in the previous step. Install the record and you’ll now receive weekly reports on DMARC failures.
If there are no failures and you’re confident with your set up, you can now optimize your DMARC policy to be stricter by using the quarantine or reject flag, e.g.
Type: TXT
Host/Name: _DMARC.yourdomain.com
Value: v=DMARC1; p=quarantine;
Example Setup: Email authentication for WooCommerce sites
Now we will provide an example setup for a typical WooCommerce site, example.com
. Our example site uses the following services:
- Google Workspace for primary email
- cPanel hosting for emails sent via the website
- ActiveCampaign for email marketing
This means we’ll need to set up DKIM and SPF for Google Workspace, cPanel and ActiveCampaign.
The site is hosted on A2 Hosting and uses their nameservers. This means we edit the DNS settings from inside of A2 Hosting’s control panel.
Google Workspace
Start by logging into the Google Workspace Admin console (admin.google.com). Navigate to Apps → Google Workspace → Gmail. Click Authenticate email.
Select your domain and click the Generate New Record button. We’ll use the 2048-bit option. Once generated, you’ll be shown a DNS record.
Now we’ll login to A2 Hosting and click the cPanel Login button. Inside cPanel, we navigate to Domains → Zone Editor. Click the Manage button.
Now add a new TXT record and enter the details provided by Google Workspace. The 2048 bit key is too long to fit in the field, so we click the Add TXT string to record option to add a 2nd field.
Now go back go Google Workspace and click the Start Authentication button.
Next we check for an existing SPF record. If none exist, we’ll create a new one. But cPanel usually installs a SPF record automatically so here it is:
v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com ~all
We want to modify the record to add include:_spf.google.com
to it. Here’s the new, updated record:
v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com include:_spf.google.com ~all
cPanel hosting email
Modern cPanel accounts have an Email Deliverability tool that will check and install the necessary DKIM and SPF records. Login to cPanel and navigate to Email → Email Deliverability.
If you don’t see ✔ Valid, click on Repair to have cPanel automatically diagnose the problem and suggest a fix.
For WooCommerce to make use of cPanel’s DKIM and SPF, it needs to send the emails via SMTP (rather than the default PHP method). So now we have to create an email account that WooCommerce can use.
Navigate to Email → Email Accounts. Create a new email account. Then, click on Connect Devices to get the email settings.
Next, we login to WooCommerce and install the FluentSMTP plugin. We’ll create a new email connection with the settings above.
ActiveCampaign
ActiveCampaigns DKIM is set up differently than Google Workspace as it involves CNAME records rather than TXT records. Login to ActiveCampaign and navigate to Settings → Advanced. Choose the I will manage my own email authentication option. You’ll be provided 2 CNAME records to install. On the same screen you’ll also find the SPF record to be installed.
We now add the 2 provided CNAME records, and modify the SPF record to
v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com include:_spf.google.com include:emsd1.com ~all
Don’t forget to verify your DNS records in ActiveCampaign.
DMARC
We’re in the home stretch. Go to dmarc.postmarkapp.com and enter example.com
as the domain to monitor. You’ll receive a DMARC record like this:
Install the record and click the Verify button. DKIM, SPF and DMARC has now been set up for example.com
.
Conclusion
Email authentication is important for anybody that sends emails, especially for WooCommerce sites or businesses that rely on email to communicate with their customers.
Unfortunately, setting up email authentication can be challenging and complicated. Worse, getting it wrong could cause your email and/or website to stop working correctly. There are also so many 3rd-party services that need to be integrated which makes it difficult to keep track of everything.
But because Google and Yahoo have decided to be stricter with the emails they accept, email authentication is something you can no longer put off. Skip this step and you’ll risk your emails not getting through to your customers.
We hope our guide helps you with setting up SPF, DKIM and DMARC for your business. Feel free to contact ClickWP if you need help.