This article will explain why your website’s emails don’t get delivered and how to get around this problem. A recent announcement by Google and Yahoo adds urgency to the matter. Finally, we include a typical example of email authentication for WooCommerce websites.

Why emails don’t get delivered

Emails from your website, and even those that you send from Apple Mail or Microsoft Outlook, may fail to get delivered. Oftentimes these emails land in the spam or junk folder, but sometimes they are rejected completely without any notification to you, the sender.

It is trivial to spoof an email address, or send an email as somebody else. Here’s some code that will send an email that appears to have come from Bill Gates.

<?php
$to      = '[email protected]';
$subject = 'You are the recipient of $1,000,000';
$message = 'hello';
$headers = array(
    'From' => 'Bill Gates <[email protected]>',
    'Reply-To' => '[email protected]'
);

mail($to, $subject, $message, $headers);
?>

Because of the ease of spoofing emails, legitimate email senders need a way to prove that they really did send the email. Enter email authentication, which refers to a combination of technologies including DKIM, SPF and DMARC.

Improving deliverability with SPF, DKIM and DMARC

Taking the time and effort to set up email authentication gives a strong signal to email providers that a sender’s emails are legitimate and goes a long way toward improving their deliverability, the measure of how likely the email is to be delivered. Email providers would still accept your emails even if you didn’t enable email authentication… but that may change in 2024.

In October 2023, Google and Yahoo announced requirements that bulk senders must have DMARC in place by February 2024. “If senders don’t meet these email authentication requirements, messages might be rejected or delivered to recipients’ spam folders,” say the folks at Gmail.

Yes, you’re definitely affected. Basically everyone who needs to send email will be affected by this change, including you. Even if you don’t have an email newsletter, your website definitely needs to deliver contact form notifications, order confirmations and password resets. And emails you send directly to your customers will be affected too.

So if you haven’t yet set up email authentication for WooCommerce and all services you use, it’s time that you implement it now.

Email authentication doesn’t guarantee your emails will avoid the spam folder. Your email content and reputation will also contribute to your deliverability.

How does email authentication work?

Email authentication is a combination of technologies that work together to declare who is allowed to send emails on behalf of your domain.

Using DKIM and SPF, the clickwp.com domain declares the following:

DMARC then tells email providers that they should mark as spam (or reject) emails claiming to be from clickwp.com that aren’t sent from one of the senders above.

In summary…

  1. Services that send email for your domain are authenticated
  2. DMARC tells email recipients to junk or reject emails from your domain that aren’t authenticated

SPF (Sender Policy Framework):

  • Purpose: SPF helps prevent email spoofing by verifying that the sending mail server is authorized to send emails on behalf of a specific domain.
  • How it works: The domain owner publishes SPF records in their DNS (Domain Name System) settings. These records specify which mail servers are allowed to send emails for that domain. When an email is received, the recipient’s server checks the SPF record to confirm whether the sending server is authorized. If it’s not on the list, the email might be marked as suspicious.

DKIM (DomainKeys Identified Mail):

  • Purpose: DKIM ensures the integrity of the email by adding a digital signature to each message, allowing the recipient to verify that it hasn’t been tampered with during transit.
  • How it works: The sending mail server signs outgoing emails with a private key and publishes the corresponding public key in DNS. When the email is received, the recipient’s server retrieves the public key from DNS, uses it to verify the signature, and checks if the message has been altered. If the signature is valid, the email is considered legitimate.

DMARC (Domain-based Message Authentication, Reporting, and Conformance):

  • Purpose: DMARC builds on SPF and DKIM to provide a policy framework for email authentication. It helps domain owners specify what actions should be taken for unauthenticated emails, and it enables reporting on email authentication activities.
  • How it works: The domain owner publishes a DMARC policy in DNS, indicating how SPF and DKIM should be handled. The policy can instruct the recipient’s server to reject, quarantine, or accept emails that fail authentication. DMARC also includes a reporting mechanism, allowing domain owners to receive reports on email authentication results. This helps in monitoring and fine-tuning the email authentication setup.
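How a receiving server combines the three checks, as an added example (not code from this article or from any mail provider). It shows the alignment step: SPF or DKIM only counts toward DMARC when the domain it authenticated matches the domain in the visible From: header. The sample messages and host names are constructed, and `org_domain` is a simplification that assumes two-label domains.

```python
from dataclasses import dataclass

ACTIONS = {"none": "deliver (monitor only)", "quarantine": "spam folder", "reject": "reject"}


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers use the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Message:
    header_from: str          # domain in the visible From: header
    mail_from: str            # envelope sender domain that SPF checked
    spf_pass: bool            # did the sending IP match mail_from's SPF record?
    dkim_domains: tuple = ()  # d= domains of DKIM signatures that verified


def dmarc_evaluate(msg, policy):
    """Return (result, action) for a message under the From domain's p= policy."""
    def aligned(domain):
        return org_domain(domain) == org_domain(msg.header_from)

    spf_ok = msg.spf_pass and aligned(msg.mail_from)
    dkim_ok = any(aligned(d) for d in msg.dkim_domains)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "deliver"
    return "fail", ACTIONS[policy]


# Constructed sample messages, all claiming From: example.com
# 1. Sent from an unrelated host: SPF passes, but only for that host's own domain.
SPOOF = Message("example.com", "web17.shared-host.test", True)
# 2. Marketing service: its bounce domain is not aligned, but it signs with d=example.com.
MARKETING = Message("example.com", "bounce.esp.test", True, ("example.com",))
# 3. Website mail relayed through the domain's own SMTP account.
WEBSITE = Message("example.com", "mail.example.com", True)

if __name__ == "__main__":
    for name, msg in [("spoof", SPOOF), ("marketing", MARKETING), ("website", WEBSITE)]:
        print(name, dmarc_evaluate(msg, "quarantine"))
```
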

Steps to implement email authentication

List all email services that you use

Start by listing out all the services that send email for your domain.

Primary email. The main service is likely your business email. We have used Fastmail for over a decade, but you might use Google Workspace, Microsoft 365 or the email provided by your web host.

Email marketing service e.g. ActiveCampaign, Mailchimp, Brevo, Klaviyo, etc.

Other 3rd-party services. You may use other services that want to send email from your domain. Examples include:

  • CRM like HubSpot, Pipedrive, Dubsado and Honeybook
  • Course platforms like Teachable, Thinkific and Podia
  • Sales / E-commerce platforms like SamCart, Shopify or ThriveCart

If you miss out any services here, their emails will not get delivered. Be sure to compile a full, comprehensive list for this step.

Determine where your domain name servers are hosted

Email authentication is set up at the domain level, and your domain settings are controlled by the domain name servers. You can find your name servers with a WHOIS lookup.

Now that you know your name servers, you need to also have the login details to manage and edit the DNS settings.

Warning: Making a mistake with your DNS settings could cause your email or website to stop working. ClickWP can help with setting up email authentication.

Set up DKIM and SPF records for each service

Find the instructions on how to activate DKIM and SPF for each service. Some services may not support the older SPF, but it’s best to set up both if possible.

Setting up DKIM will involve installing new CNAME or TXT records in your domain’s DNS. Each service will have its own DKIM record.

However, each domain can only have a single SPF record. This means installing SPF records involves modifying the record if it already exists.

Remember to verify DKIM and SPF for each service you set up.

Set up DMARC

Activating DMARC also involves installing a DNS record. At the very least, you’ll need to set up this basic DMARC record:

Type: TXT
Host/Name: _DMARC.yourdomain.com
Value: v=DMARC1; p=none;

The p=none above will set your DMARC policy to monitor only. This gives you the chance to catch any misconfigurations before you switch to a stricter policy (quarantine or reject).

learndmarc.com welcome screen

Now, head over to learndmarc.com and send a test email to the address it provides. It will then diagnose and tell you whether your setup passes or fails, with an easy-to-understand final verdict.

You’ll want to test each service you had set up earlier. Use the learndmarc.com results to fix any mistakes and get a PASS for DMARC.

We didn’t ace the test here, but we got a passing grade overall

At this point, you have completed all the email authentication steps and your emails will now pass Google and Yahoo’s 2024 DMARC requirements. However, you’ve come this far so we recommend taking the final step to verify your setup.

Monitor and optimize your DMARC setup

The basic DMARC record above tells email providers to decide what to do with emails that don’t pass DKIM or SPF, and to report any failures. Getting notified of failures is important in case you missed out any important services that you use.

But where do the failure reports go? You can have failure reports go to yourself, but the reports are in computer speak and you likely won’t understand them. Therefore we recommend using the free DMARC monitoring service from Postmark: dmarc.postmarkapp.com

Fill in your email address and domain that you want to monitor, then click the Get Started button. You’ll get a new DMARC record to replace the basic one you created in the previous step. Install the record and you’ll now receive weekly reports on DMARC failures.

If there are no failures and you’re confident with your setup, you can now optimize your DMARC policy to be stricter by using the quarantine or reject flag, e.g.

Type: TXT
Host/Name: _DMARC.yourdomain.com
Value: v=DMARC1; p=quarantine;
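A small linter for DMARC records like the two shown in this guide, as an added example (not code from this article or from Postmark). It flags a point that is easy to miss: a record without an rua= tag gives receivers no address to send aggregate reports to, which is what the monitoring record from a reporting service adds. The reporting address in the usage lines is a constructed placeholder.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(value):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            tags[name.strip().lower()] = val.strip()
    return tags


def lint_dmarc(host, value):
    """Return a list of findings for a DMARC TXT record; empty means clean."""
    if not host.lower().startswith("_dmarc."):
        return ["error: record must be published at _dmarc.<your domain>"]
    if value.split(";")[0].replace(" ", "") != "v=DMARC1":
        return ["error: first tag must be exactly v=DMARC1"]
    tags, findings = parse_dmarc(value), []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("error: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("info: p=none only monitors; failing mail is still delivered")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("warn: no rua= tag, receivers have nowhere to send aggregate reports")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        findings.append("warn: rua= entries should be mailto: URIs")
    return findings


if __name__ == "__main__":
    # The basic record from this guide, then a stricter one with a
    # constructed placeholder reporting address.
    print(lint_dmarc("_DMARC.yourdomain.com", "v=DMARC1; p=none;"))
    print(lint_dmarc("_dmarc.example.com",
                     "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"))
```
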

Example Setup: Email authentication for WooCommerce sites

Now we will provide an example setup for a typical WooCommerce site, example.com. Our example site uses the following services:

  1. Google Workspace for primary email
  2. cPanel hosting for emails sent via the website
  3. ActiveCampaign for email marketing

This means we’ll need to set up DKIM and SPF for Google Workspace, cPanel and ActiveCampaign.

The site is hosted on A2 Hosting and uses their nameservers. This means we edit the DNS settings from inside of A2 Hosting’s control panel.

Google Workspace

Start by logging into the Google Workspace Admin console (admin.google.com). Navigate to Apps → Google Workspace → Gmail. Click Authenticate email.

Select your domain and click the Generate New Record button. We’ll use the 2048-bit option. Once generated, you’ll be shown a DNS record.

Now we’ll log in to A2 Hosting and click the cPanel Login button. Inside cPanel, we navigate to Domains → Zone Editor. Click the Manage button.

Now add a new TXT record and enter the details provided by Google Workspace. The 2048-bit key is too long to fit in the field, so we click the Add TXT string to record option to add a 2nd field.

Now go back to Google Workspace and click the Start Authentication button.

Next we check for an existing SPF record. If none exists, we’ll create a new one. But cPanel usually installs an SPF record automatically, so here it is:

v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com ~all

We want to modify the record to add include:_spf.google.com to it. Here’s the new, updated record:

v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com include:_spf.google.com ~all

cPanel hosting email

Modern cPanel accounts have an Email Deliverability tool that will check and install the necessary DKIM and SPF records. Log in to cPanel and navigate to Email → Email Deliverability.

If you don’t see ✔ Valid, click on Repair to have cPanel automatically diagnose the problem and suggest a fix.

For WooCommerce to make use of cPanel’s DKIM and SPF, it needs to send the emails via SMTP (rather than the default PHP method). So now we have to create an email account that WooCommerce can use.

Navigate to Email → Email Accounts. Create a new email account. Then, click on Connect Devices to get the email settings.

Next, we log in to WooCommerce and install the FluentSMTP plugin. We’ll create a new email connection with the settings above.

ActiveCampaign

ActiveCampaign’s DKIM is set up differently than Google Workspace, as it involves CNAME records rather than TXT records. Log in to ActiveCampaign and navigate to Settings → Advanced. Choose the I will manage my own email authentication option. You’ll be provided 2 CNAME records to install. On the same screen you’ll also find the SPF record to be installed.

We now add the 2 provided CNAME records, and modify the SPF record to

v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com include:_spf.google.com include:emsd1.com ~all
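The single-SPF-record rule and the two record edits above, as an added example (not code from this article, cPanel or any of the services named). It merges each new include into the existing record ahead of the final `all` term, refuses a domain that has two SPF records, and counts the terms that cost a DNS lookup against the RFC 7208 limit of 10. Only top-level terms are counted; lookups inside each included record add to the total and need live DNS to resolve.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation


def _name(term):
    """Term name without qualifier (+ - ~ ?), argument or CIDR length."""
    term = term.lstrip("+-~?").lower()
    for sep in ":=/":
        term = term.split(sep, 1)[0]
    return term


def find_spf(txt_records):
    """Return the domain's single SPF record, or None if there is none."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("multiple SPF records: receivers treat this as permerror")
    return spf[0] if spf else None


def count_lookups(record):
    """Top-level terms that cost a DNS lookup (nested includes add more)."""
    return sum(_name(t) in LOOKUP_TERMS for t in record.split()[1:])


def add_include(record, domain):
    """Add include:<domain> to the existing record instead of creating a second one."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    new = "include:" + domain.lower()
    if new in (t.lower() for t in terms):
        return record                       # service already authorized
    # Terms are evaluated left to right, so the include must precede "all".
    pos = next((i for i, t in enumerate(terms) if _name(t) == "all"), len(terms))
    terms.insert(pos, new)
    merged = " ".join(terms)
    if count_lookups(merged) > MAX_LOOKUPS:
        raise ValueError("record would exceed the 10-lookup limit")
    return merged


# Starting record quoted from the article's cPanel example
CPANEL = "v=spf1 +a +mx +ip4:103.227.176.12 include:spf.a2hosting.com ~all"

if __name__ == "__main__":
    final = add_include(add_include(CPANEL, "_spf.google.com"), "emsd1.com")
    print(final, "| top-level lookups:", count_lookups(final))
```
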

Don’t forget to verify your DNS records in ActiveCampaign.

DMARC

We’re in the home stretch. Go to dmarc.postmarkapp.com and enter example.com as the domain to monitor. You’ll receive a DMARC record like this:

Install the record and click the Verify button. DKIM, SPF and DMARC have now been set up for example.com.

Conclusion

Email authentication is important for anybody that sends emails, especially for WooCommerce sites or businesses that rely on email to communicate with their customers.

Unfortunately, setting up email authentication can be challenging and complicated. Worse, getting it wrong could cause your email and/or website to stop working correctly. There are also so many 3rd-party services that need to be integrated which makes it difficult to keep track of everything.

But because Google and Yahoo have decided to be stricter with the emails they accept, email authentication is something you can no longer put off. Skip this step and you’ll risk your emails not getting through to your customers.

We hope our guide helps you with setting up SPF, DKIM and DMARC for your business. Feel free to contact ClickWP if you need help.

About David

David has over 15 years of experience with web geekery and WordPress. That experience spans everything from creating affordable websites for small businesses, developing custom themes to optimizing WordPress sites for thousands of page views in a day. Say hi to David on Twitter at @blogjunkie.