What are wildcard, DKIM, and DMARC best practices?

Key findings

• Authentication alignment: DMARC requires either SPF or DKIM to align with the From: header domain. This alignment is crucial for passing authentication checks.
• Wildcard DNS limitations: While wildcard DNS records (e.g., *.example.com) can simplify record management, they can also grant broad permissions or obscure specific authentication failures, making troubleshooting more difficult.
• Gradual DMARC enforcement: Implementing DMARC should typically begin with a p=none policy to collect reports and identify issues before transitioning to quarantine or reject.
• Subdomain considerations: Each subdomain used for sending email should have its own SPF and DKIM records, or be properly covered by specific domain policies, rather than relying solely on parent domain records. For more on this, read our guide on setting up SPF, DKIM, and DMARC.

Key considerations

• Comprehensive DMARC reporting: Utilize DMARC aggregate (RUA) and forensic (RUF) reports to gain visibility into your email ecosystem and identify authentication failures or malicious activity. Understanding how these standards work is key.
• Avoiding SPF lookup limits: Be mindful of the 10-DNS lookup limit for SPF records to prevent authentication failures. Consolidate includes where possible.
• DKIM selector management: Regularly rotate your DKIM selectors and keys to enhance security, adhering to best practices outlined in this implementation guidance.
• DNS management: Proper DNS management is foundational for all email authentication protocols, as incorrect entries can severely impact deliverability.

Key opinions

• Practical examples are essential: Clear, practical examples for DNS configuration are highly valued by marketers trying to implement SPF, DKIM, and DMARC correctly.
• Complexity of configuration: There are numerous ways to correctly configure authentication, but also many ways to make errors, emphasizing the need for careful setup.
• Automation for DNS management: Tools like Terraform or database-generated zone files can help manage DNS records efficiently, reducing manual errors.
• Understanding new requirements: Staying updated with new requirements from major mailbox providers (like Google and Yahoo) is critical for continued inbox placement.

Key considerations

• Avoiding deliverability issues: Improper authentication setup is a common reason why emails go to spam. Marketers must prioritize correct configurations to fix email deliverability issues.
• Brand reputation: DMARC helps protect brand reputation by preventing unauthorized parties from sending emails using your domain.
• Balancing security and flexibility: Marketers need to strike a balance between strict DMARC policies for security and maintaining flexibility for legitimate email campaigns from various sending sources. For more, see our article on email deliverability issues.
• Monitoring is key: Even with correct setup, continuous monitoring of email performance and DMARC reports is essential to catch and address any issues promptly.

Key opinions

• Wildcard DNS limitations: Experts advise caution with wildcard DNS entries for SPF or DKIM, as they can be less precise and potentially over-authorize senders.
• Subdomain authentication: Proper authentication for customer-specific subdomains is crucial, and approaches like 'stunt DNS servers' can provide robust solutions. Explore our article on DMARC record placement for subdomains.
• Importance of alignment: Emphasizing DMARC alignment for both SPF and DKIM is critical, especially for complex sending architectures.
• Cautious DMARC policy deployment: Starting with a p=none policy and careful monitoring before moving to stricter policies is the safest approach. Read more about safely transitioning your DMARC policy.

Key considerations

• DNS management complexity: While many ways exist to correctly configure DNS for authentication, the potential for error is high, necessitating precise implementation.
• Proactive policy changes: Anticipate and adapt to new requirements from major email providers, as these frequently impact bulk sending practices.
• Full domain DMARC: Implement DMARC for all domains, including those that do not send email, to explicitly declare their non-sending status and prevent spoofing.
• Granular DKIM control: Prefer specific DKIM records over wildcard DKIM for better control over signing practices and improved security. For more, refer to this discussion on wildcards and DKIM.

Key findings

• DMARC as a policy layer: RFC 7489 specifies DMARC as a policy and reporting protocol that builds upon the results of SPF and DKIM, instructing receiving servers on how to handle emails that fail authentication.
• Explicit domain authentication: Documentation generally favors explicit SPF and DKIM records for domains and subdomains that send email, over broad wildcard entries, to ensure precise authorization.
• Alignment requirement: Major mail providers' guidelines consistently emphasize that the domain in the From header must align with the authenticated domain (via SPF or DKIM) for DMARC to pass.
• Non-sending domain policies: For domains that do not send email, documentation recommends publishing DMARC records with a p=reject policy to explicitly state that no email should originate from them, effectively preventing spoofing. Find out more on configuring non-sending domains.

Key considerations

• Comprehensive tag understanding: Understanding all DMARC tags and their meanings (e.g., pct, rua, ruf) is critical for effective policy deployment and reporting. Refer to our list of DMARC tags.
• Regular record validation: Regularly validate your SPF, DKIM, and DMARC DNS records to ensure they are correctly published and free from syntax errors, which can cause authentication failures.
• Staying informed: Keep up to date with updates from email service providers, as their new requirements often dictate best practices for authentication and deliverability.
• Sender compliance: Bulk senders, in particular, must adhere to stringent authentication rules (SPF, DKIM, DMARC) enforced by providers like Google and Yahoo to avoid significant deliverability penalties.