When migrating to an email platform like Klaviyo and setting up transactional emails with services such as BigCommerce, understanding the nuances of SPF, DKIM, and DMARC settings is critical. These authentication protocols help your emails land in the inbox rather than being flagged as spam or rejected. Proper implementation helps mailbox providers verify that you are a legitimate sender, building trust and maintaining your domain's reputation. This summary explores the necessary configurations and key considerations for achieving optimal email deliverability for both marketing and transactional communications.
Key findings
Full authentication is crucial: For both transactional and commercial emails, full SPF, DKIM, and DMARC alignment and authentication significantly improve deliverability. While DMARC is not strictly required for email sending, its deployment offers substantial benefits, particularly for domain safety and future technologies like BIMI.
DKIM's importance: Many ISPs may reject emails lacking a valid DKIM signature or route them to spam. Gmail, for instance, adds a "Sent via unsigned.domain.com" warning, which negatively impacts user experience. If a choice must be made, prioritize DKIM over SPF for alignment.
SPF's role: Although some argue SPF matters less than DKIM, older Microsoft Exchange mail servers still check SPF on the MAIL FROM (envelope sender) domain and may reject emails if SPF fails. Therefore, having a correctly configured SPF record is still highly recommended.
Transactional vs. marketing emails: Transactional emails require the same, if not more, stringent authentication and alignment rules as commercial or marketing emails to ensure reliable delivery of critical communications.
Subdomain considerations: When sending from subdomains, it is important to understand the interactions between the DMARC policies of the root domain and the subdomain. This can affect how emails are authenticated and delivered. For more details on how DMARC, SPF, and DKIM affect deliverability, you can consult our guide on how these protocols affect email deliverability.
Key considerations
DMARC policy rollout: It is advised to start with a DMARC policy of p=none to monitor email flow and reports without impacting delivery. Once confident in the alignment and authentication setup, gradually move to p=quarantine or p=reject to fully enforce your policy.
SSL/TLS for subdomains: All sending subdomains should use SSL/TLS for security. Certificates are often free and widely available, making HTTPS a standard for any web presence, including those associated with email sending domains. This practice enhances trust and security.
Valid website on sending subdomains: It is recommended that sending subdomains resolve to a legitimate, active website. This demonstrates ownership and legitimacy to ISPs and can provide a better user experience if recipients try to visit the domain. Klaviyo also emphasizes the importance of setting up a branded sending domain for authentication.
Understanding DMARC complexities: Before implementing DMARC, it is crucial to understand its mechanics and potential failure modes. This knowledge allows you to assess the advice from IT teams and make informed decisions that prevent email delivery issues. For a comprehensive guide, review a simple guide to DMARC, SPF, and DKIM.
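The root-domain and subdomain interaction and the p=none rollout described above can be worked through in code. This is an added example, not code from the original page, Klaviyo or BigCommerce; the DNS map is constructed sample data, the function names are hypothetical, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record.
    Simplification: a record without a valid p= tag is treated as unusable."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        return None
    return tags

def effective_policy(from_domain, org_dom, dns_txt):
    """Return (policy, record name) a receiver applies to mail with this From: domain."""
    own_name = "_dmarc." + from_domain
    own = parse_dmarc(dns_txt.get(own_name, ""))
    if own:
        # A record published on the exact From: domain wins; its p= applies.
        return own["p"], own_name
    if from_domain != org_dom:
        parent_name = "_dmarc." + org_dom
        parent = parse_dmarc(dns_txt.get(parent_name, ""))
        if parent:
            # No record of its own: the subdomain inherits sp=, or p= if sp= is absent.
            return parent.get("sp", parent["p"]), parent_name
    return None, None

# Constructed DNS data: an enforced root domain and one new sending subdomain in monitoring.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.send.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for domain in ("example.com", "send.example.com", "orders.example.com"):
        print(domain, effective_policy(domain, "example.com", DNS_TXT))
```

A sending subdomain with no record of its own, such as orders.example.com here, is already subject to the root's sp= (or p=) policy, so a new subdomain needs its own p=none record if it is meant to start in monitoring.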
Email marketers, especially those managing e-commerce platforms like Klaviyo and BigCommerce, frequently navigate the complexities of email authentication. They often seek clear guidance on SPF, DKIM, and DMARC to ensure their transactional and marketing emails consistently reach the inbox. Their concerns typically revolve around preventing deliverability issues while meeting security standards and maintaining a positive sender reputation. These insights reflect common challenges and shared experiences among marketers.
Key opinions
Need for full authentication: Many marketers recognize the importance of complete SPF, DKIM, and DMARC setup, especially when migrating platforms or launching new e-commerce ventures with high volumes of transactional emails. They are keen to know if full authentication is truly necessary across all email types.
DKIM's perceived priority: There's a common belief that DKIM is the most critical authentication factor for ISPs and spam filters. Some marketers have been told that if DKIM passes and DMARC is set to reject, SPF failures might not lead to delivery problems.
Subdomain security: Marketers often question the necessity of SSL on all sending subdomains and whether ISPs check for valid, live webpages on these subdomains. They understand the value of HTTPS for security and brand consistency.
DMARC policy rollout strategy: Marketers seek advice on the appropriate DMARC policy, particularly when initially setting up new sending subdomains. They want to know if starting with a less restrictive policy (e.g., p=none) is advisable before moving to a stricter one.
Key considerations
Platform limitations: Marketers often face challenges achieving full SPF and DKIM alignment across all platforms, especially with third-party providers like BigCommerce, which may have their own sending infrastructure limitations. This can lead to concerns about potential delivery issues. For instance, sometimes checking email headers is the only way to confirm authentication results.
Balancing security and deliverability: The goal of implementing DMARC for security and BIMI is clear, but marketers worry about the risk of delivery issues if full SPF/DKIM alignment cannot be achieved immediately. They need strategies to mitigate these risks during the transition phase.
Consistency across email types: Marketers are often advised to apply the same strict authentication guidelines for all sending domains, regardless of whether they are for transactional or marketing emails, to ensure consistent deliverability and reputation. To avoid email deliverability issues, review our guide on getting messages to the inbox.
Navigating technical roadblocks: Marketers, especially those without deep technical knowledge, often encounter roadblocks when setting up email authentication. They need practical advice to implement these protocols correctly without causing inadvertent damage to their email programs.
Marketer view
Email marketer from Email Geeks inquires about the necessity of full SPF, DKIM, and DMARC alignment and authentication for both transactional and commercial email deliverability. They are setting up a new e-commerce store with Klaviyo and BigCommerce and want to ensure optimal deliverability.
17 Jul 2020 - Email Geeks
Marketer view
An email marketer from a marketing blog highlights the challenge of ensuring all necessary authentication records (SPF, DKIM, DMARC) are properly configured, especially when integrating with new email marketing platforms. They emphasize that reviewing content for spam trigger words is also a key deliverability practice.
22 May 2024 - Top Growth Marketing
What the experts say
Email deliverability experts offer nuanced perspectives on SPF, DKIM, and DMARC, often emphasizing practical implications and potential pitfalls. While acknowledging the general benefits of full authentication, they highlight that reputation and desired mail are paramount to spam filters. Their advice often focuses on strategic DMARC deployment, the relative importance of authentication protocols, and the often-overlooked aspects of subdomain configuration.
Key opinions
DMARC is not always essential, but beneficial: While one expert states DMARC isn't strictly necessary, most acknowledge its value for security and domain protection. However, they caution against premature deployment without proper SPF and DKIM alignment, as this can lead to significant email loss.
DKIM's primary importance: Experts largely agree that DKIM is crucial for deliverability. Some ISPs outright reject emails without DKIM, and email clients like Gmail will warn recipients about unauthenticated mail, affecting user trust. When a choice must be made between SPF and DKIM, prioritize DKIM.
SPF still matters: While perhaps less critical than DKIM, SPF still plays a role. Some older mail servers, particularly Microsoft Exchange, actively check the SPF record of the MAIL FROM (envelope sender) domain and will reject messages if it fails. This underscores the need for both protocols.
TLS/SSL is non-negotiable: Experts universally recommend deploying SSL/TLS on all websites and subdomains, including those used for email sending. With free certificates readily available, there is no justifiable reason not to secure these connections in 2024.
Consistency for all email types: Transactional emails are considered at least as important as marketing emails regarding authentication. They should follow the same stringent guidelines to ensure critical communications are delivered reliably.
Key considerations
Phased DMARC deployment: When implementing DMARC, starting with p=none is critical. This allows for careful testing and monitoring before moving to more restrictive policies like p=reject. This approach minimizes delivery disruption, especially on new sending domains. For a practical guide on safe DMARC transitions, refer to our article on how to safely transition your DMARC policy.
Domain reputation: Spam filters prioritize wanted mail. SPF and DKIM primarily serve to help filters identify your mail stream, allowing them to build a reputation for legitimate sending. Poor authentication can hinder this reputation building, even if content is otherwise good.
Subdomain website resolution: Having sending subdomains resolve to a legitimate website is recommended. It signifies domain ownership and can lead to more traffic and conversions if users type the subdomain into their browser, preventing error pages.
Understanding DMARC alignment: "Aligned" generally means sharing a common parent domain. This flexibility can simplify setup, allowing choices in which domains to sign with while maintaining alignment with the From: address. For further reading, an expert perspective can be found on Word to the Wise's blog.
Expert view
Deliverability expert from Email Geeks states that DMARC is not always needed, but if deployed, it must be done correctly. They warn that trying to deploy DMARC with a p=none policy without correctly aligned SPF and DKIM will create a lot of unnecessary work and potential issues. This highlights the importance of foundational authentication before DMARC enforcement.
17 Jul 2020 - Email Geeks
Expert view
A deliverability expert from Word to the Wise explains that SPF and DKIM are fundamental components of email authentication, working together to verify sender identity. They emphasize that proper alignment of these records is crucial for DMARC to effectively protect against spoofing and phishing.
01 Nov 2024 - Word to the Wise
What the documentation says
Official documentation from email service providers and industry standards provides clear guidelines for setting up SPF, DKIM, and DMARC. These resources emphasize the technical requirements for domain authentication, the necessity of these protocols for modern email deliverability, and the steps involved in implementing them. They often serve as the definitive source for configuration specifics and best practices.
Key findings
Comprehensive authentication required: Major email platforms and ISPs require a robust setup of SPF, DKIM, and DMARC for optimal email deliverability. Messages must pass DKIM and SPF alignment checks to meet DMARC policy requirements.
Specific record types: SPF records are typically TXT records, and DKIM signatures also involve TXT records provided by your Email Service Provider (ESP). These records need to be added to your domain's DNS settings.
DMARC policy for brand identity: Implementing DMARC not only helps prevent spoofing but also ensures that your From: header aligns with your sending domain, contributing to a strong visual brand identity in emails.
Subdomain setup for branded sending: Platforms like Klaviyo often require specific CNAME or NS records for email authentication on branded sending subdomains, in addition to a TXT record for domain ownership verification.
New sender requirements: Recent updates from major mailbox providers like Gmail and Yahoo necessitate DMARC authentication for sending domains, alignment of the From: header with the domain, and simplified unsubscription processes. This applies to all email senders, including those using Klaviyo, as detailed in their blog on sender requirements.
Key considerations
Record placement: SPF, DKIM, and DMARC records must be accurately placed in your domain's DNS settings, usually managed by your DNS provider. Incorrect placement or typos can lead to authentication failures and deliverability issues. To learn more about proper record placement, read our article on where to place SPF, DKIM, and DMARC records.
Alignment is key: DMARC relies on the alignment of your From: domain with either the SPF domain or the DKIM signing domain. Failure to achieve this alignment will result in DMARC failures, even if SPF and DKIM pass independently.
Policy progression: Documentation typically advises a gradual rollout of DMARC policy, starting with p=none to gather reports and identify legitimate email sources, before moving to p=quarantine and ultimately p=reject to maximize protection against spoofing. Our guide on DMARC implementation best practices provides further details.
Troubleshooting tools: Documentation often points to online verification tools (e.g., MXToolbox, although we do not link to external tools) to confirm proper SPF, DKIM, and DMARC setup, allowing senders to check email headers and authentication results themselves.
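The alignment rule above, checked against the Authentication-Results header a receiver adds, shows how SPF and DKIM can both pass while DMARC still fails. This is an added example, not code from the original page or from any ESP; the headers are constructed, the function names are hypothetical, and the four-entry suffix set is an assumed stand-in for the Public Suffix List.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List that real DMARC evaluators use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_auth_results(header):
    """Yield (method, result, properties) for each entry of an Authentication-Results header."""
    body = re.sub(r"\([^)]*\)", "", header.split(":", 1)[1])  # drop (comments)
    for part in " ".join(body.split()).split(";")[1:]:        # [0] is the authserv-id
        pairs = re.findall(r"([\w.-]+)=(\S+)", part)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            yield method.lower(), result.lower(), props

def dmarc_evaluate(header, from_domain, strict=False):
    """Check identifier alignment against the From: domain (relaxed unless strict)."""
    def aligned(d):
        if strict:
            return d.lower() == from_domain.lower()
        return org_domain(d) == org_domain(from_domain)
    spf = dkim = False
    for method, result, props in parse_auth_results(header):
        if result != "pass":
            continue  # only a passing identifier can contribute to DMARC
        if method == "spf" and "smtp.mailfrom" in props:
            spf = spf or aligned(props["smtp.mailfrom"].rsplit("@", 1)[-1])
        elif method == "dkim" and "header.d" in props:
            dkim = dkim or aligned(props["header.d"])
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc_pass": spf or dkim}

# Constructed headers: the ESP's shared domains vs. a branded DKIM signing domain.
SHARED = ("Authentication-Results: mx.example.org;\n"
          " spf=pass smtp.mailfrom=bounce.mailer.example.net;\n"
          " dkim=pass header.d=mailer.example.net header.s=s1")
BRANDED = ("Authentication-Results: mx.example.org;\n"
           " spf=pass smtp.mailfrom=bounce.mailer.example.net;\n"
           " dkim=pass header.d=send.example.com header.s=k1")

if __name__ == "__main__":
    for name, hdr in (("shared", SHARED), ("branded", BRANDED)):
        print(name, dmarc_evaluate(hdr, "example.com"))
```

With From: example.com, the shared-domain message fails DMARC although SPF and DKIM both report pass, while the branded message passes on DKIM alignment alone.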
Technical article
Klaviyo Help Center documentation clarifies that messages must pass DKIM and SPF alignment checks in accordance with DMARC policy requirements to ensure delivery. This underscores the intertwined nature of these authentication protocols for modern email systems.
04 Oct 2024 - Klaviyo Help Center
Technical article
Bloomreach documentation outlines that for SPF, users need to add a DNS TXT record from their ESP settings to their DNS provider. For DKIM signatures, users must copy the DKIM record from their ESP and paste it into their DNS, specifying the exact steps for setup.