What You Need to Know About Email Authentication: Understanding SPF, DKIM, and DMARC
6:30PM Feb 7, 2024
Speakers:
Nathan Ingram
Again, welcome everybody. We are just now about five minutes away from getting started. Captions are coming up here in just a moment. So it looks like we're going from zero up until around six or eight. Yeah, so Vern is up there at eight.
It's pretty good. Very good.
So our goal today is going to be to help you hopefully increase your understanding significantly. And captions are just about ready, should be working now for everybody. So welcome everybody, folks checking in from across the United States and around the world. Our check-in question today: give us, on a scale of one to 10, what's your understanding of email authentication?
All over the board, mostly below five. So the link bundle is there in the chat. You can find today's slides as well as the replay links. Learn more about SendWP; the check-in question is there as well. Hey, Guy from Tenerife. Welcome, Heather from Scotland, BG from Germany, Eddie from Switzerland. Hey Sue, Richard from Philly, Elizabeth, welcome Vern, Wendell, Gerald. Good to see everybody checking in there. Wendell from Salem, Oregon, Jean. Good to see you. Vern says eight, "but I'm always worried that I'm wrong." I get that. Yeah. 100%.
I feel that deeply.
So Matt and I were joking, as we were chatting earlier, about how complicated email just is in general. Some of the most complicated things in the world for us to deal with are email and DNS. And this subject that we're talking about today is the intersection of those worlds. So yes, if you have trouble understanding it, I get it. These are complicated things.
I just need to get into caching and then I've got the trifecta, like the three horsemen of the internet, right?
That's it, right? Yeah. If you get email, if you get DNS and caching right, you know, the world is your oyster. So welcome, everybody. We're just about two and a half minutes away from getting started officially with this live stream with Matt Pritchett from SendWP, all about this alphabet soup of email authentication. He is going to clear up all the questions today, particularly as we're looking down the barrel of these changes from Google and Yahoo regarding DMARC. It's gonna be great. So glad everybody's here. I'm going to drop in the chat once again our link bundle there, and you'll find today's slides, the replay link, and also the check-in question. How do you rate your understanding of email authentication? Give us a one to 10 there. Folks have been checking in with their self-selected rating for the last few minutes here, mostly under five, several higher. I'll look at seven, seven, five. Yeah, so all across the board today, Matt, so it should be a good day. Jana, a zero. Yeah. Jana, you're not the only one at zero level. It is complicated stuff. Several have agreed with you on that. All right. All right. Welcome, everybody. A minute and a half away from getting started. We'll dive in with Matt Pritchett from SendWP here in just a moment. Glad you're all here. We'll take about an hour or so today to unpack this issue and answer your questions. Really glad that you're gonna be with us here for the next several minutes. Just about a minute to go now. "Google Workspace reverse DNS," says Karen. Ah, that's really something. Always a fun one. Indeed, I don't know that we're going to venture into that murky swamp today, Karen. But we'll at least unpack what all these acronyms mean and maybe some of how DMARC works, especially in today's changes that have been announced by Google and Yahoo. Alright, link bundle's in the chat once again.
If you're just joining us in Zoom, you'll find there the link to today's slides if you'd like to download those and follow along. The replay link is there; you can learn more about SendWP as well. And the check-in question: how do you rate your understanding of email authentication? Give us a one to 10 there in the chat. Stacey, you know, somebody said, Matt, I've set DMARC up for all my clients. Now I need to know if I did it right. So there we go.
We're going to talk about how to do that.
Absolutely. So we're just about ready to start, folks. Let me make one little mention before we start the recording and get going live here. Several of you in the chat, it says "host and panelists". If you want everyone to see your chat, above the place where you type in your message, just drop down that and choose "everyone". All right, I've got three minutes after, so we're gonna get the recording started and dive right in. Well, good afternoon, good evening, good morning to you wherever you happen to be around the world today. Welcome to another Solid Academy livestream. My name is Nathan Ingram. I am the host here at Solid Academy and I'm joined today by Matt Pritchett from SendWP. Matt, how's it going today?
I'm doing really well. How about you, sir?
I am well. We've been really looking forward to this topic. A lot of folks have read the news recently from Google and Yahoo about these new requirements for DMARC. And, you know, I was looking around, who can we get to talk about this that really knows what they're doing? And Matt Pritchett was the answer to all those questions. So Matt, tell us a little bit about you and what you do there at SendWP. Yeah,
so I was thinking about this question coming up and it made me feel very old, because I've been a software engineer now for going on 17 years. I started with SendWP here five years ago now, coming up on five years. SendWP is a transactional email service for WordPress websites. We take care of your password resets, your Solid Security email notifications, those kinds of things. And my official title is managing partner, and that is just a fancy way of saying I take care of everything that no one else wants to. So you'll see me setting up DNS records and answering support tickets and doing plugin feature development, a little bit of everything. Yeah. That's basically what I do every day. Yeah.
So you said that SendWP is a transactional email service for WordPress websites. Tell us a little more about what it is that SendWP does.
Yeah, so at a very high level, your WordPress website is probably not set up to send email very well. It may get by now and then. But especially with these new rules that we're going to talk about today from Google and Yahoo, it's already hard to send an email without another provider, but it's gonna get harder. And so what SendWP does is we bypass how that mail goes out from your server, and we take that to our servers and send it on your behalf, and make sure that you have all the records in place that you need to have, and that it's formatted properly, all these kinds of things. We help ensure that it gets delivered into the inbox as much as we can. And so we do specifically transactional email. A lot of people ask, what does that mean? So marketing email, bulk email, these are not things that we technically do at this time. But we handle ecommerce receipts and email form notifications and password resets, these kinds of things that rely on a transaction to occur.
Yeah, absolutely. And so Matt, you are neck deep in this world of making sure email gets delivered. And I really appreciate your time today as we unpack all these acronyms and how they work and what they mean for folks that are doing WordPress for themselves or doing WordPress for clients. So just a couple of notes as we get started here, folks, and then I'll disappear and let Matt take over. If you have questions along the way, please use the Zoom Q&A link. If you mouse over the shared screen, you'll see the Zoom menu bar; one of those icons should be Q&A. Just pop that open and keep it open. And if you have a question that you want to ask, just drop it in there in the questions. Also, if you see somebody else ask a question that you also have, just press the little thumbs up icon under that question and we'll take the questions in the order of upvotes at the end today. If you're just now joining us in Zoom, we welcome you; we're just about to dive into this content. I've dropped in one more time today the link bundle, which contains today's slides. Also the replay link: we'll have the replay up along with the chat log and the transcript at about three o'clock Central time, so roughly an hour after we finish today. And if you want to learn more about Matt and SendWP, the link is there as well. If you're watching this on the replay, just right below the video you'll find the link to download the slides or view the transcript or chat log as well. All right, so with that, Matt, I'm going to disappear and let's get started talking about email authentication.
All right. Well, thank you, sir. So like we already said, we're here to talk about email authentication today. Kind of understanding what SPF, DKIM and DMARC records are, what that alphabet soup stands for, and why it's important to you, your clients, your business, just your email in general. So let's talk about why most of you are probably here. I would guess a large majority of you got an email or saw something on a blog that said, hey, Google and Yahoo are about to make email a lot more difficult. And to some degree, that's true. Google and Yahoo both announced late last year that they were going to start enforcing authentication on email servers that sent to their customers: a Gmail address, a Google Workspace address, a Yahoo address. And between the two of them, mostly on the Google side, they own about 50% of all the email inboxes worldwide; those are through those two services. So we're talking a large part of the global email infrastructure. And so that happened late last year, they announced that, and then here starting February 1, they started to roll these changes out. It wasn't a hard fixed deadline, but they started to roll them out on a slow basis. And we'll go over that in more detail here in just a second. So let's talk about what the changes actually are. The coming changes are to varying degrees. There's a little bit of nuance here, but for the most part, these are going to count for people sending more than 5000 emails per day. If that's not you, these are still good ideas. These are still things you should probably be doing, because they lead to more secure email. They lead to a lack of spoofing, that kind of thing. And we'll go over that in a little bit more detail here in a minute. But you technically don't have to comply with these changes. Again, 5000 emails adds up quick, quicker than you might think. But if you're sending less than that, these are good
suggestions, but they're not going to force you to comply with them at this time. So those changes, what do they look like? You must have a DMARC record. This record is basically a gatekeeper that we'll go over in more detail in the next couple of minutes. But that DMARC record is kind of the barrier to entry. It's the big thing that everybody probably should have. Those messages that you send out must pass through the DMARC policy, either because you're on a monitor-only policy or through SPF, DKIM or both, but they must pass that policy. If they don't, they're going to get rejected. Mail servers, and this one probably no one's going to have to face today, but if you're creating your own mail servers, you're not sending mail through a third party service, you've got your own mail SMTP server set up, you've got to have a PTR record. I know somebody mentioned reverse DNS; this is where that comes into play. So you must have that PTR record, but again, that's only if you're sending mail from your own servers. And that's generally going to be more corporate and enterprise networks. The fourth one is pretty basic: don't send spam. Yahoo and Google are kind of saying how this is going to be viewed a little bit differently, but overall you want to shoot for less than a 0.3% spam reporting rate. The next item is your messages need to be properly formatted. There's a spec, but if you're sending messages from WordPress, or you know you're sending things like MailChimp for your marketing emails, this is already going on in the background. You don't really have to worry about it. But if you're creating emails from scratch, the actual objects in code, then it needs to match the spec. The next item is, hey, don't spoof or pretend to be Google or Yahoo email addresses. If you're sending from something that's not one of those, don't pretend to be that. We'll go over how that can play out
and more nuance here in just a few minutes. And then the last thing is, if you're sending bulk emails, you need to have a one-click unsubscribe. So these are more your marketing emails than they are your transactional emails. But it is really important. I know probably most of you have tried to unsubscribe from some large corporation's emails and you get a notice that's like, we'll try to unsubscribe you maybe in like seven to 14 years. That's always super frustrating. And so Google and Yahoo are trying to make that a little bit better. So they're basically forcing everyone to have one-click unsubscribe, and it has to actually unsubscribe them within two days. I believe that's business days, but the plain wording is days. So when are these changes coming? Let's talk a little bit about that. Start with Yahoo, since that's kind of the smaller one. Beginning as of February 1, Yahoo is enforcing these standards for all senders. You have to properly authenticate your emails. That's where the DMARC, DKIM, SPF come into place. And you have to keep your complaint rates low. That's where the "don't spam people" comes in. And so if somebody chooses to lodge a complaint against your emails, they keep a track of that. And if you get enough of them compared to the amount of emails you send out, there are going to be consequences. They're going to start banning you, they're going to block traffic to Yahoo email addresses. And then kind of the second tier is, again beginning February 1 for bulk senders, they're gonna be stricter about things than they are for transactional emails. They're gonna make you authenticate with both SPF and DKIM records. You're going to have to have a published DMARC policy. And you're going to have to have really easy one-click unsubscribe starting in June.
So that one's rolling out a little bit later, because it's going to take some of the larger corporations a little bit longer to kind of get their acts together. And so that's how Yahoo is rolling this out. I'm pretty confident at this point, as is most of the industry, that there are more rules and rollouts coming for Yahoo, but at this point this is all they've published. Alright, so let's talk about Google, because this is the one I'm sure everyone's afraid of. Because Google, you know, let's face it, probably a large number of emails on your list are Gmail addresses, or Google Workspace addresses with their own domain. These apply to both. So starting February 1, so earlier last week I guess, bulk senders have to meet these requirements, which we've already talked about, and if they don't, they're going to start kind of incrementally forcing compliance. So at first with Google, if you have non-compliant emails going to Gmail addresses or Google Workspace addresses, they're going to start giving errors on a small percentage of those emails at first that are non-compliant. This is to kind of say, like, hey, you should see these errors, and you need to do something about this. We're not going to start banning you or rejecting email or anything like that. But the errors will have messages in them telling you what's not happening. So you should be paying attention to your errors if you're using a mail service out there. They should be showing you these errors. And it should have information about what is in non-compliance and how you can fix that. And then beginning in April of this year, Google is going to start rejecting a certain percentage of that non-compliant traffic. So no longer are they going to give you errors and say, hey, you should really think about doing this. They're going to start rejecting a percentage of that.
And so a certain percentage of the mail that comes through to Gmail and Google Workspace addresses is just going to fail. And so even if you have a large percentage of compliant traffic, compliant emails, but a small percentage is non-compliant, they're going to start blocking a percentage of that. And then beginning June 1, you will see that the bulk senders have to implement that one-click unsubscribe like we talked about. Oh, and I should also mention on the April 1 percentage, they're going to slowly increase that percentage over time until it's 100%. So it's not just a small percentage, "I don't have to worry about it." It will get worse and worse. And they've not really published a good calendar of how fast that's going to occur. I would suspect that it's going to be based on how it goes. But only Google knows that really, internally, at this point.
So I can see that a lot of you might be freaking out a little bit. Oh my gosh, what do I do? This is going to break my email. I'm going to lose all my customers. I'm not going to be able to email market. None of that is true. We're going to get through it. We're going to talk through what all this is and how it works, and we'll get you to a place where you're compliant and you don't have to worry about this. So let's talk through that a little bit. Let's start out with what those three acronyms are and why they're important. And I want to start first with DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. And that's a mouthful, even without being an acronym. But all this really means is that your domain can have a DNS record that does three things. One, it provides authentication for emails. It provides reporting on how those emails are passing or failing. And then it provides you some steps to make sure that those things are conforming to that specification. And so let's talk about what a DMARC record looks like a little bit. I've already seen a typo, as happens sometimes: there should be semicolons after the DMARC one and the p equals none. That's my bad, but this is kind of the most basic DMARC record you can have. DMARC records: the name value, um, we're probably going to see a few people who are used to DMARC records. Your name value can be a few different things; different hosts label it differently. Thanks, Nathan, that's exactly how it should be. Different hosts label this a little bit differently. The most basic variation of this is an at symbol on a DNS record, and that simply just means your domain. So if your domain is google.com, then at is a reference to google.com. It's an easy way to show that without having to type it out every time. And then the value is just v=DMARC1 and p=none.
And we're gonna go over what all of that means and what the other options are right now. So, DMARC directives. Varun, thanks for that; a DMARC record, he's correct, is a TXT record. We're going to talk about the difference in those, TXT, CNAMEs, all these kinds of things, but for the most part these records are all going to be TXT records. So, DMARC directives. Let's start out and break down what each of these directives is and what it means and what it does and all of that. So v=DMARC1: this is just telling everyone that this is a DMARC record and what version of the specification it is. Thankfully, right now there's only one, and so it's going to be v=DMARC1 every time. So pretty simple. Again, it just tells you this is a DMARC record. The second one is p equals; this is a policy directive. It indicates what action servers should take when an email fails the DMARC authentication. And so basically, when an email comes through, if it fails DMARC's policy, what happens? And I just realized I skipped a slide, so that's on me. But I do want to briefly back out and talk about it. DMARC overall is a record that basically acts like the bouncer at a nightclub or a party or something like that. DMARC records are the high level: this is who's allowed to send email from this domain, this is what you do in cases where someone tries to get in that isn't allowed to send the email, and this is the list of people who have tried to send email through your server that aren't allowed. So you can think of it kind of like a bouncer, and it works in conjunction with the other records that we're going to talk about. So sorry, I missed that earlier. So back to our DMARC directives. So the p equals, the policy directive, again tells what action the email server should take if an email that doesn't pass through that bouncer arrives. And so you can have three options.
You can have three options here. None, and this is again like we saw in that super simple record: p equals none basically means, hey, this DMARC record is monitoring the traffic only, and you can do reporting and that kind of thing, but it's not going to take any action to block anything that fails. Then you're gonna have quarantine, so p equals quarantine. Any email that fails the DMARC, that the bouncer goes, nope, this doesn't belong, it's going to be moved into quarantine. So for most email providers, for most domains, that means it ends up in spam. There are some edge cases on corporate and enterprise networks, or if you have a custom setup, where that can do other things. But for 90% of use cases, this is going to end up in spam. And then reject, so p equals reject. If your mail doesn't pass the bouncer's tests, it's just gonna get rejected and not delivered at all. And so those are the three levels. Each of them is extremely useful in its own regard. p equals none is a great place to start for a lot of people that need a DMARC record to comply with Google and Yahoo but aren't sure exactly what their needs are yet. p equals none is a great way to get started. p equals quarantine is great for, I need to get deeper in on this, but I'm not exactly sure that I want emails to be failing outright. And then p equals reject is what a lot of networks use to say, like, hey, if you're not matching our traffic, we don't want you to send an email on our behalf. Stop it. So those are three different levels. They are all valid in specific use cases. Most of the time, in the traffic we see at SendWP, we see a lot of p equals reject and a lot of p equals quarantine. They kind of go back and forth depending on the use case, but we see equal amounts of either. All right, so let's move on to the subdomain policy tag. This one is very similar to the p equals, but it is specifically for subdomains.
And really the only valid directive value here is reject. This is for if you need to tell your DMARC to behave differently for subdomains, which is kind of an edge case to begin with. But there are valid use cases for it. This is how you can do that. Otherwise your p equals domain, if you do not have the sp equals, will apply to all subdomains as well. The sp, the subdomain policy directive, gives you the ability to set that custom. Alright, so moving on to something that's probably a little bit more useful is the report aggregate directive. This one is super useful, especially when you're getting started. This one basically allows you to set an email address that you get aggregate failure reports for. And so they're not going to be super detailed on why they failed. They're not going to look into all of the headers and all of that, but you are going to get some pretty good information about, hey, for this week, for this month, for this day, this is all the failed emails that you're getting, and where they're coming from, and a few other things about it. Super useful information. I highly recommend you set this up for your domains. Even if you don't think your email addresses are being spoofed, or you're having troubles with spam. Absolutely, you should be using it in those cases. But I recommend you set this up for all domains just so you have it in case things do start to happen. Email spam can happen at any time, to anyone. And so you want to have a record of when the problem started, and why, what's happening. So basically, you'll get a report in your email that has, like, hey, for this time period, here's who came through. Here's who was good. Here's who was bad. Here's where they came from, that kind of thing. And there are lots of services out here who will do this as well, but you can do it yourself with a simple DNS record.
And so you can send that aggregately, as opposed to the next one, which is more forensic reporting. And this is, hey, if you have a problem, if you're starting to see, like, your emails are getting rejected because you have massive spam problems, or you're getting spoofed emails, like phishing attempts or something like that, this is a record that I would turn on in that case. Because this record, just like the aggregate reporting directive, allows you to see what's failing, why, where it's coming from, that kind of thing, and it gives very in-depth reporting about it. Now, the difference between them is the aggregate reports are daily, whereas the forensic ones are in real time. There can be some issues with the real-time ones in certain scenarios. I've seen them get super delayed, but for the most part, they're in real time. And so if you're troubleshooting a specific issue, absolutely use these forensic reports. Alright, so our next directive on the DMARC record is going to be the percentage tag. These are kind of like what we talked about earlier with Google, how they're going to block a certain percentage of traffic and that's going to increase over time. This allows you to only apply your DMARC record to a certain percentage of traffic. You can do 25%, 50%, 53%. You know, you can step it up over time if you're scared, if you're nervous about applying your DMARC record. If you have a really strict one and you're really nervous about that, you can apply it to a small percentage to start off with and see how that goes, and then step it up from there. This is just another tool to gradually increase how strict your record and your security is over time. By default you don't have to put it, but if you don't, it'll be 100%. It'll just apply it to all the traffic. Alright, next, adkim. I almost always stumble over that for some reason.
So this is essentially the alignment mode for your DKIM record, which we'll go over here in a moment. This tells your DMARC, your bouncer, your security, what to do about the DKIM record. It has two possible values, r and s: r is for relaxed, s is for strict. In relaxed mode, your emails, as long as they're signed by some sort of domain that relates to that domain, subdomains or the actual domain itself, will pass and be great. In strict mode only the exact domain will pass. So if you have email.yourdomain.com and you have strict mode on, that's not going to pass. And so it's really important to understand the difference there. But to be honest, there are use cases for these that are both equally valid. For a lot of people, relaxed is just fine. In fact, I would say for most cases, relaxed is fine. But if you're having issues or you have a very complex DNS setup, strict mode might be for you. The SPF record directive is very similar to the DKIM one, except it applies to your SPF record. Again, we're going to go over SPF here in just a second. But it can be relaxed or strict, just like the adkim directive can be as well. So that's DMARC in a nutshell. And so, again, like we discussed, the very simplest record you can have is v=DMARC1 and then p=none. That record at its very core is going to make you compliant; however, it's not going to really do much. And so my recommendation is going to be to kind of explore what your email sending infrastructure looks like, who all is sending emails on your behalf. What third party services do you have? Do you have things like Google Workspace? Do you have complex email environments? Who is sending email for you? Get an understanding of all of that before you go deeper on DMARC. Alright, so let's move on to SPF records. SPF stands for Sender Policy Framework. SPF records are kind of like the guest list,
if we continue with our nightclub party metaphor. SPF provides a list of, here's who is allowed. And SPF records are great. They're super helpful in establishing a baseline of security around your email domain and your domain. But I caution people not to use them alone. SPF is great, but it's best when used in conjunction with DMARC and DKIM. And so let's look at what an SPF record can look like in its basic form. Alright, so similar to the DMARC record, this is what a super basic SPF record should look like. An SPF record is a TXT record. As mentioned previously, most of these are going to be TXT, and it's going to have a name or hostname. Again, different domain registrars and DNS services talk about that differently. That is going to be your domain. So if your domain is mycompany.com, the name/host is going to be mycompany.com. But another way of saying that is the at symbol. And so the value, this is a very basic one, is v=spf1, the a and the mx directives, which we're going to talk about in just a second, and then a tilde all (~all), and we're going to talk about what that means in just a second. So let's go deeper on this one. Just like DMARC, SPF has a kind of prefix tag that tells all the services that are looking at it out there, this is an SPF record. It identifies it right from the start; it has to be at the beginning of your value for that record. Super important. Again, this is the first SPF specification, so it's spf1. They're leaving room in case they have to do more in the future. But for now, there's just the one. Another thing that I want to mention about SPF records and DMARC records is you really should only have one of these SPF records. I see all the time that people have like six or seven or more SPF records.
And the reason for this, that it's really a problem with SPF, is because you have a lot of services that you use to send your email, things like MailChimp or SendWP or Postmark or any of these other services out there that send email on your behalf and ask you to set up this record so that they can do so securely and make sure that you have good deliverability. They just ask you to add a record. The problem is that the spec says that you can only have one of these, and a lot of services don't want to do the work of figuring out if you already have a record and then telling you how to combine them. And there are lots of reasons for that, and a lot of them are good, because it can be complicated and it can cause problems if they don't get it right. And so you need to have only one SPF record, and basically how you combine them, at a high level, is you have the v=spf1, and then all the directives that you need to include after that, with a space in between them, followed by your all directive. And so we'll go over what that means in just a moment. But again, it's really important that you only have one, because for the most part, if you have more than one, they're just going to get ignored. They're going to read the first one that they come across and the rest of them are going to get ignored, and so you're not getting the benefit of doing that work. Next, the a directive. This allows you to send the mail; it tells everyone looking at this SPF record that if you have an A record in your DNS records, or an AAAA record in those records, that anything, any IP address or domain, tied to those is allowed to send mail on your behalf. That's why it was in my most simple record, because you almost always see these in SPF records. Because you want to be able to say, like, oh, I have a subdomain over here,
I want that to be able to send mail on the behalf of this domain, but I don't want to have to, every time, add both the A record in my DNS and also add it to my SPF. This is a quick way to just say, anything that has an A record in my domain is also allowed to send mail.
MX record. So if you've ever set up Google Workspace or anything like that, you've probably messed with MX records. MX records are basically a type of record that says what happens with incoming and outgoing mail, where it goes, where it should be processed, that kind of thing. The mx directive in an SPF record is very similar to the a directive, in that it tells someone looking at the SPF record, anything that has an MX record on my domain is allowed to send mail. So again, this is part of the most basic record. It's not technically required, but the use cases where you're not going to use this are pretty low.

The next one, ip4, basically says here is a list of IP addresses that are allowed to send mail. You see these occasionally. Mostly you don't see these; mostly you see includes, which we're going to talk about in a second. But this is a way to say this IP version 4 address has permission to send mail on my domain. Same thing with ip6. A lot of consumers aren't using IPv6, at least at the top level, and maybe underneath most of you use IPv4. There's no problem with that, but this gives IPv6 addresses the ability to send mail.

All right, the include records. This is what I most often use in my daily work. This is basically a pointer directive that says, hey, this is my SPF record, but also use the values in their SPF record. So if you've ever set up SendWP, Gmail, these kinds of things to be used from your domain, you will see an SPF record that they will ask you to implement that has this include for their domain, because they want you to be able to quickly add it without having to add all of the IP addresses that they need you to add. So they just say, hey, add this include, and this include points to our SPF record and all the values there. So it's a quick way to allow a customer or a client, something like that, to update their SPF to allow mail from all the things that you need them to allow mail from.

All right. So finally, I've seen a few questions about the all and why there's a hyphen versus a tilde and a few other things. I'm going to answer that right now. So the all directive goes at the very end of your SPF record, and it can have a dash or hyphen, a tilde, or a question mark in front of it, and these all mean different things. So you have this long SPF record that has an a, an mx, and maybe some includes, maybe some IP addresses, and they're all telling who is allowed to send email on your behalf. The all directive is for: what about the people that aren't listed? What if somebody tries to send email that isn't on this list? What do we do? So these are the three kinds of options. The dash or hyphen, -all, is only going to allow from the things that are listed. Everything else gets rejected. The tilde, ~all, is going to soft fail the others. So we talked about quarantining earlier; this is kind of like that. This allows the email recipient to decide and say, this is suspicious. We don't know where this comes from or why it's being used to send to our domain. You deal with it. So a lot of places have started to block this, but Gmail and most others are still saying, like, we'll probably just put this in spam unless we know it's malicious. Because they have billions and billions of data points on what email addresses are bad, what are good, who's spoofing, who's not, all of these things. So you're basically saying, you guys figure it out. This is actually the directive that we recommend at SendWP, just because it doesn't outright reject things that might be legitimate but we're not sure about because the record hadn't been updated. But we also see a lot of other services that recommend -all.
So it's really the amount of security that you want and the amount of risk that something legitimate gets blocked that you're willing to take. And then last, the one that I have never seen in the wild before but does exist is a neutral policy, which means, yeah, we have this long list of SPF records and we tell you exactly who we want to let through, but really, we don't care. Just let everybody through. It doesn't matter. Nothing matters. It's anarchy and chaos. Again, I've actually never seen this one in the wild, but it does exist, and I'm sure someone out there is using it.

All right, DKIM. So this one is fairly complicated and is really outside the scope of this talk. But DKIM stands for DomainKeys Identified Mail, and that is a very weird word jumble. Basically, if you've ever used an SSH key or something like that, DKIM is a way to have a record and a public key and a private key that sign your emails, that create a very secret token based on each email, and then compare it to those keys to say whether it is actually being sent by who it says it's being sent by. This is why it's important to use with SPF, because SPF basically says, okay, here's the list of who can send, and a DKIM record guarantees that it was sent from that person and that the content of the email has not been changed in any way. This is something that you would need to set up if you're running your own email servers, if instead of using someone like Mailgun or Mailchimp or SendWP you're going to set up your own service. This would be semi-complex to set up, because you have to understand how the signing works and apply it to each message. But the good news is that for everyone else, this is pretty simple. You set up a DKIM record just based on the instructions that that service gives you. And that's basically going to look like this.
Now, I'm probably going to get a few of you who have implemented DKIM records before saying, ah, this is just a TXT record. And it can be; that's totally legitimate. My recommendation is always going to be a CNAME for this, because it is more respected, and these started out as CNAME records and they've been slowly moving to TXT records over the years. So you can do either; it's up to you. They will both work. We recommend CNAME records for a couple of reasons, mostly because they're the more reliable of the records, and especially if you have a lot of TXT records, this can cut down on some of the time that it takes to resolve your domain and your emails and that kind of thing. But this is what that record will look like when you do implement it from your third-party service. It will generally have a host name that looks like servicename._domainkey.yourdomain.com. Just so you're not surprised, certain registrars and DNS services don't let you do the yourdomain.com part. They will either reject the record outright or they'll magically erase it when you save, which causes tons of support requests, which are totally understandable, because it's like, I tried to do the thing you asked me to do and it just disappeared. I don't know what happened. That's the thing we're seeing more often these days with domain registrars, not all of them, but a good number of them. So for SendWP, sendwp._domainkey would be ours. And then it's going to be that type of record, and the value is going to be DKIM. A lot of times there are lots of different values for DKIM records. I'm giving you an example that we see a lot, which is dkim.servicedomain.com. So again, DKIM records are super helpful. If you're using an SPF record, you should probably use a DKIM record as well. Again, they provide a guarantee that, hey, this email's content hasn't been changed, that somebody didn't intercept your email, change it to be malicious, and then keep sending it on, and that it came from who it said it came from.

Kind of simultaneously, I see somebody talking about rotating the key. So most mail servers are rotating keys pretty regularly. There are a few providers out there that refuse to, but they're kind of on their way out, so you don't really have to worry about that. If a service provides you with a DKIM record, you should install it, because it will help in a monumental way with your email security.

All right, so those are kind of the major directives and the major pieces. Hopefully this has helped unjumble the word soup that is DMARC, DKIM and SPF a little bit. Really quickly, I want to hit on some best practices for these things, because this is a lot of information. This is a very technical, wordy talk and discussion. So I want to talk about some really high-level best practices that can get you started today.

Start small. This is good advice in a lot of things, but for DKIM, DMARC, SPF and DNS in general, this is always going to be my advice: start small. You don't have to go today and create the super complicated records. You can start with the best practices, the small set that we talked about in my slides. You can start with small records that aren't going to break things. Yeah, I like that. Stacy mentioned, "One does not simply jump to p=reject." I love the Lord of the Rings reference there. That's excellent. This is what I recommend you start with. This is a DMARC record. You could go add this in the next 10 minutes to your DNS records, and the only thing that would change is that you would get an email every day. And obviously you should replace the email address I have here with your email; this one will go nowhere, or you'll send it to somebody who's going to be really confused. But replace what's after the mailto: with an email address that you want it to go to. This will allow all mail through, but it will also comply with Google and Yahoo, and it will send you aggregate reports. So this is an easy way to get started. Please, I beg of you, do not try to go and implement every single thing that I have shown you today in the next five minutes. I don't do that. When I get a new domain that I'm sending email from, I use a sliding scale: I start small and I move to the most strict thing that I need for my scenario.
Because you probably don't need every single one of these directives across all three of the types of records. Your use case may need that, but it may not, so you want to start small and gradually add.

Second piece of advice: start in this order. Start with an SPF. This is where you're going to do your research of, hey, who's sending email? What subdomains are sending email? What services that I pay for are sending email? Who is sending email through my domain that I want to be able to send? Start building that list and then translate it, based on what we've talked about today, into an SPF record. And if you already have an SPF record, combine it; don't create a second one, like we talked about. Next, see what services you have that offer DKIM records and implement those. And then finally, once you have those two set up, then do your DMARC. I was talking to someone on Twitter a couple of weeks ago who is really talented and builds stuff on the internet, knows development really deeply. She saw that I was going to give this talk and she said, you should tell people not to do their DMARC first, because I made that mistake. I set up my DMARC record and then suddenly no email was sending. And while I was trying to figure out my DKIM and SPF, we just weren't sending out emails, so our customers weren't getting their support tickets responded to. We sent out, you know, 50,000 marketing emails that just went nowhere. It can be really, really bad if you set up a DMARC record that blocks stuff, or that says, look at the SPF and DKIM records before you block it, if you don't have those tags. So this is my recommended order for folks: start with your SPF, then move to DKIM, and then finally do your DMARC based on the SPF and the DKIM record. Again, if you start small with your DMARC, it shouldn't cause a problem. But I know that you're gonna go do this and get all excited and you're gonna be like, I'm gonna block this so we don't get spoofed, and all of this, and then if you don't have these things in place, it's going to get blocked and you're not going to know it, because it's going to be failing silently unless you have those aggregate reports on.

All right, next: test. Always. There are lots of tools out there to test your DMARC, to test your SPF records. There are lots of services out there, literally a Google away. This isn't like, oh, he's not going to tell us because he wants it to be a secret. You can literally Google it, and there are thousands and thousands of reputable services that will test your records and go, yeah, this looks great, here's what it's going to do. One of my favorites is called MXToolbox.com. I highly recommend them, but again, their interface may not make sense to you. There are lots of them out there that all work basically the same, that look different, that feel different, that work for different people's use cases. But test everything. So any time you make a change, try to go send an email. That's the easiest way to test this. If you change your DMARC, go try to send an email from Mailchimp, go try to send a password reset from WordPress, these kinds of things. Thanks, it is MXToolbox, you're right. But send tests, and this is true in, let's be honest, a lot of technical things: you change your cache, you should probably test; you update a plugin, you should probably test. So test always. Any time you make a change, send some emails from several different places to make sure they're not getting blocked. Make sure you're getting those aggregate reports, and if you do notice an issue, turn on the forensic reports; you can get them really quick. But test, test, test. And then last but certainly not least: when in doubt, quarantine. And I know the records may be relaxed or quarantine.
Different directives have different versions of this. But when in doubt, don't go as hard as you can. Make sure it's relaxed. Make sure it's quarantine instead of reject. You want to be careful. We don't want you to be afraid, but we want you to be careful, because you do have the possibility of rejecting emails and not knowing about it if you're not getting those reports. So you want to start small, and you want to start with things like quarantine or relaxed mode. It's giving you a way to test it out without actually rejecting things and just never finding out about it. A company I worked with previously had strict records for all of these things. And they were like, man, we only get like one or two support tickets a day. It's awesome. We have the best product that never breaks. Come to find out, they weren't getting all of their emails. They were getting like 10% of their support tickets, and like 90% of their customers were just reaching out going, it's broken, and it was vanishing into the ether. So when in doubt, quarantine.

All right. I want to thank SolidWP and Nathan really quick just for allowing me to come on and talk about this. This is something that I deal with every day, and I love talking about it. I love explaining it to people. My name again is Matt Pritchett. I am @MrPritchett on Twitter and LinkedIn and basically everywhere else on the internet. I'd love to chat, I'd love to say hi. Again, sendwp.com is where I do my business on the daily. But if you ever need anything, have a question about email, I'd love to chat. Email, Twitter, LinkedIn, SendWP has a contact form, all of it. Would love to chat.
Matt, this has been great. So Sue, who's one of our regular audience members, measures the technical complexity of our live streams by how many M&Ms she consumes in the hour. And so it was a high M&M consumption hour, but really, really good information. Thank you so much. We have 36 questions in queue. So folks, I noted in the chat a bit earlier that there's no way we can get to all those questions; we'd be going for another hour at that point. So what I would encourage you to do while we pause just for a minute to talk about SendWP is open up the Q&A, scan the list of questions, and upvote the questions that you want to see answered, and we'll do this as democratically as possible. So as folks are taking a look at the Q&A, Matt, we talked a little bit about SendWP at the beginning of the hour. Several folks joined us late, so: SendWP is a transactional email service for WordPress. Give us just a little quick pitch about that and the offer that you have for folks that are watching.
Yeah, absolutely. So again, SendWP is a transactional email service for WordPress. We don't handle your marketing, bulk email, that kind of thing. If you're looking to send, you know, "Black Friday, we're giving 80% off" or whatever, that's not what we focus on. Our focus is primarily on your transactional emails: your email actions from your forms, your e-commerce receipts. I know Solid Security sends out emails for when things are going wrong; we handle those emails for you. We want to make it as easy as possible for your transactional emails to get delivered, and so we've spent a lot of time and energy making that process super simple. Your host probably doesn't want to be in the email business. There are a few out there, but they don't want to be in that game, because hosting is complex enough. So we want to take that load off of them and say, hey, we can get your emails delivered for you. We have an offer: our service is $9 a month, but your first month is $1. And I know I'm gonna get this question in the Q&A if I haven't already: why is it $1? Honestly, the easy reason for that is that we used to have a free offer and we actually had to shut it down, because spam was a massive problem. We were getting inundated with spam people, and we were blocking a large portion of them, but my hair was turning gray and falling out and just horrible things were happening, because I was staying up all the time dealing with spammers. So $1 for your first month. We do have an annual plan that is $99 a year, but a large majority of our people are on the $9 a month. No contracts, nothing like that. I tell people this: I'm not a hard-sell guy, I never have been. I'm in this to help people. So if we can help you, I'd love to, but at the same time, I want you to get the best solution for you. So if we're not the best solution for your needs, I'm going to tell you that straight away and recommend somebody who can help you.
Right. So Matt, thanks so much. And folks, you see how helpful that is. If you're looking for somebody to partner with you to help with your WordPress email, SendWP is a great option. And there are also partnership opportunities if you manage a lot of websites, that sort of thing. Just reach out to Matt and you can discuss all those specifics. So Matt, I want to be respectful of your time. We are just about to tick up to two o'clock Central time. Are you okay for about 10 minutes of Q&A here? Okay, awesome. So we'll respect your time and take about 10 minutes' worth here. Because we now have 36 questions open, let's try to do quick-fire questions and answers. Some of these may not be able to be answered succinctly, but we'll give it a shot. Okay, first question, from Jeffrey: I thought the TXT record was supposed to be _dmarc.mydomain.com. Is the @ better, or should we set up both?
It depends is the answer. Certain registrars like it certain ways, and overall, if you can, do the _dmarc. In fact, I see a lot of people moving in that direction. So I'm going to actually change what was on my slides, and I would actually recommend that, just because it's kind of becoming the new standard.
All right, good information. Lisa: how often do the SPF, DKIM and DMARC settings need to be reviewed or adjusted?
As with most things, it depends. If you don't send a lot of emails, you can probably get away with, like, I have a couple of friends' businesses where once a quarter is probably fine, every six months if you're not noticing problems. And then I have people that I know that send like millions of emails per day, and we work on checking them like once a week or more, because the situation is fluid. Who's allowed to send may not change, but how you want to block the bad actors that are trying to send through your domain, that may change. So that's really the part that you have to focus on. When you sign up for a new service that sends email, change who's allowed, but you want to change what's happening to the bad actors as it fits your business, and you want to review that regularly.
Yeah, great answer. Melanie's question: if you're using multiple services, like a transactional email service and an email marketing service, or for another reason you might have multiple DMARC records, do you combine them? Should you only have one DMARC record?
It is a complex answer.
Are you an attorney? Come on, are you
just the worst? You can technically have more than one; that is allowed by the spec. However, it is always going to be my recommendation that you have just one and you combine them. Yeah, good stuff.
This is a complicated topic. Yeah. Okay. Sue's question: you talked about, in the DMARC record, there was the rua option. Does the email address that receives the rua report have to be on the domain that the DMARC record applies to?
Technically, no. I would recommend that it does. Yeah, this is a hard one. It doesn't, but it should be. You can send it wherever you want, and you can actually, I didn't show this here, you can actually send it to more than one email address. The way that you do that is, oh, it's escaping me at the moment. There's a way to do multiple of them. Google it. I can't remember if it's a comma or a semicolon.
And I will say, and I mentioned this in the chat earlier, I've had great success using ChatGPT to combine SPF records, or in this case maybe to combine some DMARC records, or at least get you moving in that direction.
Yeah. And the key there, and it's funny, I do this for a living and I've started doing that too, just because it makes it easy. The key there is you don't want to just take it at its word; you want to make it explain it and say, hey, put these together, combine these, write a record for me and then explain it, and then also tell it, while explaining it, if you come across an issue, admit that, because it will skip over when it's lying to you. But if you tell it to admit it when it finds an error, a lot of the time it will find it and go, oh, I made a mistake, here's the actual thing. Really good. Really good.
Okay, let's see, question from Sherry: I'm having an issue getting Google Workspace email to authenticate. I added a TXT record they provided for DKIM, and after 48 hours propagating it still doesn't work. What can I do to troubleshoot this?
I would start with MXToolbox. They have a DKIM checker. You have to know both the hostname and the value in order to use that tool for DKIM, but if you can do that, that will tell you if it can be seen from the public internet. If you're using something like Cloudflare or a custom DNS setup or name servers, that can oftentimes have problems with that. So check that your DKIM is visible from the public internet, and if it is, resubmit it to Google. They occasionally get this wrong, but a lot of the time the issue is that you've got a custom DNS setup that means it can't be seen from the public domain.
Yeah, good. And that's the website I just dropped into the chat that's been referenced several times: MXToolbox.com has a wealth of information and tools to help debug a lot of this stuff. Question from Jeffrey: is there a limit to how many sites are in your SPF record? I remember getting a warning at some point that I had too many.
There is. I don't have the limit in my brain as a thing I could just spout off the top of my head, but there is. It's a lot. I want to say it's 36,
but a quick Google search is showing 10. 10, some folks in the chat are saying that as well.
See, you guys are way more on the ball than I am. Yeah, so you do have to be careful, and that's where those a, mx and includes come from. They are an attempt to cut down the size of adding just infinite ip directives. So if you need to add more things and you own those IP addresses or something like that, add an A record to your DNS and then just use the a, and you only have to write one for an infinite number of DNS records. Yeah, Stacy makes a good point. There's a 255 character limit to lookups. That's correct.
Yeah. So it all kind of fits, right? Yeah. All right, John: gosh, this is 100% true, if you've ever looked at those god-awful XML files that are DMARC records. And actually, I'm going to insert a quick question here, because it came up several times in the chat throughout the presentation. Who is creating these DMARC reports? Is that coming from your mail server?
It can be, yes. It can come from your domain in the mail server. You also can set up, if you don't like XML, and I totally understand, you can actually set these up with a service. Google actually has a service that will do it for you called Postmaster Tools. That is super great. You can set them up where it'll be in a really nice UI. There are a few free services out there. There are some paid services out there that will do this. I was actually working with a customer this morning who had the most beautiful DMARC reports I've ever seen, and I am still waiting to hear back who created those for her, because they were awesome. But yeah, they are XML, which can be really painful. I totally understand. But once you learn how to read them, and there are actually some services out there where, when you get a report, you can just copy and paste the XML into them and it'll give you a nice clean UI. Yeah, very good.
Link. Yeah, I dropped the link into the chat for Google Postmaster Tools. That's probably the best free option. And several folks have mentioned there's an AppSumo deal right now for DMARC stuff. You know, there's always an AppSumo deal for something. That's true. But yeah, like Matt is saying, there's a number of services out here that make those unintelligible XML report files a little more intelligible. Yeah,
I will say, Postmaster, the Google Postmaster Tools, one of the nice things they do as well is that they will show you what your complaint rate is, on top of that. You really want to monitor if you're getting close to that threshold.
That's really good. Yeah. All right. Maybe a future training on setting up Google Postmaster Tools. I hear that request floating in the ether. Stacy's question: how do I stop spammers from sending mail from my domain? So that's a lot of what we've talked about here. Does DMARC do
that? Yes. So you're gonna want to combine the three things we talked about, in the order that I talked about already: you're gonna want SPF, DKIM and DMARC records. The most important two for preventing the spam problem are going to be your SPF and your DMARC. DKIM will be for your third-party services. But overall, your SPF kind of says here's what's allowed and what to do for those that aren't, and then your DMARC kind of acts as... Yeah, I see the SPF acting as kind of a guest list, and the DMARC is going to act as the bouncer for that and kick those people out.
Yeah, good. All right, we are at our 10-minute threshold here. One more question and we'll wrap it up, from Ben: Mailchimp has a one-click unsubscribe. Normally that's at the bottom. Does it matter where you put that link now in the email, or does it just have to exist?
It does not matter. The most common place is at the very bottom. I will say a lot of services put this in almost background-color text. If your background is white, they'll put it in like one shade lighter than white, gray. That's not going to be allowed anymore, and it's gonna get you in trouble. It doesn't have to be this flashing banner, but it can't be difficult. I will say I'm a transactional email guy, but I do lots of marketing email as well. You're actually better off putting your unsubscribe at the top and making it super obvious and saying, hey, if our emails aren't valued anymore, unsubscribe. Number one, that's gonna save you money, because you're paying for that subscriber who doesn't want to get your emails, and number two, it's going to improve your open and click rates, which is going to make your email easier to deliver, and Google and Yahoo and everyone else is gonna go, hey, people are interacting with their emails, they're legit, we should deliver them to the inbox. So you don't want to hide your unsubscribe. You want it to be easy, because if somebody wants to unsubscribe, let them, because you're going to be more likely to land in inboxes for everyone else. And who wants to spend money on somebody who doesn't want your product, your service, your stuff? If somebody wants to get rid of your emails and maybe come back later, let them. Don't try to prevent that; it's going to work out badly for you in the long run. Yeah,
that's a great place to end. Matt, thank you so much for your wisdom today. A lot of this makes a lot more sense. Any final thoughts as we're wrapping up?
Like I said, I'm available any time. Reach out to me on Twitter, LinkedIn, any of the social platforms, or through SendWP's website. If I didn't get your question, I'm happy to answer it there. Reach out; I'm always willing to talk about this stuff. Excellent.
So reach out to Matt there, @MrPritchett on Twitter/X and LinkedIn and all the places, and check out SendWP at sendwp.com. Thank you all for hanging out with us. We'll have the replay up in about an hour if you want to go back and rewatch any of this or share it with a friend. The link is there in the chat, in the link bundle I put in just a moment ago. All right, everybody. We are back tomorrow; Thursday is office hours for members of Solid Academy, and until then, have a great rest of the day.