By Bill Hartzer, April 7, 2020 at 6:29pm CST.
Starting sometime this month (April 2020) Microsoft will begin blocking any email that does not have SPF and DKIM alignment for email sent to Outlook 365 domains. What that means is that if you send an email from your domain name and you have not properly set up the proper email records on your domain name, people using Microsoft Outlook 365 won’t receive your email. To make sure that they do receive your email, you need to make sure that SPF, DKIM, and DMARC records are properly set up on your domain name.
Chris Lang, an email delivery expert from Better Call Chris Lang, alerted me to an email that was being sent to email providers from Microsoft. The email essentially told the email provider(s) that starting in April 2020, “Microsoft will start blocking any email that does not have SPF and DKIM alignment for email sent to Outlook 365 domains.”
Emails Going to Spam? This Could Be Why
I recently had a client of mine tell me that all of the emails I send her (even replies to important work I’m doing for them) are going to her spam folder. I then checked the DNS records for my domain and found that I had not set up the SPF, DKIM, and DMARC records properly. But mainly the DMARC record was not set up. I took care of that, and hopefully that will solve the problem with emails from my company domain going to her spam folder.
There are several reasons why emails will end up in someone’s spam folder, but it can be very frustrating. Especially if you’re like me, and emails that are sent manually to one person end up in their spam folder. So, one of the issues that you can correct right now is to set up the proper records in the domain name’s DNS. This isn’t necessarily going to solve all of your email spam problems. But, it could help. And, if any of your emails are going to ever go to someone using a Microsoft product such as Outlook or Outlook 365 (soon to become Microsoft 365), then you must set up your SPF, DKIM, and DMARC on your domain.
There are other reasons why your email may be going to someone’s spam folder rather than going to their inbox. This can include, but is not limited to:
- Words you use in the email. There are certain words that can cause an email to go to the spam folder.
- A problem with the domain name (it’s blacklisted, for example, or has been marked a lot as spam by recipients.
- Subscriber engagement. If you’re sending to an email list, and only a small portion of people open the emails and interact with them, or mark them as spam (such as in Gmail), Gmail may mark it as spam.
- The IP address used to send the email. The IP address could be tainted.
- The subject line is missing.
- You don’t include required information, such as your physical address in your emails sent to a list.
That’s just a few reasons as to why emails may not be going to your recipients’ email inboxes. But, in this case, keep in mind that we’re not talking about emails going to people’s email inboxes and going to their spam folders instead. In this case, Microsoft is going to be blocking ALL emails and they won’t even go to someone’s inbox or spam folder. They just will be deleted most likely and will not be delivered at all. So, you need to set up SPF, DKIM, and DMARC records on all of the domain names that send and receive email. If you have a domain name that you don’t use for email, or your use another email provider (i.e., your email address is @gmail.com, for example), then you do not need to do anything. Let me explain.
What You Need to Do Now
If you have a domain name that has a website and you send email from that domain name, then you need to set up SPF, DKIM, and DMARC records on that domain name. When I say “send email from that domain name”, I mean if your email address is something like email@example.com, where hartzer.com is your domain name. It’s not something like firstname.lastname@example.org, because gmail.com is not your domain name. So, if you use gmail.com, yahoo.com, hotmail.com, outlook.com, for example, then you don’t need to do this.
- First, check to see if you have these records set up on your domain name. You can check any domain name, but I’d check the one you use for email.
Here are a few sites that will tell you if they’re set up:
DNProtect.com – DNProtect.com will tell you a bunch of stuff about your domain, and also give you your DNP Score.
DNS Checker – DNS Checker will check your DNS of your domain, you will want to check the “TXT records, as that’s where these records are added.
250ok DMARC Wizard – This wizard will help you check, and set up, your DMARC record.
- You will need to edit your domain name’s DNS records to add the records. More specifically, you’ll need to add a TXT record. It won’t have any effect on your website or even whether or not you can send/receive email. But editing DNS records aren’t for everyone, as it can get messed up quickly and, if not done correctly, could take your website down. If you don’t know what this means or how to do it, you’ll want to have someone who is familiar with it do it for you.
If you don’t have DKIM, SPF, and DMARC TXT records set up in your site’s DNS, then add them. This is done at your registrar, or whoever “hosts” your domain’s DNS. Look at the WHOIS record for the domain name. Look for the name servers–if they are set to use Cloudflare, for example, then you’ll need to edit the DNS at Cloudflare. If they’re using something else such as Epik’s name servers or GoDaddy’s name servers, or even your own domain name’s name servers, then your registrar or your web host will be able to help you. Again, you may need to open up a support ticket at your web host for more help. If still have questions, contact me and I should be able to steer your in the right direction as to who you should contact to get it done.
- Once these records are set up, check using one of the above-mentioned services to see if they see the DMARC record in your DNS. If you do, and, for example, the 250OK.com gives you the green light so to speak, then you should be all set. The email address that you specify in the DMARC record will receive reports typically once a day, and you can look at them. Once I enabled DMARC, for example, I started receiving a report once a day from Google, which was helpful to review.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. DKIM is an email authentication method designed to detect forged email addresses in email. DKIM should be set up in the DNS records of the domain name if email is sent or received from the domain name. You’ll need to contact your domain name registrar (where you bought your domain name) or your web hosting service in order to set up DKIM on your domain name. DNProtect believes it is important to set up DKIM on domain names that send and receive email. Setting up DKIM on a domain name can help protect from someone pretending to send email from that domain name, which can lead to email spam and the domain potentially getting blacklisted on email blacklists. For more information about DKIM, see DKIM.org or Wikipedia: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
What is SPF?
Sender Policy Framework (SPF) is an email authentication technique or “framework” used to discourage, stop, or prevent someone else from sending email “on your behalf” or faking that the email is sent from you (from your domain name). Wikipedia describes SPF as “Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email.” SPF needs to be used in combination with DMARC in order to prevent, stop, or discourage email spoofing (sending email pretending to be email from another domain). Email spoofing is often used in phishing or email spam.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC is an email authentication protocol designed to give domain name owners the ability to protect their domain name from unauthorized use. DNProtect believes it is important to set up DMARC on a domain name to help protect from business email compromise attacks, phishing emails, email scams and other cyber threat activities. In order to set up DMARC, you need to talk with your website host. For more information, see DMARC.org or Wikipedia https://en.wikipedia.org/wiki/DMARC
This is Just the Beginning
This is, in fact, in my opinion, the just the beginning of a lot more attention to email security than what we’re used to in the past. As Mr. Lang explains, “Microsoft is most likely going to be getting into the email security business, and treat email security different than they ever have in the past. They appear to be starting with Outlook 365 domains. But do you think they won’t expand it?” In my opinion, we could see Microsoft, in the future, start blocking all emails that don’t have DMARC records set up in the DNS of the domain. That could easily include Outlook.com, Hotmail.com, as well. Then, when why would Google and other email providers let Microsoft be the leader in email security? Google may follow suit, as well, by either automatically sending emails without DMARC set up to spam, or blocking them entirely.