DMARC DKIM SPF Email anti-spam slow-motion trainwreck
Recently a client’s long-running and important email process broke, halting reception by their sales team of emailed notifications regarding product inquiries on their website.
This was all working well before ~January.
Quick fix: website will now send emails marked as being “From:sales@YOUR.net”
Longer explanation:
Microsoft/Outlook and/or 2cows.com apparently changed how their servers receive email, raising their anti-spam security standards.
For our servers to send emails marked as “From:sales@YOUR.com” we need the DKIM private (secret) key from your company’s master Microsoft/Outlook email account, specifically the one for the “selector3” selector:
selector3-YOUR-onmicrosoft-com._domainkey.YOUR.onmicrosoft.com (DNS TXT record)
Without that key our servers cannot properly sign the emails they send on your behalf; any such emails may be flagged or blocked as “spam” even though they are not.
I just now added a loose DMARC record to your DNS:
target: _dmarc.YOUR.com
host: _dmarc
type: TXT
val: v=DMARC1; p=none; rua=mailto:hostmaster@YOUR.net
DMARC, DKIM and SPF are now 10+ year-old standards whose enforcement has been a long time coming. Back in Aug 2014 we registered YOUR.net to sidestep this and other potential issues.
The overall best solution is for us to send emails from the website marked as coming “From:sales@YOUR.net”, because we control that domain’s technical details.
The blog post titled “DMARC DKIM SPF Email Anti-Spam Slow-Motion Trainwreck” from wp.brenden.com discusses a real-world scenario where a client’s email notifications—specifically, product inquiry alerts sent from their website—suddenly stopped reaching their sales team. This disruption began around January 2025 and was attributed to stricter enforcement of email authentication protocols by providers like Microsoft Outlook and possibly 2cows.com.
Key Issues Identified
- DKIM Signing Challenges: The client’s website was sending emails with a “From” address of sales@YOUR.com. However, without access to the DKIM private key associated with their Microsoft Outlook account (specifically for the selector selector3-YOUR-onmicrosoft-com._domainkey.YOUR.onmicrosoft.com), the website couldn’t sign emails properly. This lack of proper DKIM signing led to authentication failures. (Wikipedia)
- Missing DMARC Record: The domain YOUR.com lacked a DMARC policy in its DNS records. While not mandatory, the absence of a DMARC record can be a red flag for receiving mail servers, potentially leading to emails being marked as spam or rejected. To mitigate this, a basic DMARC record with a “none” policy was added: (Smartlead, Wikipedia)
_dmarc.YOUR.com TXT "v=DMARC1; p=none; rua=mailto:hostmaster@YOUR.net"
- SPF Record Limitations: Although the SPF record for YOUR.com included entries for YOUR.net and OUR.net, emails were still being blocked. This suggests that the SPF configuration was insufficient, possibly due to the inclusion of other services like netsuite.com, adding complexity to the email authentication setup.
Recommended Solution
Given the challenges with DKIM key access and SPF configurations, the author recommends changing the website’s email “From” address to sales@YOUR.net. Since YOUR.net is under the client’s control, they can ensure proper configuration of DNS, SPF, DKIM, and DMARC records, thereby improving email deliverability and reducing the likelihood of messages being marked as spam. (Cloudflare)
Broader Implications
This case underscores the importance of correctly implementing and maintaining email authentication protocols:
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send emails on behalf of a domain.(Cloudflare)
- DKIM (DomainKeys Identified Mail): Allows the sender to sign emails with a cryptographic signature, verifying the email’s integrity and origin.(Wikipedia)
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds on SPF and DKIM by providing instructions to receiving mail servers on how to handle emails that fail authentication checks.(Smartlead)
Proper configuration of these protocols is crucial, especially as major email providers increasingly enforce strict authentication standards to combat spam and phishing.(Wikipedia)
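As an added illustration (not code from the original post), the following evaluator applies the DMARC alignment rule to the situation described above: mail that passes SPF and DKIM for YOUR.net but carries “From: sales@YOUR.com” fails DMARC, the loose p=none record still lets it through (while reporting it to the rua address), a p=reject policy would bounce it, and switching the From domain to YOUR.net makes it pass. The organizational-domain helper is a simplification (last two labels, no Public Suffix List) and the pass/fail inputs are constructed, not taken from real mail.

```python
# Added example: minimal DMARC policy evaluation for the YOUR.com / YOUR.net case.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public Suffix
    # List, so multi-label suffixes (e.g. co.uk) would be handled differently.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_result, mailfrom_domain, dkim_result, dkim_d):
    """Return (dmarc_result, disposition) for one message.
    spf_result / dkim_result: raw 'pass' or 'fail' outcomes of those checks;
    mailfrom_domain: envelope (Return-Path) domain SPF was checked against;
    dkim_d: the d= domain of the verified DKIM signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Neither authenticated identifier aligns with the From domain: apply p=.
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return "fail", disposition

# The loose record the post added for YOUR.com (constructed copy of that value).
LOOSE_RECORD = "v=DMARC1; p=none; rua=mailto:hostmaster@YOUR.net"

if __name__ == "__main__":
    # Website mail authenticated for YOUR.net but claiming From: sales@YOUR.com.
    print(evaluate(LOOSE_RECORD, "YOUR.com", "pass", "YOUR.net", "pass", "YOUR.net"))
    # The same mail under a strict policy, then after the From: change to YOUR.net.
    print(evaluate("v=DMARC1; p=reject", "YOUR.com", "pass", "YOUR.net", "pass", "YOUR.net"))
    print(evaluate(LOOSE_RECORD, "YOUR.net", "pass", "YOUR.net", "pass", "YOUR.net"))
```

With p=none the failure is invisible to the sender until the aggregate reports arrive at hostmaster@YOUR.net, which is why receivers that enforce their own stricter filtering may still drop the message.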
