DNS Records for Email Authentication & Deliverability

New Email Authentication Requirements

On February 1st, 2024, Gmail and Yahoo implemented changes to enhance and secure email deliverability for their services. These changes require that domains have certain DNS records (SPF, DKIM, and DMARC) in place if they are used to send email.

A Pressable-hosted WordPress site can send email via plugins for a variety of purposes. For example, membership plugins may send emails for registration, password retrieval, and subscription expiration reminders. Plugins like WooCommerce may send emails to customers for in-stock notifications and purchase receipts.

Some plugins may offer configuration options that allow site owners to specify the “From:” header for the email sent. However, forging a sender address (the “From:” part of an email) is commonly used in phishing and email spam. To counter this, email providers use several methods to detect whether an email was sent by the actual sender.

  • Sender Policy Framework (SPF) helps protect your domain from spoofing by identifying the mail servers allowed to send email for your domain.
  • DomainKeys Identified Mail (DKIM) is an authentication method designed to detect forged sender addresses. DKIM allows the recipient of the email (the “To:” part of the email) to verify that the email they received was authorized by the owner of the domain that sent it.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on the SPF and DKIM checks for a domain and tells receiving mail servers what to do with a message that fails those checks.

Authenticate Emails Sent From Your Pressable Site

Pressable-hosted sites that leverage our built-in transactional email service, rather than an SMTP plugin and service, benefit from built-in email authentication. While this is enabled by default, there are some scenarios where DNS records must be added or modified.

Key Considerations

  • On Pressable.com, we will sign outgoing emails for a site’s primary domain. For example, if your site’s domain is example.com, emails from you@example.com will be signed; emails from you@someotherdomain.com will not be signed.
  • If your site’s domain uses Pressable.com’s Name Servers, then your DNS is hosted with Pressable and these signing records have already been added for you. They may need to be restored if you have changed your configuration.
  • If your domain does not use Pressable’s Name Servers, your DNS is hosted elsewhere and you will need to add the DNS records listed below at your DNS provider.
  • If your Pressable-hosted site is using an SMTP plugin paired with a third-party SMTP service, then these records are generally unnecessary as Pressable is not signing and sending your site’s transactional email.
  • If you are sending from a subdomain, the Host value should be the subdomain string. For example, if your subdomain is news.example.com, you would enter news in the Host field instead of @.
  • If your domain uses other services for email delivery, they may have additional DKIM and SPF records for you to add. Each email service will typically have its own set of DKIM and/or SPF requirements.

DKIM

DKIM (DomainKeys Identified Mail) is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain. The related DKIM records are the most important piece for email deliverability on Pressable-hosted sites, as they help confirm our servers were allowed to send the message.

Transactional email will be signed by default as long as the sending address aligns with the site’s primary domain.

For DKIM, you will need to add the following CNAME records to your domain’s DNS.

Note: If your Pressable-hosted site is using an SMTP plugin paired with a third-party SMTP service, then these DKIM records are generally unnecessary as Pressable is not signing and sending your site’s transactional email.

Domains that use Pressable’s Name Servers will have these records added by default.

| Type | Host/Name | Value/Target/Alias To |
|---|---|---|
| CNAME | openhosting1._domainkey | openhosting1._domainkey.wpcloud.com. |
| CNAME | openhosting2._domainkey | openhosting2._domainkey.wpcloud.com. |

SPF

SPF (Sender Policy Framework) records help identify which servers are allowed to send messages for your domain.

This record is generally not required for Pressable’s site email delivery service as we already have that set on our sending server.

However, your domain may be leveraging other email-sending services that do require SPF records.

If you do encounter issues and you do not already have an SPF record, you may consider adding the following SPF record, but it is generally not necessary for transactional emails sent from a Pressable-hosted site.

| Type | Host/Name | Value |
|---|---|---|
| TXT | @ | v=spf1 include:wpdatacenter.com ~all |

Multiple SPF Records

It is only possible to have one SPF record in the DNS zone of your domain. Having more than one SPF record using the same name (i.e. “@” or “mail”) will break authentication. You may get around this by combining, or flattening, multiple SPF records into one record.

Again, a Pressable-specific SPF record may not be necessary in some cases. If you already have an existing SPF record and you wish to add the value above, you would add include:wpdatacenter.com to the existing SPF record like the following example.

Let’s say that you have two other SPF records that you want to use that look like the following.

| Type | Host/Name | Value |
|---|---|---|
| TXT | @ | v=spf1 a mx include:spf.acumbamail.com ~all |
| TXT | @ | v=spf1 include:spf.protection.outlook.com -all |

These records can be combined with our SPF value into a single SPF (TXT) record.

| Type | Host/Name | Value |
|---|---|---|
| TXT | @ | v=spf1 a mx include:spf.acumbamail.com include:spf.protection.outlook.com include:wpdatacenter.com ~all |
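The merge described above, as an added example that is not Pressable's own code: it combines the SPF values shown on this page into one record, drops duplicate terms, and counts the mechanisms that cost a DNS lookup against the limit of 10 set by RFC 7208. The function names and the `all_qualifier` parameter are assumptions made for illustration; the closing qualifier defaults to `~`, matching the combined record shown on this page.

```python
# Added example (not Pressable's code): merge several SPF TXT values into one.
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

# The three SPF values shown on this page.
PAGE_RECORDS = [
    "v=spf1 a mx include:spf.acumbamail.com ~all",
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:wpdatacenter.com ~all",
]


def mechanism_name(term):
    """Strip the qualifier and any :domain or /cidr suffix from a term."""
    return term.lstrip("+-~?").lower().split(":")[0].split("/")[0]


def merge_spf(records, all_qualifier="~"):
    """Return (merged_record, top_level_lookups) for a list of SPF values."""
    terms, seen = [], set()
    for record in records:
        parts = record.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in parts[1:]:
            name = mechanism_name(term)
            if name == "all":
                continue  # one closing "all" is appended after the merge
            if name.startswith("redirect="):
                raise ValueError("redirect= must be resolved by hand")
            if term.lower() not in seen:  # drop exact duplicates, keep order
                seen.add(term.lower())
                terms.append(term)
    # Lookups made inside each include: also count toward the limit of 10,
    # so this top-level figure is a lower bound.
    lookups = sum(mechanism_name(t) in LOOKUP_MECHANISMS for t in terms)
    if lookups > 10:
        raise ValueError(f"{lookups} DNS lookups exceeds the SPF limit of 10")
    merged = " ".join(["v=spf1", *terms, f"{all_qualifier}all"])
    return merged, lookups


if __name__ == "__main__":
    print(merge_spf(PAGE_RECORDS))
```

Because the source records disagree on the closing qualifier (`~all` and `-all`), the merged record's qualifier is passed in explicitly instead of being inferred.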

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is suggested for all domains and required for bulk senders.

DMARC enhances email security and deliverability but can require some planning and experience to properly integrate. You may consider using dedicated DMARC services to help with your implementation.

If your domain does not yet have a DMARC DNS record, you may start with the most basic option. This does not provide enhanced spam and spoofing protections but can help you get started and allow your domain to pass bulk sender requirements.

To learn more about DMARC, we recommend visiting https://dmarc.org/overview/

| Type | Host/Name | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; |
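An added example, not Pressable's tooling: a check of a domain's records against the DKIM, SPF, and DMARC values listed on this page, useful after a change at an external DNS provider. The `audit` function and the sample zone are constructed for illustration, and hosts are written relative to the zone, as in the Host/Name column on this page.

```python
# Added example: audit a zone's records against the values on this page.
EXPECTED_DKIM = {
    "openhosting1._domainkey": "openhosting1._domainkey.wpcloud.com.",
    "openhosting2._domainkey": "openhosting2._domainkey.wpcloud.com.",
}

# Constructed sample zone: one DKIM CNAME missing and two SPF records at "@".
SAMPLE_ZONE = [
    ("CNAME", "openhosting1._domainkey", "openhosting1._domainkey.wpcloud.com."),
    ("TXT", "@", "v=spf1 a mx include:spf.acumbamail.com ~all"),
    ("TXT", "@", "v=spf1 include:spf.protection.outlook.com -all"),
    ("TXT", "_dmarc", "v=DMARC1; p=none;"),
]


def audit(records, apex="@"):
    """records: iterable of (type, host, value). Returns a list of findings."""
    findings = []
    cnames = {h.lower(): v.lower().rstrip(".")
              for t, h, v in records if t.upper() == "CNAME"}
    for host, target in EXPECTED_DKIM.items():
        got = cnames.get(host)
        if got is None:
            findings.append(f"DKIM: missing CNAME {host}")
        elif got != target.rstrip("."):
            findings.append(f"DKIM: {host} points to {got}, expected {target}")
    txt = [(h.lower(), v.strip().strip('"'))
           for t, h, v in records if t.upper() == "TXT"]
    spf = [v for h, v in txt if h == apex and v.lower().startswith("v=spf1")]
    if len(spf) > 1:  # more than one SPF record at a name breaks SPF
        findings.append(f"SPF: {len(spf)} records at {apex}; combine them into one")
    dmarc = [v for h, v in txt if h == "_dmarc" and v.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected 1 record at _dmarc, found {len(dmarc)}")
    else:
        pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        policy = tags.get("p", "")
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: invalid or missing p= ({policy!r})")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ZONE)))
```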