Should I update my DNS' SPF and DKIM records to pass DMARC?

Posted on March 20, 2020 (Last modified on February 15, 2024)

We want to make sure our emails get delivered and don't get bounced back due to SPF or DKIM issues.

eEvidence takes email reputation very seriously, and that's why we recommend that all our customers update their DNS records and comply with industry best practices.

There are two adjustments to make: adding a CNAME for eEvidence's DKIM key and adding a CNAME for a Return-Path aligned with the From of the MIME. The latter adjustment also allows compliance with SPF. In both cases, you must let us know once these DNS records have been created so that we can enable them on our mail platform.

DKIM signature to pass DMARC

We can DKIM-sign your outbound emails, and the signature will be validated through your DNS. For example, for the sending domain anexample.com, the CNAME entry would be eevid._domainkey.anexample.com, and the value of that entry must always be eevid._domainkey.eevidence.com.

      CNAME Record: eevid._domainkey.your_domain
with value/content: eevid._domainkey.eevidence.com

Custom Return-path

We recommend creating a CNAME entry to construct a Return-Path with the same root as the sender's domain. For example, for the sending domain anexample.com, the CNAME entry would be eevid.anexample.com, and the value of that entry must always be resend.eevid.com.

      CNAME Record: eevid.your_domain
with value/content: resend.eevid.com


More information about these adjustments

The email address that the originating mail server sends to the destination server when establishing communication is known as the connection from or Return-Path. It is labeled as such in the headers of the email. This address may differ from the one that appears in the From header of the email, known as the MIME from. Differences between the two values may lead to issues such as spam classification or rejection by the destination server.

The Sender Policy Framework (SPF) standard allows the receiving mail server to check during mail delivery that an email claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a given domain is published in the DNS records for that domain.

Increasingly, mail servers implement additional Return-Path domain and From domain checks:

  • If they are different, the email could be rejected or classified as SPAM.
  • If they are the same or share the same root domain, it will be accepted as aligned.

This is why we ask you to create a CNAME with a custom Return-Path for your sending domain.

With this custom Return-Path CNAME in place, the Return-Path and From will be aligned. This Return-Path will automatically comply with SPF policy since it is an alias of our record; the SPF of resend.eevid.com, which we manage, will be checked.

With active DKIM and custom return-path configurations, we will give your emails the highest level of legitimacy and DMARC compliance.
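
The alignment check described above, as an added example rather than eEvidence's own code: it compares the From domain of a message with its Return-Path and DKIM d= domains, treating domains that share the same root as aligned. The sample headers, the bounce@ mailbox, the d= values and the two-label shortcut for finding the root domain are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: root (organizational) domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    # Domain part of the address in a From or Return-Path header ("" if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    # d= tag of each DKIM-Signature header; the signature itself is not verified.
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def alignment(raw_message):
    # Aligned means the identifier shares the root domain of the From address.
    msg = message_from_string(raw_message)
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    target = org_domain(from_dom)
    return {
        "from": from_dom,
        "return_path": rp_dom,
        "spf_aligned": bool(rp_dom) and org_domain(rp_dom) == target,
        "dkim_aligned": any(org_domain(d) == target for d in dkim_domains(msg)),
    }

def sample(return_path_domain, dkim_d):
    # Constructed headers for illustration; not captured eEvidence traffic.
    return (
        f"Return-Path: <bounce@{return_path_domain}>\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; d={dkim_d}; s=eevid;\n"
        " h=from:subject; bh=placeholder; b=placeholder\n"
        "From: Alice <alice@anexample.com>\n"
        "Subject: test\n\nbody\n"
    )

WITH_CNAMES = sample("eevid.anexample.com", "anexample.com")
WITHOUT_CNAMES = sample("resend.eevid.com", "eevidence.com")
if __name__ == "__main__":
    print(alignment(WITH_CNAMES), alignment(WITHOUT_CNAMES), sep="\n")
```

The check covers alignment only; a receiver still evaluates the SPF result and the DKIM signature itself before applying DMARC.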