SPF Record Notes

  1. You can only have one SPF record per website. If your domain contains more than one entry, recipient servers will decline both. Source.
  2. DreamHost automatically adds DreamHost's SPF records to your site. You only need to manually add an SPF record if you are also sending email through a third party. If you are sending email through services such as those AND also sending email from DreamHost, you'll need to add a custom SPF record that contains both mail servers. Source.
  3. Dreamhost will automatically remove their SPF record if you add one, and automatically add theirs if you remove yours. Source.

Example of a Multiple SPF Record

v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net include:_spf.mlsend.com ~all

Always start with v=spf1 mx and end with ~all

To ~ or not to ~? That is the question

I've seen it written as ~all, -all, and ?all and here's why from Dreamhost:

  • ?, question mark, makes the whole record inactive, as though the domain had no SPF record at all.
  • -, dash, makes the record strict, and any mail from servers not listed will be marked “fail” and may be marked as spam or rejected entirely.
  • ~, tilde, is between the other two options in strictness. Any mail from servers not listed will be marked “softfail”. While intended for testing, it is recommended to be used to avoid delivery issues as noted in this article.
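The single-record rule and the `all` qualifiers above can be checked mechanically. The following is an added example, not code from DreamHost or the original notes: it lints a domain's TXT values for duplicate SPF records, merges separate provider records into one, and reports what the trailing qualifier does. The sample records are constructed from the includes shown above, and the lookup count covers top-level terms only.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def _name(term):
    """Mechanism/modifier name without qualifier, domain or CIDR suffix."""
    return term.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0].lower()

def spf_records(txt_values):
    """Pick the SPF records out of a domain's TXT values."""
    return [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]

def lint_spf(txt_values):
    """Return (result, detail) for the SPF policy these TXT values publish."""
    found = spf_records(txt_values)
    if not found:
        return ("none", "no SPF record")
    if len(found) > 1:
        return ("permerror", f"{len(found)} SPF records published; merge them into one")
    terms = found[0].split()[1:]
    lookups = sum(_name(t) in LOOKUP_TERMS for t in terms)  # nested includes add more
    if lookups > 10:
        return ("permerror", f"{lookups} lookup terms; the limit is 10")
    if not terms or _name(terms[-1]) != "all":
        return ("warn", "record does not end with an 'all' mechanism")
    qualifier = terms[-1][0] if terms[-1][0] in QUALIFIERS else "+"
    return (QUALIFIERS[qualifier], f"unlisted servers get '{QUALIFIERS[qualifier]}'")

def merge_spf(records, final="~all"):
    """Combine several providers' SPF records into one, keeping each term once."""
    merged = []
    for rec in records:
        for term in rec.split()[1:]:
            if _name(term) != "all" and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

# Constructed sample: host and third-party senders published as two records.
SEPARATE = [
    "v=spf1 mx include:netblocks.dreamhost.com ~all",
    "v=spf1 include:relay.mailchannels.net include:_spf.mlsend.com ~all",
]
print(lint_spf(SEPARATE))   # two records: flagged as an error
print(merge_spf(SEPARATE))  # one combined record
```
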

DKIM Notes

  1. You can have multiple DKIM records, one per service you need to send from. So I would have one for Dreamhost or Google Apps, and another for MailerLite or Klaviyo, and another for the website, etc. Source.

DMARC Notes

  1. You are required to have SPF and DKIM set up before you can add DMARC.
  2. Settings for DMARC on Dreamhost. Source.
    Name — _dmarc
    Type — TXT
    Value: Example below:

v=DMARC1; p=none; sp=quarantine; fo=1; rua=mailto:dmarc_agg@example.com; ruf=mailto:dmarc_forensic@example.com; pct=100

The sp=quarantine is the DMARC Quarantine/Reject policy and can be set to “reject” or “quarantine”. This source says that quarantine is a good way to start testing before switching to reject, although switching to reject is not required.

3. It is advised not to set a Quarantine or Reject policy until you have evaluated your DMARC reports to make sure you don't have any legitimate senders that have email delivery problems. However, a DMARC Quarantine/Reject policy is required for BIMI.

BIMI Notes

  1. Create an SVG file of your logo. Here's a free tool for converting your logo to SVG.
  2. Then you have to take your SVG from that tool and convert it to SVG Tiny Portable/Secure (SVG P/S) format. This article offers free conversion tools for each operating system. However this tool did not recognize the images I made using the previous tools. I had to remake my logo in Illustrator and save it as an SVG after converting all text into vectors.
  3. Upload the SVG image to a public folder on your website via SFTP.
  4. Create a TXT Record. Source.
    name: default._bimi.example.com (Dreamhost automatically adds the “example.com” part so just put the “default._bimi” part)
    value: enter the following with quotes
"v=BIMI1; l=https://www.example.com/wp-content/uploads/your-logo.svg;"

  5. Test it with this tool: https://mxtoolbox.com/bimi.aspx?referrer=cms_bimi_setup

Tools To Test

72 hours later and the logo is still not showing up in Gmail.

A few things I just discovered that may be throwing a wrench in my process here…

Is Google still in the pilot program phase?

“The AuthIndicators Working Group is thrilled that Gmail is helping push the specification forward. In the coming weeks, BIMI pilots will be active at Google and Verizon Media; in the coming year, additional pilots will begin at other major mailbox providers. Of particular note is the inclusion of Verified Mark Certificates (VMC) as a requirement in Gmail’s pilot. VMC’s are the highest level of verification defined in the BIMI spec, and help to reduce the danger of spoofing by verifying that senders own the logo they’re transmitting.”

From: https://bimigroup.org/gmail-launches-bimi-pilot/

And then on the implementation guide, it reads:

“Publish a BIMI record for your domain in DNS which:

  • points to the logo indicator in SVG format to be used,
  • and/or a Verified Mark Certificate (VMC) for those receivers that require it.”

From: https://bimigroup.org/all-about-bimi/

3. According to DigiCert, you need to trademark your logo in order to get a VMC:

“Once the initial BIMI pilot is completed, companies will be able to purchase VMCs from DigiCert. After obtaining a VMC, email clients must be able to validate that you are enforcing Domain-based Message Authentication, Reporting and Conformance (DMARC) standards. You will then be able to upload one or more logos to display within email clients. If you have multiple logos, you can choose which will render for each communication flow.”

That page also goes on to read,

“Before we can issue a VMC, your logo must be registered with the trademark office so we can validate ownership.”

From: https://www.digicert.com/tls-ssl/verified-mark-certificates

So… unless your logo is trademarked (which mine for Shopifreaks is not because I've changed it like 4 times since I launched LOL), then we might be out of luck.
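The DMARC and BIMI requirements collected in these notes can be checked before waiting days for a logo to appear. The following is an added example, not code from the original post or from any provider: it parses a DMARC record and a BIMI record and lists what would block the logo, including a missing `a=` tag (the BIMI tag that points to a VMC). The sample records and the VMC URL are constructed placeholders.

```python
def parse_tags(record):
    """Parse 'tag=value; tag=value' into (tags, duplicated_tag_names)."""
    tags, dupes = {}, []
    for part in record.strip().strip('"').split(";"):
        if "=" not in part:
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            dupes.append(key)      # a tag may appear only once per record
        else:
            tags[key] = value
    return tags, dupes

def bimi_readiness(dmarc_record, bimi_record):
    """Return the problems that would keep a receiver from showing the logo."""
    problems = []
    dmarc, dupes = parse_tags(dmarc_record)
    if dmarc.get("v") != "DMARC1":
        problems.append("DMARC record is missing v=DMARC1")
    problems += [f"DMARC tag '{d}' appears more than once" for d in dupes]
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy or '(missing)'}; BIMI needs quarantine or reject")
    bimi, _ = parse_tags(bimi_record)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record is missing v=BIMI1")
    if not bimi.get("l", "").lower().startswith("https://"):
        problems.append("BIMI l= must be an https:// URL to the SVG logo")
    if not bimi.get("a"):
        problems.append("no a= VMC URL; receivers that require a VMC will not show the logo")
    return problems

# Constructed samples: a monitoring-only DMARC policy with a logo-only BIMI record,
# then an enforcing policy with a (placeholder) VMC location.
MONITORING = "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc_agg@example.com"
LOGO_ONLY = '"v=BIMI1; l=https://www.example.com/wp-content/uploads/your-logo.svg;"'
ENFORCING = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc_agg@example.com"
WITH_VMC = "v=BIMI1; l=https://www.example.com/logo.svg; a=https://www.example.com/vmc.pem"

for problem in bimi_readiness(MONITORING, LOGO_ONLY):
    print("blocked:", problem)
```
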