Whilst your email shows as coming from your domain, it is actually sent out via the server of whatever email platform you use. In most cases, this would be either google.com (Google Workspace) or outlook.com (Office365). To make it even more confusing, you can also send out emails from your domain via other platforms you may use, such as Salesforce, Aroflo, HubSpot etc. In fact, all the autoresponder emails sent from your website are sent via sendgrid.com.
Whilst this is great for ensuring your customers know an email is from you, it also opens your domain up to spoofing. Spoofing is where spammers send out emails from their own servers, set up to look like they are from you, in exactly the same way your legitimate emails are sent. So we need a way for email platforms to know if an incoming email is legitimate or not. There are 3 ways this is achieved.
An SPF record is a record put on your domain stating which servers you send emails from. For example, when we set up your website, we always add an SPF record to state that you will be sending out emails via sendgrid.com for your autoresponder emails. So when an email platform receives one of these emails, it quickly reads the SPF record on the domain to see if the sending server is legitimate.
In most cases, you should be all good here.
If you want to get technical: https://www.valimail.com/blog/what-is-spf/
A DKIM record is the next level. Here a DKIM record (a string of around 128 letters) is created and added to both your domain and whatever platform you are sending emails from. When an email is sent from the platform, it adds the DKIM record to the email header. When an email platform receives an email, it checks the DKIM record in the email header against the one on the domain to make sure they match before letting the email through.
In most cases you won't have this, so you will need to set this up for all platforms you send email from. This includes both Google Workspace and Office365.
If you want to get technical: https://www.valimail.com/blog/what-is-dkim/
This is the big change coming to Google and Yahoo at the end of the month.
A DMARC record is one we add to your domain telling email platforms what to do if they get any emails for your domain that don't pass either the SPF or DKIM checks. It tells them to either accept, reject or quarantine the email, and where to send a report for every email that fails.
This means that if someone is spoofing your email, you will get notified of this and will be able to take action.
Once again, most of you won't have this set up, and if it isn't by the end of the month, your emails to any Google or Yahoo email address will bounce.
If you want to get technical: https://www.
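To show how a receiving platform applies a DMARC record to the SPF and DKIM results described above, here is an added example (not from the original article). The record, the domain names and the two messages are constructed, and the alignment check is a simplification of what real receivers do.

```python
# Added example: the record, domains and results below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; raise ValueError if unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def aligned(auth_domain, from_domain):
    """Simplified alignment: the authenticated domain is the From domain or a
    subdomain of it. Real receivers compare organisational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)

def dmarc_action(record, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) pairs. Returns (action, report_address).
    The message passes DMARC if either check passed for an aligned domain."""
    tags = parse_dmarc(record)
    passed = any(ok and aligned(dom, from_domain) for ok, dom in (spf, dkim))
    report = tags.get("rua")  # where aggregate reports are sent, if set
    if passed or tags["p"] == "none":
        return "accept", report
    return tags["p"], report

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

# Legitimate mail via a third-party platform: SPF passes for the platform's own
# bounce domain (not aligned), but the DKIM signature is for example.com.
LEGIT = dmarc_action(RECORD, "example.com",
                     spf=(True, "bounces.platform.example"),
                     dkim=(True, "example.com"))

# Spoofed mail: SPF passes for the sender's own domain, no valid DKIM signature.
SPOOF = dmarc_action(RECORD, "example.com",
                     spf=(True, "mailer.example.net"),
                     dkim=(False, ""))

if __name__ == "__main__":
    print("legitimate:", LEGIT)
    print("spoofed:   ", SPOOF)
```

With `p=none` a failing message is still accepted and only reported, which is the usual starting point before moving to quarantine or reject.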