Email Verification and DMARC

Help! Our Email Blasts are Showing Up as Unverified

By Huntertech Team | July 29, 2024 | 3 min read

Many Canadian businesses are struggling with email deliverability issues. When sending marketing emails through platforms like Mailchimp, HubSpot, or Brevo, their messages are being flagged as spam or showing up as "unverified" to recipients. This comprehensive guide will help you understand and fix these authentication problems.

I've been seeing a common issue faced by many companies. They send emails through a bulk email provider like Mailchimp, Ticketmaster, Brevo, HubSpot, etc., and their emails are getting flagged as possible spam or as unverified.

Understanding the Problem

Let's break this down to show what's happening. When a company sends email using its Mailchimp account, it should be legitimate, right? Let's check the mail header to understand what's going wrong.

Authentication-Results: spf=pass (sender IP is 198.2.144.59) smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) header.d=mailchimpapp.net; dmarc=fail action=none header.from=deploydepot.ca; compauth=fail reason=001

Pulling out the important info:

  • SPF Passed
  • DKIM Passed
  • DMARC Failed
  • Fail reason = 001

Reason 001 means the From address domain does not match the domain that passed SPF or DKIM. In plain terms: Mailchimp is sending the email, but your domain is in the From field, and those two do not align under your DMARC policy.

What is DMARC, DKIM, and SPF?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Its goal is to increase email security. Here's how it works:

Authentication Standards

  • SPF: Checks if the sender's IP address is authorized to send emails on behalf of a domain. It specifies which servers are allowed to send mail for a domain.
  • DKIM: Adds a digital signature to outgoing emails. The recipient's server can verify this signature to ensure the email hasn't been tampered with.

DMARC Implementation

  • DMARC allows domain owners to set policies for handling emails that fail authentication checks.
  • An organization can publish a DMARC policy that says, "If you send mail from my domain, it must pass SPF and DKIM checks."
  • DMARC creates a feedback loop between the sender and receiver. If an email fails authentication, the receiver can send a report back to the sender, detailing why it failed.

How to Fix the Issue

In the Mailchimp example, the CNAME record you create points at Mailchimp's TXT record, which holds the public key used to verify the DKIM signature applied by the Mailchimp mail server.

A proper TXT record should be formatted like this:

[selector]._domainkey.[domain]

With a value of:

v=DKIM1; p=[insert public key here]

Step 1: Get the Raw Email Header

First, find the raw header of a flagged email. In Outlook: right-click the message, View, Message Details. In Gmail: open the email, click the three dots, Show original. You are looking for the Authentication-Results section near the top.

Step 2: Find the Selector

Scroll to the DKIM-Signature section of the header and take note of these important items:

  • d= is the Domain (e.g., mailchimpapp.net)
  • s= is the Selector (e.g., k3)
  • v= is the version
  • a= is the algorithm used to apply the DKIM signature

Step 3: Create the DNS Records

Head over to www.mxtoolbox.com and use their Super Tool. Select the DKIM Lookup from the dropdown and enter the d value and s value separated by a colon (:), for example: mailchimpapp.net:k3

This will show you the DKIM record for your email provider. When you create your CNAME record, this is what you are pointing to. This has the public key used to verify the DKIM signature.

Now go to your DNS provider (wherever you registered your domain, such as GoDaddy, Cloudflare, or Microsoft 365) and add a CNAME record:

  • Name/Host: [selector]._domainkey (e.g., k3._domainkey)
  • Value/Points to: the record MXToolbox showed you (e.g., k3.mcsv.net)

Propagation can take anywhere from 10 minutes to 72 hours depending on your DNS provider. Some are very slow. Re-check with MXToolbox once it has had time to propagate.

Setting Up DMARC Records

DMARC is the policy that tells receiving servers what to do when an email fails SPF or DKIM, and where to send you the report so you can see what is happening.

If you have never had a DMARC record before, start with p=none to monitor without affecting delivery. After 2 to 4 weeks of reports, switch to p=quarantine, then eventually p=reject. Jumping straight to quarantine can block legitimate email if your setup is not complete.

Create a mailbox or distribution list to collect DMARC reports, or use a service like uriports.com to collect and parse them for you.
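
An added example, not from the original article: a short Python pass over a DMARC aggregate (rua) report that lists the sources still failing, which is the review to do before moving from p=none to p=quarantine. The XML is a constructed sample in the RFC 7489 aggregate-report layout, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; IPs are documentation ranges, counts are invented.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.ca</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.ca</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.ca</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.ca</header_from></identifiers>
    <auth_results><dkim><domain>mailchimpapp.net</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Total message counts per source IP, split by DMARC pass/fail."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0, "dkim_domains": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; either one passing is a DMARC pass.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = totals[rec.findtext("row/source_ip")]
        entry["pass" if ok else "fail"] += int(rec.findtext("row/count"))
        # Raw DKIM signing domains show who actually signed the failing mail.
        entry["dkim_domains"].update(
            d.text for d in rec.iterfind("auth_results/dkim/domain"))
    return dict(totals)

def failing_sources(report_xml):
    """Sources with DMARC failures, largest first, for manual review."""
    rows = [(ip, e["fail"], sorted(e["dkim_domains"]))
            for ip, e in summarize(report_xml).items() if e["fail"]]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, count, domains in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {count} messages failed DMARC, signed by {domains}")
```

The second record mirrors the Mailchimp case above: the signature verifies for mailchimpapp.net, but the aligned DKIM result is fail. Reports come from third parties, so treat the XML as untrusted input when you process real ones.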

Example DMARC TXT DNS record:

v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarcfailure@yourdomain.ca

What this means:

  • v=DMARC1: Indicates this is a DMARC policy
  • p=quarantine: Email servers should quarantine emails that fail DKIM and SPF
  • adkim=r: DKIM alignment is relaxed, meaning subdomains are allowed to match
  • aspf=r: SPF alignment is relaxed for the same reason
  • rua=mailto:xxxx: Sends DMARC reports to this email address

If you are confident your SPF and DKIM are fully set up and you are not sending from any subdomains, you can tighten alignment to adkim=s; aspf=s (strict). Start relaxed and adjust once you have reviewed a few weeks of reports.
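
As an added example (not code from the original article), the Python below replays the header from "Understanding the Problem" against the example DMARC record, showing why reason 001 occurs and how relaxed versus strict adkim/aspf change the result. The small PUBLIC_SUFFIXES set and all function names are assumptions for illustration; real receivers use the full Public Suffix List.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List that real receivers use.
PUBLIC_SUFFIXES = {"ca", "net", "com", "co.uk"}

# Header and record copied from this page; the record is assumed to be the From domain's.
PAGE_HEADER = ("Authentication-Results: spf=pass (sender IP is 198.2.144.59) "
               "smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) "
               "header.d=mailchimpapp.net; dmarc=fail action=none "
               "header.from=deploydepot.ca; compauth=fail reason=001")
PAGE_DMARC = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarcfailure@yourdomain.ca"

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_tags(record):
    """Parse a 'tag=value; tag=value' DNS TXT record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc) to its result and checked identity."""
    out = {}
    for clause in header.split(";"):
        m = re.search(r"\b(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            out[m.group(1)] = dict(re.findall(r"([\w.]+)=([\w.@-]+)", clause),
                                   result=m.group(2))
    return out

def aligned(from_domain, auth_identity, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, b = from_domain.lower(), auth_identity.lower().split("@")[-1]
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_verdict(header, dmarc_record):
    """DMARC passes when SPF or DKIM passes and that domain aligns with From."""
    res, pol = parse_auth_results(header), parse_tags(dmarc_record)
    frm = res["dmarc"]["header.from"]
    spf = res["spf"]["result"] == "pass" and aligned(
        frm, res["spf"]["smtp.mailfrom"], pol.get("aspf", "r"))
    dkim = res["dkim"]["result"] == "pass" and aligned(
        frm, res["dkim"]["header.d"], pol.get("adkim", "r"))
    return {"spf_aligned": spf, "dkim_aligned": dkim,
            "dmarc": "pass" if spf or dkim else "fail"}
```

Calling dmarc_verdict(PAGE_HEADER, PAGE_DMARC) reproduces the failure: both checks pass, but neither rsgsv.net nor mailchimpapp.net aligns with deploydepot.ca. A signature with d=mail.deploydepot.ca would pass under adkim=r and fail under adkim=s.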

Frequently Asked Questions

New to all of this? These are the questions we hear most from business owners who have never touched their DNS settings before.

What is DMARC and why does it matter?

DMARC is a setting you add to your domain's DNS that tells email providers like Gmail and Outlook what to do when someone sends email pretending to be you. Without it, your domain can be spoofed by scammers, and your own legitimate emails can get flagged as suspicious.

What is DKIM?

DKIM is a digital signature attached to every email you send. It proves the email actually came from your mail server and was not tampered with in transit. Think of it as a wax seal on a letter. Your email provider generates the signature; recipients verify it automatically.

What is SPF?

SPF is a list you publish in your DNS that says which servers are allowed to send email on behalf of your domain. If an email arrives from a server not on that list, it fails SPF. Most bulk email tools like Mailchimp and HubSpot give you an SPF record to add when you set up your account.

Should I set DMARC to none, quarantine, or reject?

Start with p=none. This monitors without blocking anything: you will get reports showing what is failing without risking your legitimate email being blocked. After 2 to 4 weeks, review the reports and move to p=quarantine. Once you are confident everything legitimate is passing, switch to p=reject. Skipping straight to reject can accidentally block real emails.

My emails are going to spam. Is DMARC the problem?

Possibly, but DMARC failure is usually a symptom rather than the root cause. If SPF and DKIM are not set up correctly for your sending tools, DMARC will fail. Fix SPF and DKIM first, then add DMARC. If you are already passing both and still hitting spam, the issue is likely sender reputation or content.

Do I need this if I use Microsoft 365 or Google Workspace?

Yes. Microsoft 365 and Google Workspace handle authentication for their own sending, but if you send through third-party tools (newsletters, CRM, ticketing systems), those need their own SPF and DKIM entries in your DNS. DMARC ties it all together and tells receiving servers what to do when something does not align.

How do I generate a DMARC record without touching code?

Use EasyDMARC's free record generator at easydmarc.com. It walks you through the options and produces the exact text string to paste into your DNS. No technical knowledge required.

How do I know if my DMARC setup is working?

Check using the DMARC Lookup tool at mxtoolbox.com. Enter your domain and it will show your current record and flag any issues. You can also monitor the reports being sent to your rua email address; services like uriports.com make those reports readable without having to parse raw XML.
