How to
Setting up Custom Domains for secure email delivery using Pendula

Malcolm Jacobson
Malcolm Jacobson
  • Updated

For marketers looking to authenticate their brand and to boost credibility in their client communication, sending emails from a custom domain is imperative. In this guide, we'll walk you through the process of sending emails from your company’s domain. We’ll also cover important topics like SPF, DKIM, and DMARC, all critical to fortifying your domain’s email security

Understanding SPF, DKIM, and DMARC

Before setting up your custom domain, it's important to understand these key email authentication terms

Sender Policy Framework (SPF):

SPF verifies that incoming mail from a domain comes from a host authorised by that domain's administrators. This is a must-have.

DomainKeys Identified Mail (DKIM):

DKIM uses public-key cryptography to sign an email with a private key, verifying that parts of the email have not been modified during transit. This is a must-have.

Domain-based Message Authentication, Reporting, and Conformance (DMARC):

DMARC works with SPF and DKIM to detect and prevent email spoofing. It instructs the recipient’s mail server on what action to take if an email fails SPF or DKIM checks. This is optional but highly recommended.

DMARC + SPF: DMARC ensures the header “From:” address matches the return path or envelope “From:” address in the SPF record, thus validating the source of the email.
DMARC +DKIM: DMARC ensures the header “From:” domain matches the d= domain in the DKIM signature. This validates the authenticity of the message.

dkim.png

Why use a custom domain?

A custom domain is crucial for implementing SPF, DKIM, and DMARC because it allows you to control and configure the necessary DNS records. These records authenticate your email, verifying that it genuinely comes from your domain, thus preventing spoofing and phishing attacks. This setup enhances your brand's credibility and trustworthiness, ensuring your emails are recognised as legitimate by recipients' email providers and reducing the risk of being marked as spam.

Setting up your custom domain with Pendula

Step 1: Provide your domain

Start by providing Pendula with your desired domain name. This is the initial step to get your domain registered with Pendula's email service.

Step 2: Implementing SPF, DKIM, and DMARC Records

Email authentication is crucial for ensuring your emails are recognised as legitimate. Setting up these records will enhance your email credibility and reduce the risk of your emails being marked as spam.

SPF Setup

Pendula has SPF set up out of the box. No additional action is required from your side.

DKIM Setup

  1. Obtain CNAME Records:
    • After you provide your domain, Pendula will provide a set of CNAME records.
    • These records are necessary for linking your domain with Pendula, allowing authenticated email sending.
  2. Add CNAME Records to DNS Settings:
    • Log in to your domain registrar’s DNS management section.

    • Enter the CNAME records provided by Pendula. These records will reference Amazon SES, Pendula’s default email sending service. Example of CNAME Records:

      Name: [provided by Pendula]

      Type: CNAME

      Value: [provided by Pendula]

DMARC Setup

Setting up DMARC is strongly recommended to improve email security.

  1. Create a TXT Record:
    • Log in to your domain registrar’s DNS management section.

    • Create a new TXT record with the following details:

      Name: _dmarc.example.com (replace example.com with your domain).

      Type: TXT

      Value: v=DMARC1; p=none;

The above basic configuration instructs email servers to take no action if an email fails SPF or DKIM checks. For better security, customise this value based on your organisation's needs, such as setting p=quarantine or p=reject.
None: Do nothing with the email
Quarantine: Place failed emails in the spam folder
Reject: Delete email
rua: This specifies the email address or addresses where you receive your DMARC Aggregate Reports. These reports give you valuable insights into how email senders use your domain
ruf: This specifies the email address or addresses where you receive your DMARC Forensic Reports. Unlike the aggregate reports, these reports give insights into emails that fail SPF, DKIM, and DMARC authentication.

How to check if your email has passed SPF, DKIM and DMARC

To verify the status of your email authentication methods, you need to examine the full email headers. Here’s how you can do it using Gmail:

  • First, send a test email to your address
  • Open the email and click on the down arrow next to the sender details to view the initial headers.
  • Ensure the “mailed-by” and “signed-by” headers match your domain, indicating SPF and DKIM passes.

Further, you can view full headers

  • Click on the three dots in the upper right corner of the email and select “Show original” to view the full headers in HTML format.
  • Look for “PASS” indicators next to SPF, DKIM, and DMARC results.

PASS.png