Adding SPF & DKIM Records To Help Emails Get To Recipients
Problem: Receipts Sent to SPAM/Junk Folder
This page helps merchants whose customer receipts are being blocked as spam. The most common cause is a change to the Email From address that the gateway uses when sending emails. By default, receipts are sent with a from address of “noreply@usaepay.com”. Since usaepay.com designates its own servers as being allowed to send “@usaepay.com” email, these messages are not blocked. Once the merchant changes the from address on the settings screen in the console, receipts are sent with the merchant's email, for example: john@adams.com. When the customer's mail server receives the email, it checks whether “adams.com” allows usaepay.com to send email on behalf of john@adams.com. If it does not, the message may be tagged as spam. Whether the message is blocked depends on whether adams.com has configured an SPF DNS record and whether that record lists USAePay.
What is SPF?
Sender Policy Framework (SPF) is an open standard that allows mail servers to verify that an email was sent by a source that has been permitted by the owner of the domain. Configuring SPF for your domain is a matter of adding a TXT record to your DNS. If you are not sure how to modify the DNS for your domain, consult your domain provider.
Adding an SPF Record
If a merchant is going to list their own email in the Email From setting, they will need to add usaepay to their SPF record. If the merchant does not control their domain and the domain owner is not willing to make the change, the merchant should either use a different email address or leave the from address blank.
The easiest way to list the usaepay mail servers is to add include:spf.usaepay.com somewhere before the ~all or -all. For example, if your SPF record is currently:
acme.org TXT "v=spf1 a mx ~all"
you would change it to:
acme.org TXT "v=spf1 a mx include:spf.usaepay.com ~all"
If you prefer not to use our include, you can also list the mail server IPs directly. This approach is not recommended as your record will be out of date when our network expands/changes.
acme.org TXT "v=spf1 a mx ip4:209.239.233.124 ip4:209.239.233.125 ip4:64.0.146.124 ip4:64.0.146.125 ip4:209.220.191.124 ~all"
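The record edit described above, written as an added example that is not part of the original page or USAePay's own tooling. The function names and sample records are hypothetical; it also moves an include that was placed after the all term, where it would never be evaluated, and counts the record's DNS-querying terms against the SPF limit of 10 lookups.

```python
# Added example: merge the gateway's include into an existing SPF TXT value.
USAEPAY_INCLUDE = "include:spf.usaepay.com"              # value from this page
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

# Constructed sample records (not real domains' data).
SAMPLES = [
    "v=spf1 a mx ~all",
    "v=spf1 mx -all include:spf.usaepay.com",   # include after "all" is never evaluated
    "v=spf1 ip4:192.0.2.10",                    # no "all" term
]

def _name(term):
    """Term name without qualifier or argument, e.g. '-all' -> 'all', 'a/24' -> 'a'."""
    term = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        term = term.split(sep)[0]
    return term

def _is_gateway(term):
    """True when the term is the gateway include (optionally with '+')."""
    return term.lstrip("+").lower() == USAEPAY_INCLUDE

def add_usaepay_include(record):
    """Return (updated_record, lookup_terms) for an SPF TXT value.

    lookup_terms counts only this record's DNS-querying terms; lookups made
    inside included records also count toward the SPF limit of 10.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    body = terms[1:]
    # Mechanisms are evaluated left to right, so find where "all" ends evaluation.
    all_idx = next((i for i, t in enumerate(body) if _name(t) == "all"), len(body))
    if not any(_is_gateway(t) for t in body[:all_idx]):
        body = [t for t in body if not _is_gateway(t)]   # drop a misplaced copy
        body.insert(all_idx, USAEPAY_INCLUDE)
    lookups = sum(1 for t in body if _name(t) in LOOKUP_TERMS)
    return " ".join(["v=spf1"] + body), lookups

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", add_usaepay_include(rec))
```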
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication method that allows recipients to verify an email's legitimacy. DKIM works by attaching a digital signature to outgoing emails, which recipients' mail servers can verify using a public key published in the DNS (Domain Name System).
A DKIM record is a DNS TXT record containing this public key. When an email is sent, the sending server signs it with a private key. The recipient's server uses the public key from the DKIM record to verify the signature. If the signature matches, it confirms the email is authentic and untampered, improving the chances of your messages reaching your customers' inboxes.
Adding a DKIM Record
To allow us to sign e-mails on your behalf, please work with your IT department or DNS provider to create the following CNAME records in all sending domains you or your merchants have configured to be used by our system. Please ensure example.com in the table below is updated to reference your specific sending domain.
Type | Host | Value |
---|---|---|
CNAME | gps1._domainkey.example.com | gps1._default.dkim.safewebservices.com |
CNAME | gps2._domainkey.example.com | gps2._default.dkim.safewebservices.com |
CNAME | gps3._domainkey.example.com | gps3._default.dkim.safewebservices.com |
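A pre-publication check for the three CNAME records in the table, as an added example that is not part of the original page. It assumes a BIND-style zone snippet; the function names and the sample zone are hypothetical. It compares only the CNAME targets, and it catches the common zone-file mistake of omitting the trailing dot on the target, which makes the name relative to your own domain.

```python
# Added example: audit a zone snippet for the three DKIM CNAMEs from the table.
SELECTORS = ("gps1", "gps2", "gps3")                  # selectors listed on this page
TARGET_SUFFIX = "_default.dkim.safewebservices.com"   # target suffix from this page

# Constructed sample zone for example.com (not real data).
SAMPLE_ZONE = """\
$ORIGIN example.com.
gps1._domainkey 3600 IN CNAME gps1._default.dkim.safewebservices.com.
gps2._domainkey      IN CNAME gps2._default.dkim.safewebservices.com  ; no trailing dot
; gps3 has not been created yet
"""

def _fqdn(name, origin):
    """Expand a zone-file name: a trailing dot means absolute, else append origin."""
    name = name.lower()
    if name.endswith("."):
        return name[:-1]
    return origin if name == "@" else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Return {owner_fqdn: target_fqdn} for every CNAME line in the snippet."""
    origin = origin.rstrip(".").lower()
    found = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()           # drop comments
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:                    # needs an owner and a target
            i = types.index("CNAME", 1)
            found[_fqdn(fields[0], origin)] = _fqdn(fields[i + 1], origin)
    return found

def audit_dkim_cnames(zone_text, domain):
    """Return {host: 'ok' | 'missing' | 'wrong target: ...'} for gps1..gps3."""
    domain = domain.rstrip(".").lower()
    have = parse_cnames(zone_text, domain)
    report = {}
    for sel in SELECTORS:
        host, want = f"{sel}._domainkey.{domain}", f"{sel}.{TARGET_SUFFIX}"
        got = have.get(host)
        report[host] = ("ok" if got == want
                        else "missing" if got is None
                        else f"wrong target: {got}")
    return report

if __name__ == "__main__":
    for host, status in audit_dkim_cnames(SAMPLE_ZONE, "example.com").items():
        print(host, "->", status)
```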
How to Test
Our portal will provide some information about the status of your SPF and DKIM records. You can learn about that validation here:
Validating an SPF Record
Once you have your rules set up correctly in DNS, there are a variety of web-based tools that you can use to verify them. For example, to test with the Kitterman SPF Validation test tool, enter 209.239.233.124 in the Sending IP Address field, the Email From address you are using in the console should go in the Sender Email Address field, and andmx-ca4-01.usaepay.com should go in the Senders Computer Name field. If all is configured correctly, you should see a Pass and Sender Permitted.
Validating a DKIM Record
- Go to DKIM Check - DomainKeys Identified Mail (DKIM) Record Lookup - MxToolBox
- Enter your Domain name, enter gps1 in the selector field, and click DKIM Lookup
- The CNAME you entered should be traversed and verified from NMI’s servers.
- Repeat this process using your domain name along with gps2 and gps3 in the selector field.
Note: USAePay has left the gps2 and gps3 keys empty to allow us to rotate keys in the future. Any DKIM correctness validators you run against our records for these selectors will fail, because the public keys have intentionally been left blank. You should proceed to add CNAME records to your domains anyway so that rotations in the future will require no action by your staff.
Using a Webmail Based Email Address
USAePay does not recommend using a public webmail based address (@google.com, @hotmail.com, etc.) in the Email From setting. There is no way to correctly configure these email addresses to be sent from the USAePay gateway, and merchants will experience a number of customers who are not able to receive receipts. The merchant should either leave the "From" setting blank or get their own domain for email.
Frequently Asked Questions
What if we do not implement these changes?
If these changes are not implemented, USAePay will fall back to using @safewebservices.com as the sending domain for mail on your behalf. These changes are only required to retain custom branded sending domains.
What should I do if I need help with these settings?
If you need assistance, contact your IT department or DNS provider. They can help you add the necessary SPF and DKIM records to your domain. If they require any assistance, you can always reach us at support@usaepay.com, or using an option from our Contact Us page.
Where can I learn about major email providers' requirements for SPF and DKIM?
Google and Yahoo have recently updated their email security policies to require DKIM and SPF for improved email authentication. These changes are aimed at reducing email spoofing and ensuring that emails are sent from verified sources. While these changes only currently apply to Bulk Senders, we are now requiring this configuration for all custom sending domains.
Where can I find more information on setting up SPF for common providers?
The following table includes links to documentation for common providers.
These are external links and may be broken if the provider makes an update. Please let us know about any broken links by sending an email to support@usaepay.com.