- Overview
- What is SPF?
- What is DKIM?
- Validation
- Using a Webmail Based Email Address
- Frequently Asked Questions
Overview
This article provides guidance for partners and merchants experiencing issues with emails being rejected or marked as spam. Here, you'll find information on SPF and DKIM records and how to configure them in your DNS to ensure successful email delivery.
When you send an email from your NMI portal (or a system notification email is sent), it will appear to come from your email address. However, the actual sending server is NMI's, with the domain "safewebservices.com." This discrepancy between the sending server domain and the sender's email address domain can cause emails to be rejected or marked as spam.
To prevent this, you can add SPF and DKIM records to your domain's DNS settings. These records indicate that the safewebservices.com mail server is authorized to send messages on your behalf. Email systems will then check the SPF and DKIM records to verify the email's authenticity, ensuring it is delivered correctly.
What is SPF?
Sender Policy Framework (SPF) is a type of email authentication that defines the mail servers or applications that are allowed to send from your domain. SPF is implemented via SPF records. An SPF record is a text file that is published in the DNS (Domain Name Service) which contains a list of email servers that are authorized to send emails on behalf of your domain.
If the sending server domain used by your email application or system is listed within your SPF record, then your email will be properly authenticated. This will increase the likelihood of your message reaching your customer’s inbox.
Adding an SPF Record
To specifically allow us to send email on your behalf, please work with your DNS provider to create an SPF record for the following domain:
_spf.safewebservices.com
To add an SPF record, find the TXT record in your DNS settings that have a value starting with "v=spf" and edit that value.
There can only be one record with SPF information in it. If none exists, it can be created. The only change needed is to add include:_spf.safewebservices.com
in the record.
Here's an example, where the include is added to show NMI is allowed to send messages using your email address:
Type: TXT
Current Value: v=spf1 +a +mx ~all
New Value: v=spf1 +a +mx include:_spf.safewebservices.com ~all
What is DKIM?
Adding a DKIM Record
To allow us to sign e-mails on your behalf, please work with your IT department or DNS provider to create the following CNAME records in all sending domains you or your merchants have configured to be used by our system. Please ensure example.com in the table below is updated to reference your specific sending domain.
Type | Host | Value |
CNAME |
gps1._domainkey.example.com |
gps1._default.dkim.safewebservices.com |
CNAME |
gps2._domainkey.example.com |
gps2._default.dkim.safewebservices.com |
CNAME |
gps3._domainkey.example.com |
gps3._default.dkim.safewebservices.com |
Note: These need to be CNAME records and not TXT records.
Validation
Our portal will provide some information about the status of your SPF and DKIM records. You can learn about that validation here:
You can also use an online tool such as MX Toolbox to confirm that your SPF and DKIM records are configured correctly.
Validating an SPF Record
- Go to SPF Check & SPF Lookup - Sender Policy Framework (SPF) - MxToolBox
- Enter your Domain name and click SPF Record Lookup
- Your SPF record along with diagnostic information is now displayed on the page. Ensure the record contains
_spf.safewebservicces.com
.
Validating a DKIM Record
- Go to DKIM Check- DomainKeys Identified Mail (DKIM) Record Lookup - MxToolBox
- Enter your Domain name, enter
gps1
in the selector field, and click DKIM Lookup - The CNAME you entered should be traversed and verified from NMI’s servers.
- Repeat this process using your domain name along with
gps2
andgps3
in the selector field.
Note: NMI has left thegps2
andgps3
keys empty to allow us to rotate keys in the future. Any DKIM correctness validators you execute against our records for these selectors will fail, due to intentionally having left the public keys blank. You should proceed to add CNAME records to your domains anyway so that rotations in the future will require no action by your staff.
Using a Webmail-Based Email Address
NMI does not recommend using a public webmail-based address (@google.com, @hotmail.com, etc.) in the "Receipts From Address" field in your merchant's "Account Information" settings.
Since we are sending these emails on your merchant's behalf, they are blocking any emails from domains without our SPF record. To allow us to send an email on your merchant's behalf, please have your merchant work with their DNS provider for the domain the email is coming from to create an SPF record.
As an alternative or quick fix while getting the SPF record set up, the merchant can add <outgoing@safewebservices.com> in the "Receipts From Address" field in their merchant portal (under "Options" → "Settings" → "Account Information"). This is the official email address the automated receipts are coming from. They can also add anything before the "@" sign as long as they're using the safewebservices.com domain, like receipts@safewebservices.com or merchants_name@safewebservices.com where "merchants_name" is the name of the merchant account.
Frequently Asked Questions
What if we do not implement these changes?
If these changes are not implemented, NMI will fallback to using @safewebservices.com
as the sending domain for mail on your behalf. These changes are only required to retain custom branded sending domains
What should I do if I need help with these settings?
If you need assistance, contact your IT department or DNS provider. They can help you add the necessary SPF and DKIM records to your domain. If they require any assistance, you can always reach us at support@nmi.com, or using an option from our Contact Us page.
Where can I learn about major email providers' requirements for SPF and DKIM?
Google and Yahoo have recently updated their email security policies to require DKIM and SPF for improved email authentication. These changes are aimed at reducing email spoofing and ensuring that emails are sent from verified sources. While these changes only currently apply to Bulk Senders, we are now requiring this configuration for all custom sending domains.
For more details, you can refer to:
Where can I find more information on setting up SPF for common providers?
The following table includes links to documentation for common providers.
Provider | SPF | DKIM |
|
||
Outlook |
||
Yandex |
||
Yahoo |
||
GoDaddy |
||
Bluehost |
||
Amazon SES |
These are external links and may be broken if the provider makes an update. Please let us know about any broken links by sending an email to support@nmi.com.