Overview
The DKIM & SPF Validation feature assists partners with the automated emails the gateway sends on behalf of partners (e.g. password reset emails, settlement reports, etc.). Properly configured DKIM and SPF records play a crucial role in ensuring the reliable delivery of emails to their recipients. This tool is designed to provide our partners and merchants with the confidence that their email domain is correctly configured.
Merchants can use DKIM & SPF Validation for gateway emails sent to their customers. To view this on the merchant portal go to our DKIM & SPF Validation for Merchant Emails article.
What is a DKIM Record?
DKIM, also known as DomainKeys Identified Mail, is a security protocol designed to enhance the trust and security of email communications. It achieves this by adding a digital signature to outgoing emails from a domain, which can be verified using a public key retrieved from DNS records by the recipient's server. This verification process confirms the authenticity and integrity of the email, thus helping to prevent email spoofing and phishing. The DKIM record, which forms part of a domain's DNS settings, contains the public key used for this important verification process.
What is an SPF Record?
SPF, which stands for Sender Policy Framework, is an email anti-spoofing control that uses public DNS TXT records to verify the sending mail server’s authority to send mail on a domain’s behalf. An SPF record is a DNS TXT record with a specific format, which lists the authorized IPs or hostnames permitted to send mail on the sending domain’s behalf.
Why use DKIM & SPF Records?
NMI uses a method to send automated emails from the gateway that makes them appear as if they are sent by you or your merchant. While this is a valuable feature for all parties involved, it also creates an opportunity for bad actors to deceive recipients into thinking that an email comes from a legitimate source when it does not. As a result, email services like Gmail and Outlook may mistakenly flag our emails as fraudulent at times.
The recommended way to authenticate these messages and confirm their legitimacy is by verifying specific DNS records on a user’s domain. This validation ensures that the displayed email matches the actual source. These essential DNS record types are known as DKIM records (DomainKeys Identified Mail) and SPF records (Sender Policy Framework), which can be set up by anyone who owns a domain (e.g., nmi.com) through their domain registrar (such as GoDaddy, Hover, DreamHost, etc.).
Note: Since addresses ending in @gmail.com, @outlook.com, and @yahoo.com are domains owned by Google, Microsoft, and Yahoo, an email address like partner@gmail.com will remain unverifiable because only Google can access their domain settings.
Domain Validation Status
When you add your email address to your Partner Portal, this tool checks with your domain registrar to confirm whether the DKIM and SPF records are properly configured for that domain. For example, if your domain is domain.com and your email address is support@domain.com, the tool would check domain.com to confirm you have added the proper DKIM/SPF records to your domain.
To add an email address, log in to your Partner Portal, go to Settings → Account Information → Edit. The most common email address you will edit using the Email Validation feature will be your Support Contact.
The Email field in Account Information will show one of the following statuses depending on the domain you enter for your email address:
- DOMAIN VALIDATED - When a domain's DKIM and SPF records are correctly set up, the field displays a green “OK” status, indicating that DKIM and SPF are functioning correctly.
- UNABLE TO VALIDATE - If the domain’s DKIM/SPF records are not set up correctly (or one of the two records is missing), the field displays a yellow “warning” status.
  - You will still be able to save your email; you will just be warned about possible delivery issues.
  - If the tool is unable to validate correct DKIM/SPF records for a domain, you will be prompted with a note to open a DNS Settings Guide popup which will help you resolve any DKIM or SPF issues.
  - Note - You should also check with your IT team or domain registrar to confirm you added the DKIM/SPF records correctly.
- INVALID EMAIL ADDRESS - If the email address is invalid, the field displays red and will not allow the email address to be saved.
The warnings are subtle in the Partner Portal as shown below:
Our system updates the status of these records daily and then reflects the status changes in the portal. However, if you know you just updated your DKIM or SPF record and want to confirm, you can hit "Click here to recheck your domain" and this tool will check your domain immediately and update the status of your domain.
You will also see a popup with the updated domain information and a table showing any records that still may not be valid.
DNS Settings Guide
When the DKIM & SPF Validation tool returns an UNABLE TO VALIDATE status, you will be provided a warning that there may be issues with email delivery on this email and domain.
You can click the "Instructions are available" link to see the DNS Settings Guide that will help you add both SPF records and DKIM records to your domain to help ensure emails are delivered.
Note: NMI has left the gps2 and gps3 keys empty to allow us to rotate keys in the future. Any DKIM correctness validators you execute against our records for these selectors will fail, due to intentionally having left the public keys blank. You should proceed to add CNAME records to your domains anyway so that rotations in the future will require no action by your staff.
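To show why a generic DKIM checker flags the gps2 and gps3 selectors even though the domain is configured as intended, here is an added example (not NMI's code or its validation logic) that classifies constructed SPF and DKIM TXT records and accepts a blank key only on selectors listed as placeholders. The `active` selector name and `spf.gateway.example` are hypothetical stand-ins, not values from the DNS Settings Guide.

```python
# Added example, not NMI's code. Inputs are the TXT strings a resolver returns
# after following any CNAME; every record value below is constructed.

def parse_tags(txt):
    """Split a DKIM key record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def dkim_status(txt):
    """'active' (non-empty p=, key not verified), 'empty-key', or 'invalid'."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    return "active" if tags["p"] else "empty-key"

def spf_status(txt_records, required_include):
    """'ok', 'missing', 'multiple' or 'no-include' for a domain's TXT set."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one SPF record is a permerror
    terms = spf[0].lower().split()[1:]
    return "ok" if "include:" + required_include.lower() in terms else "no-include"

def domain_report(txt_records, selectors, required_include, placeholders=()):
    """Per-check results and verdict; blank keys pass only on `placeholders`."""
    report = {"spf": spf_status(txt_records, required_include)}
    for name, txt in selectors.items():
        status = dkim_status(txt)
        if status == "empty-key" and name in placeholders:
            status = "placeholder"
        report[name] = status
    ok = report["spf"] == "ok" and all(
        report[s] in ("active", "placeholder") for s in selectors)
    return report, ok

SAMPLE_TXT = ["v=spf1 include:spf.gateway.example ~all"]  # placeholder include
SAMPLE_SELECTORS = {
    "active": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ=",  # hypothetical selector
    "gps2": "v=DKIM1; k=rsa; p=",
    "gps3": "v=DKIM1; k=rsa; p=",
}
```

Calling `domain_report(SAMPLE_TXT, SAMPLE_SELECTORS, "spf.gateway.example")` without the placeholder list reproduces what a generic validator reports: the SPF check passes, but gps2 and gps3 come back as `empty-key` and the overall verdict is a failure.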
For more information on adding SPF and DKIM records, see Adding SPF & DKIM Records To Help Emails Get To Recipients.