Hello website owners. Were you recently notified by someone whom you send emails to about a red question mark graphic next your name in Gmail? Or maybe you noticed it yourself after seeing the red question mark appear in your own Gmail application. Google recently started showing this red question mark graphic in Gmail next to incoming messages which originated from unauthenticated email servers. This is done at Gmail to help combat spam / abuse emails and to protect Gmail users. At the same time, this also exposes weaknesses in mail sending domains by highlighting them with the red question mark graphic.
What is an authenticated email server?
Gmail considers mail sending domains to be authenticated as long as one of these are implemented:
- SPF authenticated – This is simply a DNS text record on your domain that specifies which email server is allowed to send email using your domain name.
- DKIM signed – This is a public key stored on your domain as a DNS text record which allows receiving mail servers to verify the signature attached to the incoming email.
Note that only one of these is needed to be considered authenticated by Google. Although ideally, your domain should have both of these implemented.
How to fix this problem?
If you are a website owner with this problem. The best thing to do is to contact your hosting and ask them what are your options and see if they can fix it for you. If you are technical and are interested in reading more about how to configure this yourself. The rest of this article will cover this in more detail.
How to configure SPF authentication or DKIM signature?
Both methods require access to adding or modifying DNS records for your domain. You will need to check with your hosting for exact details on how and where to modify this. For SPF authentication, you will need to specify which mail servers sends email for your domain. E.g., For tamstradingpost.com, it is 184.108.40.206. So my SPF record looks like this,
v=spf1 ip4:220.127.116.11 a -all
- v=spf1 specifies Sender Policy Framework version 1
- ip4:18.104.22.168 specifies the ip address of the sending mail server
- a specifies that any ip address in the domain with authoritative records will be allowed
- -all says all other ip addresse will fail
For more information on the usage of SPF, check this Wikipedia page. Sender Policy Framework Wikipedia page
For DKIM, you will need to check with your hosting to see if they handle it. Since my host automatically configures this for all domains. There was nothing for me to do. Here is the DKIM public key DNS record for tamstradingpost.com,
k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVGt8nNHxFrVanpZXPNZvHTzqvEjoWUB4ImUXZDQj3ODhZhmyeMiQKkbFc1OKKA35vEf4fKXtKcj8dbB8lQ/enGDkjvuBVRnjy7BlsDIwXgn4xV94QFB+1cPi2NE4DoXrsc/xqk5lBBCqjxcsYJvW07MeHcdrGTxI6M7r1hG8dkwIDAQAB
Once you have these configured, you can test if they are properly configured by testing the configurations using these 2 websites.
What if I send mail using a script on my website?
In this case, you would want to configure your script to send email through your domain’s SMTP server.
What if I send mail using a mailing list service?
In this case, you would want to check with your mail list service company and notify them of this problem as mail is originating from their mail servers.
Any other questions?
Please ask below in the comments.