SPF and DKIM: implementation details
Why do I need to set up 3 CNAME records to verify SPF and DKIM?
When setting up a sending domain in Prezly, we need to verify SPF and 2 DKIM keys before we're able to send emails on behalf of your domain.
The records we ask you to set up look similar to these:
- prezly-email.example.com IN CNAME email-XXXXXX.customers.prezly.io
- prezly._domainkey.example.com IN CNAME prezly.domainkey.email-XXXXXX.customers.prezly.io
- prezly2._domainkey.example.com IN CNAME prezly2.domainkey.email-XXXXXX.customers.prezly.io
The first record is for SPF, and the second and third are for DKIM. And you're right that you're actually setting up these records for a subdomain, not the main domain. In this example, that subdomain is prezly-email.example.com.
The reason is that this lets us avoid interfering with your actual SPF record and keeps the DNS lookup count low, while still complying with the rules of SPF and DKIM.
We can do this because we send emails with the SMTP MAIL FROM command (a.k.a. the return path) set to an address @prezly-email.example.com.
The receiving server verifies SPF against the MAIL FROM address and it checks SPF records on prezly-email.example.com, instead of example.com. Reference to SPF spec: https://tools.ietf.org/html/rfc7208#section-2.4
The receiving mail server sees it was sent by prezly-email.example.com with the From: header set to @example.com.
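The lookups a receiving server performs for such a message can be traced offline. This is an added example, not Prezly's code: the TXT values at the CNAME targets, the HELO name, and the DKIM tags `s=prezly`, `d=example.com` are assumptions chosen to match the record names above.

```python
# Constructed zone: the CNAMEs mirror the records listed above; the TXT values
# at the targets are placeholders (assumptions), not Prezly's real records.
RECORDS = [
    ("prezly-email.example.com", "CNAME", "email-XXXXXX.customers.prezly.io"),
    ("prezly._domainkey.example.com", "CNAME", "prezly.domainkey.email-XXXXXX.customers.prezly.io"),
    ("prezly2._domainkey.example.com", "CNAME", "prezly2.domainkey.email-XXXXXX.customers.prezly.io"),
    ("email-XXXXXX.customers.prezly.io", "TXT", "v=spf1 ip4:192.0.2.0/24 -all"),
    ("prezly.domainkey.email-XXXXXX.customers.prezly.io", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER1"),
    ("prezly2.domainkey.email-XXXXXX.customers.prezly.io", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER2"),
    ("example.com", "TXT", "v=spf1 include:_spf.mailhost.example -all"),  # your own SPF
]
ZONE = {(name.lower(), rtype): value for name, rtype, value in RECORDS}

def resolve_txt(name, queried, max_hops=8):
    """Follow CNAMEs to a TXT record, logging every name that gets queried."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        queried.append(name)
        if (name, "CNAME") in ZONE:
            name = ZONE[(name, "CNAME")].lower()
            continue
        return ZONE.get((name, "TXT"))
    raise RuntimeError("CNAME chain too long")

def spf_domain(mail_from, helo):
    """RFC 7208 section 2.4: SPF uses the MAIL FROM domain; with a null
    reverse-path ("<>") the identity falls back to the HELO name."""
    addr = mail_from.strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else helo.lower()

def dkim_key_name(selector, signing_domain):
    """DKIM public keys are published at <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{signing_domain}".lower()

def receiver_lookups(mail_from, helo, dkim_tags):
    queried = []
    spf = resolve_txt(spf_domain(mail_from, helo), queried)
    key = resolve_txt(dkim_key_name(dkim_tags["s"], dkim_tags["d"]), queried)
    return {"spf_record": spf, "dkim_key": key, "queried": queried}

if __name__ == "__main__":
    # Constructed envelope: return path on the subdomain, signature for example.com.
    result = receiver_lookups("<bounces@prezly-email.example.com>",
                              "mta.mailhost.example", {"s": "prezly", "d": "example.com"})
    for field, value in result.items():
        print(field, "=", value)
```

The `queried` list never contains `example.com` itself, which is why the domain's own SPF record is left untouched by this setup.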