To ensure your emails from Ostendis arrive reliably with applicants, the three mechanisms SPF, DKIM, and DMARC are important. They also help protect your domain from misuse.
At the beginning, we explain the connections as clearly as possible and create a basic understanding of the topic. The subsequent technical section is aimed at your IT staff or your IT service provider and shows which settings need to be made for sending emails from Ostendis.
Initial Situation
The Ostendis e-recruiting solution allows you to send email replies to applicants.
Technically, these messages are sent via the Ostendis mail infrastructure, but appear to recipients with your own sender address. This ensures that replies from applicants reach you directly.
For large email providers like Microsoft, Google, or Apple to classify these emails as trustworthy, technical authentication of your domain is practically indispensable today.
This is exactly what the three mechanisms SPF, DKIM and DMARC are for.
Important: For email sending from Ostendis to function reliably, your domain’s SPF record must be correctly configured.
Additionally, we recommend setting up DKIM and DMARC. These procedures improve the deliverability of your emails and help to better protect your domain from misuse.
How do SPF, DKIM, and DMARC work together?
The three procedures complement each other. Each covers its own part of email authentication.
SPF
Mandatory
Defines which mail servers are allowed to send emails on behalf of your domain.
In short: Who is allowed to send?
DKIM
Highly recommended
Digitally signs emails and confirms that they originate from the authorized sender and have not been altered during transmission.
In short: Is the message authentic?
DMARC
Recommended
Defines what should happen to emails if SPF and/or DKIM cannot be successfully verified.
In short: What to do in case of errors?
Only all three mechanisms together result in modern and optimally secured email authentication.
Who sets this up?
The same applies to all three mechanisms: Setup is carried out by your IT department or IT service provider and requires access to your domain’s DNS management.
SPF · DKIM · DMARC
Here we explain the three DNS records that ensure secure and reliable email sending from Ostendis.
SPF
Why is SPF important?
An SPF (Sender Policy Framework) record allows not only your own mail server but also other mail servers to be authorized to send emails on behalf of your domain.
The Ostendis mail server sends emails on your behalf. Many receiving mail servers therefore check whether our mail server is authorized to send emails with your domain as the sender.
Without this authorization, emails are often classified as suspicious or directly rejected.
The consequence: applicants may not receive important messages from the Ostendis system.
Therefore, SPF is mandatory for sending via Ostendis.
How to set up the SPF record
1. Check existing SPF record
First, check if an SPF record already exists for your domain in the DNS.
In most cases, an SPF record is already present, as many companies use Microsoft 365, Google Workspace, newsletter systems, or other cloud services.
Important: An existing SPF record must not be replaced or deleted. It only needs to be supplemented with the Ostendis mail server.
2. Add Ostendis as a sending source
For emails from Ostendis to be sent correctly, Ostendis must be added as an authorized sending source in your domain’s existing SPF record.
SPF record to copy
Example
Important
- Retain existing entries
- Add Ostendis additionally
- There can only be one SPF record per domain
- Do not delete existing SPF record
- Do not replace existing SPF record with a new one
Is the entry a risk?
The authorization of our mail server to send emails on your behalf theoretically poses a risk, but in practice, this is very low.
Furthermore, it is in our own interest that only authorized emails are sent via our systems. Therefore, we protect our mail infrastructure with appropriate security measures.
DKIM
What is DKIM?
DKIM (DomainKeys Identified Mail) is a method for authenticating emails.
Every email sent receives a digital signature. The receiving mail server can thus check whether the message actually originates from your domain and has not been altered during transmission.
This increases the trustworthiness of your emails and improves their deliverability.
Why is DKIM Important?
Many large email providers today require technical authentication of emails. If this is missing, it can happen that messages:
- End up in the spam folder
- Be delivered with delays
- Be rejected entirely
Although DKIM is not strictly necessary for sending via Ostendis, we strongly recommend it.
In practice, DKIM has become the standard for most companies today and makes an important contribution to reliable email delivery.
How to Set Up DKIM
1. Contact Ostendis
To set up DKIM, we need a brief message to [email protected].
We will then create the DKIM keys for your domain and prepare all necessary DNS information.
2. Receive DKIM Information
After creating the keys, we will send you all required details.
These typically include:
- DKIM selector
- DNS hostname
- Public key
3. Publish DNS Record
Your IT department or IT service provider creates the DKIM TXT record provided by Ostendis in your domain’s DNS zone.
4. Activation and Testing
After publication of the DNS record we check the configuration email activate DKIM signing for your domain.
Common problems
If the setup does not work immediately, it is often due to one of the following issues:
- Public key not fully adopted
- Incorrect hostname used
- DNS change not yet globally propagated
- Existing DKIM record conflicts with the new record
DMARC
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
This method builds on SPF and DKIM and defines how receiving mail servers should handle emails that cannot be successfully authenticated.
Additionally, reports can be generated. These show which systems send emails on behalf of your domain and whether they successfully pass the security checks.
Why is DMARC important?
DMARC helps to:
- Reduce phishing attempts
- Make it more difficult to misuse their own domain
- Improve the deliverability of legitimate emails
- gain more control over your domain's email traffic
DMARC is recommended by us, but is not strictly necessary for sending from Ostendis.
How to set up DMARC
DMARC is published as a TXT record. The record is always located under: _dmarc.yourdomain.ch
Recommended start
With this setting no emails are blocked yet. The policy serves exclusively for monitoring and analysis.
Later expansion stages
Quarantine
Reject
These policies should only be used when SPF and DKIM function reliably.
Example of a DMARC record
A typical entry looks like this:
Host
_dmarc
Type
TXT
Value
v=DMARC1; p=none
Ostendis Recommendation
For the most reliable and secure delivery of your applicant communication, we recommend:
- Configure SPF correctly (mandatory)
- Activate DKIM for your domain (highly recommended)
- Set up DMARC with a monitoring policy (p=none) (recommended)
This ensures your emails comply with the current security email of large email providers and reach.
Frequently Asked Questions
Are DKIM and DMARC mandatory for Ostendis?
No. SPF is mandatory for sending from Ostendis.
DKIM and DMARC are not technically necessary for sending, but we strongly recommend them as they improve deliverability and increase your domain’s security.
possible
Sending from Ostendis generally works.
However, without DKIM and DMARC, emails may more frequently be classified as less trustworthy or end up in the spam folder.
Why does DKIM sometimes not work immediately after setup?
The most common causes are:
- DNS changes have not yet propagated globally
- Public key was incompletely adopted
- Incorrect hostname was used
- Existing DKIM configuration causes conflicts
Who in our company needs to perform the setup?
Your responsible IT department or your IT service provider with access to your domain’s DNS management.
What happens if we don't set anything up?
Without SPF, reliable email delivery from Ostendis is not guaranteed. Many receiving mail servers will reject the messages or classify them as suspicious.
This requirement is now a general standard in email communication and does not only apply to Ostendis. Other e-recruiting, newsletter, or CRM systems also require appropriate SPF, DKIM, and DMARC settings if they send emails on behalf of your domain.
Wie hilfreich war dieser Beitrag?