Guide to email authentication types: Bulletproof your email

In this article, we break down email authentication to explain what it is, why you need it and how to do it. Plus, we explain what SPF and DKIM do, and discuss two additional authentication methods you can use to further boost security and deliverability.

January 19, 2022

Just as we use locks, keys and IDs to keep our physical premises safe, it’s important to implement the correct safeguards to protect our digital ecosystem as well. For email, this comes in the form of email authentication.

Not only does email authentication keep your email safe from fraud and protect your business and reputation, but it also ensures a better campaign deliverability rate.

By configuring SPF and DKIM records for your emails, you’ll protect your brand, avoid phishing and spoofing, and signal to mailboxes that your messages are legitimate and safe for subscribers’ inboxes. Plus, with two optional (but highly recommended!) protocols, you can double down on your efforts for more secure sending!

In this article, you’ll learn how to authenticate email, how email authentication works, as well as the four email authentication types and what they do. Let’s get to it!

Email authentication is the process performed by mail servers to establish that an incoming email is legitimate and not fraudulent. It’s kind of like doing an ID check; does the identity of the sender indeed match the records associated with the server it’s sent from? 

Specifically, email authentication refers to the technical standards by which the authentication takes place. There are four standardized protocols used by email clients like Google, Yahoo, Outlook and Apple Mail to verify the identity of senders. Two of these email authentication types—SPF and DKIM—are required, while DMARC and BIMI are optional:

  • SPF: Sender Policy Framework
  • DKIM: DomainKeys Identified Mail
  • DMARC (Optional): Domain-based Message Authentication, Reporting & Conformance
  • BIMI (Optional): Brand Indicators for Message Identification

As an email sender, you need to configure these records in your DNS.

As wonderful as email is, it’s become a major platform for cyber criminals to commit crimes (such as phishing, spoofing and attacks from spammers). Consequently, Internet Service Providers and Email Service Providers (ISPs and ESPs) implement various protocols to protect both senders and receivers of email messages. Part of this involves email authentication. 

Email sender authentication helps you to protect your business from harmful activity that could damage your brand image and customer relationships, and even lead to financial implications. 

In addition to this added level of security, correctly configuring email authentication records also helps to instill a level of trust with ISPs, increasing your email deliverability. If you don’t have these records in place, ISPs are likely to send your emails to the spam folder instead of the inbox. 

What’s more, ESPs, like our friends MailerLite, require you to have valid records to use their service. This ensures you receive the maximum deliverability possible, and that sender reputation is protected for all users. 

If you’re a business managing your own mail server or are sending marketing or transactional emails via an ESP, you will need to configure your email authentication records.

When set up correctly, the email sending and receiving process is almost instantaneous, but you’d be surprised at what goes on behind the scenes! 

Every time a mail server receives an email, it verifies the sender’s authenticity. If one of the checks fails, it acts based on the policies set out by the sender in the DMARC record. This could result in the email being flagged or bounced. 

This process can vary slightly in its approach, but generally it looks like this:

1. The sender implements the protocols needed to authenticate emails sent from its domain. These are configured on the mail server and the sending domain’s DNS (Domain Name System) zone file.

2. When an email is sent, the receiving mail server looks for specific identifiers in the email and DNS records to confirm the sender’s identity and make sure that the email is safe to deliver.

3. The receiving mail server checks the records. If email authentication is verified, the email is happily forwarded to the mailbox of the receiver. If not, it will follow the policy rules set out by the sender, which could land the email in spam or result in a bounce.

Bonus info: Email authentication is just one part of what's checked en route. Mail servers also look at sender and domain reputation, previous engagement levels, bounces and spam scores. This provides an understanding of the overall sender quality.

Earlier, we talked about SPF, DKIM, DMARC and BIMI: the four protocols that support SMTP to ensure bulletproof verification. Let’s take a look at what each of these does.

SPF records define which IP addresses are allowed to send emails for a specific domain. For example, MailerCheck’s SPF record states which sending IP addresses can send emails from the mailercheck.com domain.

The SPF record should be published as a TXT record to DNS so that email servers can reference it for authentication. Most ESPs will provide you with an SPF record when you set up an account to use their services. 

Tip: Add SPF records for all domains you control, even if you don’t send emails from them. This will prevent criminals from hijacking your email domain for fraudulent email activity.
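To show what a receiving server actually does with an SPF record, here is an added Python example (not MailerCheck’s or MailerLite’s code) that evaluates the ip4, ip6, include and all mechanisms against a constructed table of DNS TXT records. The domains, addresses and records in the table are hypothetical, and only those four mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for real TXT lookups (hypothetical domains)
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "unused.example": "v=spf1 -all",  # a domain that sends no mail at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.

    Handles ip4, ip6, include and all, which covers the record shapes most
    ESPs hand out. Returns an SPF result string such as "pass" or "fail".
    """
    lookups = [0] if lookups is None else lookups  # shared across includes
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to a "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            try:  # a v4 address never matches a v6 network and vice versa
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups: record is broken
            # include matches only if the referenced record yields "pass"
            matched = check_spf(value, sender_ip, lookups) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

The `-all` on `unused.example` is the tip above in record form: any IP sending for that domain gets a hard fail.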

DKIM is SPF’s slightly more secure cousin. This protocol complements SPF by adding a cryptographic digital signature to your emails to verify that the message is legitimate. 

It works with a pair of keys. The sending system uses a private key to sign selected email headers and the message body, while the receiving mail server checks that signature using the matching public key, which is the DKIM key published in your DNS. 

Just like with SPF, the DKIM key is provided by your ESP, and should be added to your DNS as a TXT record. Unlike SPF, you’ll need a unique DKIM key for each domain. 

Once this is done and DKIM is verified, every email you send gets a unique DKIM signature added to it. The receiving mail server fetches the public DKIM key from your DNS records and uses it to verify the signature. It also generates a hash of the email contents and compares it with the hash carried in the signature. If they match, the email passes DKIM authentication. This is how DKIM lets the receiver detect any tampering with the signed parts of an email in transit.
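The hash comparison described above, as an added Python example (not code from the original page or from any ESP): it applies DKIM body canonicalization and checks the bh= tag of a constructed message, including a copy whose body was changed after signing. The domain, selector and b= value are placeholders; verifying the b= signature itself needs the public key from DNS and is left out here.

```python
import base64
import hashlib
import re

def canonicalize_body(body, method="relaxed"):
    """DKIM body canonicalization (RFC 6376 3.4): drop trailing empty lines;
    'relaxed' also collapses whitespace runs and strips trailing whitespace."""
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body, method="relaxed"):
    """The bh= value a signer writes: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_signature(raw_message):
    """Unfold the headers and return the DKIM-Signature tags as a dict."""
    headers = raw_message.partition("\r\n\r\n")[0]
    for line in re.sub(r"\r\n[ \t]+", " ", headers).split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            pairs = (tag.partition("=") for tag in value.split(";"))
            return {k.strip(): re.sub(r"\s+", "", v) for k, _, v in pairs if k.strip()}
    return {}

def verify_body_hash(raw_message):
    """Receiver-side bh= check: recompute with the c= body method and compare."""
    tags = parse_dkim_signature(raw_message)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    body = raw_message.partition("\r\n\r\n")[2]
    return body_hash(body, body_method) == tags["bh"]

# Constructed sample; example.com, the selector and the b= value are placeholders.
SIGNED_BODY = "Hello  there \r\n\r\n\r\n"
HEADERS = (
    "From: news@example.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=sel1; h=from; bh={bh}; b=SIGNATURE_PLACEHOLDER\r\n"
)

def sample_message(delivered_body=SIGNED_BODY):
    """Message whose bh= covers SIGNED_BODY; pass another body to simulate tampering."""
    return HEADERS.format(bh=body_hash(SIGNED_BODY)) + "\r\n" + delivered_body
```

Because the record uses relaxed canonicalization, a mail relay that rewraps whitespace does not break the check, but a change to the words does.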

DMARC isn’t required for email authentication, but it is highly recommended to further protect your domain from phishing scams and spoofing attacks. 

DMARC binds DKIM and SPF together to offer more flexibility and control over authentication. It provides a framework for feedback so that senders can define how they would like emails to be handled if they fail the DKIM or SPF check. What’s more, it enables senders to track fraudulent activity with reports. 

A DMARC policy builds on the SPF check (the sender’s IP address) and the DKIM check (the signature), and protects the domain from spoofing by requiring the domain those checks authenticated to align with the domain in the email’s From: header. If these checks fail, the DMARC record instructs the receiving mail server what to do. 

Once again, DMARC should be added to your DNS as a TXT record, but this time, it’s a little trickier to configure. 

A DMARC record is made up of several tags depending on your needs. The required tags are:

  • v: Identifies the record and must be listed at the beginning. The value is always DMARC1.
  • p: Identifies the policy chosen for your record, which is applied by mailbox providers if your email fails DMARC authentication. There are three policies to choose from:
    • p=none: This directs mail servers to take no action but allows you to track emails being sent.
    • p=quarantine: This directs mail servers to send the email to the spam folder if it fails DMARC authentication, and tracks emails being sent.
    • p=reject: This directs mail servers to reject any emails that fail DMARC checks, resulting in a bounce. It also allows the sender to track emails being sent. 

Here’s an example of a basic DMARC record:

v=DMARC1; p=none; rua=mailto:[email protected]

Note: rua=mailto:[email protected] is an optional tag that indicates the email address that aggregate reports should be sent to. 
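To make the alignment and policy logic concrete, here is an added Python example (not MailerCheck’s code) that parses a DMARC record like the one above and decides a message’s disposition from the SPF and DKIM results. The domains and the report address are hypothetical, and the organizational-domain step is a simplification of what real receivers do.

```python
DISPOSITION = {"none": "deliver", "quarantine": "spam folder", "reject": "bounce"}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels
    (real receivers consult the Public Suffix List for this)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts any subdomain of the same organization."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the domain in the visible From: header, spf_domain the
    MAIL FROM domain SPF was checked against, dkim_domain the d= tag of a
    DKIM signature that verified (empty string if there was none)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITION:
        return "none", "deliver"  # no usable policy published
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    return "fail", DISPOSITION[tags["p"]]

# Constructed record for a hypothetical domain; the rua address is made up.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

The second assertion below is the case ESP users hit most often: SPF passes for the ESP’s own bounce domain, but that domain is not aligned with yours, so only a DKIM signature with your domain in d= keeps the message out of the reject bucket.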


This email authentication type, like DMARC, is optional and adds an extra layer of authentication for your business. It adds your brand logo to your domain to be displayed alongside your email in subscribers’ inboxes, just like in this example from Yousician.

[Image: example of BIMI in use from Yousician. Image credit: Yousician]

As well as helping your emails to stand out from the crowd, using BIMI instantly makes your emails more trustworthy and professional. This helps to increase subscriber engagement, as well as decrease the chances of fraudulent activity by setting a standard for emails sent from your domain. 

To implement BIMI, you guessed it, you need to add a TXT record to your DNS. This should look a little something like this: 

Name: default._bimi.[Your Domain]
Type: TXT
Value: v=BIMI1; l=[Your SVG’s URL]; a=[Your VMC URL]

You must also have: 

  • DMARC configured, as you will be required to add a specific DMARC policy in order for your logo to display (p=quarantine or p=reject)
  • An SVG image of your logo that meets the SVG Tiny PS (Portable/Secure) standard
  • A Verified Mark Certificate (VMC) so that your logo will work with Gmail 

After BIMI is implemented, your logo will be evaluated by the receiving mail server. If everything is configured correctly and meets their requirements, your logo will be displayed! As of now, the email clients that support BIMI are Google, Yahoo, AOL and Fastmail. 

Phew! That was a lot. Now you’re ready to learn how to authenticate email when using an ESP. Let’s do this!

With most ESPs, email sender authentication should be a similar, straightforward process. We’re going to show you just how easy it really is using MailerLite, our email marketing sister!

1. Log in to MailerLite and head to Domains.

2. Click Authenticate to continue for a previously verified domain. To verify a new one, click Add domain and follow the steps first. 

3. The Name and Value fields for the DKIM and SPF records will be displayed. Keep this open.

[Image: Authenticate email with SPF and DKIM records in MailerLite]

4. Head over to the DNS records of your domain. If you’re unsure how to do this, contact the support of your hosting provider. They can help you add the DKIM and SPF records. 

5. Add the DKIM and SPF as TXT records, using the Names and Values that are provided by MailerLite. These records must be an exact match. 

6. Once added, go back to MailerLite and click the Check DNS records button.

[Image: Check SPF and DKIM records in MailerLite]

And that’s it! If your DKIM and SPF records aren’t approved right away, don’t worry. It can take up to 24 hours to update this information. 

Check this email authentication help guide for more information and troubleshooting.

With MailerCheck, keeping tabs on email authentication is easy—you never need to worry about possible failed authentication. As well as keeping your email list clean and healthy, MailerCheck’s email insights feature tests your email content and checks the two essential email authentication types before you hit send.

[Image: MailerCheck email insights results showing SPF and DKIM verification]

No sender expects their authentication to fail, but it can happen from time to time, for example when you change DNS providers. MailerCheck enables you to send each and every email campaign with complete confidence, knowing your email authentication is verified. 

In addition to regularly running email authentication checks, it’s a good idea to keep an eye on open rates. Often, when mistakes happen or processes fail, a significant drop in opens is the first indicator that something has gone awry.

If you have a business, you need to authenticate your email. Configuring your SPF and DKIM records is a simple way to protect your brand, avoid email fraud and increase deliverability today. 

Combined with the powers of DMARC and BIMI to turbocharge your efforts, you’ll make your emails more trustworthy to mail servers and subscribers alike while keeping those pesky cyber criminals at bay. 

Have you tried implementing these two additional email authentication types, DMARC and BIMI? Share your experience in the comments!


Amy Elliott
I’m Amy, Content Writer at The Remote Company. As a child, I dreamt about writing a book and practiced by tearing pages from an A4 notepad and binding them with sugar paper. The book is pending but in the meantime, I love taking a deep dive into technical topics and sharing insights on email metrics and deliverability.