Email authentication (or email validation) is the process used to verify the source and legitimacy of an email message.
Authentication helps providers verify the origin of a message: whether it comes from a trustworthy source or has been faked or forged by spammers, scammers, and spoofers pretending to be someone they are not.
The three most widely adopted email authentication methods are SPF, DKIM, and DMARC, and we’ll get to them below. If the message can be authenticated with at least one of these, it is more likely to get to the inbox; but if authentication is missing or improperly set up, a provider’s red flags will immediately go up, which can lead to the message ending in the spam folder—or not being delivered at all.
Why do I need to authenticate my email? #
Email authentication standards help email service providers fight spam and phishing attempts, determine which emails are legit, and ultimately protect email recipients.
In the early days of the Internet, providers were relatively trusting of all senders and didn’t need to rely on authentication methods—which is exactly how spammers and phishers took advantage of the system. It was (and still is) surprisingly easy for spammers to send emails that trick recipients into disclosing sensitive information, like passwords or account numbers, or performing harmful actions such as downloading malware, spyware, and other viruses.
It’s also surprisingly easy for spammers and phishers to send emails that look like they are coming from your brand, which means your customers’ and audience’s safety might be compromised by someone pretending to be you. Not cool.
By authenticating emails, you:
- Send providers a signal that you meet strong security requirements and respect your recipients
- Protect your brand by mitigating spam and phishing
- Ensure your emails are displayed as legitimate
- Improve deliverability
- Protect your overall domain reputation
🎡 fun activity: think YOU can recognize phishing and spam? Here is a quick quiz developed by Google to see if you can outsmart phishers and spammers!
What are email authentication methods? #
Email providers rely on three main authentication methods. Get ready for a whole lot of acronyms:
- Sender Policy Framework, or SPF, is a domain-based way to determine what IPs are allowed to send email on your behalf
- DomainKeys Identified Mail, or DKIM, is a message-based signature that uses cryptography to sign email and verify that your email was not altered in transit
- Domain-based Message Authentication, Reporting & Conformance, or DMARC, is a domain-based way to tell receivers how to handle authentication failures for your domain (approve, quarantine, or reject)
💡 Bonus method: in addition to SPF, DKIM, and DMARC, inbox providers have started encouraging companies to add a BIMI (Brand Indicators for Message Identification, pronounced bih-mee) specification. BIMI enables email inboxes to display a brand’s logo next to the brand’s authenticated email messages, like this:
1. How SPF authentication works #
A domain owner lists the specific IPs and sources authorized to send its mail. When a message is sent using this domain in the Return-Path address, the receiver can look up the authorized sending sources for that domain to ensure the sending IP is listed there.
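The lookup described above, as an added example that is not from the original article: a minimal SPF evaluator over constructed, in-memory TXT records (the domains and addresses are invented), covering the ip4, ip6, include and all mechanisms and the qualifier that decides the result.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records or domains).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, lookups=None):
    """Return the SPF result for `ip` sending with `domain` in the Return-Path.

    Handles ip4, ip6, include and all; a, mx, exists and macros are omitted.
    """
    lookups = [0] if lookups is None else lookups  # shared DNS-lookup counter
    record = FAKE_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # Mismatched address families never match, so ip4 vs ip6 is safe.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > 10:  # RFC 7208 limit on DNS-querying mechanisms
                return "permerror"
            # include matches only when the referenced record yields "pass".
            if check_spf(arg, ip, lookups) == "pass":
                return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

Note that a "~all" record only softfails an unlisted sender, which is why receivers lean on DMARC rather than SPF alone to decide what to do with the message.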
2. How DKIM authentication works #
A domain owner generates a public and private key pair, where the private key is known only by the signing authority (typically their ESP) and the public key is stored in the domain’s DNS. When a message is sent, the signing authority generates a unique signature hash using the private key and specified content of the message, placing this signature in the message headers. The receiver can then use the public key to verify that hash, which suggests that the content has not been altered in transit and that the signing domain takes responsibility for that content.
3. How DMARC authentication works #
The domain owner publishes a DMARC policy in their DNS with recommendations on how they would like receivers to process their mail based on SPF and DKIM authentication results. This policy applies to all mail using that domain in the From header of the email. In order for DMARC to pass, either SPF or DKIM must pass and align with the DMARC domain.
How do I check my email authentication? #
One of the easiest ways to check your email authentication status is to send an email from the domain you want to test, look for SPF, DKIM, and DMARC mentions in the message header, and see what results you get. Here, for example, is what a triple pass would look like if you opened the email in Gmail:
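The DMARC pass rule (either SPF or DKIM must pass and align with the From domain) and the header check just described, worked as an added example that is not from the original article: it parses a constructed Authentication-Results header and a constructed DMARC record (invented domains) and reports the verdict and the disposition the policy requests.

```python
import re

# Constructed Authentication-Results header, in the style a receiver adds.
AUTH_RESULTS = ("Authentication-Results: mx.example.net; "
                "dkim=pass header.d=esp.example; "
                "spf=pass (sender IP is permitted) smtp.mailfrom=bounce.example.com")

# Constructed DMARC record for the hypothetical From domain example.com.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def parse_auth_results(header):
    """Pull (result, domain) for SPF and DKIM out of an Authentication-Results header."""
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    return (spf.groups() if spf else ("none", "")), (dkim.groups() if dkim else ("none", ""))


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def org_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, header, record):
    """Return the DMARC verdict and the disposition the published policy asks for."""
    (spf_res, spf_dom), (dkim_res, dkim_dom) = parse_auth_results(header)
    tags = parse_dmarc(record)
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok  # one method passing AND aligned is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags.get("p", "none"),
    }
```

In the constructed header DKIM passes but is signed by the ESP's own domain, so only the aligned SPF result carries the DMARC pass; switch the record to aspf=s and the same message fails and gets the rejected disposition.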
💛 Friendly tip: a better way to check your email authentication status is to use a dedicated monitoring tool. Here, for example, you see our very own DMARC Digests, which makes it easy to identify email authentication issues that cause DMARC failures…
…and gives you actionable guidance to resolve problems so you can get your emails back in the inbox.
Email authentication is the sum of many acronyms that can get quite overwhelming pretty quickly. If you made it this far, you deserve to take a 5-minute break and do something fun—for example, read this webcomic we wrote to explain how emails are delivered and how authentication methods play a part in the process.
We promise you’ll never look at your SPF and DKIM records the same way again 😉