Articles on: Deliverability & compliance

Learn About Email Authentication


Email authentication employs technical standards like SPF, DKIM, and DMARC to verify the sender's identity. These standards are essential for mail servers to validate the legitimacy of incoming emails, thus safeguarding your brand and minimizing phishing attempts. By implementing these authentication protocols, you can ensure that outgoing emails from your domain are less likely to be marked as spam or spoofed by malicious actors. Additionally, these measures improve deliverability rates as mailbox providers can confidently verify the sender's authenticity.

What you’ll learn

In this tutorial, we’ll discuss:

SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
How to set up DMARC
How to verify successful email authentication implementation

SPF (Sender Policy Framework)

SPF allows domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. It works by publishing a specific DNS record that lists the authorized IP address for a particular domain.

When an email is received, the recipient's mail server can check the SPF record to verify if the IP is authorized to send emails on behalf of that domain. If the SPF check fails, it indicates a potential spoofed or fraudulent email.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to the email's header using a private key associated with the sending domain, allowing the recipient's server to verify the authenticity and integrity of the message.

The recipient's mail server can use the public key published in the DNS records of the sending domain to validate the DKIM signature. If the signature matches, it ensures that the email hasn't been tampered with during transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is an additional layer of email authentication that builds upon SPF and DKIM. It allows domain owners to state their email authentication preferences and provides instructions to receiving mail servers on how to handle emails that fail SPF or DKIM checks. With DMARC, domain owners can specify whether failing emails should be delivered, quarantined, or rejected.

Note: When using AfterShip for sending emails, you don't have to worry about adding SPF and DKIM records. The required records for authentication have already been configured by AfterShip. However, the implementation of DMARC is a separate process that needs to be carried out by yourself, with your DNS provider.

To ensure successful authentication of SPF and DKIM, please follow the steps in this help article to complete your domain’s DNS settings first.

How to set up DMARC

To set up DMARC, you'll need access to your brand's DNS settings and control over them. Please be aware that collaborating with your IT team or engaging a trusted third-party expert is essential for properly implementing a DMARC policy tailored to meet the specific requirements of your brand.
To set up DMARC, you need to create a DMARC DNS TXT record for your domain. This record tells email receivers what to do with messages that fail SPF and DKIM checks.

The record usually includes the following information:

"v" tag: Specifies the version of DMARC being used (e.g., "v=DMARC1").
"p" tag: Defines the policy for handling failed DMARC checks ("none," "quarantine," or "reject").

Value for “p” tagWhen messages fail authentication, inbox providers take certain actions in response
noneTake no action on the message and deliver it to the intended recipient.
quarantineMark the messages as spam and send it to the recipient's spam folder.
rejectReject the message. With this option, the receiving server usually sends a bounce message to the sending server.

"rua" tag (not required): Specifies the email address where aggregate reports should be sent.
"ruf" tag (not required): Specifies the email address where forensic (failure) reports should be sent.


Define your DMARC policy: Determine what action you want receivers to take when they receive emails failing DMARC checks. Here's an example of a basic DMARC setting:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none

Publish the DMARC record: Once you've generated the DMARC record, publish it by adding it to your DNS settings.

How to verify successful email authentication implementation

One option is to use the DMARC checker provided by EasyDMARC. Simply input your domain into their tool, and you can check if the record is correctly set up by referring to the ‘status’.

Another approach is to examine the header of an email sent by your brand. By analyzing the email headers, you can confirm if your email authentication mechanisms are configured correctly.

If you have any queries, feel free to connect with our support team for quick assistance.

Updated on: 04/03/2024

Was this article helpful?

Share your feedback


Thank you!