What is authentication (overview)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Authentication proves that an email really came from the domain in the "From" address. Without it, mailbox providers like Gmail, Outlook, and Yahoo Mail have no way to tell if you're the real sender or someone pretending to be you. So they either block your email or shove it into spam.

Think about it this way. Anyone can put "billing@yourbank.com" in the From field of an email. The email system doesn't check that automatically. Authentication is what lets the receiving server verify that the message actually came from servers authorized to send on behalf of yourbank.com.

Three protocols handle this verification:

  • SPF (Sender Policy Framework) lists which mail servers are allowed to send email for your domain. It's a DNS record that says "these IPs are legit, everything else is suspicious."
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. The receiving server checks the signature against a public key published in your DNS to verify the message wasn't tampered with in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do if a message fails authentication. It also sends you reports so you can see who's trying to send email pretending to be you.

All three work together. SPF checks the sending server. DKIM checks the message content. DMARC checks that the domain in the From field matches the domain that passed SPF or DKIM (this is called "alignment"), and then enforces your policy.

Here's what happens without authentication. Modern mailbox providers treat unauthenticated email as suspicious by default. Gmail and Yahoo started requiring both SPF and DKIM in February 2024 for bulk senders. If you're sending more than 5,000 messages a day to Gmail addresses and you don't have authentication set up, your email doesn't get delivered. Period.

Even if you're sending less than that, unauthenticated email is much more likely to land in spam or get blocked entirely. Mailbox providers can't tell the difference between your legitimate newsletter and a phishing attack if you're not authenticating. The lack of authentication is itself a red flag.

The good news is most ESPs handle this for you automatically. Mailchimp, Klaviyo, SendGrid, Postmark, and similar platforms set up SPF and DKIM when you authenticate your domain through their dashboard. You still need to set up DMARC yourself in most cases, but that's just one DNS record.

Now if you're running your own mail server or using a custom SMTP setup, you're responsible for configuring all three protocols yourself. That's doable, but it requires understanding DNS records and how each protocol works. Most senders are better off using an ESP that handles the authentication automatically.

Authentication also enables something called non-repudiation. That's a technical term that means a sender can't credibly deny sending a message. If your domain is properly authenticated and a message passes DKIM, there's cryptographic proof that it came from your servers. This matters for legal and compliance reasons, and it's why transactional ESPs like Postmark put so much effort into authentication. A password reset email or a receipt needs to be verifiably from you.

Want to check if your domain is authenticated? Try our free SPF checker and DKIM lookup tool. Both run in 30 seconds and tell you exactly what's configured (or missing). If you're seeing delivery issues and you're not sure where to start, ask us and we'll walk through your setup.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Authentication Setup

I read this on the Email Almanac about email authentication (SPF, DKIM, DMARC): "Authentication proves that an email really came from the domain in the 'From' address. Without it, mailbox providers have no way to tell if you're the real sender or someone pretending to be you. SPF lists which servers can send for your domain, DKIM adds a cryptographic signature to verify message integrity, and DMARC ties them together and tells receivers what to do if authentication fails." Help me figure out if my setup is correct and what I need to fix. I need: 1. Current state check: What authentication records do I already have, and are they configured correctly? 2. Gap analysis: What's missing or misconfigured that's hurting my deliverability right now? 3. Setup priorities: If I have to fix things one at a time, what order should I tackle them in? 4. ESP-specific guidance: Does my platform handle some of this automatically, or do I need to configure everything manually? 5. Verification steps: How do I confirm everything is working after I set it up? My setup details (the more you share, the better the advice): - Email platform/ESP: [e.g. Mailchimp, SendGrid, custom SMTP, Gmail Workspace, Postmark] - Sending domain(s): the domain(s) you send email from - Current DNS access: yes/no, or "I can request changes through IT" - Sending volume: approximate emails per day or month - Email types: marketing newsletters, transactional, both - What prompted this: [e.g. "emails going to spam", "setting up new domain", "Gmail rejected my messages", "compliance requirement"] - Technical comfort level: [beginner/intermediate/advanced with DNS and email infrastructure]

Edit the yellow boxes, then send to the AI of your choice.