What is authentication (overview)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Authentication proves that an email really came from the domain in the "From" address. Without it, mailbox providers like Gmail, Outlook, and Yahoo Mail have no way to tell if you're the real sender or someone pretending to be you. So they either block your email or shove it into spam.
Think about it this way. Anyone can put "billing@yourbank.com" in the From field of an email. The email system doesn't check that automatically. Authentication is what lets the receiving server verify that the message actually came from servers authorized to send on behalf of yourbank.com.
Three protocols handle this verification:
- SPF (Sender Policy Framework) lists which mail servers are allowed to send email for your domain. It's a DNS record that says "these IPs are legit, everything else is suspicious."
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. The receiving server checks the signature against a public key published in your DNS to verify the message wasn't tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do if a message fails authentication. It also sends you reports so you can see who's trying to send email pretending to be you.
All three work together. SPF checks the sending server. DKIM checks the message content. DMARC checks that the domain in the From field matches the domain that passed SPF or DKIM (this is called "alignment"), and then enforces your policy.
Here's what happens without authentication. Modern mailbox providers treat unauthenticated email as suspicious by default. Gmail and Yahoo started requiring both SPF and DKIM in February 2024 for bulk senders. If you're sending more than 5,000 messages a day to Gmail addresses and you don't have authentication set up, your email doesn't get delivered. Period.
Even if you're sending less than that, unauthenticated email is much more likely to land in spam or get blocked entirely. Mailbox providers can't tell the difference between your legitimate newsletter and a phishing attack if you're not authenticating. The lack of authentication is itself a red flag.
The good news is most ESPs handle this for you automatically. Mailchimp, Klaviyo, SendGrid, Postmark, and similar platforms set up SPF and DKIM when you authenticate your domain through their dashboard. You still need to set up DMARC yourself in most cases, but that's just one DNS record.
Now if you're running your own mail server or using a custom SMTP setup, you're responsible for configuring all three protocols yourself. That's doable, but it requires understanding DNS records and how each protocol works. Most senders are better off using an ESP that handles the authentication automatically.
Authentication also enables something called non-repudiation. That's a technical term that means a sender can't credibly deny sending a message. If your domain is properly authenticated and a message passes DKIM, there's cryptographic proof that it came from your servers. This matters for legal and compliance reasons, and it's why transactional ESPs like Postmark put so much effort into authentication. A password reset email or a receipt needs to be verifiably from you.
Want to check if your domain is authenticated? Try our free SPF checker and DKIM lookup tool. Both run in 30 seconds and tell you exactly what's configured (or missing). If you're seeing delivery issues and you're not sure where to start, ask us and we'll walk through your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.