What’s the difference between authentication and encryption?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Think of it this way. You receive a letter in the mail. Authentication tells you the letter genuinely came from who signed it. Encryption ensures nobody else could read it on the way to your door. Two different problems, two different tools.

In email, authentication answers the question "who sent this?" It's handled by three protocols you've probably heard of: SPF, DKIM, and DMARC. Together they make it very hard for a bad actor to send email that pretends to be from your domain. Authentication doesn't hide the message content though. It just proves the sender is who they say they are.

Encryption answers a different question entirely: "who can read this?" TLS encrypts your message in transit between mail servers, so it can't be intercepted on the wire. S/MIME and PGP go further with end-to-end encryption, meaning even the mail servers passing the message along can't read what's inside.

Here's where it gets interesting. You can have one without the other. An authenticated message (SPF, DKIM, DMARC all passing) is still readable by any mail server it passes through if TLS isn't in use. An encrypted message can still come from an impersonator if there's no authentication in place. The envelope is sealed, but anyone could have put it there.

So should you implement both? For most senders, the priority order looks like this. Authentication first, always. SPF, DKIM, and DMARC protect your domain from spoofing and impersonation, which is the most common threat. TLS is largely handled automatically by modern mail servers, so you're probably already getting it. End-to-end encryption (S/MIME or PGP) is more niche. It's genuinely valuable for legal, medical, or financial email where message confidentiality is a compliance requirement. For most marketing and transactional senders, it's not the first thing to worry about.

If you haven't checked whether your authentication is set up correctly, our free SPF checker is a good starting point. Or if you're not sure where your gaps are, the SOS hotline is free and we'll actually walk through it with you ;)

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a prioritized authentication and encryption plan for your setup

Based on my email setup, tell me which is more urgent for me right now: getting authentication (SPF, DKIM, DMARC) in place, or focusing on encryption (TLS, S/MIME)? Here's my situation: 1. My domain/sending setup: e.g. Google Workspace, self-hosted, ESP name 2. The type of email I send: [e.g. marketing newsletters, transactional receipts, internal comms, legal/medical/financial] 3. What I've already set up: e.g. SPF is live, DKIM not sure, no DMARC yet 4. My biggest concern: [e.g. domain spoofing, compliance, inbox placement, intercepted messages] Please rank what I should tackle first and explain why.

Edit the yellow boxes, then send to the AI of your choice.