What’s the difference between visible and authenticated identity?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: you get an email from "Harbor Shipping Co." That name shows up in your inbox, clear as day. But behind the scenes, the mail server that sent it belongs to a completely different domain. Which one does your inbox actually trust?

That's the gap between visible identity and authenticated identity, and it's worth understanding both.

Visible identity is everything a recipient can see: the From name, the From address, and how the sender presents themselves inside the email client. It's the human-facing side of who sent the message.

Authenticated identity is what's verified in the background through SPF, DKIM, and DMARC. These protocols confirm which domains were actually authorized to send the message and whether the content was signed by a legitimate source. Inbox providers like Gmail and Outlook check this automatically, and your recipients never see it happen.

Here's the thing: the two can easily diverge. An email might display "captain@deepcurrent.io" in the From field but authenticate under a third-party sending domain that has nothing to do with deepcurrent.io. Visually, everything looks fine. Technically, nothing aligns.

That's exactly why DMARC alignment exists. It requires the authenticated domain (from SPF or DKIM) to match the visible From domain. When they do match, inbox providers can confirm that the sender is who they claim to be. When they don't, you're at higher risk of being flagged or filtered (or impersonated by someone else entirely).

If you want to check whether your visible and authenticated identities are actually lining up, our free Email Header Analyzer can show you exactly what's happening behind the scenes. Or if things feel complicated, drop us a message via the SOS hotline and we'll take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above and get a quick alignment check

We have a From name and From address set up for our emails, and we've configured DKIM and DMARC. But I'm not sure if what recipients see in their inbox actually matches what's being verified in the background. Can you check the following details and tell me whether our visible identity and authenticated identity are aligned? 1. Our visible From address: paste your From address 2. Our DKIM signing domain: paste the d= value from your DKIM signature 3. Our SPF return-path domain: paste the domain in your envelope sender or return-path 4. Our DMARC record (if you have it): paste the full record Based on this, tell me: - Whether our SPF and DKIM domains align with the visible From domain - Whether we pass DMARC alignment (strict or relaxed) - Any mismatches that could hurt our deliverability or leave us open to spoofing

Edit the yellow boxes, then send to the AI of your choice.