As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.
What is email authentication?
Just like a unique digital signature, email authentication helps prove your sender identity so that your emails are more likely to reach the inbox. Authentication also helps identify forged or fake emails so that they get rejected as spam, which is why many major inbox providers now require it for anyone sending through an email service provider (ESP). There are several types or “protocols” of email authentication senders can use to verify their emails, which are described below.
While essential, authentication alone can’t guarantee that your emails will always land in the inbox. Senders still need to follow deliverability best practices and anti-spam requirements.
Important email authentication terms
Before we dive into the world of email authentication, it’s important to understand some common terms and concepts.
- Email Delivery is whether the email gets accepted (delivered) or rejected (bounced) by the receiving mail server.
- Email Deliverability is where the email lands after it is accepted for delivery, like the inbox or the spam folder.
- DNS (Domain Name System) is like the telephone directory of the internet. It’s a record of all domain names (like google.com) on the web.
- Sending Domain is the domain (after the “@” in an email address) used to send emails. This should always be a domain that you or your organization own.
If you don’t own a domain, check out our Domain names and registrars article.
It’s also useful to know that every email has two “from” addresses:
- Header-From / Friendly From is the address we’re all familiar with in our inbox, like “sally@mycompany.com”. It’s meant to be read and understood by humans receiving the email.
- Envelope-From / Return-Path is the address we don’t usually see in the inbox, and it looks like “1234567.8901234.12345678910@e2ma.net”. It’s meant to be read and understood by the machines sorting incoming emails.
Setting up email authentication requires some technical knowledge because you’ll need to access and create DNS records for your sending domain. If you’re uncertain how to do this, ask your IT team or your domain provider for help.
DKIM
What you need to know
DKIM (DomainKeys Identified Mail) allows a mailbox provider (like Gmail, Yahoo, Outlook) to verify that an email’s content hasn’t been tampered with or changed in transit and that the Friendly From address (the one for humans) matches the DKIM record domain. DKIM authentication happens in two parts, one on the sender side and the other at the receiving end.
- Sending: Our system generates an alphanumeric code (let’s call it code 1) that represents the Friendly From address and email content. The system then encrypts code 1 and sends it with your email.
- Receiving: When the mailbox provider receives your email, it generates its own alphanumeric code (let’s call it code 2). It then encrypts code 2 and compares code 2 with code 1. If both codes match, then your email hasn’t been tampered with or changed while in transit.
Without DKIM, many major inbox providers will either mark your emails as spam or reject them outright. For more information about how DKIM works and why it’s important, check out our DKIM and deliverability article.
What you need to do
All accounts should set up DKIM authentication, as this helps distinguish your emails from other email senders and builds your unique domain reputation as a trusted email sender. Some major inbox providers, such as Gmail and Yahoo, actually require DKIM and will reject emails without it.
DMARC
What you need to know
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines parts of SPF and DKIM authentication to tell mailbox providers what to do with unauthenticated emails. It was created to destroy the deliverability of email senders who forge or fake other people’s sending domains, a practice known as spoofing. Some major inbox providers, such as Gmail and Yahoo, require DMARC and DKIM for anyone sending through an email service provider (ESP).
What you need to do
Before creating a DMARC policy for your domain, you need to correctly set up DKIM authentication for your email marketing account. Otherwise, you risk a large segment of your emails being rejected by mailbox providers. Once you’ve completed your DKIM setup, you can move forward with adding a DMARC policy on your domain.
SPF
What you need to know
SPF (Sender Policy Framework) authentication checks the DNS records of the domain in the return-path address (the one for the machines) for the IPs authorized to send emails for that domain. If a sender’s IP address is not listed in the DNS records of the return-path domain, their email is rejected.
The return-path domain for all emails coming from our system is e2ma.net. This cannot be changed.
SPF alignment is partially determined by an email’s return-path, so all mailings sent from our system will only partially pass SPF, even if the sender has added us to their SPF record. This is another reason why setting up DKIM is so important: DMARC only requires SPF alignment OR DKIM alignment in order to pass, not both. So as long as you have DKIM set up in your email marketing account, your campaigns should still pass DMARC.
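The "SPF alignment OR DKIM alignment" rule can be worked through in code. The following is an added example, not part of the original article or of any provider's software: it takes the two sample addresses used earlier on this page and shows why a message with an e2ma.net return-path depends on DKIM to pass DMARC. It goes slightly beyond the text by covering both relaxed and strict alignment; the function names and the shortcut used to find the organizational domain are assumptions of this sketch.

```python
# Added example: DMARC verdict from SPF/DKIM results plus alignment.
# Sample addresses are the page's own; the verdict inputs are constructed.

def org_domain(domain, multi_label_suffixes=("co.uk", "com.au")):
    """Approximate the organizational domain of `domain`.

    Assumption: real receivers consult the Public Suffix List; this
    sketch only knows the multi-label suffixes passed in.
    """
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in multi_label_suffixes else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, b = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_verdict(header_from, return_path, spf_pass,
                  dkim_domain, dkim_pass, strict=False):
    """DMARC passes when SPF or DKIM both passes and aligns with Header-From."""
    from_domain = header_from.rsplit("@", 1)[1]
    rp_domain = return_path.rsplit("@", 1)[1]
    spf_ok = bool(spf_pass and aligned(rp_domain, from_domain, strict))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, strict))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


RETURN_PATH = "1234567.8901234.12345678910@e2ma.net"

# SPF passes for e2ma.net but does not align; aligned DKIM carries DMARC.
with_dkim = dmarc_verdict("sally@mycompany.com", RETURN_PATH, True,
                          "mycompany.com", True)
# Same message with no passing DKIM signature for the sender's domain.
without_dkim = dmarc_verdict("sally@mycompany.com", RETURN_PATH, True,
                             None, False)

if __name__ == "__main__":
    print(with_dkim)
    print(without_dkim)
```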
What you need to do
We manage the SPF record for our sending domain, and as an option you can also include our domain in your DNS records. If you already have an SPF record you can edit the existing SPF record and include “_spf.e2ma.net”. Otherwise, you’ll need to create an SPF record and include “_spf.e2ma.net” in it. More information on SPF records in general can be found here.
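Both cases described above (editing an existing SPF record, or creating one) are covered by this added example, which is not code from the original article. It places the include before the record's closing "all" term, because SPF mechanisms are evaluated left to right, and it refuses to continue when a domain already publishes more than one SPF record, which receivers treat as a permanent error. The function names, the sample TXT values and the "~all" default for a brand-new record are assumptions of this sketch.

```python
# Added example: work out the SPF TXT value a domain should publish once
# "_spf.e2ma.net" is included. Sample records are constructed.

def is_spf(txt):
    """True if a TXT value is an SPF record (version tag v=spf1)."""
    value = txt.strip().lower()
    return value == "v=spf1" or value.startswith("v=spf1 ")


def add_spf_include(txt_records, include_host="_spf.e2ma.net",
                    default_all="~all"):
    """Return the single SPF record to publish for the domain.

    txt_records: unquoted TXT values currently published at the domain.
    default_all: assumed policy when no SPF record exists yet.
    """
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) > 1:
        # RFC 7208: several SPF records on one name yield a permerror.
        raise ValueError("multiple SPF records found; merge them first")
    term = "include:" + include_host
    if not spf:
        return "v=spf1 {} {}".format(term, default_all)

    terms = spf[0].split()
    if any(t.lower().lstrip("+") == term.lower() for t in terms):
        return " ".join(terms)  # already present, nothing to change

    # Anything placed after "all" is never reached, so insert before it.
    for i, t in enumerate(terms):
        if t.lower().lstrip("+-~?") == "all":
            terms.insert(i, term)
            break
    else:
        terms.append(term)
    return " ".join(terms)


if __name__ == "__main__":
    existing = ["site-verification=constructed-token",
                "v=spf1 ip4:192.0.2.10 mx -all"]
    print(add_spf_include(existing))
    print(add_spf_include([]))
```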
Allowlisting
What you need to know
If you are experiencing delivery trouble when sending from one domain to the same domain, or internal delivery trouble, then allowlisting is one of the most helpful steps that you can take to fix it. Allowlisting is essentially giving permission for a specific domain or IP range to have access to a certain privilege, such as delivering emails.
What you need to do
Your IT team should be able to allowlist our sending IP addresses so that your server knows that we have permission to send on your behalf. For more information on allowlisting, how to allowlist, and alternatives to allowlisting by IP range, please refer to this article.
We recommend setting up allowlisting at all points where incoming emails are checked, as other forms of authentication can be affected by internal relays or hops through multiple servers.