
Email Authentication

Definition

A set of technical standards that verify a sender's identity and protect recipients from spoofed or forged emails.

Expanded Explanation

What Is Email Authentication?

Email authentication is the set of technical protocols that allow receiving mail servers to verify whether an email truly originated from the domain it claims to be from. It is the email equivalent of ID verification: proving identity before granting access. Without authentication, any server anywhere on the internet can send an email claiming to be from any domain, because SMTP itself does not check who is sending. The authentication protocols SPF, DKIM, and DMARC give receivers a way to detect such forgeries and decide what to do with them.

SPF: Sender Policy Framework

SPF is a DNS TXT record that lists the IP addresses and mail servers authorized to send email on behalf of your domain. When a receiving server gets an email, it looks up the SPF record for the envelope sender domain (the MAIL FROM / Return-Path address, not the visible From header) and checks whether the connecting IP appears in it. If it does, SPF passes. If it doesn't, SPF fails. SPF is the simplest of the three authentication protocols to implement and is the most widely deployed, but it has limitations: because it only checks the envelope sender, it doesn't protect against a spoofed "From" header, and it breaks when email is forwarded, since the forwarding server's IP is not in the original domain's record.

DKIM: Cryptographic Signature

DKIM adds a cryptographic signature to outgoing messages. The sending mail server signs selected headers and the body using a private key, and records the signing domain (d=) and a selector (s=) in the DKIM-Signature header. The receiving server uses the selector and domain to retrieve the corresponding public key from DNS and verifies the signature. If the signature verifies, DKIM passes and the signed headers and body are confirmed as unaltered since signing. DKIM survives forwarding (unlike SPF) because the signature travels with the message rather than depending on the sending IP.

DMARC: Policy and Reporting

DMARC builds on SPF and DKIM by adding a policy layer, published as a TXT record at _dmarc.yourdomain. It tells receivers what to do with messages that fail authentication (p=none, p=quarantine, or p=reject) and where to send aggregate and failure reports (rua= and ruf=). DMARC also enforces "alignment": the domain in the visible From header must match the domain validated by SPF or DKIM, either exactly (strict mode) or by sharing the same organizational domain (relaxed mode, the default). A message passes DMARC only if at least one of SPF or DKIM both passes and is aligned. This prevents the common phishing tactic of forging a trusted From header while passing SPF or DKIM on a different domain the attacker controls.
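To make the alignment rule above concrete, here is an added example (not code from the original page or from EmailVerify.io) of a minimal DMARC evaluator: it takes the SPF and DKIM results a receiving server has already computed, the visible From domain, and the sender's DMARC record, and returns the disposition. The organizational-domain check is simplified to "last two labels" (an assumption; real receivers use the Public Suffix List), and all domains used are constructed.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    result: str   # "pass" or "fail", as determined by the receiver's SPF/DKIM check
    domain: str   # SPF: the MAIL FROM domain; DKIM: the d= tag of the signature


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy defaults to monitoring only
    tags.setdefault("aspf", "r")    # SPF alignment defaults to relaxed
    tags.setdefault("adkim", "r")   # DKIM alignment defaults to relaxed
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels are the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') accepts a shared org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(dmarc_txt: str, from_domain: str,
                      spf: AuthResult, dkim: AuthResult) -> str:
    """Return 'pass' or the record's p= value (none/quarantine/reject)."""
    rec = parse_dmarc(dmarc_txt)
    # A mechanism only counts if it passed AND its domain aligns with header From.
    spf_ok = spf.result == "pass" and aligned(spf.domain, from_domain, rec["aspf"])
    dkim_ok = dkim.result == "pass" and aligned(dkim.domain, from_domain, rec["adkim"])
    return "pass" if (spf_ok or dkim_ok) else rec["p"]


if __name__ == "__main__":
    # Constructed phishing case: From says example.com, but SPF only passed
    # for bulk-sender.net, so nothing is aligned and the reject policy applies.
    print(dmarc_disposition("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                            "example.com", AuthResult("pass", "bulk-sender.net"),
                            AuthResult("fail", "")))
```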

Why Authentication Is Now Mandatory

In February 2024, Google and Yahoo implemented new requirements for bulk email senders: SPF or DKIM is required, DMARC is required, one-click unsubscribe is required, and spam complaint rates must be below 0.10%. Senders who don't comply see their email rejected or routed to spam at Gmail and Yahoo — which together represent the majority of consumer email addresses. Authentication is no longer optional.

Check Your Authentication Setup

EmailVerify.io's free tools at emailverify.io/tools let you check your SPF, DKIM, and DMARC records in minutes. The DMARC Generator and SPF Generator help you build correct records from scratch. Don't assume your authentication is configured correctly just because you set it up once: records break when you add a new sending service and forget to add it to SPF, or when a provider rotates its DKIM keys or changes selectors, and a DMARC policy of reject then silently discards your own mail.