
Email authentication: what it is and how to set it up

Date: 2025-05-30 | Time of reading: 11 minutes (2075 words)

Email authentication is a way to ensure that an email is genuinely sent by the person indicated in the "From" field. Mail services verify emails using special mechanisms to distinguish legitimate senders from fraudsters.

Why Email Authentication is Needed

Advantage | What It Provides | Why It Matters
Fraud Protection | Fraudsters will not be able to send emails on your behalf | Reduces the risk of phishing and email forgery
Improved Deliverability | Emails more frequently land in "Inbox" | Increases open rates and responses
Enhancing Domain Reputation | Mail services start trusting your domain | Effectiveness of future campaigns grows
Access to Analytics | Access to postmaster tools is opened | Delivery errors and spam complaints can be tracked

Key Authentication Protocols: SPF, DKIM, DMARC

The essence of email authentication boils down to three main technologies, which are configured through DNS records of the domain. These are SPF, DKIM, and DMARC — standards that confirm that your domain indeed has the right to send emails. They also instruct mail services on how to handle emails that fail verification.

SPF (Sender Policy Framework)

SPF is a mechanism through which you specify which servers are allowed to send emails on behalf of your domain. To do this, a special text record is added to DNS with a list of allowed IP addresses.

When someone receives an email supposedly from your domain, the mail server checks the sender's IP address against this list. If the IP is not found, the message will be rejected or go to spam — the system will consider it suspicious.

How to Set Up SPF

To enable SPF, you need to create a TXT record in your domain's DNS. It always starts with v=spf1, followed by a list of permitted servers. Example: primer.com TXT "v=spf1 include:spf.your_service.com -all"

Here, include:spf.your_service.com pulls in the list of servers from the mailing service you use. The -all at the end indicates that any other servers, those not on this list, are not authorized to send mail. If you are using the Altcraft platform, it is recommended to add include:spf.aksend.net, which is its own list of sending servers.

Important! There should be only one SPF record. If you create multiple, the system may become confused and not understand which one to use — resulting in a failed check. Therefore, if you already have an SPF record (for example, for corporate mail), simply add a new include: to the existing list. Do not create a separate record with v=spf1.

Also pay attention to the format of the record: do not manually insert extra quotes — they are only needed for display, not for storage in DNS.
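The checks described above (exactly one record, no stored quote characters, a closing -all) and the merge of a new include: into an existing record can be automated. The following is an added example, not code from the article or from Altcraft; corp-mail.example is a hypothetical existing sender and the function names are illustrative.

```python
def audit_spf(txt_values):
    """Check one domain's TXT values (as stored, without presentation quotes)."""
    valid = [v for v in txt_values if v.lower().split(" ")[0] == "v=spf1"]
    # A value stored with a literal leading quote no longer starts with v=spf1,
    # so receivers will not treat it as an SPF record at all.
    quoted = [v for v in txt_values
              if v not in valid and v.lstrip('"').lower().startswith("v=spf1")]
    problems = []
    if quoted:
        problems.append("quote characters stored inside the record")
    if not valid:
        problems.append("no usable SPF record")
    if len(valid) > 1:
        problems.append(f"{len(valid)} SPF records; exactly one is allowed")
    for rec in valid:
        if rec.split()[-1].lower() != "-all":
            problems.append("record does not end with -all")
    return problems


def add_include(record, domain):
    """Merge include:<domain> into an existing record, ahead of the 'all' term."""
    terms = record.split()
    wanted = f"include:{domain}"
    if wanted in terms:
        return record                      # already authorised, nothing to do
    is_all = lambda t: t.lstrip("+-~?").lower() == "all"
    body = [t for t in terms if not is_all(t)]
    tail = [t for t in terms if is_all(t)]
    return " ".join(body + [wanted] + tail)


# Constructed sample data. corp-mail.example is a hypothetical existing sender.
EXISTING = "v=spf1 include:corp-mail.example -all"
MERGED = add_include(EXISTING, "spf.aksend.net")
WRONG = [EXISTING, "v=spf1 include:spf.aksend.net -all"]   # second record added

if __name__ == "__main__":
    print(MERGED)                            # one record carrying both includes
    print(audit_spf([MERGED]))               # no problems
    print(audit_spf(WRONG))                  # duplicate-record problem
    print(audit_spf(['"' + MERGED + '"']))   # quotes stored in the value
```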

Why SPF is Important

If your domain is protected by an SPF record, it will be harder for fraudsters to send emails on your behalf. Plus, SPF provides feedback: if an email is undelivered, you will receive a notification (if Return-Path is configured). This helps to react to problems more quickly.

However, it is important to understand that SPF is just one layer of protection. For example, if an email is forwarded through another server, SPF may fail. This is why it is always used in conjunction with DKIM and DMARC — together they provide comprehensive validation of the email's authenticity.

DKIM (DomainKeys Identified Mail)

DKIM is a mechanism that proves that an email was indeed sent from the specified domain and that its content remained unchanged during delivery. To do this, a digital signature is added to the email, which mail services verify using a public key in DNS.

When you send an email, the mailing service or your mail server signs it with a special cryptographic signature. This signature is created with the private key.

When the email arrives at the recipient's server, the system accesses the DNS records of the sender's domain to find the public key. Using this, it verifies whether the digital signature matches the data in the email and the specified domain. If the check is successful — the email is deemed trustworthy. Otherwise, it is marked as suspicious and sent to spam.

How to Set Up DKIM

To make all of this work, you need to:

Generate a key pair — private and public. The private one remains with you, while the public one is published in the DNS of your domain.

Add a TXT record in DNS with the public key.

This record is placed in a special subdomain called a selector. Example: ak._domainkey.primer.com TXT "v=DKIM1; k=rsa; p=PUBLICKEY"

Here ak is the selector, that is, the name of the key. It can be anything: mail, default, dkim1, and so on. For example, Altcraft uses the selector ak, which comes along with the other domain setup configurations.

Sometimes, an administrative record is additionally specified, which defines the policy for using DKIM on your domain (for example, o=-, which means: all emails must be signed).

As soon as you add the DKIM record to DNS and it begins to work, the service will automatically sign emails, and mail systems will verify this signature upon receipt.

Tip: use keys that are at least 1024 bits long, and preferably 2048. Short keys (like 512) are considered insecure and may be vulnerable to breaches. If you decide to update the DKIM key, first add a new one, start using it, and only then remove the old one — this will help avoid delivery issues during the transition period.
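To check the key-length advice against a record that is already published, the RSA modulus size can be read straight from the p= value. This is an added example, not code from the article or from Altcraft; the sample records are constructed with a placeholder modulus (correct structure, not a usable key) and all function names are illustrative.

```python
import base64

def read_tlv(buf, pos=0):
    """Read one DER element; return (value_bytes, position_after_it)."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length

def rsa_key_bits(record):
    """Modulus size in bits of the RSA key in a DKIM TXT record (0 if no RSA key)."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    key_b64 = "".join(tags.get("p", "").split())
    if tags.get("k", "rsa").strip() != "rsa" or not key_b64:
        return 0
    spki, _ = read_tlv(base64.b64decode(key_b64))   # SubjectPublicKeyInfo SEQUENCE
    _, pos = read_tlv(spki)                         # skip AlgorithmIdentifier
    bit_string, _ = read_tlv(spki, pos)             # BIT STRING, first byte = unused bits
    rsa_key, _ = read_tlv(bit_string[1:])           # RSAPublicKey SEQUENCE
    modulus, _ = read_tlv(rsa_key)                  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def grade(record):
    """Apply the article's thresholds: under 1024 insecure, 2048 preferred."""
    bits = rsa_key_bits(record)
    if bits < 1024:
        return "insecure" if bits else "no RSA key"
    return "preferred" if bits >= 2048 else "acceptable"

def der(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_record(bits):
    """Constructed record: correct key structure, placeholder modulus, not a usable key."""
    ints = b"".join(der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
                    for x in ((1 << (bits - 1)) | 1, 65537))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Pass the TXT value fetched for your selector to grade(); sample_record() exists only so the example runs offline.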

Benefits of DKIM

DKIM brings two significant advantages:

  • Authenticity Confirmation. The recipient (and their mail service) see that the email genuinely came from your domain. No one can forge the signature without access to your private key — meaning the email is authentic.

  • Integrity Guarantee. Even if an email is intercepted along the way, its content cannot be changed — any small alteration, even a single letter, will break the signature, and the email will fail verification.

For email marketing, this is very important. Recipients see that emails are signed by your brand, leading them to trust you more. Moreover, email services (Google, Yandex, Mail.ru, and others) take the DKIM signature into account when assessing your reputation as a sender. The more frequently you send signed and valid emails — the better your domain's reputation.


DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is a mechanism that dictates how emails sent on behalf of your domain are handled. It works in conjunction with SPF and DKIM and sets rules for how mail services decide whether to trust an email.

How DMARC Works

When an email comes from your domain, the mail service checks:

1. Has the email passed SPF or DKIM checks?

2. Does the domain in the "From" field match the domain that was used in these checks?

If everything is in order — the email is deemed authentic. If not — the policy you specified is applied:

  • none — do nothing, just send reports.
  • quarantine — send suspicious emails to spam.
  • reject — outright reject such emails.

How to Set Up DMARC

DMARC is configured through a single TXT record in DNS, for example: _dmarc.primer.com TXT "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"

What's important here:

  • p=none — we are just observing (monitoring), not blocking emails.
  • rua=mailto: — the email address where reports will be sent (usually once a day, in the form of XML files).

At the start, it’s better to use none to gather data and understand who sends emails on your behalf and how. Once you’re sure that all your legitimate services pass checks, you can strengthen the policy: first to quarantine, and then to reject.
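The monitoring step can be made concrete by reading the XML reports and separating your own senders that still fail from everything else. This is an added example, not code from the article or from Altcraft; the report is constructed in the aggregate-report layout, the IP addresses are documentation ranges, and the sender roles in the comments are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the aggregate-report (rua) layout; IPs are documentation ranges.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>primer.com</header_from>"
       "</identifiers></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>primer.com</domain><p>none</p></policy_published>"
    + ROW.format(ip="192.0.2.10", n=120, dkim="pass", spf="pass")     # mailing platform
    + ROW.format(ip="198.51.100.7", n=40, dkim="fail", spf="fail")    # own CRM, not set up yet
    + ROW.format(ip="203.0.113.99", n=3, dkim="fail", spf="fail")     # unknown source
    + "</feedback>")

def failing_sources(xml_text):
    """Map source IP -> messages that failed DMARC (neither SPF nor DKIM passed aligned)."""
    failing = Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        if "pass" not in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            failing[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(failing)

def review(xml_text, own_senders):
    """Split failures into your own misconfigured senders and everything else."""
    failing = failing_sources(xml_text)
    fix_first = {ip: n for ip, n in failing.items() if ip in own_senders}
    foreign = {ip: n for ip, n in failing.items() if ip not in own_senders}
    return {"fix_before_enforcing": fix_first, "would_be_blocked": foreign,
            "safe_to_tighten": not fix_first}

if __name__ == "__main__":
    print(review(SAMPLE_REPORT, {"192.0.2.10", "198.51.100.7"}))
```

Moving to quarantine or reject while fix_before_enforcing is non-empty would send your own legitimate mail to spam or have it rejected.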

Benefits of DMARC

DMARC is the next level of protection that closes the "gaps" in SPF and DKIM. For example:

  • Someone might use an authorized SPF server but change the "From" address.
  • Or they might sign an email with a valid DKIM signature from a different domain.

In such cases, DMARC will notice that the From domain doesn’t match what passed the check — and it will apply your policy (for instance, rejecting the email).
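The two-step check and the two gaps listed above reduce to a small decision function. This is an added example, not code from the article or from any mail provider; other-sender.example is a hypothetical unrelated domain, and taking the last two labels as the organizational domain is a simplifying assumption (real receivers use the Public Suffix List).

```python
def org_domain(domain):
    """Assumption: the last two labels stand in for the organizational domain.
    Real receivers consult the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(from_domain, spf, dkim, policy):
    """spf and dkim are (result, domain) pairs: the domain SPF checked and the
    DKIM d= domain. Returns 'pass' or the policy that applies."""
    for result, domain in (spf, dkim):
        # Step 1: the mechanism passed. Step 2: its domain matches the From domain.
        if result == "pass" and org_domain(domain) == org_domain(from_domain):
            return "pass"
    return policy

# Constructed cases: (From domain, SPF result, DKIM result).
CASES = {
    "legitimate campaign":
        ("primer.com", ("pass", "bounce.primer.com"), ("pass", "primer.com")),
    "SPF passes for another domain":
        ("primer.com", ("pass", "other-sender.example"), ("none", "")),
    "DKIM signed by another domain":
        ("primer.com", ("fail", "primer.com"), ("pass", "other-sender.example")),
    "forwarded, SPF broken":
        ("primer.com", ("fail", "primer.com"), ("pass", "primer.com")),
}

def run(policy):
    """Evaluate every constructed case under the given published policy."""
    return {name: dmarc_verdict(frm, spf, dkim, policy)
            for name, (frm, spf, dkim) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run("reject").items():
        print(f"{name}: {verdict}")
```

The forwarded case passes because one aligned mechanism is enough, which is why SPF and DKIM are deployed together.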

Beginning in 2024, Google (Gmail) and Yahoo require that all domains sending more than five thousand emails a day must have DMARC configured. Otherwise, such emails may be automatically rejected. This means that without DMARC, it's currently impossible to seriously engage in large-scale email campaigns.

How Authentication Affects Email Deliverability

1. Increases the chance of landing in the "Inbox." Emails with correctly configured SPF, DKIM, and DMARC are less likely to end up in spam. Mail services trust such emails more — they pass filters and reach the recipient more often. Without authentication, emails are almost certainly going to spam.

2. Improves domain reputation. Mail providers monitor sending history: how much spam, how many complaints, how many opens. The more frequently you send authenticated emails, the greater the trust in your domain. And the higher your reputation — the more lenient the filters will be.

3. Helps avoid blocks. Major mail providers like Gmail and Yahoo require mandatory authentication (at least SPF or DKIM) starting in 2024. Without this, emails may simply fail to arrive. If you list someone else's domain in the From field, this can also be a reason for automatic rejection.

4. Protects against server-level rejections. Some mail systems block emails even before they enter the inbox if they fail SPF or violate DMARC policy. This affects overall delivery and may cost you part of your audience.

5. Provides reporting and control. DMARC allows you to receive reports on who sends emails on your behalf and from where. You can promptly notice configuration errors or attempts at forgery and quickly rectify them.

How Authentication Works in Altcraft

If you send campaigns through Altcraft, it's important to properly connect your domain. Altcraft helps to set up email authentication step by step: after adding the domain, you will receive a list of DNS records that need to be entered on your hosting. It will take just 10-15 minutes.

What exactly needs to be done:

  • SPF. Altcraft will ask you to add the line include:spf.aksend.net to your existing SPF record. This is necessary for the servers to have the right to send emails on your behalf. If SPF already exists — just append this part. The main thing is not to create a second record; there should only be one SPF.

  • DKIM. The platform will generate a unique DKIM key for you — this signature confirms that the email is indeed from you and has not been altered. You will receive two values:

1. The main DKIM record with the public key (in the subdomain ak._domainkey)

2. An additional policy record that states all emails must be signed.

These records are also added to DNS.

  • DMARC. This is the final layer of protection. It is recommended to immediately specify a strict policy p=reject, so that any suspicious emails sent on behalf of your domain are automatically blocked. Also specify the email to which reports will be sent.

What This Provides

Once all records are entered, emails from your domain begin to pass checks according to all the rules:

  • they do not end up in spam,
  • they are signed correctly,
  • they cannot be forged by others.

Conclusion

Email authentication is now a standard without which professional mailing is hard to imagine. Today, emails without SPF, DKIM, and DMARC are seen as suspicious: mail services do not trust them, and users simply do not see them in their "Inbox."

But all this is not complicated to configure. Especially if you use platforms like Altcraft — they handle the technical part and provide clear instructions. As a result, you save time, avoid mistakes, and can be confident that emails are truly reaching their recipients.
