.png)
It's time for some authentication talk.
Authenticating your email is literally the first step toward landing in the inbox, but...
Why do you need to authenticate your email in the first place?
Think of email authentication like showing your ID at the door - it’s how mail servers decide whether to let your message through, flag it as suspicious, or dump it in spam.
Without authentication, anyone could send email as you. And unfortunately, that happens all the time. Spammers and phishers love to spoof domains to trick people. So mailbox providers (like Gmail, Yahoo, Outlook, etc.) needed a way to verify that the sender is who they say they are.
That's where email authentication comes in. It helps:
-Protect your domain from spoofing and impersonation.
-Prove to MBPs that you are who you say you are.
-Boost your chances of landing in the inbox.
-Build trust with your audience over time
There are three main protocols - SPF, DKIM, and DMARC. Each play a key role in proving your identify and ultimately what to do if something's off.
Let's break it down:
SPF - This tells MBPs that you gave permission for the ESP to send email on your domains behalf. Example - If you are using Mailgun to send your emails, the mailbox provider will do a lookup on your SPF record to see if the sending IP belongs to that entity. If so you get a pass, but if not then it fails.
DKIM - This helps identify whether your emails were altered or tampered with during transmission to your contact. When the email is sent, a digital signature - like a fingerprint (a cryptographic hash) - is attached by the sending server.
If the email gets changed in any way during transit, that fingerprint no longer matches. The receiving server checks this by comparing the signature in the email to the public DKIM record you’ve published in your DNS.
That's all there is to authentication...but where does DMARC come in?
The importance of DMARC.
SPF and DKIM handle email authentication individually, but dmarc enforces policy by making sure there's no spoofing or impersonation of your domain.
It does this through domain alignment.
After SPF and DKIM checks are performed, DMARC evaluates whether the domains used in those checks align with the domain in the visible “From” address (known as the 5322.From field). The part that your recipients see.
If neither SPF nor DKIM passes with alignment, DMARC will instruct the receiving server to quarantine or reject the message - depending on your policy.
Here's an example from one of my emails:
Notice my from address at the bottom of the graphic above.
Which means that the dmarc lookup will be made from the sub-domain specified in the from field.
Here's my record:
Could you instead just define a dmarc record at the root level (organizational domain)?
Technically yes, but you'd be missing out on more granular control - like stricter alignment, stricter policy enforcement, or separate reporting.
I think this was a good start to authentication and provides an overview of the protocols in general.
What questions came up for you? Let me know!
-Matt
P.S. Last week I experienced some issues getting this email delivered to gmail inboxes when I was doing my pre-send testing, so that's why no newsletter came out, but the problem soon got fixed. Apparently my Email Service Provider was flagged globally by Google. It affected everyone on the platform. Luckily they were able to work directly with Google to resolve it in less than 48 hours.
***
Let’s Work Together
If you're dealing with email deliverability issues, losing sales due to emails not reaching customers, or just want to improve your engagement, fill out this quick form. It takes less than 2 minutes, and I’ll get back to you with the best next steps.
➡️ Start Here: Get My Email Fix Started
Email me: [email protected]
Join my newsletter: https://inboxready.funneltechie.com
Book a Discovery Call: funneltechie.com/schedule
Let’s get your emails reaching the right people - because if they don’t see it, they can’t act on it.
