15 February 2023

How to improve deliverability with email authentication

Design beautiful emails effortlessly
Table of contents
  1. What is email authentication?
  2. Why is it important?
  3. Email authentication protocols
  4. Should you use all email authentication protocols?
  5. How to test email authentication?
  6. Wrapping up
What is email authentication?

To reach your customers’ inboxes with email marketing campaigns, your domain should be a trusted source. Otherwise, your messages will end up hitting the spam folder and remain unnoticed. And email authentication helps avoid this.

So what is email domain authentication, why it matters, and what email authentication protocols are there? Let’s discuss this.

What is email authentication?

Email authentication is a practice that implies validating a sender’s email address to confirm that it is authorized to send emails from a particular domain. It also helps confirm that the domain belongs to a certain Mail Transfer Agent (MTA) authorized to transfer an email.

The Importance of Email Authentication for Sender Reputation

(Source: Selzy)

So, putting it simply, email authentication helps confirm that the sender is who they say they are. This validation helps identify spammers and disable them from sending out emails. 

Why is it important?

Having figured out what email authentication is, let’s dive into why it matters. Email authentication enhances your domain’s security by confirming to servers that your emails come from a valid source. This, in turn, prevents your brand from fraud and impersonation. 

Since authentication prevents the malicious activity from your domain, it gets a trusted reputation among ISPs. This shows that you are a reliable and credible sender and, most importantly, keep your email deliverability at a good level.

In the long run, domain security and a high email deliverability rate contribute to the trust in your brand and a positive brand image.

Email authentication protocols

Understanding what email sender authentication is is not enough — the core of the process lies in the email authentication methods or protocols. These are different from email protocols, the ones that are used for SMTP or IMAP servers.

What is SMTP server for Gmail?

The Gmail SMTP (Simple Mail Transfer Protocol) server is a Google workspace-provided outgoing mail server used to send messages from a Gmail account. POP (Post Office Protocol) server, for instance, allows the user to select the email and import it to the inbox, making it the incoming server.

You must configure the Gmail SMTP server settings in your Gmail account to use the Gmail SMTP server. The Gmail SMTP server address, the SMTP username (your Gmail address), and the SMTP password are all part of these settings. 

With a free Gmail account, you can use the Gmail SMTP server for 500 emails a day.

Gmail SMTP server protects your email messages by using a secure connection. Besides that, you can use it to relay messages sent to your Gmail address to another email address or domain. 

All in all, the Gmail SMTP server is an important part of sending emails from your Gmail account.

Now let’s discuss SPF vs. DKIM vs. DMARC protocols, what they are, and how they differ.

Authentication Protocols _ Avoiding Spam Traps

(Source: ZetaGlobal)

SPF record 

SPF stands for Sender Policy Framework and is a list of IP addresses within a domain. These addresses are authorized and, therefore, allowed to send emails. An SPF record comes in a .txt file and is present in a sender's Domain Name System (DNS). SPF is a widely adopted protocol for email authentication.

SPF Record _ How It Works for Marketing Emails

(Source: ZetaGlobal)

So when you send an email and it reaches the recipient’s server for incoming emails, the SPF email authentication runs a check. It is a DNS search that goes through all the SPF records. If your email address is found during the search, then the email proceeds to the recipient’s inbox. Otherwise, it is rejected and will not be sent further.

Best practices for SPF

SPF has different qualifiers — they communicate with the server regarding what to do with a particular IP address. The qualifiers are:

  • + — a Pass, meaning that the IP address has passed the test and the email can be accepted;
  • - — a Hard Fail, meaning that the IP has failed the test and the email should bounce;
  • ~ — a Soft Fail that signals for a failed test; the email is accepted but marked as failed;
  • ? — a Neutral test result (not a fail, not a pass), and most likely, the email is accepted, although it can be rejected.

While these are quite definitive, the qualifiers are just suggestions on what the server should do to an email so that they can be ignored. For example, an email with a Pass may be sent to spam, while a Hard Fail one can be accepted.

Usually, the qualifier suitable for most email senders is Soft Fail. This will make sure all your emails are sent but will be marked as “SPF failed” in case they fail. The Neutral policy is another common choice.

Because Soft Fail accepts all your emails, you will preserve your email deliverability rate while using SPF. At the same time, you don’t have to sacrifice security because all the suspicious emails will be marked as such.

DMARC record

DMARC stands for Domain-based Message Authentication Reporting and Conformance. This email authentication protocol gives domain owners a lot of power over how their failed messages are treated on the recipient’s incoming server. 

DMARC provides an additional level of security built on top of other protocols, which is referred to as domain alignment. This makes the record extremely effective in preventing spoofing, impersonating, and other malicious behavior.

DMARC is also combined with other protocols, ensuring maximum security. Using a single protocol is insufficient to ensure that all your emails reach their recipients well, and DMARC helps handle emails that failed SPF or DKIM policies.

DMARC _ Avoiding Spam Filters and Ensuring Maximum Security

(Source: Agari)

Besides the listed capabilities, DMARC also allows receiving reports from the servers on your emails’ performance and deliverability. This gives you an opportunity to figure out the reasons why your emails fail and troubleshoot in time. Eventually, DMARC helps keep a steady email deliverability and builds trust in your brand.

Best practices for DMARC 

As already mentioned, DMARC allows directing the server regarding what to do with failed emails. In particular, there are three policies you can choose from to decide how to treat your failed emails:

  • reject — discard emails;
  • quarantine — allow emails but deliver them to the spam folder;
  • none — do nothing.

The last policy implies that the failed emails are treated as if there was no DMARC set up. So based on other criteria, the email can be accepted, sent to the spam, or discarded. 

While the “None” policy may seem useful, it helps with campaign monitoring and report analysis without negatively impacting legitimate emails and overall email deliverability. This is also the recommended policy to choose if you’re starting with DMARC to get the hang of how it works.

Additionally, you can choose what percentage of your failed emails the policy should apply to using the “pct” tag, which would set the rest of the messages to “None.”

Speaking of domain alignment, it can be set to “Strict” or “Relaxed.” “Relaxed” is best if you send emails via external services (an email service provider). Because “Strict” domain alignment implies that the sending and returning addresses are the same, DMARC would fail if you send your emails from a no-reply email address.

DKIM record

DKIM stands for DomainKeys Identified Mail and is another standard protocol for email authentication, also effective for phishing prevention. 

The DKIM record contains an encryption key and a cryptographic signature that are used to validate the email address with a public key on the recipient’s end. Similarly to SPF, the record is stored as a .txt file in the sender’s DNS.

Domain Keys Identified Mail Record

(Source: Australian Cyber Security Centre)

The DKIM protocol encrypts a domain’s key for email authentication in 3 steps:

  1. The sender creates a DKIM signature by identifying what fields (i.e., their email address, message body, etc.) to include. 
  2. The email system creates a hash string of selected text fields. 
  3. The hash string is encrypted with a private key that only the sender can access.

To authenticate an email address, the server looks for a match between the private and public keys in the DMS. If there is one, the DKIM signature can be decrypted back to the hash string, and the email is delivered. And in case there is no match, the DKIM test fails, and the email is most likely discarded.

Best practices for DKIM

Besides the absence of a match between private and public keys, DKIM checks can fail for other reasons. To avoid DKIM failures, avoid cases like the following:

  • the fields in the hash string are changed while the email is in transit;
  • the private key length is shorter than 1024 or 2048 bits; any other lengths are no longer supported;
  • the DNS zone of the sender’s domain is not available for search, which is a frequent issue with poor hosting providers.

To keep the DKIM record secure and effective, it’s essential to run regular updates of private and public keys. By updating your keys once or twice a year, you prevent any risks of sending out spam from your domain. 

When changing the keys, make sure to have two signatures available — some emails may still be in transit, and changing both keys with a single signature will lead to a DKIM check failure. But if you have several signatures, one will pass even if the other fails.

DKIM record is also the most suitable one for email auto-forward. When you use ESPs, DKIM doesn’t consider it a failure that the sender’s and return email addresses differ (like SPF). This is because the signature is assigned to the email body, which remains unchanged during auto-forward.

Should you use all email authentication protocols?

After learning what email authentication is, you most likely now understand the importance of combining different email protocols. DMARC, DKIM, and SPF handle domain authentication in very different ways, which means using only one protocol won’t cover all your authentication needs.

So because each protocol runs checks differently, using several or all three methods gives the highest domain security and email deliverability rate.

How to test email authentication?

There are many ways to test your email authentication, both manually and automatically. To run a manual check, send your test email to a Gmail user, click “More” on the received email, and select “Show original.” You will see a new window with SPF, DKIM, and DMARC check results. If they are “PASS,” then your domain is authenticated.

Test Email Authentication to Minimize Spam Complaints

(Source: Mailtrap)

You can also find a lot of tools for automated email authentication checks, like DMARC Analyzer, which checks for all three protocols, DNS Checker, DKIM Wizard, and other single protocol checkers.

With Postmaster Tools by Gmail, you can check your email performance, identify delivery errors, and analyze detailed spam reports. You need to have a Google account to track data and view a variety of informative dashboards. 

Another tool that automates your email authentication and runs regular checks for you is Mailtrap Email API. It verifies your domain through all three protocols and updates DKIM keys automatically every four months. With this tool, you can always be sure that your domain is authenticated.

Wrapping up

Email authentication is domain verification, which confirms its reliability and security and helps keep email deliverability high. Authentication is run using three types of protocols: SPF, DMARC, and DKIM records. While each protocol can authenticate your domain, it’s best to use three records altogether to ensure that your email address is authenticated at all times.

Join Stripo to design beautiful emails effortlessly
Was this article helpful?
Tell us your thoughts
Thanks for your feedback!
Stripo editor
Simplify email production process.
Stripo plugin
Integrate Stripo drag-n-drop editor to your web application.
Order a Custom Template
Our team can design and code it for you. Just fill in the brief and we'll get back to you shortly.

Stripo editor

For email marketing teams and solo email creators.

Stripo plugin

For products that could benefit from an integrated white-label email builder.