You may spend hours or even days crafting the perfect email as a marketer. However, if your message winds up in the spam folder, then your latest campaign is almost certainly dead in the water.

Fortunately, there is a way to side-step the dreaded spam folder black hole. By implementing email authentication, you can prove to the Internet Service Providers (ISPs) that your marketing emails are legitimate and deserve a spot in recipients’ inboxes.

This post will discuss what email authentication is, why it’s essential, and how it works. We’ll then show you how to implement it across three of the most popular email marketing tools.

Let’s get started!

What Email Authentication Is (and How It Works)

Nobody likes spam. ISPs are constantly working to reduce the number of unwanted messages we receive in our inboxes. They do this by examining the source of the email and verifying whether it’s from a legitimate sender – or a potential spammer.

That’s where email authentication comes in. It’s a set of methods that the receiving server can use to verify that the message isn’t forged.

As part of this check, the server will verify that the message came from the person listed in the From field. In this way, email authentication can prevent spoofing and phishing scams, where an email appears to be from a legitimate domain but is sent by a malicious third party.

The recipient server will also determine whether the email has changed during transit. This can protect your contacts from machine-in-the-middle attacks.

There are various ways to implement email authentication. Each approach has its setup process and puts a unique spin on authentication. However, you’ll typically establish rules for authenticating emails sent from your domain. You’ll then configure your servers and email infrastructure to implement these rules, and then publish them in your Domain Name System (DNS) records for each sending domain.

The receiving email servers can refer to these rules when authenticating incoming emails. If your message appears legitimate, the server will deliver it to the recipient’s inbox. However, if your message fails this check, it may be rejected, quarantined, or sent straight to spam.

Why Email Authentication Is Important

For the recipient, email authentication serves a clear purpose. It helps protect the person from spam, phishing scams, and other malicious emails.

Without authentication, third parties can easily change the source of emails to bypass the spam filters. They might even copy your unique branding to trick your customers into believing this is legitimate communication.

Any attack that impersonates your business is a massive threat to customer trust. For this reason, email authentication is a critical tool for protecting your reputation and retaining your audience.

Authentication increases the chance that the receiving server will trust your emails. By contrast, if your messages appear to originate from an unknown or unexpected domain, there’s a high chance that they will wind up in spam folders.

Poor email deliverability rates almost inevitably translate to a poor Return On Investment (ROI) from your content marketing. By implementing email authentication, you should notice a positive impact on your email conversion rates.

Today, many businesses send their emails using a third-party platform, such as Mailchimp, Constant Contact, or other alternative tools. You can use these platforms to create automated campaigns and perform segmentation.

The Mailchimp platform
Mailchimp.

By authenticating your domain and email, these platforms can send messages on your behalf from your website’s domain. For example, Mailchimp will remove the default authentication information (via mcsv.net or on behalf of mcsv.net) that appears alongside your campaign’s From field. This improves your brand visibility and may encourage your contacts to open your emails.

You may be concerned about adding lots of complex content to your emails. However, most authentication information is transmitted in the message header, so it isn’t visible. This means that authentication shouldn’t impact the quality of your email content.

5 Primary Email Authentication Methods

Email authentication requires the sending and receiving servers to coordinate and cooperate. Fortunately, email authentication standards ensure that all email clients and providers speak the same language. Before we show you how to implement authentication, let’s look at these underlying standards.

1. DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) provides a unique public key that pairs with a private key. This DKIM signature is a header added to the message and secured with encryption.

In this way, DKIM can verify that the email is from a legitimate sender. A DKIM signature can also prevent hackers from tampering with an email while it’s in transit as part of a machine-in-the-middle attack.

Here’s an example of a DKIM record that Mailchimp uses for authentication:

CNAME record: k1._domainkey.yourdomain.com

Value (resolves to): dkim.mcsv.net

Meanwhile, here’s an example of a DKIM record with MailerLite, using a TXT record:

TXT Name: ml._domainkey.yourdomain.com
TXT Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdgIGns7EFVltvAkNNdbXD9KYSzAUNQky8POXwH6

Usually, DKIM signatures are not visible to the recipient, as the validation is performed on the server level. This means adding DKIM records can improve your deliverability rates without impacting the quality of your emails.

2. Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an authentication standard that verifies your identity as the email’s sender. This policy compares the sending mail server’s IP address to a list of IP addresses authorized to send mail from that domain. The SPF record is added to the sender’s DNS.

Whenever a server receives an email, your ISP will use the SPF record to check the sender’s IP address. Assuming that this value matches the SPF record, the email will be delivered successfully.

If you don’t provide SPF authentication, the recipient server may reject your messages since they appear from an unverified sender address. Here’s an example of an SPF TXT record that Mailchimp uses to perform email authentication:

v=spf1 include:servers.mcsv.net ?all

Some of the biggest companies in the world use SFP, including Google, Comcast, Verizon, Live.com, and Cox.net.

3. Sender ID

Developed by Microsoft, Sender ID is often lumped together with SPF. Both Sender ID and SPF check the sender’s IP address against the domain’s registered owner. However, their approaches are slightly different.

Sender ID uses the Purported Responsible Address (PRA) algorithm to examine the visible sender address in the message. Let’s take a look at an example of a Sender ID record:

v=spf1 include:servers.mcsv.net ?all spf2.0/pra include:servers.mcsv.net ?all

Sender ID was primarily used by Hotmail and Windows Live Mail, both of which no longer exist. Since it wasn’t widely adopted, Microsoft has removed the official Sender ID website.

While it’s easy to consider Sender ID obsolete, it’s still used in a few solutions, particularly on-premise Microsoft Exchange servers. Some ISPs such as Comcast and AT&T also utilize Sender ID.

4. Domain Message Authentication Reporting and Conformance (DMARC)

Domain Message Authentication Reporting and Conformance (DMARC) is a policy for handling emails that fail SPF or DKIM authentication. This gives you more control over your email authentication system and helps protect the recipient against phishing and spoofing attacks.

Using DMARC, you can tell the receiving email server how it should react when it receives a message that appears to be from your domain but doesn’t pass the SPF or DKIM authentication requirements. Here’s an example of a DMARC record using a TXT record:

v=DMARC1;p=reject;pct=100;rua=mailto:yourdomain.com

You can also use DMARC to request reports from email servers regarding failed messages and potential spoofing of your domain. These reports can help you identify any authentication issues and malicious activity relating to messages sent from your domain.

5. Brand Indicators for Message Identification (BIMI)

The Brand Indicators for Message Identification (BIMI) standard attaches your brand’s logo to your authenticated emails. Behind the scenes, BIMI is a text record stored in your DNS records and contains the location of your company’s logo.

The email provider will retrieve your BIMI text record using a DNS lookup whenever it receives a message. Once the provider finds your logo, it will attach this graphic to the email in the recipient’s inbox.

This simple visual verification helps recipients spot your message and verify its authenticity. If they ever receive a message that doesn’t contain your logo, your contacts will immediately know it is a suspicious message.

Unlike the other verification methods we’ve explored, BMI is the only approach that provides a visual clue to recipients. This should also lead to fewer people incorrectly flagging your messages as spam, which can boost your deliverability rates.

The typical internet user receives dozens or even hundreds of emails every day. By displaying your logo in the recipient’s inbox, BIMI can help you capture the recipient’s attention and encourage them to interact with your emails.

BIMI can also be a way to market your brand, regardless of whether the individual chooses to interact with your messages. Even if the person never opens your email, they will still see your subject line, sender address, and logo. This is a great way to establish brand recognition.

How to Set Up Email Authentication

Email authentication may sound complex, but it’s relatively straightforward to set up. Even if you’ve previously implemented authentication and have been using the same email marketing tool for a while, it’s still wise to ensure that the correct records are in place and validated.

If you recently changed DNS providers, you’ll want to check your records, as this can easily affect your email authentication. One of our clients recently moved DNS providers, and their newsletter was sent straight to spam folders for almost a month before anyone realized it. This was due to a missing authentication record.

As a result of this slip-up, their open rate dropped by 4.79 percent from the previous month, and their click rate decreased by 1.56. This perfectly illustrates why you cannot risk sending your messages to spam.

Let’s make sure this doesn’t happen to your emails. Here’s how to set up authentication for three of the most popular email platforms.

1. Mailchimp

Mailchimp is one of the most well-known and widely-used email marketing tools on the web.

By default, Mailchimp applies DKIM authentication to all of your campaigns. However, if you use a custom email domain, setting up your own DKIM authentication is wise. Mailchimp will then display your domain’s information in the email header. This can boost your delivery rates and instantly makes your communication appear more professional. It also aligns with your DMARC and enables you to use BIMI.

To authenticate your domain, you’ll need to copy/paste information from Mailchimp into your domain’s CNAME records. If you haven’t already, you’ll also need to authenticate your domain. This enables Mailchimp to verify that you have permission to send emails from this address.

To authenticate your domain, log into your Mailchimp account. Then select the Web button that appears along the left-hand side of the screen.

Select the Web button in your Mailchimp account
Login to Mailchimp and select the “Web” button.

Next, navigate to Domains > Add & Verify Domain. When prompted, enter the email address at the domain you want to verify, and click on Send Verification Email.

If you don’t already have a professional email address with a custom domain, we recommend Google Workspace.

Verify your domain name in Mailchimp
Verify your domain name in Mailchimp.

Mailchimp will then provide both the DKIM and SPF DNS records. To complete your domain authentication, you’ll need to add these with your DNS provider or domain registrar.

Let’s see how you can achieve this using Kinsta’s premium DNS. To get started, log into your MyKinsta dashboard and select Kinsta DNS.

Select Kinsta DNS in the MyKinsta dashboard
Select Kinsta DNS.

Find the domain you want to associate with your email platform, then click on its accompanying Manage link. In the upper-right corner, click on Add a DNS record:

Click on add a dns record
Click on the “Add a DNS record” button.

For the DKIM authentication method, select the CNAME tab. You can now add the CNAME record using the values provided by Mailchimp.

Select the CNAME tab
Select the CNAME tab.

In the Hostname field, enter the following: k1._domainkey. Just be aware that most DNS management tools will append the domain automatically, so be careful not to enter the entire value that Mailchimp provided.

In the Point To field, enter the following: dkim.mcsv.net. Then click on Add DNS Record.

You’ll add a TXT record using the Mailchimp values for the SPF authentication method. This means clicking on Add a DNS record again and selecting TXT.

Select TXT
Select TXT.

You can leave the Hostname field blank. In the Content field, enter the following: v=spf1 include:servers.mcsv.net ?all.

Next, click on Add DNS Record. Switch back to the Mailchimp dashboard and select Authenticate Domain. It can take a while for DNS records to propagate, so you may need to be patient. You can check the status of your records using whatsmydns.

whatsmydns homepage
whatsmydns.net homepage.

As soon as these records propagate, your email and domain will be authenticated. At this point, we recommend that you change the From address on your list so that it corresponds with your domain name. This helps avoid confusion, resulting in your messages being incorrectly flagged as spam.

2. Constant Contact

Constant Contact is a popular email marketing application that provides an excellent alternative to Mailchimp. This tool boasts a wide range of mobile-optimized templates and intuitive editing tools.

After launching your campaign, you can track it in real-time using Constant Contact’s built-in analytics and reporting tools.

Constant Contact homepage
Constant Contact.

All mail from Constant Contact is already DKIM signed and should pass an SPF check. However, the company recommends enabling the Constant Contact Authentication feature. This allows you to register as an authorized sender from the Constant Contact mailing domain.

Constant Contact Authentication can strengthen your branding and make your messaging recognizable to recipients. This can minimize the number of people who flag your messages as spam.

Log into the Constant Contact dashboard and select My Account to activate this feature. In the My Profile section, navigate to Campaign Email Authentication Settings > Enable Authentication with Constant Contact.

You can now enter the email address you want to authenticate, including free webmail addresses such as those from Gmail and Outlook. After entering your address, click on Save. Note that it can take up to 24 hours to provision an account with authentication, so you may need to wait.

The ISP will see your sender header address in the email whenever you send an email. It will then examine your published authentication records and confirm that you are a legitimate sender.

Just be aware that the Sender Header Address will be visible to the recipient, although its appearance may vary depending on the email client. However, your Reply-To-Address value remains the same so that any replies will be delivered directly to your email address rather than the Constant Contact server.

3. HubSpot

Powered by the popular Customer Relationship Management (CRM), HubSpot’s email marketing tools have everything you need to create professional-looking campaigns. After designing your emails, HubSpot provides A/B testing and analytics that you can use to optimize your campaigns and deliver the best results.

If you want to send messages from your domain using DKIM email authentication, you can connect your email sending domain to HubSpot. The first step is authenticating your domain inside your HubSpot account. In the HubSpot dashboard, click on the Settings icon in the main navigation bar.

Click on "Settings" in the HubSpot dashboard
Click on “Settings” in the HubSpot dashboard.

Next, navigate to Website > Domains & URLs > Connect a domain. In the next dialog box, select Email Sending, and then click on Connect. You’ll now be directed to the domain connection screen.

When prompted, enter the email address you want to use for all the emails you send from this domain. Then, click on Next.

If you don’t see any domain settings, you may not have permission to view this part of the HubSpot portal. To rectify this situation, reach out to your super admin, who should grant you the necessary permissions.

Now that you’ve created your DKIM signature, you can connect it to your DNS records. Kinsta customers can log into the MyKinsta dashboard and choose Kinsta DNS from the left-hand menu. You can then find the domain in question and click on its accompanying Manage link.

In the upper-right corner, click on Add a DNS record. Next, select the TXT tab. You can now input all of the information provided by HubSpot to authenticate your sending domain.

Monitor Your Email Authentication Health

Your email authentication will run in the background most of the time without requiring any day-to-day maintenance. However, authentication can mean the difference between your latest campaign generating sky-high Click-Through Rates (CTRs) or ending up in spam.

With the stakes so high, it’s wise to monitor the health of your email authentication. This means keeping a close eye on your marketing metrics.

Spikes in your bounce rates, or a sudden drop in engagement, may indicate that there is an issue with your email authentication implementation. Fortunately, all of the email marketing platforms we covered in this article feature built-in analytics.

If you’re using Mailchimp, you can view detailed information about your latest email campaign. To start, select the Campaigns icon.

Select the "Campaigns" button in Mailchimp
Select the “Campaigns” button in Mailchimp.

Then, please find the email you want to examine and select its accompanying View Report button. Mailchimp will now display all of the information for this campaign, including the bounce and open rates.

Click on the "View Report" button in Mailchimp
Click on the “View Report” button in Mailchimp.

If you use Constant Contact, your dashboard features a dedicated “Reporting” tab. Here, you can view your analytics over a specific period.

This enables you to check whether your campaigns have experienced a sudden change in engagement levels or a worrying spike in bounce rates. If you discover an issue, you can pinpoint the exact time when this problem occurred by exploring different date ranges.

If you’re a HubSpot fan, you can view the performance metrics from any email by logging into your HubSpot dashboard. Here, navigate to Marketing > Email.

Navigate to Marketing and then Email in HubSpot
Navigate to Marketing and then Email in HubSpot.

Select the email you want to examine on the subsequent screen, followed by See details. This opens the Performance tab, where you can get a high-level overview of this email’s engagement.

Summary

Email marketing is a great way to build brand awareness and nudge your contacts further down the sales funnel. However, if you don’t perform email authentication, your carefully-crafted campaigns may land in recipients’ spam folders.

Let’s quickly recap the five primary email authentication methods:

  1. DomainKeys Identified Mail (DKIM): This method adds an encrypted signature to the header of your marketing messages.
  2. Sender Policy Framework (SPF): A technical standard that enables you to publish a DNS record of all the domains that you use to send your marketing emails.
  3. Sender ID: Championed by Microsoft, only a few select technologies use this standard to detect spoofing today.
  4. Domain Message Authentication Reporting and Conformance (DMARC): This tells the server how to respond if it receives a message that claims to be from your domain, but fails SPF or DKIM authentication.
  5. Brand Indicators for Message Identification (BIMI): This unique method adds your logo to authenticated messages in the recipient’s inbox.

Do you have any questions about implementing email authentication? Let us know in the comments section below!

Salman Ravoof

Salman Ravoof is a self-taught web developer, writer, creator, and a huge admirer of Free and Open Source Software (FOSS). Besides tech, he's excited by science, philosophy, photography, arts, cats, and food. Learn more about him on his website, and connect with Salman on Twitter.