Email Authentication – Don’t Let Your Emails End Up in Spam

By Brian Jackson Updated on August 28, 2018

The dreaded spam folder. One thing all businesses try to avoid when it comes to sending out emails. Winding up in the spam folder can drastically diminish your total number of email opens, which in turn affects the number of clicks back to your website. In a lot of email clients, such as Gmail, the spam folder is sometimes hidden underneath a drop-down menu. A lot of times emails end up in spam due to email authentication not being set up properly, or DNS changes were made and never updated. Today we will walk you through how to authenticate your domain for emails. This can help get your emails back in your customer’s inboxes, where they belong.

What is Email Authentication?

Nobody likes getting spam and ISPs are constantly working to reduce it by looking at the source of an email and trying to check to see if it is valid. Email authentication, also referred to as domain authentication or validation, refers to the process of better identifying the sending origin or domain so that ISPs can better route your email. This is a great technique to help prevent spoofing and phishing scams in case the email message appears to be from one domain, but it actually delivered from another.

isp routing

In other words, email authentication allows your email marketing tool to send email on your behalf, but as your domain. For example, with MailChimp, it removes the default authentication information ( “via” or “on behalf of”) that shows up next to your campaign’s From name. You will want to use your own domain name for newsletters, both for deliverability and branding purposes.

Even though email authentication is not required, we typically have seen that those that don’t set it up end up with a large majority of their emails going straight to spam. Setting up email authentication is simply a matter of creating a few additional DNS records or uploading a file to your server using information provided from your email marketing tool. Don’t worry, we will guide you through the entire process further below.

4 Primary Email Authentication Methods

First, let’s dive into the four primary authentication methods that are used by ISPs.

1. DKIM / DomainKeys

DKIM stands for DomainKey Identified Mail. According to the DKM website: “DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the author’s From: field.” Various forms of validation can be used, such as a CNAME record or TXT record.

how DKIM works

How DKIM authentication works (Img src: Mailjet)

Below is an example of a DKIM record which MailChimp uses for authentication.

CNAME record:
Value (resolves to):

And here is an example of a DKIM record with MailerLite using a TXT record.

TXT Name:

2. SPF

SPF stands for Sender Policy Framework. According to the SPF website: “SPF authenticates the envelope HELO and MAIL FROM identities by comparing the sending mail server’s IP address to the list of authorized sending IP addresses published by the sender domain’s owner in a “v=spf1″ DNS record.” Currently, these are in the form of a TXT record.

how spf records works

How SPF authentication works (Img src: Inside-Out)

In other words, when you receive an email, your ISP uses the SPF record to check the IP address of the sender as well as the IPs of the website. If they match up, then your good to go. Large companies such as Google, Comcast, Verizon,, and all use SPF records. Below is an example of an SPF TXT record which MailChimp uses for authentication.

v=spf1 ?all

3. Sender ID

Sender ID, developed by Microsoft, is sometimes lumped together with SPF. However, they are slightly different. While both validate email sender addresses and utilize the same method for doing so, the Sender ID checks against the purported responsible address (PRA), which is the visible sender address in the message. Sender ID was used primarily by Hotmail and Windows Live Mail, both of which no longer exist. It is however still used in solutions such as on-premise Exchange servers. There are some ISPs such as Comcast and AT&T which also utilize Sender ID. Many online email marketing tools won’t actually need anything from you pertaining to the Sender ID.

Here is an example of a Sender ID record.

v=spf1 ?all  spf2.0/pra ?all


DMARC is a policy that allows a sender to indicate that their emails are protected by SPF and/or DKIM. These are not required, but they can help protect your customers and brand against phishing and spoofing attacks. DKIM and SPF are required before you can use DMARC.


DMARC (Image source:

Below is an example of a DMARC record using a TXT record.


Read more about how to construct your DMARC resource record.

Confused Yet?

Don’t worry, just follow the steps below on how to setup email authentication. If you have already been using your email marketing tool for a long time, you still might want to double check to ensure the correct records are in place and validated. If you have change DNS providers recently you might need to set your records back up.

We had a client actually have this happen recently. They moved DNS providers and their newsletter was then going to the spam folder for almost a month before anyone realized it. This was due to missing authentication records. And here is what happened to their campaign statistics. By going straight to spam their open rate decreased by 4.79% from the previous month and their click rate decreased by 1.56%. That is why you don’t want to end up in the spam folder. You could miss out on free traffic and potential customers!

spam folder stats

Statistics from campaign going to spam folder in April

How to Set up Email Authentication in MailChimp

Today we are going to walk you through how to set up email authentication in MailChimp, one of the most well known and widely used email marketing tools on the web. We use MailChimp ourselves here at Kinsta to deliver our weekly newsletter. The process below will be very similar no matter what email marketing solution you currently use.

Step 1

Log in to MailChimp and hover over your avatar in the top right. Click on “Account.”

mailchimp account

MailChimp account

Step 2

Click into “Settings” and then “Verified domains.” If you have never set this up you will want to click on “Verify a domain.” Otherwise, you will see a list of your current verified domains and green/red indicators to show you if they are currently validated.

verified domains mailchimp

MailChimp verified domains

Step 3

Input an email that resides on the domain you are trying to verify. Then click on “Send Verification Email.” If you don’t have an email address on your domain, we recommend G Suite.

send verification email

Send verification email

Step 4

Click the verification link you receive in your email or manually input the verification code.

verify domain

Verify domain

Step 5

MailChimp will then provide you with both the DKIM and SPF DNS records you will need to add to successfully complete your domain authentication. You add these with your DNS provider or domain registrar.

mailchimp domain authentication records

MailChimp domain authentication records

In our example, we are going to show you how to do it with Kinsta’s premium DNS. This again will be very similar whether you are using another 3rd party DNS provider or your domain registrar. In MyKinsta simply click into “Kinsta DNS” on the left-hand side. Then on your domain, click on “Manage.”

manage dns kinsta

Manage DNS in MyKinsta

Step 6

Click on “Add a DNS Record” on the top.

add a dns record

Add a DNS record

Step 7

We first need to add a CNAME record using the values from MailChimp. This is for the DKIM authentication method.

For the Type, choose CNAME from the drop-down. In the “Hostname” field we enter the following. Most DNS management tools will append the domain automatically. So be careful not to enter in the entire value that MailChimp gives you.


In the “Point To” field we enter the following:
add cname DKIM


Then click on “Add DNS Record.”

Step 8

We now need to add a TXT record using the values from MailChimp. Click on “Add a DNS Record” again. This is for the SPF authentication method.

For the Type, choose TXT from the drop-down. Leave the “Hostname” field blank so it will simply use the root domain. Then in the “Content” field enter the following:

v=spf1 ?all


Then click on “Add DNS Record.”

Step 9

Back in MailChimp click on “Authenticate Domain.”

mailchimp domain authentication records

Domain Authentication

It can take a while for DNS records to propagate. If it doesn’t work right away you can come back and try later. Or you can use whatsmydns to verify the status of your records.

Did you know that 83% of WordPress sites are vulnerable to hacker attacks?

WordPress sites hosted by Kinsta are automatically secured. We utilize firewalls, monitor sites uptime, and mitigate any attacks 24/7. If your site is hacked, we’ll fix it for free!

For example, you can input your CNAME to check on the current values across the globe.

verify DKIM record

Verify DKIM record

You can also check your TXT record.

verify SPF record

Verify SPF record

If all the records were entered correctly you should see green across the board.

verified domains

Verified domains

And that’s it! Your email and domain are now authenticated. It is also recommended that you change the From address on your list to your domain name.

list name from email address

List name defaults


Hopefully, you know a little more now about email authentication, the different types of methods, and how to configure it within your email marketing tool. This will help you stay out of the spam folder and have a much higher chance of hitting your subscriber’s inboxes.

If you are looking for more handy email marketing tips make sure you read our guide 7 Email Marketing Tips to Increase Your B2B Sales.

What has been your experience with email authentication? Let us know below.

If you enjoyed this article, then you'll love Kinsta's WordPress hosting platform. Whether it's speeding up your website or getting 24x7 support from our veteran WordPress team, we're here to help your business succeed. Our Google Cloud powered infrastructure focuses on auto-scaling, performance, and security. Let us show you the Kinsta difference! Check out our features

Hand-picked related articles

Comment policy: We love comments and appreciate the time that readers spend to share ideas and give feedback. However, all comments are manually moderated and those deemed to be spam or solely promotional will be deleted.
  1. Gravatar for this comment's author
    Creativetacos | Free Resources April 27, 2017 at 3:42 pm

    Thanks Brian, i was unaware of this. I have applied all of the setting on my mailerlite account. Waiting for propagation.

    B.T.W. Have you tried SendGrid email marketing ? If you have, then how is it ?

    We are using their SMTP and it is good but don’t know about their email.

    Well, thanks for this amazing article :)

    1. Gravatar for this comment's author
      Brian Jackson April 28, 2017 at 9:23 am

      Awesome! I personally use MailerLite on one of my personal blogs as well and setup is very similiar for email authentication.

      I have used SendGrid before and their email building tools/dashboard are seriously lacking. They started out as simply a transactional email service (which they are amazing at) and are just now moving into more of the marketing realm for small businesses. There were a lot of annoying things though if you use them like you do MailChimp/MailerLite. I am sure they are making improvements though on the marketing side. I would expect one day for a non-techie user to be able to also use them.

      1. Gravatar for this comment's author
        Creativetacos | Free Resources April 28, 2017 at 9:32 am

        That is very helpful, thank you very much for sharing :)

  2. Gravatar for this comment's author
    Kevin Donnigan April 30, 2017 at 7:14 am

    Thanks for the great post! I did my domain verification in MailChimp years ago. Going through this post again and making sure I did it, I see that MailChimp has since updated the TXT record. Just a note to those who have done this in the past; update your TXT records and verify again.

    1. Gravatar for this comment's author
      Brian Jackson April 30, 2017 at 9:14 pm

      Thanks Kevin! And yes, great tip. Always good to double check records. One little DNS or record could could easily break the domain verification.

  3. Gravatar for this comment's author
    Chris Grande May 9, 2017 at 6:21 am

    hey Brian I just did this. Never thought to do it – thanks! Do you happen to know if Gmail will more likely put my mails in the inbox tab if I use GApps as my mail server? Thanks again you’re the man!

    1. Gravatar for this comment's author
      Brian Jackson May 9, 2017 at 8:34 am

      I don’t think there is any proof of using GApps for better deliver-ability. But it is one of those things that definitely couldn’t hurt :) Sometimes using Google products together in my opinion can work better.

  4. Gravatar for this comment's author
    nerdyworm July 7, 2017 at 10:52 am

    Thanks Brian. What a simple to follow walk through!

    Do you think there is a way to automate this for customers?

    1. Gravatar for this comment's author
      Brian Jackson September 17, 2017 at 8:20 pm

      Thanks! Unfortunately not, because a lot of times the host and or email marketing tool doesn’t have access to your DNS records. This is something only can add yourself.

  5. Gravatar for this comment's author
    Chris June 7, 2018 at 9:51 pm

    Hey Brian,

    I’ve added the appropriate records for SPF and DKIM a while ago. Mailchimp says I’m fully verified, however, if I use a tools like I get an error saying “You’re not fully authenticated”. It provides more details saying:

    Your domains are not aligned. We can’t check DMARC.

    A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

    Before using DMARC, you should make sure the domains used in the Envelope From (e.g., Return-Path or Mail-From), the “Friendly” From (i.e., “Header” From) and the d=domain in the DKIM-Signature are the same

    DMARC DNS entry found for the domain

    “v=DMARC1; p=none; pct=100;; sp=none; aspf=r;”

    I’ve done a ton of Googling to figure out how to fix this, but haven’t been able to land on a fix. Any insight?

    1. Gravatar for this comment's author
      Brian Jackson June 18, 2018 at 2:14 pm

      Hey Chris!

      DMARC records are not necessarily required and MailChimp for one doesn’t use them at all. Most just use SPF + DKIM. We’ve added a small section to the post above about DMARC records. Hopefully, that helps.

Leave a Reply

Use WordPress?

Use WordPress?

Join 20,000+ others who get our FREE weekly newsletter with WordPress tips on how to drive more traffic and revenue to your business!


You have Successfully Subscribed!

Send this to a friend