Email authentication not only helps ensure that you can send and receive messages without them ending up in the spam folder, it also verifies that the emails you send and receive actually come from the specified sender or receiver. As spam and phishing attempts proliferate, the need for email authentication only grows stronger. The three main players in email authentication are the SPF, DKIM, and DMARC protocols. Sound like another language? Don’t worry, we break it all down into layman’s terms for you.
Be Careful With This Message: Gmail Verification Alert
Did a friend tell you that an email you sent them from your domain is getting flagged as spam? For example, they may have gotten a notice from Gmail that looks as follows:
Be Careful With This Message (Authentication Alert)
Gmail could not verify that it actually came from [domain redacted].com. Avoid clicking links, downloading attachments, or replying with personal information.
What your email provider may not have explained to you is the importance of email authentication (setting up your sending email server so it can prove that emails sent from your domain actually come from your domain).
What Are SPF, DKIM, And DMARC?
There are authentication protocols that can help verify the identity of the email sender. Which of these do you really need? As far as our experts are concerned:
- SPF is a must
- DKIM will fix the authentication alert above
- DMARC is only required sometimes
SPF, or Sender Policy Framework, is an email authentication method designed to detect forged sender addresses during the delivery of an email. We recommend combining SPF with DKIM and DMARC because SPF on its own is limited to detecting a forged sender claim in the envelope of the email (the address used when the mail gets bounced).
DKIM, or DomainKeys Identified Mail, is used to detect forged sender addresses in email (think phishing and email spam). DKIM allows the receiver to check that an email claimed to have come from a specific domain was authorized by the owner of that domain.
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used to give email domain owners the ability to protect their domain from unauthorized use (think spoofing – i.e. making it look like an email came from a particular domain when actually it was sent from elsewhere).
How To Set Up SPF
You’ll want to add the following TXT DNS record at your email hosting provider (the provider hosting the domain name you send email from):
- Type: TXT
- Hostname: @
- Value: v=spf1 include:example.com ~all (where example.com is your email domain). You can change the ~all value as follows to enforce SPF failures:
  - ~all: results in a soft fail (not authorized, but not explicitly unauthorized; the one used in our example)
  - -all: results in a hard fail (unauthorized)
  - ?all: neutral (as if there is no policy at all)
- If you have more than one domain you send mail from (example2.com), you can add them with the include statement in the TXT value field:
  - v=spf1 include:emailsrvr.com include:example2.com ~all
Save your record and verify with your mail provider that it has taken hold.
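To check a value before you publish it, the sketch below reads an SPF string and reports which of the results listed above applies to senders the record does not name. It is an added example, not code from this article or from any mail provider; the function name audit_spf is hypothetical, the sample values are constructed from the ones shown above, and the pass (+) qualifier and the 10-lookup limit come from RFC 7208 rather than from this page.

```python
# Added example: audit an SPF TXT value. Function name and records are illustrative.
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}
# Terms that each trigger a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record):
    """Return (result_for_unlisted_senders, included_domains, findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, [], ["not an SPF record: it must start with v=spf1"]
    result, includes, findings, lookups = None, [], [], 0
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = term.split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and ":" in term:
            includes.append(term.split(":", 1)[1])
        if name == "all":
            result = QUALIFIERS[qualifier]
            if any("=" not in later for later in terms[pos + 1:]):
                findings.append("mechanisms after 'all' are never tested")
            break
    if result is None and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if result == "pass":
        findings.append("+all authorizes every server on the internet")
    if result == "neutral":
        findings.append("?all gives receivers no policy to act on")
    if lookups > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return result, includes, findings


# Constructed sample values; the first two are the ones shown in the article.
SAMPLES = [
    "v=spf1 include:example.com ~all",
    "v=spf1 include:emailsrvr.com include:example2.com ~all",
    "v=spf1 include:example.com -all",
    "v=spf1 include:example.com ?all",
    "v=spf1 +all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_spf(sample))
```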
How To Set Up DKIM
Check with your mail hosting provider for a TXT DNS record to add (just like you did above) to enable DKIM. This will include a key for the hostname and a record for the value. For example:
- Type: TXT
- Hostname: 12345._domainkey
- Value: v=DKIM1; k=rsa; p=1Cnao7#fn5WqGEUtSX (this will typically be a much longer string of randomly generated characters)
How To Set Up DMARC
Once your DMARC record is set up, you can handle suspicious emails with the following tag values (you’ll need to change these from the default ‘p’ value):
- Tag: v
  - Value: DMARC1
  - Translation: The DMARC version should always be “DMARC1”. Note: a wrong or absent DMARC version tag causes the entire record to be ignored.
- Tag: p (default)
  - Value: none
  - Translation: Policy applied to emails that fail the DMARC check. Authorized values: “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. “quarantine” allows Mail Receivers to treat email that fails the DMARC check as suspicious. Most of the time, these emails will end up in your spam folder. “reject” outright rejects all emails that fail the DMARC check.
- Tag: rua
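The version and policy rules above can be checked mechanically. The sketch below is an added example, not code from this article or from any mail receiver: it reads a DMARC TXT value the way a receiver would and returns the policy that ends up applying to mail that fails the DMARC check. The function names and sample records are constructed, and the fallback for a record with a bad p tag but a rua address follows RFC 7489 section 6.6.3, which this page does not cover.

```python
# Added example: how a receiver reads a DMARC TXT value. Names are illustrative.
POLICIES = {
    "none": "deliver normally, collect reports only",
    "quarantine": "treat as suspicious (usually the spam folder)",
    "reject": "reject the message",
}


def parse_dmarc(record):
    """Return the tags as a dict, or None if the record must be ignored."""
    tags = []
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.append((key.strip().lower(), value.strip()))
    # The version tag must come first and read exactly DMARC1;
    # otherwise the entire record is ignored.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def effective_policy(record):
    """Policy applied to mail that fails the DMARC check, or 'ignored'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "ignored"
    policy = tags.get("p", "").lower()
    if policy in POLICIES:
        return policy
    # RFC 7489 6.6.3: without a valid p tag, a record that still carries a
    # reporting address is handled as p=none; otherwise it is ignored.
    # Simplification: only the mailto: prefix of rua is checked here.
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    return "none" if has_rua else "ignored"


# Constructed sample records.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine",
    "p=reject; v=DMARC1",        # version tag is not first
    "v=DMARC; p=reject",         # wrong version string
    "v=DMARC1; p=block; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        policy = effective_policy(sample)
        print(sample, "->", policy, "-", POLICIES.get(policy, "no DMARC processing"))
```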
Voilà, there you have it! If you set up at least an SPF record on your email domain, you should now be well on your way to avoiding getting flagged as a spammer. Speaking of which, email authentication may help stop others from using your email domain to send spam, but it will not prevent you from receiving spam. Don’t worry, we’ve got a solution for that as well.
Stop Spam For Good
Our experts review the best spam blockers with pros, cons, compatibilities, and more.