Deliverability Insights: Common email authentication protocols

Email Authentication

What you need to know and do to verify your emails

Email authentication involves a few technical protocols that an email sender can use to verify their emails. Like a unique digital signature, email authentication helps prove your identity as the sender so your emails are more likely to reach the inbox, and identify forged or fake emails so that they get rejected as spam.

Email authentication can seem complicated but we’re here to help!

In this article we’ll explain the different types of email authentication methods and their impact on your email deliverability. Once you know more about them and your role in the process, you can confidently send emails knowing you’re helping them reach your audience.

If you’re just looking for detailed instructions on DKIM authentication, see the DKIM authentication setup guide.

Important to know 

Before we dive into the world of email authentication, it’s important to understand some common terms and concepts.

  • Email Delivery is whether the email gets accepted (delivered) or rejected (bounced) by the receiving mail server.
  • Email Deliverability is where the email lands after it is accepted for delivery, like the inbox or the spam folder
  • Sending Domain is the domain (after the “@” in an email address) used to send emails
  • DNS (Domain Name System) is like the telephone directory of the internet. It’s a record of all domain names (like on the web

It’s also useful to know that every email has two “from” addresses.

  • Header-From/Friendly From is the address we’re all familiar with in our inbox, like “[email protected]”. It is meant to be read and understood by humans receiving the email.
  • Envelope-From/Return-Path is the address we don’t usually see in the inbox, and it looks like “[email protected]”. It’s for the machines sorting incoming emails.

Setting up email authentication requires some technical know-how because you’ll need to access and create DNS records for your Sending Domain. If you’re uncertain how to do this, ask your IT team or a technically savvy friend to help.


What you need to know

SPF (Sender Policy Framework) authentication checks the DNS records of the domain in the Return-Path address (the one for the machines), and the IPs authorized to send emails for that domain. If a sender’s IP address is not listed in the DNS records of the Return-Path domain, their email is rejected. As the Return-Path domain is Emma’s Sending Domain ( we maintain the correct SPF records and emails sent via Emma meet the requirements of SPF authentication.

What you can do

We manage the SPF record for our Sending Domain, and as an option you can also include Emma’s domain in your DNS records.

If you already have an SPF record you can edit the existing SPF record and include "". Otherwise you’ll need to create an SPF record and include “” in it. More information on SPF records can be found at


What you need to know

DKIM (Domain Keys Identified Mail) allows a mailbox provider (like Gmail, Yahoo, Outlook) to verify that an email’s content hasn’t been tampered or changed in transit and the Friendly From address (the one for humans) matches the DKIM record domain.

DKIM authentication happens in two parts, one on the sender side and the other at the receiving end.

Part 1 - the Emma system generates an alphanumeric code (let’s call it code 1) that represents the Friendly From address and email content. The system then encrypts code 1 and sends it with your email.

Part 2 - When the mailbox provider receives your email, it generates its own alphanumeric code (let's call it code 2). It then encrypts code 2 and compares code 2 with code 1. If both codes match then your email hasn’t been tampered or changed while in transit.

If this all seems a bit complicated, it’s because it is! The important thing is that DKIM authentication uses the domain in the Friendly From address, which is your sending domain, to verify emails. Setting up DKIM authentication means the Friendly From domain and the DKIM domain match.

How email clients treat emails without DKIM

A lack of DKIM authentication can result in some mailbox providers flagging your emails as coming from a sender other than you. This can potentially cause the mailbox provider to show an alert message to your recipients, filter them as spam, or confuse your audience into thinking they're receiving spam from someone purporting to be you.

Without DKIM authentication some mail clients, like Gmail, will show a “via” message next to your Friendly From address in the inbox. After DKIM authentication is added to your sending domain, only your email address is shown without the extra “via” message.

What you need to do

We recommend all clients to set up DKIM authentication for their sending domain, as this helps distinguish your emails from other email senders and builds your unique domain reputation as a trusted email sender.

We have a detailed step-by-step guide on the DKIM authentication setup page.


What you need to know

DMARC (Domain-based Message Authentication, Reporting & Conformance) combines parts of SPF and DKIM authentication to tell mailbox providers what to do with unauthenticated emails.

DMARC was created to destroy the deliverability of email senders forging or faking other people’s Sending Domain, also known as spoofing. If you send emails from your own sending domain, we recommend setting up DKIM as a minimum. If you’re concerned that your domain is being misused for spamming or spoofing, you may consider carefully implementing DMARC.

A DMARC policy also doesn’t guarantee your email will always land in the inbox and senders still need to follow deliverability best practices and anti-spam requirements.

To meet the requirements of a DMARC check:

  • the Friendly From domain must match the domain in the DKIM record
  • OR, the Friendly From domain must match the Return-Path domain, and the sender’s IP address must be listed in the Return-Path domain’s DNS records

Setting up DKIM authentication in your Emma account means the Friendly From domain and the DKIM domain will match, and your emails will meet the requirements of a DMARC check.

What you need to do

Before creating a DMARC policy for your domain, you need to correctly set up DKIM authentication for your Emma account. If not, you risk a large segment of your emails being rejected by mailbox providers.

Implementing DMARC requires someone who really understands DNS! It involves a significant amount of testing, reviewing technical reports, and securing all your mail streams carefully. We recommend getting help from service providers who specialize in DMARC.

Below are three services that can help you through the DMARC implementation process:

Wrap Up

Email authentication is a great way to build trust, protect your domain reputation, and secure your brand identity. Not all authentication methods are required for good sending but some are more helpful than others. Understanding the different authentication methods helps you make an informed decision on what suits your business needs, technical ability, and resources.

Want to engage your audience and grow your brand? Try Emma's robust easy-to-use product today.