Are you frustrated and tired of dealing with emails consistently landing in recipients’ spam folders? Email deliverability issues can harm your professional reputation, disrupt communication with clients and partners, reduce engagement, and most importantly, negatively affect your sales. One of the leading causes of this issue is incorrect email authentication. Proper email authentication is essential for maintaining your company’s credibility and ensuring your communications are effective, but unfortunately, there are few guides that walk you through this process. This article will help explain why email authentication is important and introduce you to key protocols, like SPF, DKIM, and DMARC, all while showing you how to secure your email domain efficiently.
Why Emails End Up in the Spam Folder
In order to fix this issue, you first need to identify what in your email domain is communicating to the recipient's email server that your emails are potentially unsafe. If you do a quick Google search or ask an AI software like ChatGPT, "Why are my company emails going to spam?" you might end up with a list of potential issues that looks something like this:
· Content: The content may be spam-like, or use excessive spam trigger words
· Design: The email design may not follow best practices, or the HTML may be broken
· Authentication: The email may not be properly authenticated, or the domain or IP reputation may be poor
· Engagement: The email may have poor engagement rates, or the recipients may not remember the sender
· List management: The email list may be unmaintained, or it may contain a large number of unengaged subscribers
· Compliance: The email may violate email marketing laws, such as GDPR, CCPA, or CAN-SPAM
· Other factors: The email may have a misleading subject line, inaccurate "From" information, or missing physical address
If you’ve been doing business and exchanging emails with a variety of reputable companies for many years at this point, you can rule a lot of these out immediately. Email authentication, however, is a critical component in ensuring your emails are trusted by other servers. So, what does it mean for an email to be "properly authenticated?"
To fix our authentication issue, we turned to the help of Google and AI (your best friends if working in IT). It is always good to look at different sources for these things to confirm the information you’re getting. And as you'll see in the eventual solution, getting one tiny thing wrong can cause issues with this process. Google, AI, maybe an instructional YouTube video from a creator you find reliable are all resources that you can use to help you.
The main ways to have your domain authenticated are:
Sender Policy Framework (SPF): A record that outlines which mail servers are authorized to send email from that domain. Basically, a recipient’s server receives an email, and it immediately runs through a check for an SPF record. It looks at the IP address of the incoming mail and compares it to the SPF record. For example, they see an IP address that is confirmed to be from Google, and then they confirm that Google is listed in our SPF record, meaning they are an authorized sender for our domain splashbox.com. Confirming that these match tells the recipient server that this is not a scam or spoofed email. If there was a problem with the SPF record, the email might end up in spam.
DomainKeys Identified Mail (DKIM): DKIM uses public key cryptography to assign a private key to each outgoing email. The recipient's server then uses a public key from the DKIM record to decrypt the signature and verify the email's source and contents. If a recipient domain receives an email that is not authenticated with DKIM, it might also end up in spam.
Domain-Based Message Authentication Reporting & Conformance (DMARC): A security protocol that verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols. DMARC tells receiving email servers what to do if an email fails DKIM or SPF authentication.
Steps to Authenticate your Domain
So now that you understand why your emails might go to spam, you need to find out which of these protocols you do or don’t have set up. The three we’ll look at today are SPF records, DKIM, and DMARC.
Set up an SPF Record: Access your domain management settings via your domain hosting site, like Wix, Bluehost, Hostsinger, GoDaddy, Squarespace, or more. In the domain settings, find the DNS Records section. This should be the section for TXT (text) records. In this section, I did in fact see we had an SPF record set up, and it looked like this:
Host Name - splashbox.com
Value: v=spf1 include:_spf.createsend.com ~all
As I mentioned earlier, the SPF record tells the recipient which mail servers are authorized to send emails on behalf of that domain. So this is saying that CreateSend.com is authorized to send emails on behalf of splashbox.com. What is this? Who is this? Panic! It turns out, no big deal. CreateSend is another name for Campaign Monitor, an email marketing tool that our company uses. At some point in the past, someone must have set up this SPF record for Campaign Monitor, as I assume it's necessary for their service.
That being said, Google was not included in this SPF record, and all our company emails are through Gmail. That is a problem. We need our recipient’s servers to see our emails are coming from splashbox.com and to confirm that Google is authorized to send splashbox.com emails. To do so, I changed the SPF to look like this:
Host Name - splashbox.com
Value: v=spf1 include:_spf.google.com include:createsend.com ~all
This includes both Google and CreateSend as authorized to send mail for splashbox.com. Apply changes, save, and done! This actually immediately solved some of our issues, but not all of them.
DKIM: Just like the SPF record, DKIM is set up in your domain's DNS Records section, as a TXT record, and then activated through Google Admin. Despite the fact an SPF record was made in the past for us, it appeared DKIM was not set up at all. This is a much longer and more complicated record that we need to generate from Google and then paste into the TXT record. To generate this record from Google, follow these steps:
Go to admin.google.com
Navigate to Apps
Click on Google Workspace
Then choose Gmail
And finally, click Authenticate Email
On the Google Admin page, you’ll find two buttons, Generate New Record and Start Authentication. First, press Generate New Record, and a long string of code will appear in the box, along with the host name. I had to press the button a couple times because the first time it was nonresponsive. Because of this, I would suggest refreshing the page a time or two after you generate the code, but before you copy it, ensure you have the most current generated record.
Once again, add a TXT record in your domain’s DNS Records management section and copy/paste these two things from Google:
Host name: google._domainkey
Value: a big long string of letters and numbers that starts with v=DKIM1; k=rsa; p=
Then apply your changes and save. Go back to Google Admin, and press Start Authentication. I received an error in red text telling me authentication was not verified, and I had to wait 24-48 hours to see if I made any changes to the DNS record. This was expected from the research I did, so now it was just waiting.
After 48 hours, I went back and tried the button again, and this time I was greeted with a successful authentication message. In another instance with a different domain, I had some trouble with this and kept receiving the error. However, I just copied and pasted by record again into my domain’s DNS settings and it worked immediately.
DMARC: Setting up DMARC is yet another case of adding a TXT record in your domain’s DNS Records management. This is quite easy to do. This time, to generate the record, I used a site powerdmarc.com/dmarc-record-generator/.
All you need to do here is enter an email address on your domain in the fields labeled Aggregate Report Email and Forensic Feedback Email. This designates an email address to be sent reports on emails that have been rejected and other functions of DMARC. You can use your email on your domain for this, or use something like an info@yourdomain, or even create an email address specifically for receiving these reports.
After entering an email in both those fields, press Generate DMARC record. Just like with the DKIM generation, we receive things to copy and paste into a TXT record on your domain site.
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:info@yourdomain.com; ruf=mailto:info@yourdomain.com;
Apply changes. Save, and you’re done.
To confirm that SPF, DKIM, and DMARC Are Properly Set up:
1. Use tools like mxtoolbox.com to check your DNS records.
2. Send an email from your domain to a personal email address, or any email outside of your domain, and view its authentication status.
3. Click on Gmail’s three vertical dots at the top right of the email and click Show Original. Here you can easily check and see if you PASS or FAIL for SPF, DKIM, and DMARC.
At this point, or at least within 48 hours, your domain should be well authenticated and trusted by recipient email servers. By implementing SPF, DKIM, and DMARC protocols, you can significantly reduce – or even eliminate! – the chance of your emails being flagged as spam. We hope this guide has helped you and your business thrive in the digital space.