How Email Authentication Works
Learn how to protect your emails from scammers and spammers.
Email authentication helps mailbox providers confirm that a message really comes from your domain and was not forged. It relies on three main standards: SPF, DKIM, and DMARC.
Reteno provides the SPF and DKIM values you need to add to your DNS to authenticate your sending domain. DMARC is configured in your own DNS because it defines your domainās email policy.
To set up SPF and DKIM for your domain, see Setting Up Email Domain Authentication.
What Is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that lists the servers allowed to send email for your domain.
When a message arrives, the receiving server checks whether it came from one of the servers authorized in your SPF record. If it did not, the message may be rejected or marked as spam.
SPF authorizes Reteno to send email on behalf of your domain.
What Is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails.
The receiving server uses a public key published in your DNS to verify that signature. This confirms that an authorized sender signed the message and that it was not altered after signing.
After your domain is authenticated, Reteno signs emails with your domain's DKIM key.
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It tells mailbox providers how to handle messages that fail DMARC and can provide reporting about sources sending email on behalf of your domain.
A DMARC record sets one of three policies:
noneā monitor authentication without requesting quarantine or rejection of messages that fail DMARC.quarantineā treat failed messages as suspicious, usually placing them in the spam folder.rejectā reject failed messages.
DMARC does not limit how many emails you can send. It defines how mailbox providers should handle messages that fail DMARC and enables authentication reporting.
For how a strict DMARC policy affects domain warm-up, see Domain Warm-up.
Do I Need to Set Up DMARC?
DMARC is not required to verify a domain in Reteno, but we recommend publishing a DMARC record for your domain.
If you are not ready to enforce a strict policy, start with a monitoring policy, such as p=none, and review DMARC reports before moving to p=quarantine or p=reject.
BIMI generally requires an enforced DMARC policy, such as p=quarantine or p=reject. See Adding a BIMI Logo.
What Is Domain Alignment?
Passing SPF or DKIM alone is not always enough for DMARC. At least one mechanism ā SPF or DKIM ā must both pass authentication and align with the domain in the visible From address.
For example, if a message is sent from [email protected], DMARC expects either SPF or DKIM to pass and align with yourdomain.com.
This is why Reteno signs emails with your authenticated domain instead of relying only on a Reteno domain. If the only passing DKIM signature uses a Reteno domain and SPF does not align with the visible From domain, the message will fail DMARC.
Which Records Does Reteno Provide?
When you authenticate your domain, Reteno provides the SPF and DKIM values required for the setup. Add them to your DNS using the record types and values shown in Reteno.
DMARC is configured separately because it defines your domain's authentication policy.
See Setting Up Email Domain Authentication for setup steps.
How Can I Check Email Authentication?
Send a test message to Mail-Tester for a quick check of SPF, DKIM, and DMARC.
You can also verify published DNS records with the DNS tools listed in Setting Up Email Domain Authentication.
Related Articles
- Setting Up Email Domain Authentication
- Domain Verification Troubleshooting
- Domain Warm-up
- Adding a Sender
- Adding a BIMI Logo
Updated 4 days ago
