Implementing Email Authentication: A Primer

One of the most basic elements of our work at Return Path is ensuring that clients use best practices in their email delivery processes. A common recommendation we give is to implement email authentication. Email authentication has two primary benefits: It stymies forgery of email messages and allows senders to build a positive reputation with receivers based upon their mailing behavior. Yet many companies, particularly small ones, have never heard of email authentication — and those who have heard of it have not yet initiated a project to implement it.

How does email authentication work? The most common schemes today — SPF, SenderID, and DomainKeys — use the Domain Name System (DNS) to publish “records.” Each record, which is available to the entire Internet community, details the specific machines that are authorized to send mail for a specific email domain.

Before a message arrives in a user’s email inbox, the receiving email server can attempt to verify that the mail is coming from an authorized source by checking email authentication records. Suppose a spammer forges your domain in his spam message. Unless he has hacked your network (a different, and bigger, problem) he is transmitting messages from IP addresses different from yours. When he sends his forged message, a receiver who checks for email authentication records will query for your domain’s records in DNS to determine your authorized mail sending hosts. Since your records won’t include the spammer’s IPs, the receiver can now take greater precautions in handling the message: rejecting it outright, subjecting it to spam-filtering technologies, or directing it straight to a junk folder.

In brief, here’s how to implement email authentication:

Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:


It is also a good idea to coordinate with your IT group early in this process. They are likely to be familiar with the specifications and can help in planning the process and publishing your records once you’ve built them.

Step 2. Take inventory of systems that send your mail. Identify all machines that send mail on your behalf, which includes all internal and external systems — from corporate mail servers to third parties authorized to send mail on behalf of your company. Once you identify these senders, you need to obtain the IP addresses and host names for each. Be sure to consider the following potential sources:

  • Advertising/PR agencies
  • Bulk mailings
  • Corporate email
  • Customer support and services
  • Events marketing
  • Forwarding services
  • Human resources
  • Investor relations
  • Newsletters
  • Order and shipping confirmations

Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:

Sender ID:

DomainKeys differs slightly in that it requires you to create a public and private encryption key pair for your record. The public key is then published in your DomainKeys record in DNS. Details can be found at

Step 4. Publish your authentication records. Work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy — finding the responsible party who controls your DNS is often the tricky part.

Step 5. Test your authentication records. SPF, SenderID, and DomainKeys all provide options to publish your records in “test” mode. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will ensure that the mail servers you’ve authorized are being verified by receivers and will determine if you’ve missed identifying any mail servers in your inventory.

Some testing options:

Once the records are published and tested, appoint a staff person to make sure they remain current.

Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time