Email Authentication (SPF, DKIM & DMARC)
Email authentication is the set of technical protocols, specifically SPF, DKIM, and DMARC, that prove to receiving mail servers that your emails are genuinely sent from you and not forged by a third party.
What Is Email Authentication (SPF, DKIM & DMARC)?
Think of email authentication as the ID check at the door. SPF (Sender Policy Framework) tells the world which mail servers are allowed to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every message you send, so the receiving server can verify the email hasn't been tampered with in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of both, telling receiving servers what to do when an email fails those checks and sending you reports about what's happening with your domain's email traffic. None of these protocols work in isolation. SPF alone can be fooled. DKIM alone doesn't stop spoofing of the visible 'From' address. DMARC ties them together by requiring at least one of SPF or DKIM to 'align' with the domain your subscribers actually see in their inbox. Together, they build a complete picture. An email that passes all three checks is far more likely to land in the inbox. One that fails them is likely to be junked, quarantined, or rejected outright. In early 2024, Google and Yahoo made these protocols non-negotiable for bulk senders, requiring SPF, DKIM, and a DMARC policy of at least p=none for anyone sending more than 5,000 emails a day to Gmail addresses. That shift moved authentication from a best practice to a baseline requirement. By 2026, most major inbox providers treat unauthenticated email with deep suspicion, regardless of volume.
Why It Matters for Newsletters
If your authentication isn't set up correctly, your newsletters won't reach the people who signed up for them. It's that simple. Poor authentication signals to inbox providers that you might be a spammer or a phisher, even if your content is perfectly legitimate and your list is entirely opt-in. Getting blacklisted or consistently landing in spam because of missing DNS records is one of the most preventable deliverability problems a newsletter creator can face. There's also the brand protection angle. Without a DMARC policy in place, anyone can send email that appears to come from your domain. Phishers do this to scam your subscribers, which destroys the trust you've spent months or years building. A strict DMARC policy (p=reject) closes that door entirely. For newsletter creators who have built a reputation and a relationship with their audience, protecting that domain is as important as any content or growth strategy.
Best Practices
- Set up SPF first by adding a TXT record to your DNS that lists every service authorised to send email from your domain, including your newsletter platform, CRM, and transactional email provider.
- Enable DKIM signing through every email service you use and publish the corresponding public key as a TXT record in your DNS. Most newsletter platforms provide step-by-step instructions for this.
- Publish a DMARC policy starting at p=none with a reporting address so you can monitor your email traffic without blocking anything while you diagnose issues.
- Analyse your DMARC reports regularly (tools like dmarcian or Google Postmaster Tools make this readable) to catch unauthorised senders or misconfigured services before they damage your sender reputation.
- Graduate your DMARC policy from p=none to p=quarantine and eventually p=reject once you're confident all legitimate sending sources are properly authenticated and aligned.
How Aldus Handles This
Aldus guides newsletter creators through authentication setup as part of onboarding, flagging any missing SPF, DKIM, or DMARC records before they become a deliverability problem. Rather than leaving you to piece together DNS documentation from multiple sources, Aldus surfaces exactly what needs to be configured and checks alignment across your sending infrastructure so your newsletters land where they're supposed to.