Updated February 22, 2021

Email authentication gives mailbox providers (like Gmail or Outlook) confidence that the messages they see from senders are authentic and not messages sent by a bad actor. The more confidence a mailbox provider has that the messages you send are legitimate, the more likely that provider is to deliver the message to the inbox. Full use of email authentication tools is best practice for email senders since spammers have become very smart about disguising malicious email under the veil of a trusted brand.

By pretending to send email from your domain, a practice known as phishing, spammers are tricking your customers into giving out their passwords, account information, and other personally identifiable information for their own financial gain. Not only is this a bad experience for your customers, having your brand spoofed also decreases overall trust in your brand and in your messages.

In today’s world, email authentication is a “must do” for legitimate organizations in order to secure their online reputation and maintain customer trust in their brand. While authentication can be tricky, it’s imperative that any web application that sends email puts it at the top of its best practice list. Here’s how:

1. Use consistent sender addresses

Be consistent with the from addresses and friendly from names you use. It can be tempting to have subscribers open a message out of curiosity, but trust in a message starts with a recipient easily recognizing the sender as a brand they trust. Constantly changing from names and from addresses can train your recipients to be more susceptible to phishing.

Similarly, avoid using cousin domains or domains that are slight variations of your standard brand’s domain as this also erodes trust in your messages and trains recipients to be more susceptible to phishing attacks. For example, if your domain is example.com, you’ll want to avoid using a similar domain like examplemail.com.

2. Authenticate your IP addresses with SPF

SPF stands for Sender Policy Framework and compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The SPF record is added to a sender’s domain name system (DNS) and contains a list of authorized IP addresses. For senders utilizing SendGrid’s automated security, we take care of the SPF record for you. Learn all about SPF records in our article, Sender Policy Framework (SPF): A Layer of Protection in Email Infrastructure.

3. Configure DKIM signatures for your messages 

DomainKeys Identified Mail (DKIM) is an authentication standard that cryptographically signs the messages you send so that receiving servers are confident the message was not altered in transit. When you set up an authenticated domain with SendGrid, we will use that domain to sign your messages. We have more information on DKIM authentication in our article, How to Use DKIM to Prevent Domain Spoofing.

4. Protect your domain with DMARC authentication 

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to further prevent messages from being spoofed by phishers. 

A DMARC record is published alongside your DNS records and requires both SPF and DKIM to pass. It also requires the from address domain and the domain used in the message’s authentication to match. The DMARC record lets the owner of the domain both instruct receiving servers what to do with messages that appear to be spoofed (such as block them outright or put them in the spam folder) and receive forensic reports regarding failed messages and potential spoofing of the domain. We have a great post on how to implement DMARC.

Another important part of DMARC is monitoring. SendGrid has partnered with Valimail to offer free DMARC monitoring for our customers. We even created a joint guide on how to protect your sender identity, authenticate your email, and reduce phishing. Download the guide to learn more.

5. Prepare for BIMI 

Brand Indicators for Message Identification (BIMI) is an extra bit of goodness atop the authentication cake that provides an even better inbox trust experience for your recipients. While it is not live in the wild just yet, for senders with a good sending reputation, DMARC in place and at enforcement, and a published BIMI record, BIMI will allow them to provide their brand’s logo in the inbox so that subscribers can quickly and easily identify their message as trusted.

In terms of authentication, BIMI is the only visual clue a typical email user will be able to use to identify a message’s source and authenticity. Check out our blog post on BIMI for more information.
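The checks from steps 2, 4 and 5 can be run offline against your own published records. The following is an added example, not SendGrid code: it tests whether a sending IP is listed in an SPF record, whether a from domain matches the authenticated domain, and whether a DMARC record is at enforcement with reporting. The sample records are constructed, the SPF check reads only `ip4:`/`ip6:` entries, and the organizational-domain rule is a simplification.

```python
import ipaddress

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_authorizes(record, sender_ip):
    """True if sender_ip falls inside an ip4:/ip6: mechanism of the SPF record.
    Simplification: include:, a, mx and redirect= need DNS lookups and are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the leading v=spf1
        if term.lstrip("+").startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.lstrip("+")[4:], strict=False):
                return True
    return False

def org_domain(domain):
    """Naive organizational domain (last two labels); receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC alignment: mode 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_findings(record):
    """Return weaknesses in a DMARC record; empty list = at enforcement with reporting."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("policy is not at enforcement (p=none or missing)")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings

# Constructed sample records; example.com and 192.0.2.0/24 are documentation values.
SPF = "v=spf1 ip4:192.0.2.0/24 include:spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(spf_authorizes(SPF, "192.0.2.25"), aligned("example.com", "examplemail.com"))
    print(dmarc_findings(DMARC_WEAK), dmarc_findings(DMARC_STRONG))
```

Mail signed or sent by the cousin domain examplemail.com does not align with a from address at example.com, which is one more reason to keep all sending on the brand's own domain.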

As you go about authenticating your email, keep in mind that the positive impacts are much broader than simply managing your sending reputation. Anything you can do to build trust with your recipients and help prevent your brand from being spoofed will ultimately lead to happier, more engaged subscribers. And remember, SendGrid customers can always contact our email deliverability experts for help when needed.



Will Boyd
Will has spent the last 5 years in the email delivery world helping senders get their messages to the folks that want them. Having spent most of his life in his home state of Tennessee, Will is loving the ‘real’ mountains of Colorado and lack of humidity. When he’s not thinking about email delivery, Will is an avid blues music fan and amateur blues historian.