Updated February 22, 2021

Email authentication gives mailbox providers (like Gmail or Outlook) confidence that the messages from senders are authentic and not sent by a bad actor. The more confidence a mailbox provider has that the messages you send are legitimate, the more likely that provider is to deliver the message to the inbox. Full use of email authentication tools is a best practice for email senders since spammers have become very smart about disguising malicious emails under the veil of a trusted brand.

By pretending to send email from your domain, a practice known as phishing, spammers trick your customers into giving out their passwords, account information, and other personally identifiable information for their financial gain. Not only is this a bad experience for your customers, but having your brand spoofed also decreases overall trust in your brand and your messages.

In today’s world, email authentication is a must-do for legitimate organizations to secure an online reputation and maintain brand trust with customers. While authentication can be tricky, it’s imperative that any web application that sends email adds this at the top of a best practice list. Here’s how:

1. Use consistent sender addresses

Be consistent with the from addresses and friendly from names you use. It can be tempting to have subscribers open a message out of curiosity, but trust in a message starts with a recipient easily recognizing the sender as a brand they trust. Constantly changing from names and from addresses makes your recipients more susceptible to phishing.

Similarly, avoid using cousin domains or domains that are slight variations of your standard brand’s domain as this also erodes trust in your messages and trains recipients to be more susceptible to phishing attacks. For example, if your domain is example.com, you’ll want to avoid using a similar domain like examplemail.com.

2. Authenticate your IP addresses with SPF

SPF stands for Sender Policy Framework and compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The SPF record is added to a sender’s domain name system (DNS) and contains a list of authorized IP addresses. For senders utilizing Twilio SendGrid’s automated security, we take care of the SPF record for you. Learn all about SPF records in our article, Sender Policy Framework (SPF): A Layer of Protection in Email Infrastructure.

3. Configure DKIM signatures for your messages

DomainKeys Identified Mail (DKIM) is an authentication standard that cryptographically signs the messages you send so that receiving servers are confident there was no altering of the message in transit. When you set up an authenticated domain with Twilio SendGrid, we will use that domain to sign your messages. We have more information on DKIM authentication in our article, How to Use DKIM to Prevent Domain Spoofing.

4. Protect your domain with DMARC authentication

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that uses SPF and DKIM to further prevent phishers from spoofing messages.

A DMARC record is published alongside your DNS records and requires both SPF and DKIM to pass. It also requires the from address domain and the domain used in the message’s authentication to match. The DMARC record allows the owner of the domain to both instruct receiving servers what to do with messages that appear to be spoofed (such as block them outright or put them in the spam folder) as well as receive forensic reports regarding failed messages and potential spoofing of the domain. We have a great post on how to implement DMARC

Another important part of DMARC is monitoring. Twilio SendGrid has partnered with Valimail to offer free DMARC monitoring for our customers. We even created a joint guide on how to protect your sender identity, authenticate your email, and reduce phishing. Download the guide to learn more.

5. Prepare for BIMI

Brand Indicators for Message Identification (BIMI) is an extra bit of goodness atop the authentication cake that provides an even better inbox trust experience for your recipients. While it is not live in the wild just yet, for senders with a good sending reputation, DMARC in place and at enforcement, and a published BIMI record, BIMI will allow them to provide their brand’s logo in the inbox so that subscribers can quickly and easily identify their message as trusted.

In terms of authentication, BIMI is the only visual clue a typical email user can use to identify a message’s source and authenticity. Check out our blog post on BIMI for more information.

As you go about authenticating your email, keep in mind that the positive impacts are much broader than simply managing your sending reputation. Anything you can do to build trust with your recipients and help prevent your brand from spoofing will ultimately lead to happier, more engaged subscribers. And remember, Twilio SendGrid customers can always contact our email Deliverability Experts for help when needed.

Will has spent the last 5 years in the email delivery world helping senders get their messages to the folks that want them. Having spent most of his life in his home state of Tennessee, Will is loving the ‘real’ mountains of Colorado and lack of humidity. When he’s not thinking about email delivery, Will is an avid blues music fan and amateur blues historian. "