How to Authenticate Your Email in 5 Steps (Email Authentication 101)

May 28, 2023
Written by
Will Boyd
Opinions expressed by Twilio contributors are their own

How to Authenticate Your Email in 5 Steps (Email Authentication 101)

Email authentication gives mailbox providers (like Gmail or Outlook) confidence that the messages from senders are authentic and not sent by a bad actor. The more confidence a mailbox provider has that the messages you send are legitimate, the more likely that provider is to deliver the message to the inbox. Full use of email authentication tools is a best practice for email senders since spammers have become very smart about disguising malicious emails under the veil of a trusted brand.

By pretending to send email from your domain, a practice known as phishing, spammers trick your customers into giving out their passwords, account information, and other personally identifiable information for their financial gain. Not only is this a bad experience for your customers, but having your brand spoofed also decreases overall trust in your brand and your messages.

In today’s world, email authentication is a must-do for legitimate organizations to secure an online reputation and maintain brand trust with customers. While authentication can be tricky, it’s imperative that any web application that sends an email adds this to the top of a best practice list.

How to authenticate email

1. Use consistent sender addresses

Be consistent with the from addresses and friendly from names you use. It can be tempting to have subscribers open a message out of curiosity, but trust in a message starts with a recipient easily recognizing the sender as a brand they trust. Constantly changing from names and from addresses makes your recipients more susceptible to phishing.

Similarly, avoid using cousin domains or domains that are slight variations of your standard brand's domain, as this also erodes trust in your messages and trains recipients to be more susceptible to phishing attacks. For example, if your domain is, you'll want to avoid using a similar domain like

2. Authenticate your IP addresses with SPF

SPF stands for Sender Policy Framework and compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The SPF record is added to a sender's domain name system (DNS) and contains a list of authorized IP addresses. For senders utilizing Twilio SendGrid's automated security, we take care of the SPF record for you. Learn all about SPF records in our article, Sender Policy Framework (SPF): A Layer of Protection in Email Infrastructure.

3. Configure DKIM signatures for your messages

DomainKeys Identified Mail (DKIM) is an authentication standard that cryptographically signs the messages you send so that receiving servers are confident there was no altering of the message in transit. When you set up an authenticated domain with Twilio SendGrid, we will use that domain to sign your messages. We have more information on DKIM authentication in our article, How to Use DKIM to Prevent Domain Spoofing.

4. Protect your domain with DMARC authentication

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that uses SPF and DKIM to further prevent phishers from spoofing messages.

A DMARC record is published alongside your DNS records and requires both SPF and DKIM to pass. It also requires the from address domain and the domain used in the message's authentication to match. The DMARC record allows the owner of the domain to both instruct receiving servers what to do with messages that appear to be spoofed (such as block them outright or put them in the spam folder) as well as receive forensic reports regarding failed messages and potential spoofing of the domain. We have a great post on how to implement DMARC

Another important part of DMARC is monitoring. Twilio SendGrid has partnered with Valimail to offer free DMARC monitoring for our customers. We even created a joint guide on how to protect your sender identity, authenticate your email, and reduce phishing. Download the guide to learn more.

5. Prepare for BIMI

Brand Indicators for Message Identification (BIMI) is an extra bit of goodness atop the authentication cake that provides an even better inbox trust experience for your recipients. For senders with a good sending reputation, DMARC in place and at enforcement, and a published BIMI record, BIMI will allow them to provide their brand's logo in the inbox so that subscribers can quickly and easily identify their message as trusted.

In terms of authentication, BIMI is the only visual clue a typical email user can use to identify a message’s source and authenticity. Check out our blog post on BIMI for more information.

What is email authentication?

Email authentication is a daunting subject. There’s often an alphabet soup of acronyms and initialisms. But the core concepts are not complicated, and most everyone will be able to quickly understand them.

Email authentication is a process used to verify the legitimacy and integrity of an email message. It establishes trust between senders and recipients by ensuring your identity is verified.

Email authentication relies on several methods and standards, including the following:
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  • Brand Indicators for Message Identification (BIMI)

Sender Policy Framework

SPF allows a sender to verify their authenticity. Let’s think about it this way: if you receive a letter in your mailbox printed on official letterhead, you can be reasonably sure that it’s authentic. So another way to think of an email that passes SPF is a certified letter from the post office. There is a tracking number provided, and you can verify who the sender is by calling the post office.

SPF is also similar to confirming a return address. If you received a letter where the business name didn’t match any businesses listed at the letter’s return address, you would be rightly skeptical of that letter. This kind of check is usually unnecessary for physical mail, but it’s necessary for email messages, too, because it’s easy to send a message claiming to be from someone else.

During SPF, a receiving email server can ask the domain that the email claims to be from for a list of IP addresses that are allowed to send email on that domain’s behalf. If the domain doesn’t list the originating server as a valid sender, then the email is most likely not genuine and the SPF check will fail.

DomainKeys Identified Mail

DKIM is like a wax seal on a letter. Before reliable postal infrastructure, letters were authenticated with a sealing wax embossed with a signet ring belonging to the sender. The hardened wax bonded with the parchment and made it nearly impossible to tamper with the letter without leaving evidence.

Let’s imagine another way to ensure the authenticity of the sender. Think of a box with a locking drawer and a locking lid. The drawer can only be locked with the sender’s key. We’ll call this key the sender’s private key.

The lid can be locked and unlocked by a key that is freely available. Anybody can request a copy of the key. In fact, the sender has provided all of the post offices along the delivery route with a copy of this key. We’ll call this the public key.

Under the lid is a pane of glass. By unlocking the lid anyone can inspect the package through the glass, but cannot tamper with it without breaking the glass and leaving evidence. Upon inspection, an interested party can confirm the official letterhead, see that the glass is intact, and verify that the drawer is locked with the key that only the sender has. Each post office along the way opens the lid to make sure that the package is still intact.

DKIM works in a similar way to this box. The sender has a cryptographic private key that is used to encode the message headers. The public key is made available on a decentralized public internet registry called the DNS or Domain Name System. Any of the servers involved in passing the message along to the final destination can retrieve the public key and decrypt the headers to verify that the message is valid.

Domain Message Authentication Reporting and Conformance

Imagine that someone sends you one of these fancy double lockboxes. The courier bringing the package performs one final check before delivering it. She looks up the delivery conformance policy for the sender of the package. Their policy says that the package should have originated from a trusted address (SPF).

The package should also have been in a locked box from a trusted source holding a private key and should be verifiably unaltered in transit (DKIM). The policy further stipulates that if the SPF and DKIM conditions are not met, the courier should quarantine the package and inform the sender of the violation.

This policy is analogous to a Domain Message Authentication Reporting and Conformance policy. DMARC is the latest authentication tool, built on both SPF and DKIM. It’s a way for senders to inform recipients which authentication methods to check for and what to do if a message claiming to be from them does not pass the required checks. Instructions might include marking the message as quarantined and therefore likely to be suspicious or rejecting the message completely.

You might wonder why senders would ever want to allow messages that don’t pass DMARC to be delivered. DMARC also provides a feedback loop so senders can monitor whether emails that appear to be originating from their domains are conforming with the policy or not.

What email authentication means for senders

With DMARC, domain owners finally have full control over the “from” address over that appears in a recipient’s’ email client. Large mailbox providers like Yahoo! and AOL have already implemented strict policies. Emails that appear to originate from these domains but that fail authentication checks will get dropped. You can view updates on Gmail here and on Microsoft here.

What this means is that you should never send from domains that are not configured to allow your server via DKIM and SPF. If you send emails on behalf of clients, you’ll want to ensure your clients have the correct DNS entries in place to enable this.

For recipients, the increased popularity of these technologies means a reduction in phishing and spam emails that get delivered. And that’s always a good thing.

And if you want help with your email authentication or you’re having difficulty with your email deliverability, SendGrid has email plans and expert services to help with it all.

Get started with email authentication

As you go about authenticating your email, keep in mind that the positive impacts are much broader than simply managing your sending reputation. Anything you can do to build trust with your recipients and help prevent your brand from spoofing will ultimately lead to happier, more engaged subscribers. And remember, Twilio SendGrid customers can always contact our email Deliverability Experts for help when needed.

Recommended For You

Most Popular

Send With Confidence

Partner with the email service trusted by developers and marketers for time-savings, scalability, and delivery expertise.