
Email Authentication Check List

  • [ ] You must have access to your DNS zone records
  • [ ] Email marketing account generates:
    • [ ] the CNAME record names and values you need to update your DNS settings.

SPF – the bouncer

💡 SPF prevents spammers from sending unauthorized messages that appear to be from your domain. If you’re not on the list, you don’t get in.

💡 Sender Policy Framework (SPF) is a protocol that lists the IP addresses of mail servers and domain names that are authorized to send mail on your behalf.

  • [ ] List the IP addresses that are allowed to send email for a given domain/subdomain.
  • [ ] Check SPF settings for all sending domains.
      💡 The SPF record for your domain should reference all email senders for your domain.
  • [ ] Ensure all authorized sources are listed (this includes Mailgun, SendGrid and other tools).
      💡 If you’re sending transactional emails through Mailgun, a different ESP for marketing emails, and use Google Workspace for internal emails, all three need to be identified on your SPF record.
  • [ ] If SPF is out of alignment, go to your DNS provider and rotate credentials between your DNS and ESP.

Example SPF DNS records:

v=spf1 ip4:192.0.2.188 ip6:2001:db8::766 a:smtp.example.com -all
v=spf1 ip4: ip4: include:examplesender.email -all
v=spf1 include:spf.sendinblue.com include:_spf.google.com include:zoho.com -all
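
An added example, not part of the original checklist: a Python audit of an SPF record for the checks above (every authorized sender listed, valid ip4/ip6 values, a terminal all that fails unlisted senders). The name audit_spf, the 10-lookup limit taken from RFC 7208 and the BAD sample record are assumptions or constructed values; GOOD is the third example record above.

```python
import ipaddress

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record, required_includes=()):
    """Return a list of findings for one SPF TXT record (empty list = clean)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, seen, includes, all_qualifier = [], [], set(), None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?")
        # Split "ip4:192.0.2.1", "redirect=example.com" or bare "mx" into name/value.
        cut = min((i for i in (body.find(":"), body.find("=")) if i != -1),
                  default=len(body))
        name, value = body[:cut].split("/")[0].lower(), body[cut + 1:]
        seen.append(name)
        if name == "include":
            includes.add(value.lower())
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                findings.append(f"invalid {name} value: {value!r}")
        elif name == "all":
            all_qualifier = qualifier
    for sender in required_includes:
        if sender.lower() not in includes:
            findings.append(f"authorized sender not listed: include:{sender}")
    # Only this record's own terms are counted; nested includes add more lookups.
    lookups = sum(1 for name in seen if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if all_qualifier is None and "redirect" not in seen:
        findings.append("no 'all' term: unlisted senders are not failed")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' does not fail unlisted senders")
    return findings

# Sample records: GOOD is from the page, BAD is constructed for this example.
GOOD = "v=spf1 include:spf.sendinblue.com include:_spf.google.com include:zoho.com -all"
BAD = "v=spf1 ip4:203.0.113.300 include:_spf.google.com ?all"
SENDERS = ["spf.sendinblue.com", "_spf.google.com"]

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec, "->", audit_spf(rec, SENDERS) or "ok")
```

Run it against the TXT value copied from your DNS provider, passing the include domains your ESPs document as required_includes.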

DomainKeys Identified Mail (DKIM) authentication

💡 Receiving servers use DKIM to verify that the domain owner actually sent the message.

  • [ ] Turn on DKIM for the domain that sends your email
  • [ ] Using a DKIM TXT record, create key pairs to identify your sending domains.
  • [ ] Or use the DKIM CNAME record names and values.
  • [ ] Check DKIM settings for all sending domains.
      💡 DKIM is specific to the sending platform. If the client uses Google for inboxes, AWS for transactional and MailChimp for email marketing, you should set up DKIM individually for each one, and they should each have their own confirmation system within the platform.
  • [ ] Ensure selectors indicate where receiving servers can find the public key.
  • [ ] If DKIM is out of alignment, go to your DNS provider and rotate credentials between your DNS and ESP.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

💡 DMARC lets you tell receiving servers what to do with messages from your domain that don’t pass SPF or DKIM.

  • [ ] Let receiving mail servers know what to do with authentication failures.
  • [ ] Set up DMARC with your DNS provider (SPF and DKIM are required).
  • [ ] Ensure the domain listed in the From: header is aligned with domains for SPF/DKIM.

💡 If using a p=none DMARC policy, consider eventually enforcing p=quarantine or p=reject.

One-click unsubscribe

💡 List-Unsubscribe is a small piece of text that can be inserted in the header section of your email. The List-Unsubscribe header will insert an “unsubscribe” button, or link, next to the From address at the top of your email. A recipient can click this link to notify you that they would like to unsubscribe from your emails.

  • [ ] Make it easy for subscribers to opt-out of marketing emails.
  • [ ] Include an unsubscribe link in the body of the email that removes the subscriber from all marketing communications within 48 hours.

💡 Avoid spam complaints

  • Keep your spam complaint rate under 0.1% and never exceed 0.3%.
  • Review your current sending practices, including frequency.
  • Conduct list hygiene to remove or segment unengaged and outdated contacts.