Email Authentication Basics

What is Email Authentication?

Email authentication is a process used to verify the authenticity and integrity of an email message or sender. It helps to prevent email spoofing, phishing, and other forms of email fraud by confirming that the message is sent from the claimed sender and has not been tampered with during transmission.

ISPs like Gmail and Yahoo have mandated the use of authentication methods like SPF, DKIM, and DMARC as a part of their latest deliverability guidelines. These methods were always recommended, and they help protect users from unsolicited, spam, and fraudulent emails. Compliance with these will have a direct impact on the effectiveness and deliverability of email campaigns.

 

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are authentication methods that brands can implement to increase the trustworthiness of their email communications and reduce the risk of email scams and impersonation attacks.

  • Sender Policy Framework (SPF): SPF allows domain owners to publish a list of authorized IPs that are allowed to send emails on behalf of their domain. When an email is received, the recipient's mail server checks the SPF records in the domain's DNS to verify if the sending IP in the email request is authorized to send emails for that domain.
  • DomainKeys Identified Mail (DKIM): DKIM uses a digital signature that is added to the email header to verify that the message has not been tampered with. The sender's domain signs the email with a private key, and the recipient's mail server uses the public key stored in the DNS records to validate the signature.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC is an email authentication policy framework that builds on SPF and DKIM. It allows domain owners to specify how their emails should be handled if they fail authentication checks. DMARC provides instructions to receiving mail servers on how to handle emails that fail SPF or DKIM checks, such as marking them as spam or rejecting them. Moreover, DMARC allows for reports to be sent to the admin to identify where the unauthenticated emails are sent from.

If you use MoEngage email, we share these with you as DNS records to be updated in your Domain Name Server (DNS) as part of your onboarding.

What are DNS Records?

DNS stands for Domain Name System, and it acts as a directory for the internet. It translates domain names into IP addresses, allowing computers to locate and communicate with each other. DNS records are a set of instructions that tell servers how to handle different aspects of your domain.

There are three different types of DNS records that MoEngage shares with you at the time of onboarding.

  1. For Domain and IP Authentication
    • SPF (Record type: CNAME) for authentication
    • DKIM (Record type: CNAME) for authentication
    • Domain lookup for dedicated IP (Record type: A)
    • DMARC (Record type: TXT)

  2. DNS records for URL branding
    • DNS Link branding (Record type: CNAME)

  3. DNS record to access your Domain Reputation in Google Postmaster
    • Google Postmaster (Record type: CNAME)

An example of what these records look like is attached below: 

[Screenshot: example DNS records]

How do I know if these are set for my domains or not?

You can send a test email to your Gmail address and compare it with the screenshot below to check whether your authentication is up to date. Open the email, click the three-dot menu at the top right, and click "Show Original".

  • Search for "Received: from" and look for the following:
    • The domain shown in "Received: from" for your sending IP should be a subdomain of your domain.
    • The "Authentication-Results:" header should show dkim=pass, spf=pass, and dmarc=pass.

[Screenshot: Gmail "Show Original" view with the authentication results]

  • Hover over the images and links in the email. The link domain shown at the bottom left should be a subdomain of your domain.

    [Screenshot: link domain shown on hover]
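The two header checks above can also be scripted. This Python sketch is an added example, not MoEngage code: it reads the raw text copied from "Show Original" and reports any of spf, dkim or dmarc that is not "pass", plus a "Received: from" host that is not under your domain. The sample message, host names, IP and function names are constructed for illustration.

```python
import re
from email import message_from_string

REQUIRED = ("spf", "dkim", "dmarc")

# Constructed sample of a "Show Original" view; hosts and IPs are placeholders.
SAMPLE = """\
Received: from mail.news.example.com (mail.news.example.com. [192.0.2.10])
        by mx.example.net with ESMTPS id abc123; Mon, 29 Jan 2024 21:00:00 -0800
Authentication-Results: mx.example.net;
       dkim=pass header.i=@news.example.com header.s=s1;
       spf=pass (example.net: domain of bounce@news.example.com designates
       192.0.2.10 as permitted sender) smtp.mailfrom=bounce@news.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=news.example.com
From: Brand <hello@news.example.com>
Subject: Test
"""

def auth_results(msg):
    """Method -> result from the top-most header (the one the receiver added)."""
    value = re.sub(r"\([^()]*\)", " ", msg.get("Authentication-Results", ""))
    results = {}
    for clause in value.split(";")[1:]:      # clause 0 is the server's own id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if m and results.get(m.group(1).lower()) != "pass":
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def sending_host(msg):
    # Host named in the first "Received: from" header, lower-cased.
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value, re.I)
        if m:
            return m.group(1).rstrip(".").lower()
    return None

def check_message(raw, domain):
    """Return a list of problems; an empty list means every check passed."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    problems = [f"{m}={results.get(m, 'missing')}" for m in REQUIRED
                if results.get(m) != "pass"]
    host = sending_host(msg)
    if host is None or not host.endswith("." + domain.lower()):
        problems.append(f"Received from {host}, not a subdomain of {domain}")
    return problems

if __name__ == "__main__":
    print(check_message(SAMPLE, "example.com") or "all checks passed")
```

Only trust an Authentication-Results header written by your own receiving server; a copy further down the message may have been supplied by the sender.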



If these don't match, what do I do? 

Reach out to your MoEngage Customer Success Manager and get the exact records that need to be set up in your DNS.


Where do I update them?

You will need to know who your domain registrar is. The exact steps for the most common providers are linked below. If you don't have the required access, you can share these details with your IT admin, who can help you set these up.

  1. GoDaddy
  2. Cloudflare
  3. Microsoft Azure
  4. Google Domains
  5. Shopify
  6. Akamai
  7. AWS - Amazon Route 53
