Email Authentication
Email Marketing
Also: Email Deliverability Authentication · Sender Authentication
Quick definition
Email authentication is a set of technical standards that verify an email is genuinely from the domain it claims to be from. The three key protocols — SPF, DKIM and DMARC — work together to tell receiving email servers that your messages are legitimate, improving deliverability and protecting your domain from being used for spam.
How it varies across Australia
Email authentication gaps are common among Australian SMBs and cause significant deliverability problems that go unnoticed until open rates drop. Businesses sending to Gmail and Yahoo accounts without full SPF, DKIM and DMARC configuration risk having their emails quarantined or rejected following Google and Yahoo's 2024 sender requirements.
The three authentication protocols
Authorised senders list: A DNS record that lists which mail servers are authorised to send email on behalf of your domain. Receiving servers check this list when an email arrives claiming to be from your domain.
Digital signature: A cryptographic signature added to outgoing emails that proves the message was not altered in transit. The receiving server verifies the signature against a public key in your DNS records.
Policy and reporting: A policy that tells receiving servers what to do when SPF or DKIM fails — nothing, quarantine (move to spam) or reject. Also sends reports to you about failed authentication attempts.
Logo in inbox: An emerging standard that displays your brand logo in the inbox beside authenticated emails. Requires a DMARC policy of quarantine or reject. Supported by Gmail, Yahoo and Apple Mail.
What it actually means
Email authentication is the technical plumbing that proves your emails come from you. Without it, receiving email servers have no way to verify that a message claiming to be from yourcompany.com.au is actually sent by you, rather than by a spammer spoofing your domain.
SPF tells the world which servers are allowed to send on behalf of your domain. DKIM adds a cryptographic signature to each message that proves it was not tampered with in transit. DMARC ties the two together and gives you a policy for what happens when authentication fails.
In 2024, Google and Yahoo introduced bulk sender requirements that made SPF, DKIM and DMARC mandatory for businesses sending more than 5,000 emails per day. Businesses that do not meet these requirements risk having their emails blocked or sent to spam across the entire Gmail and Yahoo ecosystem.
For most businesses, the setup is a one-time technical task: adding DNS records provided by your email sending platform (Klaviyo, Mailchimp, HubSpot, Salesforce, etc.) and configuring a DMARC policy. Once done correctly it requires minimal ongoing maintenance.
Authentication does not make your emails more interesting. It makes sure they arrive at all.
How it shows up
Authentication problems show up as lower-than-expected open rates, higher bounce rates and deliverability failures. Tools like Google Postmaster Tools, MXToolbox and your email platform's deliverability reports will flag authentication issues. A DMARC report will show you how many emails are failing SPF or DKIM checks.
The Australian context
Australian businesses sending from custom domains (yourcompany.com.au) through third-party platforms (Klaviyo, HubSpot, Mailchimp) need to ensure each sending platform has its own DKIM keys configured and that the SPF record includes all authorised sending services. Many Australian businesses use multiple email tools — transactional email, marketing email, CRM — and each one needs to be included in the authentication setup.
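A sketch of that check, added here as an example (it is not from the original page or from any sending platform): it audits a domain's TXT records against the list of services that send as the domain. The records, include hosts and service names are constructed placeholders.

```python
import re

# Constructed TXT records for a hypothetical domain. The include hosts are
# placeholders; use the values your own sending platforms publish.
TXT_RECORDS = [
    "v=spf1 include:spf.marketing.example include:spf.crm.example ~all",
    "site-verification=constructed-token",
]
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.example"
REQUIRED_INCLUDES = {  # one entry per service that sends as the domain
    "marketing": "spf.marketing.example",
    "crm": "spf.crm.example",
    "transactional": "spf.transactional.example",
}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}


def audit_spf(txt_records, required):
    """Return findings for the SPF side of a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers return a permanent error"]
    terms = [t.lower().lstrip("+-~?") for t in spf[0].split()[1:]]
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    findings = [f"{name}: missing include:{host}"
                for name, host in required.items() if host not in includes]
    # RFC 7208 allows 10 DNS-querying terms; nested includes also count,
    # so this top-level tally is a lower bound.
    lookups = sum(re.split(r"[:/=]", t, maxsplit=1)[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of 10")
    return findings


def audit_dmarc(record):
    """Return findings for a DMARC record's policy and reporting tags."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: receivers take no action on failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings
```
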
Common questions
How do I check if my email authentication is set up correctly?
Send a test email from your marketing platform to a Gmail or Google Workspace account and click 'Show original' in Gmail to see the authentication headers. Use MXToolbox.com to look up your domain's SPF and DMARC records. Most email platforms also have a built-in authentication checker. Google Postmaster Tools provides ongoing deliverability and authentication monitoring for your sending domain.
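The header check described above can also be done in code. The following added example (not from the original page) parses the `Authentication-Results` header out of a message source and reports whether the SPF and DKIM passes belong to the From domain. The message is constructed, and the alignment test is a simplification that accepts the same domain or a subdomain of it.

```python
import re
from email import message_from_string

# Constructed message source; hosts, selector and IP are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@esp.example header.s=k1;
       spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.esp.example;
       dmarc=fail (p=NONE) header.from=yourcompany.example
From: News <news@yourcompany.example>
Subject: constructed sample

Body text.
"""


def parse_auth_results(raw_message):
    """Map each method (spf, dkim, dmarc) to its list of result dicts."""
    header = message_from_string(raw_message)["Authentication-Results"] or ""
    header = re.sub(r"\([^()]*\)", " ", header)  # drop parenthesised comments
    results = {}
    for clause in header.split(";")[1:]:  # first field is the receiver's id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method, []).append({"result": result, **props})
    return results


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of From."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a and f) and (a == f or a.endswith("." + f))


def summarise(raw_message):
    """Report SPF/DKIM alignment with the From domain and the DMARC result."""
    res = parse_auth_results(raw_message)
    dmarc = res.get("dmarc", [{}])[0]
    sender = dmarc.get("header.from", "")
    def ok(method, *keys):
        return any(r["result"] == "pass" and aligned(
            next((r[k] for k in keys if k in r), "").rpartition("@")[2], sender)
            for r in res.get(method, []))
    return {"spf_aligned": ok("spf", "smtp.mailfrom"),
            "dkim_aligned": ok("dkim", "header.d", "header.i"),
            "dmarc": dmarc.get("result")}
```

In the sample, SPF and DKIM both pass but for the sending platform's domain, which is why DMARC still fails for `yourcompany.example`.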
What happens if I do not set up DMARC?
Without DMARC, your domain has no policy for handling emails that fail SPF or DKIM checks. This leaves your domain open to spoofing — where someone sends emails pretending to be from your domain. It also means you miss out on DMARC reporting, which tells you about authentication failures. Following Google and Yahoo's 2024 requirements, sending without DMARC at scale can result in emails being rejected.
Does email authentication affect transactional emails as well as marketing emails?
Yes. Authentication applies to all emails sent from your domain — transactional (receipts, confirmations, password resets) and marketing. Both should be fully authenticated. Transactional emails are often handled by a separate sending service (SendGrid, Postmark, AWS SES) that also needs its own DKIM keys and SPF inclusion.
About New Rebellion
New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.