Domain authentication
SPF, DKIM, and DMARC — the foundation of email deliverability.
Email authentication tells inbox providers that your emails are legitimate and not spoofed. Without it, your emails are far more likely to land in spam.
The three layers
SPF (Sender Policy Framework)
SPF declares which mail servers are authorized to send email for your domain. When you use AWS SES, Amazon's SPF records cover your sends — Sendra handles this automatically.
DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs each email so inbox providers can verify it wasn't tampered with in transit. When you verify your domain in Sendra, the CNAME records you add enable DKIM signing through SES.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells inbox providers what to do if authentication fails. You set it up by adding a TXT record to your DNS:
Recommended progression:
- Start with
p=none— monitor only, no emails are rejected - Move to
p=quarantine— failing emails go to spam - Move to
p=reject— failing emails are blocked entirely
Move through these stages over weeks as you gain confidence that all your legitimate emails pass authentication.
Checking your setup
Use these free tools to verify your authentication is working:
- MX Toolbox — check DMARC records
- Mail Tester — send a test email and get a deliverability score
- Google Postmaster Tools — monitor your domain's reputation with Gmail
Common issues
| Problem | Cause | Fix |
|---|---|---|
| DKIM failing | DNS records not added or not propagated | Re-check CNAME records, wait for propagation |
| DMARC failing | SPF or DKIM misaligned | Ensure you're sending from a verified domain |
| Emails going to spam despite auth | Domain reputation is low | See sender reputation |