The Spamhaus Project


Authentication and encryption for email

One of the first steps to ensuring good domain/IP reputation and consequently successful email deliverability is authentication and encryption - it helps receivers "trust" your email. This article provides a clear overview of what's required including SPF, DKIM and DMARC.

by The Spamhaus TeamFebruary 15, 20225 minutes reading time

Jump to


One of the first steps to ensuring good domain/IP reputation and consequently successful email deliverability is authentication and encryption.

WARNING…This is going to get a little technical for some marketers reading this. Our advice is that if you don’t have a deliverability team to lean on, work together with your IT team to check and ensure your authentication is appropriately set up.### Why are authentication and encryption necessary?

Correctly deployed authentication allows an email receiver to verify that an email’s sender is whom they say they are. Why is this necessary? Everything in an email header except the IP address that connects to the recipient’s server can be forged.

Authentication makes it possible for an email receiver to increase their trust in the domains used in headers and the “Friendly-From’ field. The “Friendly From” name and address are user-defined fields that identify the sender to the recipient and are visible in an email client, i.e., what the end-user sees. If you’d like to take a deeper dive into understanding the various elements of an email header, read “Understanding the source code of a malicious email.”

An overview of key authentication and encryption to set up for email

Here are the critical factors associated with email authentication and encryption:

  • Sender Policy Framework (SPF) – allows a sender to specify to a receiver where mail should be coming from. You can use Single IPs, IP ranges, or hostnames.
  • DomainKeys Identified Mail (DKIM) – uses a cryptographic signature to verify that the sender has permission to use the domain in the “from” field and that the content hasn’t been tampered with.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) – tells the recipient what to do with unauthenticated mail.
  • Transport Layer Security (TLS) – encrypts the transmission phase of sending email.

SPF and DKIM authentication protocols should be considered a must – and are required in any modern email marketing infrastructure. The lack of SPF and DKIM authentication will damage reputation and affect deliverability and inbox placement. DMARC uses SPF and DKIM protocols and is rapidly increasing in importance, particularly within the financial industry.


  • SPF allows the authoritative owner of a given domain to specify to a receiver which networks or ISPs are authorized to send mail using that domain as a ‘from’ address.
  • Single IPs, IP ranges, or hostnames can be used.
  • An SPF TXT record should be as narrow as possible for the greatest security.
  • This TXT record lives in the DNS zone file for the sending domain.


  • DKIM uses a cryptographic signature of a designated portion of the email header and the email body.
  • It validates the authority of the sending domain.
  • It validates that designated headers and content have not been modified in transit.
  • It makes use of a public/private key pair.
  • It has become a crucial part of deliverability, and you should never send email without it. Failure to include a valid DKIM signature will negatively affect deliverability and inbox placement at many ISPs.


  • DMARC is an authentication policy published through a short entry in DNS. It enables senders to specify to receivers how to respond when email fails SPF or DKIM checks.
  • It allows senders to request aggregated and anonymized reports from recipients regarding unauthenticated email that claims to be from their domains.
  • It creates a way for ISPs to supply this data in a standardized format. In turn, this allows domain owners to monitor possible spoofing of their domains, which is especially useful for commonly abused businesses such as banks, online payment systems, various social media, etc.
  • It does not allow senders to bypass spam filters.

Some ISPs consider whether or not DMARC “passes” in their filtering decisions. For DMARC to pass, there must be alignment.

  • In DMARC alignment: a message must pass ‘SPF authentication’ and ‘SPF alignment’ and/or ‘DKIM authentication’ and ‘DKIM alignment.’
  • DKIM alignment: ‘d=’ must match FRIENDLY FROM
  • SPF alignment: RETURN-PATH must match the FRIENDLY FROM domain


  • TLS is an encryption method used to encrypt the communication channel between two computers. It is the successor to Secure Sockets Layer (SSL), and the two terms are often used interchangeably. SSL/TLS are widely used to encrypt connections over the internet. For example, whenever a lock appears in the browser bar, the browser encrypts communication between you and the website you are connected to.
  • TLS can be used to encrypt email during the transmission stages. Some recipients require it and refuse mail that is not TLS encrypted, but that is not very common (yet). Many MTAs have the option to request TLS if it is available and will failover to an unencrypted connection if it is not.

With all the above correctly configured, you will have built the foundations for increasing your email reputation and having good inbox placement.

Having taken a closer look at the world of email authentication and encryption, we’ll move onto what kind of opt-in method to choose when building your mailing lists.

Further resources:

Additional reading

The official websites for:

Useful tools: