Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

basics

SPF vs DKIM: What's the Difference and Do You Need Both?

SPF checks the sending server, DKIM signs the message itself. This guide settles the real question with a side-by-side comparison: you need both because forwarding breaks SPF while DKIM survives it, and Gmail, Yahoo and Microsoft now require both plus DMARC. Includes record examples and how to spot which one your domain is missing.

Jul 3, 20267 min read
dkim

DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)

A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.

Jul 3, 20267 min read
dkim

DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It

A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.

Jul 3, 20268 min read
dkim

DKIM Key Rotation: How Often to Rotate Keys Without Breaking Mail

A practical DKIM key rotation guide: rotate every 6 months by default, every 3 months for 1024-bit keys, and monthly for high-value senders. Includes a zero-downtime dual-selector runbook, automated rotation with CNAME-hosted keys, and an emergency procedure for a suspected key compromise, all without bouncing legitimate mail.

Jul 3, 20267 min read
dkim

Multiple DKIM Selectors on One Domain: Signing for Google, SendGrid, Mailchimp and More

DKIM is designed for many keys on one domain. Each sending service publishes its own public key under a unique selector, so Google, SendGrid, Mailchimp and every other stream can sign mail independently. This guide maps the common selector conventions per provider, explains the one rule you cannot break, and shows how to verify every stream.

Jul 3, 20267 min read
dkim

DKIM Fails but SPF Passes: Why It Happens and How to Fix the Signature

When DKIM fails but SPF passes, the sending IP was authorized but the signature broke. This guide diagnoses the signature-level causes: body hash mismatch from list footers and forwarding, altered headers, missing selectors, truncated keys, and l= body-length quirks. Includes a symptom-to-cause table, a step-by-step verification loop, and how signature failures differ from DMARC alignment failures so you fix the right thing.

Jul 3, 20268 min read
basics

SPF, DKIM and DMARC Explained

The three records that decide whether your email is trusted or spoofed. What each one does, how they work together, and how to check yours.

Jul 3, 20266 min read
dkim

How to Set Up DKIM

DKIM signs your mail so receivers can prove it came from you. Here is how to generate the key, publish the record, enable signing, and confirm it works.

Jul 3, 20264 min read
dkim

How to Fix DKIM Alignment Failures

DKIM can pass while DMARC still fails. The reason is alignment. Here is what alignment means and how to make your signature match your From domain.

Jul 3, 20264 min read
PreviousPage 2 of 2
Email Authentication Guides - SPF, DKIM and DMARC | SPFWise