Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
SPF vs DKIM: What's the Difference and Do You Need Both?
SPF checks the sending server, DKIM signs the message itself. This guide settles the real question with a side-by-side comparison: you need both because forwarding breaks SPF while DKIM survives it, and Gmail, Yahoo and Microsoft now require both plus DMARC. Includes record examples and how to spot which one your domain is missing.
DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)
A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.
DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It
A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.
DKIM Key Rotation: How Often to Rotate Keys Without Breaking Mail
A practical DKIM key rotation guide: rotate every 6 months by default, every 3 months for 1024-bit keys, and monthly for high-value senders. Includes a zero-downtime dual-selector runbook, automated rotation with CNAME-hosted keys, and an emergency procedure for a suspected key compromise, all without bouncing legitimate mail.
Multiple DKIM Selectors on One Domain: Signing for Google, SendGrid, Mailchimp and More
DKIM is designed for many keys on one domain. Each sending service publishes its own public key under a unique selector, so Google, SendGrid, Mailchimp and every other stream can sign mail independently. This guide maps the common selector conventions per provider, explains the one rule you cannot break, and shows how to verify every stream.
DKIM Fails but SPF Passes: Why It Happens and How to Fix the Signature
When DKIM fails but SPF passes, the sending IP was authorized but the signature broke. This guide diagnoses the signature-level causes: body hash mismatch from list footers and forwarding, altered headers, missing selectors, truncated keys, and l= body-length quirks. Includes a symptom-to-cause table, a step-by-step verification loop, and how signature failures differ from DMARC alignment failures so you fix the right thing.
SPF, DKIM and DMARC Explained
The three records that decide whether your email is trusted or spoofed. What each one does, how they work together, and how to check yours.
How to Set Up DKIM
DKIM signs your mail so receivers can prove it came from you. Here is how to generate the key, publish the record, enable signing, and confirm it works.
How to Fix DKIM Alignment Failures
DKIM can pass while DMARC still fails. The reason is alignment. Here is what alignment means and how to make your signature match your From domain.