Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC
HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.
Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly
Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.
Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration
Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.
DMARC Relaxed vs Strict Alignment Explained (and Which to Use)
DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.
How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap
Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.
The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail
The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.
Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam
A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk
Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.
How to Read a DMARC Aggregate (RUA) Report: The XML Decoded Field by Field
A DMARC aggregate report is a daily XML file listing every IP that sent mail as your domain and whether each passed DMARC. This guide walks a real annotated sample field by field: report_metadata, policy_published, and record rows, including the difference between raw and aligned results. Then it gives three triage patterns so you can tell legitimate-but-failing senders from spoofing and know the exact action for each, no paid dashboard required.
Does DMARC Stop Phishing? What It Blocks and What It Doesn't
DMARC at p=reject stops attackers who forge your exact domain, including most CEO-fraud that spoofs your address. It does nothing about lookalike domains, display-name tricks, or a hijacked mailbox that logs in legitimately. This guide gives an honest yes/no matrix, pairs every gap with the control that actually closes it, and shows where DMARC fits in a layered defense so you stop treating it as a silver bullet.
How to Read the Authentication-Results Header: Decode SPF, DKIM and DMARC
The Authentication-Results header is your receiving mail server's verdict on whether SPF, DKIM and DMARC passed. This guide annotates real headers from Gmail, Outlook and Yahoo field by field, gives a lookup table for every result value from pass to permerror, explains smtp.mailfrom, header.i and dis=, and ends with an if-X-failed-fix-Y decision tree so you can turn a confusing string into a fix.
How to Stop Someone From Spoofing Your Email Domain
A step-by-step playbook to stop attackers from sending email as your domain: audit every legitimate sending source, get SPF and DKIM passing and aligned, then move DMARC to a reject policy. Includes what this stops, what it does not (lookalike domains and display-name spoofing), and a free lookup to check your current status.