Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

dmarc

HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC

HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.

Jul 3, 20266 min read
dkim

Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly

Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.

Jul 3, 20267 min read
spf

Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration

Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.

Jul 3, 20267 min read
dmarc

DMARC Relaxed vs Strict Alignment Explained (and Which to Use)

DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.

Jul 3, 20267 min read
dmarc

How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap

Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.

Jul 3, 20268 min read
dmarc

The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail

The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.

Jul 3, 20267 min read
deliverability

Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam

A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.

Jul 3, 20268 min read
security

Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk

Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.

Jul 3, 20268 min read
dmarc

How to Read a DMARC Aggregate (RUA) Report: The XML Decoded Field by Field

A DMARC aggregate report is a daily XML file listing every IP that sent mail as your domain and whether each passed DMARC. This guide walks a real annotated sample field by field: report_metadata, policy_published, and record rows, including the difference between raw and aligned results. Then it gives three triage patterns so you can tell legitimate-but-failing senders from spoofing and know the exact action for each, no paid dashboard required.

Jul 3, 20266 min read
dmarc

Does DMARC Stop Phishing? What It Blocks and What It Doesn't

DMARC at p=reject stops attackers who forge your exact domain, including most CEO-fraud that spoofs your address. It does nothing about lookalike domains, display-name tricks, or a hijacked mailbox that logs in legitimately. This guide gives an honest yes/no matrix, pairs every gap with the control that actually closes it, and shows where DMARC fits in a layered defense so you stop treating it as a silver bullet.

Jul 3, 20267 min read
deliverability

How to Read the Authentication-Results Header: Decode SPF, DKIM and DMARC

The Authentication-Results header is your receiving mail server's verdict on whether SPF, DKIM and DMARC passed. This guide annotates real headers from Gmail, Outlook and Yahoo field by field, gives a lookup table for every result value from pass to permerror, explains smtp.mailfrom, header.i and dis=, and ends with an if-X-failed-fix-Y decision tree so you can turn a confusing string into a fix.

Jul 3, 20267 min read
security

How to Stop Someone From Spoofing Your Email Domain

A step-by-step playbook to stop attackers from sending email as your domain: audit every legitimate sending source, get SPF and DKIM passing and aligned, then move DMARC to a reject policy. Includes what this stops, what it does not (lookalike domains and display-name spoofing), and a free lookup to check your current status.

Jul 3, 20267 min read
PreviousPage 2 of 3Next
Email Authentication Guides - SPF, DKIM and DMARC | SPFWise