Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
Google Workspace SPF, DKIM & DMARC Setup: A Complete Step-by-Step Guide
A precise, ordered walkthrough for authenticating a Google Workspace domain. Copy the exact SPF value, run the Admin Console DKIM "Start Authentication" flow with the 2048-bit key set correctly, then add DMARC last. Validate each record live before moving on so you never stack a second mistake on top of the first.
Amazon SES SPF, DKIM & DMARC Setup: The Complete DNS Configuration
Amazon SES passes SPF by default but does not align it for DMARC until you configure a custom MAIL FROM subdomain. This guide walks through Easy DKIM's three CNAME records, domain identity verification, the SPF TXT and MX records that fix DMARC alignment, and how to verify the whole stream in the checker before you enforce a reject policy.
SendGrid Domain Authentication: SPF, DKIM & DMARC Setup (Automated vs Manual Security)
SendGrid Domain Authentication publishes CNAME records on a delegated em1234 subdomain so SPF and DKIM pass without touching your root SPF. This guide explains the delegated-subdomain model, contrasts Automated Security (CNAME) versus Manual (TXT), and shows how to add the DMARC policy SendGrid will not create for you, then confirm every CNAME resolves.
How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)
Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.
HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC
HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.
Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly
Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.
Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration
Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.
DMARC Relaxed vs Strict Alignment Explained (and Which to Use)
DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.
How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap
Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.
The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail
The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.
Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam
A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk
Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.