Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

dmarc

HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC

HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.

Apr 3, 20266 min read
dkim

Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly

Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.

Apr 1, 20267 min read
spf

Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration

Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.

Mar 29, 20267 min read
basics

SPF vs DKIM: What's the Difference and Do You Need Both?

SPF checks the sending server, DKIM signs the message itself. This guide settles the real question with a side-by-side comparison: you need both because forwarding breaks SPF while DKIM survives it, and Gmail, Yahoo and Microsoft now require both plus DMARC. Includes record examples and how to spot which one your domain is missing.

Mar 27, 20267 min read
dkim

DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)

A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.

Mar 20, 20267 min read
dkim

DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It

A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.

Mar 18, 20268 min read
dkim

DKIM Key Rotation: How Often to Rotate Keys Without Breaking Mail

A practical DKIM key rotation guide: rotate every 6 months by default, every 3 months for 1024-bit keys, and monthly for high-value senders. Includes a zero-downtime dual-selector runbook, automated rotation with CNAME-hosted keys, and an emergency procedure for a suspected key compromise, all without bouncing legitimate mail.

Feb 20, 20267 min read
dkim

Multiple DKIM Selectors on One Domain: Signing for Google, SendGrid, Mailchimp and More

DKIM is designed for many keys on one domain. Each sending service publishes its own public key under a unique selector, so Google, SendGrid, Mailchimp and every other stream can sign mail independently. This guide maps the common selector conventions per provider, explains the one rule you cannot break, and shows how to verify every stream.

Feb 18, 20267 min read
dkim

DKIM Fails but SPF Passes: Why It Happens and How to Fix the Signature

When DKIM fails but SPF passes, the sending IP was authorized but the signature broke. This guide diagnoses the signature-level causes: body hash mismatch from list footers and forwarding, altered headers, missing selectors, truncated keys, and l= body-length quirks. Includes a symptom-to-cause table, a step-by-step verification loop, and how signature failures differ from DMARC alignment failures so you fix the right thing.

Feb 15, 20268 min read
basics

SPF, DKIM and DMARC Explained

The three records that decide whether your email is trusted or spoofed. What each one does, how they work together, and how to check yours.

Feb 1, 20266 min read
dkim

How to Set Up DKIM

DKIM signs your mail so receivers can prove it came from you. Here is how to generate the key, publish the record, enable signing, and confirm it works.

Jan 28, 20264 min read
dkim

How to Fix DKIM Alignment Failures

DKIM can pass while DMARC still fails. The reason is alignment. Here is what alignment means and how to make your signature match your From domain.

Jan 18, 20264 min read
PreviousPage 2 of 2