Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

spf

550 5.7.23 'SPF Validation Failed': Why It Happens and How to Resolve It

The 550 5.7.23 bounce means the receiver rejected your mail because SPF authentication failed and a policy told it to reject. It usually points to one of three things: a hard -all fail from a sender that is not listed, an SPF PermError from too many DNS lookups or broken syntax, or forwarding that rewrites the path. This guide separates the three causes and shows how to confirm which one you have.

May 3, 2026 · 7 min read
dmarc

550-5.7.26 'Unauthenticated Sender' in Gmail: What It Means and How to Fix It

Gmail returns 550-5.7.26 when a message has no passing, aligned authentication. This guide decodes the exact wording and maps it to three fixable causes: neither SPF nor DKIM passing, an SPF or DKIM pass that does not align with your From domain, and a missing DMARC record. Includes a copy-paste diagnostic checklist and a free domain check that shows which of the three is failing.

May 1, 2026 · 6 min read
dkim

Google Workspace SPF, DKIM & DMARC Setup: A Complete Step-by-Step Guide

A precise, ordered walkthrough for authenticating a Google Workspace domain. Copy the exact SPF value, run the Admin Console DKIM "Start Authentication" flow with the 2048-bit key set correctly, then add DMARC last. Validate each record live before moving on so you never stack a second mistake on top of the first.

Apr 12, 2026 · 6 min read
dkim

Amazon SES SPF, DKIM & DMARC Setup: The Complete DNS Configuration

Amazon SES passes SPF by default but does not align it for DMARC until you configure a custom MAIL FROM subdomain. This guide walks through Easy DKIM's three CNAME records, domain identity verification, the SPF TXT and MX records that fix DMARC alignment, and how to verify the whole stream in the checker before you enforce a reject policy.

Apr 10, 2026 · 7 min read
dmarc

HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC

HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.

Apr 3, 2026 · 6 min read
spf

Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration

Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.

Mar 29, 2026 · 7 min read
basics

SPF vs DKIM: What's the Difference and Do You Need Both?

SPF checks the sending server, DKIM signs the message itself. This guide settles the real question with a side-by-side comparison: you need both because forwarding breaks SPF while DKIM survives it, and Gmail, Yahoo and Microsoft now require both plus DMARC. Includes record examples and how to spot which one your domain is missing.

Mar 27, 2026 · 7 min read
spf

Do Subdomains Need Their Own SPF Record?

SPF does not climb from a subdomain to your root domain, so a subdomain with no record returns "none" and is trivially spoofable. This guide shows why SPF inheritance is a myth, how to write per-subdomain records, how to lock down subdomains that never send mail, and how the DMARC sp= tag fills the gap SPF leaves open.

Mar 25, 2026 · 7 min read
spf

SPF PermError vs TempError: What Each One Means and How to Fix It

SPF PermError and TempError are two distinct results, not versions of "fail." PermError means a permanent misconfiguration you must fix now, usually more than 10 DNS lookups or two v=spf1 records. TempError means a transient DNS problem that self-resolves but signals trouble if it repeats. This guide gives a side-by-side decision table, a root-cause checklist for each, and shows how to read the exact cause.

Mar 22, 2026 · 7 min read
spf

Why Email Forwarding Breaks SPF (and How SRS and ARC Fix It)

Email forwarding breaks SPF because the forwarding server sends from an IP that was never listed in the original domain's SPF record, so the check fails by design under RFC 7208. This guide explains envelope sender versus header From, why aliases and mailing lists fail, and how SRS repairs SPF while DKIM and ARC restore DMARC alignment.

Feb 25, 2026 · 6 min read
security

SPF +all Is the Most Dangerous Setting in Email: Here's Why

An SPF record ending in +all tells every receiving server that any IP on the internet is allowed to send mail as your domain. It is the one SPF setting that actively helps attackers spoof you. This guide shows the real phishing and reputation fallout, clears up the -all vs ~all vs ?all confusion, and gives you a safe migration path from softfail to hardfail you can confirm with a free lookup.

Feb 22, 2026 · 6 min read
basics

SPF, DKIM and DMARC Explained

The three records that decide whether your email is trusted or spoofed. What each one does, how they work together, and how to check yours.

Feb 1, 2026 · 6 min read