
Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

deliverability

Google Postmaster Tools: How to Set It Up and Read Every Dashboard

Google Postmaster Tools shows how Gmail actually treats your mail: domain reputation, spam rate, authentication pass rates, delivery errors and the feedback loop. This guide walks through TXT-record verification, explains why the dashboards stay empty until SPF, DKIM and DMARC line up, and decodes every graph in plain English so you know exactly what to fix.

Apr 24, 2026 · 8 min read
deliverability

Domain Reputation vs IP Reputation: Which One Controls Your Inbox Placement

Domain reputation and IP reputation both decide whether your mail lands in the inbox, but they behave differently. This guide compares what each one measures, how portable it is, and how long it takes to recover, plus the 2026 reality that Gmail now weighs your domain more than your sending IP. Includes a decision guide for shared versus dedicated IP senders and how authentication alignment ties the two together.

Apr 22, 2026 · 7 min read
security

How to Set Up DANE and TLSA Records for Email (SMTP)

DANE lets you pin your mail server's TLS certificate in DNS so sending servers refuse to deliver over a downgraded or spoofed connection. This guide gives you the exact build order: confirm DNSSEC end to end, generate the hash from your STARTTLS certificate with OpenSSL, publish a TLSA record at _25._tcp.your-mx-host, and pick the right usage, selector, and matching type. Includes validation steps and the DNSSEC mistake that breaks most first attempts.

Apr 17, 2026 · 8 min read
deliverability

BIMI Without a VMC: How Self-Asserted BIMI and CMCs Actually Work

You can publish BIMI without a VMC. Self-asserted BIMI shows your logo in Yahoo, AOL and Fastmail with no certificate at all. A Common Mark Certificate adds Gmail logo display without a registered trademark. A Verified Mark Certificate is the only path to the Gmail blue checkmark. This guide gives you a clear decision map, the record syntax, and the DMARC prerequisites every path shares.

Apr 15, 2026 · 7 min read
dkim

SendGrid Domain Authentication: SPF, DKIM & DMARC Setup (Automated vs Manual Security)

SendGrid Domain Authentication publishes CNAME records on a delegated em1234 subdomain so SPF and DKIM pass without touching your root SPF. This guide explains the delegated-subdomain model, contrasts Automated Security (CNAME) versus Manual (TXT), and shows how to add the DMARC policy SendGrid will not create for you, then confirm every CNAME resolves.

Apr 8, 2026 · 6 min read
dkim

How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)

Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.

Apr 5, 2026 · 7 min read
dkim

Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly

Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.

Apr 1, 2026 · 7 min read
spf

SPF PermError vs TempError: What Each One Means and How to Fix It

SPF PermError and TempError are two distinct results, not versions of "fail." PermError means a permanent misconfiguration you must fix now, usually more than 10 DNS lookups or two v=spf1 records. TempError means a transient DNS problem that self-resolves but signals trouble if it repeats. This guide gives a side-by-side decision table, a root-cause checklist for each, and shows how to read the exact cause.

Mar 22, 2026 · 7 min read
dkim

DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)

A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.

Mar 20, 2026 · 7 min read
dkim

DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It

A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.

Mar 18, 2026 · 8 min read
dmarc

DMARC Relaxed vs Strict Alignment Explained (and Which to Use)

DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.

Mar 15, 2026 · 7 min read
dmarc

How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap

Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.

Mar 13, 2026 · 8 min read