Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
HubSpot Email Authentication: Connecting Your Domain with SPF, DKIM & DMARC
HubSpot sends your email from its own servers, so your DNS has to authorise it. This guide walks the connect-sending-domain flow record by record: the two DKIM CNAMEs, the return-path that makes SPF align on your own domain, why you usually leave your root SPF alone, and the DMARC policy that clears the Google and Yahoo bulk rules. Confirm every record resolves before you click Verify in HubSpot.
Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly
Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.
Zoho Mail SPF, DKIM & DMARC Setup: Complete DNS Configuration
Zoho Mail needs three DNS records to pass authentication: one SPF record with include:zohomail.com, a DKIM TXT record enabled per domain in the admin console with Zoho's selector, and a DMARC policy you move from none to reject over a few weeks. This guide gives the exact records, the single-SPF-record rule, the correct DKIM selector, and a staged rollout you verify live.
SPF vs DKIM: What's the Difference and Do You Need Both?
SPF checks the sending server; DKIM signs the message itself. This guide settles the real question with a side-by-side comparison: you need both because forwarding breaks SPF while DKIM survives it, and Gmail, Yahoo and Microsoft now require both plus DMARC. Includes record examples and how to spot which one your domain is missing.
Do Subdomains Need Their Own SPF Record?
SPF does not climb from a subdomain to your root domain, so a subdomain with no record returns "none" and is trivially spoofable. This guide shows why SPF inheritance is a myth, how to write per-subdomain records, how to lock down subdomains that never send mail, and how the DMARC sp= tag fills the gap SPF leaves open.
SPF PermError vs TempError: What Each One Means and How to Fix It
SPF PermError and TempError are two distinct results, not versions of "fail." PermError means a permanent misconfiguration you must fix now, usually more than 10 DNS lookups or two v=spf1 records. TempError means a transient DNS problem that self-resolves but signals trouble if it repeats. This guide gives a side-by-side decision table, a root-cause checklist for each, and shows how to read the exact cause.
DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)
A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.
DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It
A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.
DMARC Relaxed vs Strict Alignment Explained (and Which to Use)
DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.
How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap
Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.
The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail
The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped; it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.
How to Set Up MTA-STS: Step-by-Step Guide with Policy File and DNS Records
A copy-paste walkthrough of all three MTA-STS parts: the _mta-sts TXT record, the mta-sts.txt policy file served over HTTPS at the well-known path, and the mx, mode, and max_age directives. Includes dig and curl validation steps to confirm each piece resolves before you switch from testing to enforce mode, plus how MTA-STS relates to TLS-RPT, DANE, and DMARC.