Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
How to Find Where Your DNS Is Hosted (So You Can Add SPF, DKIM, and DMARC)
Before you can add SPF, DKIM, or DMARC, you have to find the provider that actually controls your DNS records. Your nameservers tell you exactly who that is, and it is often not the company you bought the domain from. This guide shows you how to look up your nameservers, tell your registrar apart from your DNS host, and jump straight to the right setup steps for Cloudflare, GoDaddy, Namecheap, or Route 53.
What DNS Records Does Your Domain Need to Send and Receive Email?
A complete, ordered map of the DNS records a domain needs to send and receive email: MX and its A/AAAA target to receive, SPF, DKIM and DMARC to authenticate, plus optional MTA-STS and BIMI. Learn which records are mandatory versus optional and the exact order to add them so nothing breaks mid-setup, then confirm each one with a free scan.
What Is a DNS TXT Record? A Plain-English Guide for Email Authentication
A DNS TXT record stores plain text in your domain's DNS, and for most people the only reason to touch one is email authentication: SPF, DKIM, and DMARC all live in TXT records. This guide shows annotated real examples, explains the host, value, and TTL fields, and covers the 255-character split and multiple-strings gotchas that quietly break records.
550 5.7.1 'Email Rejected Per DMARC Policy': Causes and Step-by-Step Fix
A 550 5.7.1 email rejected per DMARC policy bounce means the receiving server enforced your p=reject or p=quarantine policy because the message failed DMARC. This guide shows how to tell whether it is your own mail or a forgotten third-party tool, how to read the bounce, and how to add the missing SPF include or DKIM key instead of weakening your policy.
550 5.7.23 'SPF Validation Failed': Why It Happens and How to Resolve It
The 550 5.7.23 bounce means the receiver rejected your mail because SPF authentication failed and a policy told it to reject. It usually points to one of three things: a hard -all fail from a sender that is not listed, an SPF PermError from too many DNS lookups or broken syntax, or forwarding that rewrites the path. This guide separates the three causes and shows how to confirm which one you have.
How to Check Your Email Deliverability: A Free Step-by-Step Audit
Check your email deliverability for free by running the checks in the order a pro would: authentication with our scanner first, then blocklist status, a real seed and inbox-placement test, Google Postmaster Tools and Microsoft SNDS reputation, and finally content and spam scoring. This audit gives you a full inbox-placement picture without paying for a suite.
Google Postmaster Tools: How to Set It Up and Read Every Dashboard
Google Postmaster Tools shows how Gmail actually treats your mail: domain reputation, spam rate, authentication pass rates, delivery errors and the feedback loop. This guide walks through TXT-record verification, explains why the dashboards stay empty until SPF, DKIM and DMARC line up, and decodes every graph in plain English so you know exactly what to fix.
Domain Reputation vs IP Reputation: Which One Controls Your Inbox Placement
Domain reputation and IP reputation both decide whether your mail lands in the inbox, but they behave differently. This guide compares what each one measures, how portable it is, and how long it takes to recover, plus the 2026 reality that Gmail now weighs your domain more than your sending IP. Includes a decision guide for shared versus dedicated IP senders and how authentication alignment ties the two together.
How to Set Up DANE and TLSA Records for Email (SMTP)
DANE lets you pin your mail server's TLS certificate in DNS so sending servers refuse to deliver over a downgraded or spoofed connection. This guide gives you the exact build order: confirm DNSSEC end to end, generate the hash from your STARTTLS certificate with OpenSSL, publish a TLSA record at _25._tcp.your-mx-host, and pick the right usage, selector, and matching type. Includes validation steps and the DNSSEC mistake that breaks most first attempts.
BIMI Without a VMC: How Self-Asserted BIMI and CMCs Actually Work
You can publish BIMI without a VMC. Self-asserted BIMI shows your logo in Yahoo, AOL and Fastmail with no certificate at all. A Common Mark Certificate adds Gmail logo display without a registered trademark. A Verified Mark Certificate is the only path to the Gmail blue checkmark. This guide gives you a clear decision map, the record syntax, and the DMARC prerequisites every path shares.
SendGrid Domain Authentication: SPF, DKIM & DMARC Setup (Automated vs Manual Security)
SendGrid Domain Authentication publishes CNAME records on a delegated em1234 subdomain so SPF and DKIM pass without touching your root SPF. This guide explains the delegated-subdomain model, contrasts Automated Security (CNAME) versus Manual (TXT), and shows how to add the DMARC policy SendGrid will not create for you, then confirm every CNAME resolves.
How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)
Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.