Skip to content

Email Authentication Basics (4 Steps)

Email authentication ensures your emails land in the right place. We rely on SPF, DKIM, BIMI, and DMARC when messaging prospective and current customers.

This is a technical process in your DNS records that enables sales and marketing initiatives to be far more successful—making more money for your business.

It’s worth learning about email authentication, if for no other reason than that email marketing works.

Email is one of the most popular and most effective ways to communicate with buyers. It’s an open format that’s universally adopted. And it’s evolving every day.

59% of B2B marketers cite email as their top channel for revenue generation.


So how do we use email authentication to send emails that deliver? SPF, DKIM, BIMI, and DMARC happen in your DNS (Domain Name System) records. DNS records govern how computers and services interact with your domain. And when we say domain, we mean a website such as

Using Email Authentication for Sales and Marketing

Let’s assume you own a domain and have an email address associated with that domain. Moreover, that you will use that email address for sales and marketing activities. That email address would be something like or

DNS Records Basics

SPF, DKIM, BIMI, and DMARC are a collection of email authentication methods that demonstrate to internet service providers (ISPs) and email service providers (ESPs) that senders are genuinely authorized to send email from a given domain, what to do, and what to do if they’re not.

In order to proceed, you need to be able to access your website’s DNS records. Even if you can access them, you may not be able to implement all of these things because different providers offer different levels of support for these specifications—DKIM in particular, as outlined below.

Failing to configure your DNS records correctly can result in your emails landing in spam—or not deliver at all. This can affect your domain reputation, prevent you from communicating with customers, and cost your money.

What is SPF for Email

SPF or Sender Policy Framework is an email validation system for detecting and blocking email spoofing. It enables mail exchangers to validate that incoming mail from a certain domain originates from a sender or IP address that has been permitted by the domain’s administration.

For example, if you are using Google as your email service provider, you would specifically include Google in your SPF records as someone who can send email through your domain. Many email providers do this by default. It gets more complicated if you are adding additional senders like an email newsletter or billing software—this is beyond the scope of this introductory article.

What is DKIM for Email

DKIM (DomainKeys Identified Mail) allows the message handler to assume responsibility for a message while it is in transit. It adds a new domain name identification to a message and utilizes cryptographic techniques to verify its validity.

In other words, there are actually two DKIM records. A private key and a public key. They work together to indicate an email is from you. Not every ESP supports DKIM. If your ESP doesn’t’ support DKIM, then you can’t use it because they can’t store your DKIM record. Check for this before signing up for a service.

What is BIMI for Email

BIMI (Brand Indicators for Message Identification) is an emerging specification that we should touch on here. Let’s hear how the BIMI group describes it, since they’re the industry group who is developing this specification.

(BIMI) is an emerging email specification that enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization has put into deploying DMARC protection, by bringing brand logos to the customer’s inbox.

For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated.

BIMI Group

This is a form of email authentication that is going to be especially relevant for marketers. BIMI requires additional considerations that are going to affect your DMARC policy. We can break that down in the future if there’s interest. And in case you’re ever talking about BIMI with someone, it’s pronounced: Bih-mee.

What is DMARC for Email

DMARC (Domain-Based Message Authentication Reporting and Conformance) is an additional authentication mechanism that references both SPF and DKIM to verify that an email was sent by the owner of the “Friendly-From” domain that the viewer sees. SPF and DKIM must both pass, and at least one of them must be aligned, for DMARC to pass.

This is where it all comes together. Either a sender is approved through SPF or a key indicates it’s legitimate through DKIM. Your DMARC policy dictates what should happen with an email if either, neither, or both SPF and DKIM checks pass. When emails flow through email service providers, DMARC reports are generated that capture that activity. Meanwhile BIMI relies on your DMARC policy in order to display your brand mark.

Takeaways for Improving Email Deliverability

This is a basic overview of the email authentication specifications you can use to improve your email deliverability. At Intro, we set these up for our clients every day. Deliverability is essential in our work generating new business on behalf of our clients.

We’d love to hear which of these specifications is most interesting, or most confusing, to you. Comment below or contact us.