SPF, DKIM, and DMARC: How to make sure your emails pass these 3 types of email authentication



In episode 6 of the Deliverability Defined podcast, my co-host Melissa Lambert and I dive deep into email authentication, and what you need to know to be sure your emails pass SPF, DKIM, and DMARC.

Authentication (SPF, DKIM, and DMARC)

Email authentication can be very complex, but it's crucial for your email deliverability. In this episode, we talk about why authentication exists, how to quickly determine if your emails are passing authentication, and the three types of authentication you should become familiar with.

Main takeaways

Authentication exists to verify that a message is coming from a specific sender.

  • This prevents spam and phishing and makes email more secure.
  • Authentication also protects senders’ reputation from being harmed by a spammer who uses the sender’s domain to send malicious emails.

All emails have two “from” addresses, the friendly-from and the return-path.

  • The friendly-from address is the address that subscribers see and recognize.
  • The return-path address is hidden in the headers of your email and isn’t typically seen by subscribers. This address is usually your Email Service Provider’s (ESP) domain.

A quick way of determining if you’re passing authentication is to send yourself a test email and pull the message headers.

There are three types of authentication: SPF, DKIM, and DMARC

SPF (Sender Policy Framework)

  • SPF is essentially a list of IP addresses that are allowed to send mail on behalf of your domain.
  • SPF is checked on the return-path domain, not the friendly-from domain.
  • This means ConvertKit (and most other ESPs) takes care of SPF for you.

DKIM (DomainKeys Identified Mail)

  • DKIM uses a public key and a private key to verify the sender is not being spoofed and that the message hasn’t been tampered with
  • DKIM isn’t tied to the return-path or the friendly-from. Instead, it is checked using the domain listed in the DKIM header of the message

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • DMARC ties SPF and DKIM to the friendly-from domain, making emails much more secure
  • DMARC does require some upkeep and proper setup, so be sure you fully understand the repercussions of DMARC before setting it up for your domain
  • If you want to use DMARC on your domain and you’re a ConvertKit user, be sure to verify the sending domain in your ConvertKit account
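
To make the header check and the DMARC tie-in concrete, here is an added example (not from the podcast or from ConvertKit) that reads the Authentication-Results header of a test message and reports whether SPF or DKIM passed on a domain aligned with the friendly-from. The `example` domains are constructed placeholders, and treating the last two labels as the organizational domain is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (all *.example domains are placeholders).
SAMPLE = """\
Return-Path: <bounce-123@mail.esp.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=mail.esp.example;
 dkim=pass header.d=creator.example header.s=k1;
 dmarc=pass header.from=creator.example
From: "Creator News" <hello@creator.example>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: real DMARC relaxed alignment uses the Public Suffix List;
    # here the last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return {method: (result, {property: value})} from one header value."""
    out = {}
    for part in value.split(";")[1:]:           # part 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", part[m.end():]))
            out[m.group(1)] = (m.group(2), props)
    return out

def check_message(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Trust only the header added by your own receiving server,
    # which is normally the topmost one.
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, spf_props = results.get("spf", ("none", {}))
    dkim, dkim_props = results.get("dkim", ("none", {}))
    spf_dom = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_dom = dkim_props.get("header.d", "")
    spf_ok = spf == "pass" and org_domain(spf_dom) == org_domain(from_dom)
    dkim_ok = dkim == "pass" and org_domain(dkim_dom) == org_domain(from_dom)
    # DMARC needs at least one mechanism to pass AND align with the From domain.
    return {"from": from_dom, "spf": spf, "dkim": dkim,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_would_pass": spf_ok or dkim_ok}
```

On the sample, SPF passes but only for the ESP's return-path domain, so DMARC succeeds through the DKIM signature on the sender's own domain.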


Try ConvertKit's deliverability in action

It's now free to use ConvertKit with an audience of up to 1,000 subscribers! Start building your audience and reaching their inboxes: convertkit.com/pricing.

Stay in touch

Apple Podcasts
Deliverability Defined Website

To receive email notifications when new episodes of Deliverability Defined are available, or to submit topic suggestions, sign up to our email list.


Alyssa Dulin

Alyssa is a Deliverability Lead located in Nashville, TN. She loves helping senders reach the inbox of their subscribers. Outside of work, Alyssa enjoys traveling, indoor cycling, and spending time with family.
