6 Common Reasons Why Email Authentication Fails
Did you know that one of the top reasons for emails going to spam is that email authentication fails?
Email authentication is an important topic if you are using a 3rd party ESP (like SendX). If you are using a mailbox provider like Gmail, Yahoo Mail, AOL, Apple Mail, etc., then your emails will be authenticated by default (if everything is set up correctly).
What is Email Authentication and Why is it Important?
Quite simply, email authentication means that you (the owner of the domain) are giving the required permissions to a 3rd party ESP to send emails on your domain's behalf.
In case you are wondering if it is even possible to send emails from a domain without providing permission (from the domain owner), the answer is YES. You would have seen emails having via <some_domain_name> in the email header like the following.
If not, go check your inbox and you are sure to find several emails like this. This simply means Johnny Appleseed's domain is sending this email over the authentication of the sendx.io domain. To read in depth about email authentication, I would recommend reading the Email Authentication section of our Email Deliverability guide.
Needless to say, this is not the best way to send emails. And SPAM filters look at such an email with suspicion. A lot of spammers also rely on this technique since they are able to leverage the good domain reputation of the ESP.
Always ask your ESP to provide email authentication. At SendX, we provide email authentication for free in every plan and strongly encourage our users (during on-boarding) to get their domain authenticated with SendX.
6 Common Email Authentication Mistakes
Here are the common mistakes we see people make (when it comes to email authentication):
Not Adding SPF Records
SPF stands for Sender Policy Framework. It is an email authentication method to detect forged sender addresses in emails. It is a TXT DNS record entry which allows an IP, a set of IPs, or email servers to send emails for you. All emails not originating from these servers will be considered unauthenticated.
Email inbox providers check this to either reject the mail entirely or send it to the receiver's Spam folder (so that no one else exploits you as a sender). It is a best practice not to allow more than 10 servers to send emails on your behalf.
To test this, you can open any email that you received and check the headers and/or the original mail. The "mailed by" domain tells you whether or not the SPF is applied properly. It should match the domain of the from email address.
In inbox providers like Google Workspace, there is a simplified description of the header in the original email stating whether the SPF passed.
SPF Records Header in Gmail
You can also look up your SPF records here.
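The check a receiving server runs against the SPF record can be sketched as follows (an added example, not SendX code or code from the original article). The `ZONE` dictionary is constructed data standing in for DNS, the domains and IP ranges are documentation placeholders, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF check

# Constructed zone data standing in for DNS TXT lookups (documentation ranges).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for term in parts[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms

def check_spf(domain, sender_ip, zone=ZONE, state=None):
    """Evaluate ip4, ip6, include and all for sender_ip; return an SPF result."""
    state = {"lookups": 0} if state is None else state
    record = zone.get(domain)
    if record is None:
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "all":
            matched = True
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying terms
            inner = check_spf(value, sender_ip, zone, state)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            raise NotImplementedError(f"{name} needs live DNS; not handled here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched
```

A sender inside the ESP's included range passes, an unlisted sender falls through to `~all` and gets `softfail`, and a domain with no record at all returns `none`.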
Not Adding DKIM Records
DKIM is the abbreviation for DomainKeys Identified Mail. It provides a mechanism to verify that the email message has come from the domain it claims to come from and that the message hasn't been tampered with along the way.
This is done using a two-way (private key and public key combination) authentication. The public key is usually supplied by the ESP (again, in the form of a TXT DNS entry which can be queried globally), and the ESP uses the private key to encrypt all or part of the email, which can be decrypted on the receiving end by using the public key.
If the decryption fails, the receiver knows that either the domain hasn't allowed this email to be sent or somebody in between has tampered with the email (man-in-the-middle attack).
To check whether your DKIM is valid, you can check the email headers and look for "signed by".
In inbox providers like Google Workspace, there is a simplified description of the header in the original email stating whether the DKIM passed.
DKIM Records in Email Header
You can also look up your DKIM record here.
Not Adding (Or Incorrectly Adding) DMARC
DMARC is a declaration from the sending domain that their owner knows about email authentication and receivers should receive fully authenticated emails (including both SPF and DKIM) originating from them.
It also declares what actions should be done to emails not having the proper authentication. They may include: letting them be or not affecting them, sending them to the spam folder or blocking such emails entirely.
When DMARC is added for any domain, it can be configured so that inbox providers like Gmail, Outlook, Yahoo etc., can send regular email reports as to how many emails were encountered with/without proper email authentication and what actions have been taken.
This can be added directly by domain owners following the steps in https://dmarc.org/overview/. Although the absence of DMARC doesn't currently cause emails to land in Spam folders, most email inbox providers are pushing towards mandating it, since it puts domain owners much more in charge and helps fight email spam globally.
The DMARC entry can be checked in the original email data, and inboxes like Gmail also provide simplified headers for it.
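A small linter for the "incorrectly adding" case, as an added example (not part of the original article or of any SendX tooling): it checks the TXT record published at `_dmarc.<domain>` for common syntax mistakes and maps the policy to the three actions described above. The sample records and addresses are constructed.

```python
POLICY_ACTIONS = {  # the three outcomes a DMARC policy can request
    "none": "deliver unchanged (monitor only)",
    "quarantine": "send to the spam folder",
    "reject": "block the message",
}

# Constructed sample records: one correct, three with typical mistakes.
SAMPLES = [
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com",
    "p=reject; v=DMARC1",                       # version tag is not first
    "v=DMARC1; p=spam; rua=mailto:a@example.com",  # invalid policy value
    "v=DMARC1; p=none; rua=dmarc@example.com",  # report address lacks mailto:
]

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (requested action or None, list of findings) for a DMARC record."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    findings = []
    version_ok = bool(pairs) and pairs[0] == ("v", "DMARC1")
    if not version_ok:
        findings.append("first tag must be exactly v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_ACTIONS:
        findings.append(f"p= must be none, quarantine or reject (got {policy!r})")
    if "sp" in tags and tags["sp"].lower() not in POLICY_ACTIONS:
        findings.append("sp= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append("pct= must be an integer from 0 to 100")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            findings.append(f"rua address {uri!r} lacks the mailto: prefix")
    action = POLICY_ACTIONS.get(policy) if version_ok else None
    return action, findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_dmarc(sample))
```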
Using Via Domain
If your ESP doesn't provide you with authentication/whitelisting details (SPF/DKIM), then it is using its own domains to send your emails. These temporary domains are authenticated by the ESP itself.
This means that not only would your emails go over their servers, but also, your email deliverability would depend on the reputation of these via domains which might be used for their multiple clients with variable email sending habits. This could impact the deliverability and open rates of your campaigns heavily.
You can check the "mailed by" and "via" domains to validate your settings.
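The header checks described in the sections above can be automated by reading the `Authentication-Results` header the receiving server adds (an added example, not from the original article). The message below is constructed, `esp.example` and `shop.example` are placeholder domains, and the alignment test is a simplification of DMARC's relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers: the ESP (esp.example) authenticated the message, but the
# visible From domain (shop.example) did not, which is the "via" situation.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp.example header.s=s1;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bounce@mail.esp.example;
 dmarc=fail (p=NONE) header.from=shop.example
From: Johnny Appleseed <johnny@shop.example>
Subject: Spring sale

Hello
"""

# Which property of each method carries the authenticated domain.
IDENTITY = {"spf": "smtp.mailfrom", "dkim": "header.d", "dmarc": "header.from"}

def domain_of(value):
    """Domain part of an address or bare domain, lowercased."""
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(auth_domain, from_domain):
    """Exact or parent/child match (real relaxed alignment uses the Public Suffix List)."""
    a, f = auth_domain, from_domain
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def check_message(raw):
    """Summarise SPF/DKIM/DMARC results and whether they cover the From domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg["From"])[1])
    header = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    header = re.sub(r"\([^)]*\)", "", header)                         # drop comments
    report = {"from": from_domain, "aligned_by": [], "via": []}
    for clause in header.split(";")[1:]:  # element 0 is the receiver's own id
        fields = dict(f.split("=", 1) for f in clause.split() if "=" in f)
        for method, prop in IDENTITY.items():
            if method not in fields:
                continue
            domain = domain_of(fields.get(prop, ""))
            report[method] = {"result": fields[method], "domain": domain}
            if method != "dmarc" and fields[method] == "pass" and domain:
                key = "aligned_by" if aligned(domain, from_domain) else "via"
                report[key].append(domain if key == "via" else method)
    return report
```

An empty `aligned_by` list with entries in `via` means SPF and DKIM passed only for the ESP's own domains, so the message is riding on the ESP's reputation rather than yours.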
Domain Present in Email Blacklists
Domain blacklists are quite simply a directory of domains that have been involved in suspicious behavior.
A lot of publicly available blacklists (300+) have been created. SPAM filters refer to one or more of these blacklists.
Check if your domain is in any blacklists.
We proactively help our users with getting them delisted from these blacklists. Do reach out to us for more help in this regard.
Domain Age
This one might sound obvious, but in the email world, this is even more important.
It is much easier to spoil your reputation forever when your domain is young.
This is because buying new domains and sending SPAM from them is a typical signature of an email spammer. So, spam filters are extra cautious about you in your early days.
If you have maintained good email behavior for years, it is hard to damage your reputation unless something really tragic (like a phishing attack) happens using your domain.
To Conclude
If you can successfully avoid making the most common mistakes that people make when it comes to email authentication, you can ensure that you maintain a great IP reputation that cannot be damaged easily. It will ensure that your emails reach your audience’s inbox regularly and ultimately get you a better lead conversion rate.
FAQs
1. What is email authentication?
Email authentication means that you (owner of the domain) are giving the required permissions to a 3rd party ESP, to send emails on your domain's behalf. This is quite important for email marketing of businesses that may be subject to stringent rules, like iGaming or Crypto.
2. Why does email authentication fail?
Here are the most common reasons why email authentication fails:
- Not adding SPF records
- Not adding DKIM records
- Not adding, or incorrectly adding, DMARC
- Using a Via domain
- Domain is present in email blacklists
- Domain is too young
3. What is SPF?
SPF (Sender Policy Framework) is an email authentication method to detect forged sender addresses in emails. It is a TXT DNS record entry which allows an IP, a set of IPs, or email servers to send emails for you. All emails not originating from these servers will be considered unauthenticated.
4. What is DKIM?
DKIM (DomainKeys Identified Mail) provides a mechanism to verify that the email message has come from the domain it claims to come from and that the message hasn't been tampered with along the way.