Email Authentication: What It Is and How to Get Started

Email authentication is a must if you send mass emails, Google and Yahoo say. Here’s what you need to know about the new sending requirements – and how to start authenticating your emails to reach the inbox. 

Google and Yahoo are about to push their biggest update in years on February 1, 2024. All of a sudden, mass email senders are facing a question: what is email authentication, and how do I do it?

As 2023 rolled into 2024, email authentication became the most trending topic in email marketing. It went from being something a few of the hardcore email geeks discussed, to the subject of countless articles, podcasts, and webinars. 

As true email geeks ourselves, we recently hosted a webinar on email authentication, too. It was our most attended webinar to date, with more than 800 people joining from Cancun, Mexico to the United Kingdom. (Thank you all!)

However, we know some of you weren’t able to make it. Or maybe you’re more of a reader? Either way, you’ve come to the right place. 

We’ve got the entire video right here, or you can read the most important details below. 

Brian Minick, Chief Operating Officer of ZeroBounce, was the host.

Brian talked about the rules and everything you need to know to stay in Google and Yahoo’s good graces and get your emails to the inbox. 

What is email authentication?

Before we get into Brian’s tips, let’s see what email authentication is and how it helps your email deliverability.

Email authentication is a set of protocols verifying that an email sent from your domain is legitimate. Email authentication tools protect your domain from spoofing and fraud and also tell email service providers – like Google and Yahoo – whether an email was sent by you or someone faking your domain. 

Now, let’s see what Brian Minick said about the new rules for Google and Yahoo and the benefits of email authentication. 

Google and Yahoo agreed on enforcing email authentication

Today we are going to talk about claiming the inbox with email security and how we’re going to get ahead of the Google and Yahoo anti-spam rules. 

So what’s interesting here – and I don’t hear it talked about a lot – is that Google and Yahoo got together and agreed on something. They agreed on a policy implementation and on how they’re going to do it. 

I’m excited to share with you what updates are required and how to handle them because they’re going to be important. 

Email authentication is now a must

On February 1st, 2024, Google and Yahoo are making changes that are going to impact every single company that sends email worldwide. 

So what do you need to do? Brian answers this question below.

What are the three big changes from Google and Yahoo?

Here are the new sending requirements for Google and Yahoo:

  • Mass senders must use email authentication. However, all senders would benefit from authenticating their emails. 
  • A one-click unsubscribe is necessary. Your email service provider (ESP) should handle this.
  • You must have a low spam complaint rate of 0.3% or lower. However, 0.1% is ideal. That means that you shouldn’t have more than one spam complaint for every thousand emails you send.

Who will need to follow these rules? 

Any organization or person sending 5,000 emails a day to Google and Yahoo users. 

However, keep in mind that anyone who sends emails will likely run into problems if they don’t follow these rules. 

Suppose you have different departments – like marketing and sales along with people working behind the scenes – that are all sending emails. The email volume could fluctuate and push you over the threshold.

What happens if you don’t address email authentication?

If you aren’t in compliance, the following will happen:

  • Your emails will be marked as spam and land in the spam folder.
  • Google and Yahoo may reject your emails completely.
  • Your email deliverability will deteriorate.

We all know the importance of email to businesses, and being in the inbox is key. This is the entire mission of ZeroBounce. Making sure you’re in the inbox is of the utmost importance. Without hitting the inbox, you are not going to get the results you’re hoping for.

So what is email authentication?

Email authentication is a way to certify that the emails being sent from your domain are legitimate. Emails must pass one or more checks to be compliant and delivered.  

Email authentication is something everybody should already be doing.

Why do Google and Yahoo require email authentication?

I have personally seen that the amount of spoofing, phishing, and spam taking place on domains is becoming bigger and bigger. Attackers are finding loopholes. 

Email authentication stops these types of attackers from using your domain. 

To be authenticated, you must meet a few qualifications. Let’s delve into the three of them.

Sender Policy Framework (SPF)

SPF establishes the domain or IP address you send emails from. This is a record that would go onto your DNS and list the domains or IP addresses that you send mail from. 

Generally speaking, when you sign up for a service like MailChimp or Constant Contact, it provides you something upon setup called SPF records. You or someone who manages your domain must add the SPF record to your DNS.

The SPF can be a little tricky if you’re using multiple platforms. 

Suppose you use Constant Contact for your main newsletter and Klaviyo for automation, like for people that are shopping on your Shopify store. Both of those tools would provide you with an SPF record. 

Where people might make mistakes is if they add them separately. They need to be combined into one SPF record, and the syntax for doing that is very important. There are so many components that it’s very easy to make mistakes. 
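The combining step described above, as an added example that is not ZeroBounce code: it shows why two separately published SPF records fail and how to fold them into one. The provider hostnames, the sample records and the `~all` ending are constructed assumptions; use the values your own providers give you.

```python
# Added example, not ZeroBounce code. Hostnames and records are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ESP_A = "v=spf1 include:spf.newsletter-esp.example ~all"                  # constructed
ESP_B = "v=spf1 include:spf.automation-esp.example ip4:192.0.2.10 ~all"  # constructed

def is_spf(txt):
    return txt.lower().split()[:1] == ["v=spf1"]

def txt_set_status(txt_values):
    """What a receiver sees for the TXT records at one name. More than one
    SPF record is a permanent error (RFC 7208), so SPF fails for every sender."""
    count = sum(is_spf(t) for t in txt_values)
    return "none" if count == 0 else "ok" if count == 1 else "permerror"

def costs_lookup(term):
    """True for terms that make the receiver perform a DNS query."""
    name = term.lstrip("+-~?").lower()
    for sep in ":/=":
        name = name.split(sep, 1)[0]
    return name in LOOKUP_TERMS

def merge_spf(records, final="~all"):
    """Combine several providers' SPF records into a single record."""
    terms = []
    for rec in records:
        if not is_spf(rec):
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in rec.split()[1:]:
            low = term.lower()
            if low.lstrip("+-~?") == "all":
                continue  # keep exactly one 'all', appended last
            if low.startswith("redirect="):
                raise ValueError("redirect= must be merged by hand")
            if low not in [t.lower() for t in terms]:
                terms.append(term)
    lookups = sum(costs_lookup(t) for t in terms)
    if lookups > 10:  # nested includes count too; only the top level is checked here
        raise ValueError(f"{lookups} DNS-lookup terms, the limit is 10")
    return " ".join(["v=spf1", *terms, final])

if __name__ == "__main__":
    print(txt_set_status([ESP_A, ESP_B]))   # both published separately
    print(merge_spf([ESP_A, ESP_B]))        # the single record to publish
```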

Try the ZeroBounce SPF generator

DomainKeys Identified Mail (DKIM) 

DomainKeys Identified Mail (DKIM) is a signature that goes out on the emails you send out, in the headers. Your domain has a public key that would be added to your DNS. DNS basically tells the world how to react and what to do with your domain. 

Your public key is given to you by any of your major providers. 

But, what good is a public key if everyone can access it?

Every time you send mail on that platform, your ESP has a private key. That is being added to the email that’s being sent, in the headers, where no one looks. When your email is delivered, the public key and the private key must align.

There is no way to get around this if you don’t have access to the domain. These two pieces play a unique role:

  • SPF says “here’s the domains and IPs I send from”  
  • DKIM says “here it is in the message.”

These two things are powerful and you should have them set up already. 

Email authentication is easier with ZeroBounce’s DMARC monitoring tool – see how it works.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Then, there’s one more piece to this – and that’s DMARC. It’s the overarching policy to how receiving mail servers react if SPF is not there or if DKIM is failing. So if DKIM or SPF fail, DMARC determines what to do. That is taking place at the end user and is not something you have control over. 

DMARC is basically what pulls the levers and the switches. It’s an email security tool. Because spam is getting out of control, it attempts to reduce the amount of spam, phishing or spoofing. 

DMARC is simple to set up. You have to choose one of three options:

  • Monitor 
  • Quarantine
  • Reject
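How a receiving server turns those three options into an action, as an added example that is not ZeroBounce code. In the record itself the options are written `p=none` (monitor), `p=quarantine` and `p=reject`. The domains and the record are constructed, the organizational domain is passed in by hand (real receivers derive it from the Public Suffix List), and tags such as `pct` and `sp` are ignored.

```python
# Added example, not ZeroBounce code: a simplified receiver-side DMARC decision.
ACTIONS = {"none": "deliver and report", "quarantine": "spam folder", "reject": "reject"}

def parse_dmarc(txt):
    """Parse the TXT value published at _dmarc.<domain> into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"tag without '=': {part!r}")
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ACTIONS:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def aligned(auth_domain, from_domain, org_domain):
    """Relaxed alignment: both names sit under the same organizational domain."""
    def under(name):
        name = name.lower().rstrip(".")
        return name == org_domain or name.endswith("." + org_domain)
    return under(auth_domain) and under(from_domain)

def dmarc_decision(record, from_domain, org_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the envelope-sender domain SPF
    checked, and the d= domain of the DKIM signature."""
    policy = parse_dmarc(record)["p"]
    passed = any(result == "pass" and aligned(domain, from_domain, org_domain)
                 for result, domain in (spf, dkim))
    return ("pass", "deliver") if passed else ("fail", ACTIONS[policy])

MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"   # constructed
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed
ESP_SPF = ("pass", "bounces.esp.example")   # SPF passes, but for the ESP's own domain

if __name__ == "__main__":
    # DKIM signed with d=example.com aligns, so DMARC passes.
    print(dmarc_decision(MONITOR, "example.com", "example.com", ESP_SPF, ("pass", "example.com")))
    # Both checks pass for the ESP's domain only: nothing aligns, the policy decides.
    print(dmarc_decision(MONITOR, "example.com", "example.com", ESP_SPF, ("pass", "esp.example")))
    print(dmarc_decision(REJECT, "example.com", "example.com", ESP_SPF, ("pass", "esp.example")))
```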

How do I get started with DMARC email authentication? 

It’s simple. 

  1. Consult your ESP regarding SPF and DKIM. You may have received information when you registered your domain.
  2. Feel free to use ZeroBounce’s free generators for SPF, DKIM, and DMARC.
  3. Monitor your email domain with a DMARC policy. You are required to monitor DMARC by February 1, 2024.

DMARC monitoring is a very simple configuration and monitors every single email that’s being sent from your domain. DMARC tells you whether you sent it or a spoofer did. 

See how the ZeroBounce DMARC Monitor works

You may be saying “oh, it’s just me and someone else, so I don’t have to monitor.” You do – especially as we bring in contractors and tools. Everyone needs to set up monitoring and understand what’s happening with the emails going out of your domain. If you have suspicious activity, a good DMARC monitor will highlight these issues.

ZeroBounce DMARC Monitor in action

I’m going to show you how to set up a new DMARC on a domain. Log in to the ZeroBounce platform.

  1. Go to “Tools.”
  2. Select “DMARC Monitor” at the top. You’ll be able to view the current monitors.
  3. If you want to add a new domain, click “Add Domain.”
  4. You must have ownership of the domain to add it.
  5. You will be presented with a DNS record that you’ll need to add to your domain.
  6. All you need to do is go to your domain, create a new text record and add this as the host name.
  7. Copy the “value” and paste it.
  8. Save the record and select “verify DMARC.”

Once your domain is set up, you’ll be able to see the domain appearing in the dashboard of the DMARC Monitor tab.

Clicking on the domain will allow you to see insights. You should see how many emails are being reported as well as the percent of DMARC Compliance. You should have a green checkmark for both SPF and DKIM.

Also, you’ll be able to access who has been sending emails, how many, from what countries and IP addresses. 

How DMARC monitoring helps you

DMARC monitoring allows you to understand what’s happening with your domain and take action if something goes wrong. As you get further into it, you can look to get more aggressive and go past monitoring. However, don’t start with quarantine as you’re going to run into issues.

For minimum compliance with Google and Yahoo, set up DMARC and monitoring on your domain now. If SPF or DKIM are failing, you’re still compliant with email authentication. 

If you want to make sure you’re compliant, create a new domain on zerobounce.net under DMARC, add it to your DNS, click Verify and you can take a deep breath. You can do it in about 15 minutes or less if you’re quick. 

Monitor for a month or a minimum of two weeks, touch all the platforms that you send mail from and see what’s going on. Then you can take actions like quarantine or reject. 

If you have an issue, you can clearly see it on your monitor. Reach out to your email service provider and say, “Hey, can you confirm my SPF and DKIM records so that I can fix this? It’s not aligning.” They know exactly what to do; they do this every day and can help you and make sure you’re in a good place. 

I recommend you do this today – or at least by February 1st. Google suggested that if you do it early, it’s going to give you a little deliverability boost.

Implement one-click unsubscribe

The one-click unsubscribe is not something you should have to deal with too much. Your email service provider should make this easy for you, so reach out to them to make sure everything is set up properly.  

Monitor your spam complaint rate

Having a low spam complaint rate is also a must, according to Google and Yahoo. For anyone who’s not aware, ZeroBounce is excellent for monitoring your spam complaint rate. Our platform gets data feeds of known people who mark emails as spam 10 or more times. 

If you have never emailed them before and they’re not expecting your email, you do not want to email people that we identify as known complainers or abuse emails, as some call them. Make sure you’re keeping that number very low so you don’t develop delivery issues.  

Bonus tip: Did you know that 78% of people report an email as spam just because “it looks like spam”? To avoid spam complaints, keep your emails on-brand and remember to validate your email list regularly and remove abuse contacts.

When you monitor your spam complaint rate, you will know for certain that you won’t get delivery issues and will secure priority inbox placement. 

You can imagine the number of people who are not going to do this by February 1. Those people will find their inbox placement will drop. You, on the other hand, will enjoy an email deliverability boost that they won’t. Keeping spam reports at bay allows you to get your emails into the inbox and make sales from your campaigns.