Email authentication is very important to ensure that your emails reach recipients’ inboxes. Especially when it comes to transactional email, there’s no room for error. The main authentication methods are SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance).
Here are the main elements to look for in email headers to verify these configurations and get details on how they work.
1. SPF Header (Sender Policy Framework)
Received-SPF
header indicates the result of the SPF check performed by the receiving server, and the Authentication-Results
header indicates the result of the SPF check.
Example of SPF header
Received-SPF: pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) client-ip=192.0.2.1;
- pass : SPF check successful.
- client-ip=192.0.2.1 : The IP address of the sending server.
- domain of sender@example.com designates 192.0.2.1 as permitted sender : The sender’s domain has authorized the IP address of the sending server.
2. DKIM Header (DomainKeys Identified Mail)
The DKIM-Signature
header contains the email’s DKIM signature, and the Authentication-Results
header indicates the result of the DKIM verification.
Example of DKIM-Signature header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
h=from:to:subject:date:message-id:mime-version:content-type;
bh=5W5ab6rUnkSdF8Lp2Lp2xJjZ1xTzFxx4xPa1r1QJ5Rs=;
b=GkzY7Z6r8D5dzxLZ+j5YFExGp5D6pzzvY72Gp5QzFz0LzpGd7z6zL3FzqGp2F5G5zFzQzzG5GpF==;
- d=example.com : The domain that signed the email.
- s=selector1 : The selector used to find the DKIM public key in DNS.
- bh=5W5ab6rUnkSdF8Lp2Lp2xJjZ1xTzFxx4xPa1r1QJ5Rs= : The hash of the email body.
- b=GkzY7Z6r8D5dzxLZ+j5YFExGp5D6pzzvY72Gp5QzFz0LzpGd7z6zL3FzqGp2F5G5zFzQzzG5GpF== : DKIM signature.
3. DMARC Header (Domain-based Message Authentication, Reporting & Conformance)
The Authentication-Results
header indicates the result of the DMARC verification.
Example of Authentication-Results header for DMARC
Authentication-Results: mx.google.com;
dmarc=pass (p=NONE) header.from=example.com
- dmarc=pass : The DMARC check was successful.
- p=NONE : DMARC policy applied (in this case, no specific action is defined).
- header.from=example.com : Sender’s domain verified by DMARC.
4. Detailed Explanation of the Authentication-Results Header
In addition to the SPF and DKIM specific headers, the Authentication-Results
header provides an overview of the email authentication results.
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=sender@example.com;
dkim=pass header.i=@example.com header.s=selector1 header.b=Gw+yUxcC;
dmarc=pass (p=NONE) header.from=example.com
4.1. SPF (Sender Policy Framework) Line
spf=pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=sender@example.com;
Explanation
- spf=pass : Result of the SPF check.
- pass : The SPF check succeeded.
- fail : The SPF check failed.
- neutral : The receiving server could not determine authorization.
- softfail : The SPF check partially failed.
- permerror : A permanent error occurred during the SPF check.
- temperror : A temporary error occurred during the SPF check.
- (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) :
- google.com : Receiving server that performed the SPF check.
- domain of sender@example.com : Domain of the sender used in the SMTP envelope.
- designates 192.0.2.1 as permitted sender : The domain authorizes the IP address 192.0.2.1 to send emails.
- smtp.mailfrom=sender@example.com : Email address used in the SMTP envelope.
4.2. DKIM (DomainKeys Identified Mail) Line
dkim=pass header.i=@example.com header.s=selector1 header.b=Gw+yUxcC;
Explanation
- dkim=pass : Result of the DKIM check.
- pass : The DKIM check succeeded.
- fail : The DKIM check failed.
- neutral : The DKIM check result is inconclusive.
- permerror : A permanent error occurred during the DKIM check.
- temperror : A temporary error occurred during the DKIM check.
- header.i=@example.com : Domain of the sender that signed the email.
- header.i : Identity of the sender.
- @example.com : Domain that signed the email.
- header.s=selector1 : DKIM selector used to find the public key.
- header.s : DKIM selector.
- selector1 : Specific selector used.
- header.b=Gw+yUxcC : Value of the DKIM signature.
- header.b : Signature value.
- Gw+yUxcC : Specific DKIM signature.
4.3. DMARC (Domain-based Message Authentication, Reporting & Conformance) Line
dmarc=pass (p=NONE) header.from=example.com
Explanation
- dmarc=pass : Result of the DMARC check.
- pass : The DMARC check succeeded.
- fail : The DMARC check failed.
- permerror : A permanent error occurred during the DMARC check.
- temperror : A temporary error occurred during the DMARC check.
- (p=NONE) : DMARC policy applied.
- p=NONE : No specific action defined (only monitoring).
- p=QUARANTINE : Non-compliant emails are quarantined.
- p=REJECT : Non-compliant emails are rejected.
- header.from=example.com : Domain of the sender verified by DMARC.
- header.from : Sender’s domain.
- example.com : Domain used in the
From
field.
The Authentication-Results
header provides an overview of the results of SPF, DKIM, and DMARC checks. Each line gives details on the verification status, the identity and domain of the sender, and the policies applied. By analyzing these headers, you can verify that your email authentication configuration is correct and identify potential issues to address.
Conclusion
To check that email authentication (SPF, DKIM, DMARC) is correct, examine the Received-SPF
, DKIM-Signature
, and Authentication-Results
headers. Make sure the results indicate pass for SPF, DKIM and DMARC.
You can also use online tools such as DKIMValidator, Mail-tester, About My Email and the excellent LearnDMARC to test and analyze your emails in detail.
If you’d like to find out more about deliverability, read our deliverability guide or read about the different possible statuses of an e-mail.