How to Test if your Emails are Authenticated
Fully authenticating your emails as described in this guide improves deliverability, i.e. it helps your emails avoid spam filters and bounces. The video comes with a step-by-step guide that you may download by signing up for our mailing list.
Ensuring Email Authentication with Google and Yahoo
Video Walkthrough
Introduction
Google and Yahoo will enforce stricter requirements to authenticate emails starting Feb 1, 2024. This applies to all emails across email sources. In this video, you'll learn:
1. The level of authentication that your emails require depending on the volume of emails that you send
2. How to test and understand if your emails are properly authenticated
3. How to properly set up SPF, DKIM and DMARC authentication for each email source
4. What further steps to take to fill gaps and resolve errors
5. Best practices to avoid domain errors and unnecessary steps
Timestamped Overview
0:01 Announcement of stricter email authentication requirements by Google and Yahoo.
0:12 Importance of meeting these requirements to avoid delivery issues.
0:31 Common issues and confusion with setup instructions.
0:49 How to test if your emails are properly authenticated.
01:16 Overview of the types of email sources.
03:03 Definition of a bulk sender and its implications.
04:38 Importance of email authentication to prevent impersonation and malicious messages.
05:18 Steps to test email authentication for marketing emails.
15:00 Troubleshooting and setting up email authentication records (SPF, DKIM, DMARC).
26:06 Summary and final steps for ensuring email authentication for transactional emails.
Resources
The Importance of Email Sender Authentication
Google and Yahoo recently announced that they will be enforcing stricter requirements for email sender authentication. These changes mean that if emails aren’t authenticated properly, they may either fail to deliver or be marked as spam.
By now, you’ve probably seen a few reminders asking you to set this up. If you’re using different technologies to send your emails, those reminders can sometimes be confusing or conflicting.
This guide will help you take the necessary actions, whether you haven’t done anything yet, or you've already made changes but want to ensure they were set up correctly. Let’s dive in.
Email Sources and Proper Authentication
The overarching requirement for any email sender is to ensure emails across all sources are properly authenticated.
What Are Email Sources?
Our emails come from a variety of sources, primarily categorized into three main types:
Direct Emails: Sent via platforms like Google Workspace, Microsoft, or Yahoo Mail.
Marketing Emails: These are sent via email service providers (ESPs) such as ConvertKit, Flodesk, MailChimp, and ActiveCampaign, to name a few.
Transactional Emails: Typically sent from website hosts, CRMs, or payment gateways like Shopify, Dubsado, or Honeybook.
These email sources are crucial as they represent the different ways we communicate with our audience and clients.
What Does Proper Authentication Mean?
There’s a misconception that email sender authentication is only for bulk email senders. In reality, all emails should be authenticated. However, for bulk senders (those who send close to 5,000 emails within 24 hours), the authentication requirements are much stricter.
It’s important to note that once classified as a bulk sender, that status is permanent. Even if you reduce the number of emails sent per day, your classification will not change. For non-bulk senders, full email authentication is still highly recommended to ensure emails reach inboxes instead of spam folders.
Preparing for Stricter Requirements
Experts foresee that Google and Yahoo will soon expand these requirements to include non-bulk senders, so it’s crucial to be proactive and get your email sender authentication in place. For bulk senders, this is mandatory, and based on the recent announcements, enforcement will be strict.
Why Authentication Matters
Authentication records are essential not just to prevent malicious messages from reaching recipients, but also to protect businesses from being impersonated. A key record to consider is DMARC, which helps monitor whether your brand is being impersonated through email.
How to Test and Ensure Proper Authentication
Before diving into implementation, it’s crucial to understand your current authentication status and fill any gaps where needed.
Step 1: Testing Marketing Emails
Since a large portion of emails sent are for marketing, it’s essential to test your marketing emails first.
Log in to your ESP (e.g., ConvertKit, Flodesk).
Send a test email to a personal Gmail account.
Check if the email is sent from a branded domain (e.g., hello@yourdomain.com) or a shared domain (e.g., via convertkit.com). Emails should be sent via your branded domain to comply with authentication requirements.
Shared domains won’t pass DMARC authentication, so if your test fails, you’ll need to troubleshoot by verifying your custom domain with your ESP.
Step 2: Check SPF, DKIM, and DMARC Records
Once you receive your test email, follow these steps:
Click the ellipsis icon in Gmail and select Show Original to view the email header.
Check for the three required authentication records: SPF, DKIM, and DMARC. All should have a value of “pass.”
If any of these records fail, it’s time to address the issue:
SPF Record: Ensures your email is sent from authorized servers.
DKIM Record: Confirms that the email has not been tampered with.
DMARC Record: Ensures the SPF and DKIM records align with the domain used in the “From” address.
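The same check done on the raw text from Show Original, as an added example that is not part of the original guide: it reads the Authentication-Results header, reports the SPF, DKIM and DMARC results, and tests whether the passing domains match the From domain. The sample message, the domain names and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def sample(signing_domain, dmarc):
    # Constructed message in the shape Gmail's "Show Original" displays.
    return (
        "Authentication-Results: mx.google.com;\n"
        f"       dkim=pass header.i=@{signing_domain} header.s=k1;\n"
        f"       spf=pass (google.com: domain of bounce@mail.{signing_domain}"
        " designates 192.0.2.10 as permitted sender)"
        f" smtp.mailfrom=bounce@mail.{signing_domain};\n"
        f"       dmarc={dmarc} (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com\n"
        "From: Hello <hello@yourdomain.com>\n"
        "Subject: Test\n\nTest body\n"
    )

def org_domain(domain):
    # Simplification: last two labels; real checks need the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def check_authentication(raw):
    msg = message_from_string(raw)
    # Unfold the header and join multiple Authentication-Results headers.
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    from_org = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    report = {}
    for method in ("spf", "dkim", "dmarc"):
        found = re.search(rf"\b{method}=(\w+)", results)
        report[method] = found.group(1).lower() if found else "missing"
    # Domains that passed: envelope sender for SPF, signing domain for DKIM.
    spf = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", results)
    dkim = re.findall(r"\bdkim=pass\b[^;]*?header\.(?:d=|i=[^@\s;]*@)([\w.-]+)", results)
    report["spf_aligned"] = bool(spf) and org_domain(spf.group(1)) == from_org
    report["dkim_aligned"] = any(org_domain(d) == from_org for d in dkim)
    # DMARC needs at least one passing mechanism aligned with the From domain.
    report["branded"] = report["spf_aligned"] or report["dkim_aligned"]
    return report
```

With a shared ESP domain, SPF and DKIM can both show "pass" while `branded` is false, which is the case where DMARC fails.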
Verifying and Fixing Issues with Email Authentication
Ensuring your emails are properly authenticated is critical to protecting your domain reputation and improving deliverability. If you’ve failed any of the sender authentication tests, don’t worry—we’re going to dive into the troubleshooting process step by step. Let’s break it down.
Verifying Your Custom Domain
If you failed the branded sending domain test, the first step is to review the documentation provided by your email service provider (ESP) on how to verify your custom domain. I've linked resources on how to accomplish this for popular ESPs. Just make sure you have access to your DNS records via your domain host—not your website host. This is crucial.
In the case of Flodesk, you first need to define the sending address. Make sure it's a custom domain, not something like a Gmail or Yahoo address.
Once you've nominated the sender email, the next step is to verify your domain. This is key for sending marketing emails from a branded sending domain.
Editing DNS Records for Different ESPs
Depending on your ESP, the process might look different, but the general approach is the same: edit the DNS records via your domain host. For Flodesk, you can either verify your domain automatically or manually. I prefer to verify it manually because it gives me more control over the DNS records.
If you're not confident in editing these records, reach out to your domain host or consult an expert.
When doing it manually, you will be asked to add DNS records like CNAME for DKIM and SPF, and TXT (text) for DMARC. Pay close attention to the record type to avoid any errors. Be careful with DMARC records: there should be no duplicate entries.
Adding CNAME and Text Records
When adding CNAME records, start with DKIM. ESPs often append your domain automatically, so you should only copy the part without the domain. After saving the CNAME record, proceed with the SPF record. If your ESP uses a text record instead of CNAME for SPF, make sure you don’t add duplicate records.
DMARC Records and Avoiding Duplicates
Before adding any text records like DMARC, it's important to check for any existing records. I recommend using a tool like Dmarcian Domain Checker, which I’ve linked below, to verify whether you already have a DMARC or SPF record in place. If you find duplicates, you’ll need to clean those up before proceeding. The DMARC record should follow the format p=none, which is a basic level of monitoring and authentication.
If you're ready to step up your authentication game, you can modify this DMARC setting for stricter security. Some documentation might recommend adding an email to receive DMARC reports, but until you're ready for more advanced monitoring, a p=none setting is sufficient.
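The duplicate check described above, as an added example that is not part of the original guide: given the TXT values copied from a domain host, it flags more than one SPF or DMARC record, proposes a single merged SPF record, and reads the DMARC policy. The record values, the ESP include name and the function names are constructed for illustration.

```python
def parse_tags(record):
    # "v=DMARC1; p=none" -> {"v": "DMARC1", "p": "none"}
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def merge_spf(records):
    # Fold duplicate SPF records into one, keeping each mechanism once.
    mechanisms, all_term = [], None
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_term = all_term or term  # assumption: first "all" term wins
            elif term not in mechanisms:
                mechanisms.append(term)
    return " ".join(["v=spf1", *mechanisms, *([all_term] if all_term else [])])

def audit(root_txt, dmarc_txt):
    # root_txt: TXT values at yourdomain.com; dmarc_txt: values at _dmarc.yourdomain.com
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    dmarc = [r for r in dmarc_txt if parse_tags(r).get("v") == "DMARC1"]
    findings = []
    if len(spf) > 1:
        findings.append("duplicate SPF: merge into " + merge_spf(spf))
    elif not spf:
        findings.append("no SPF record")
    if len(dmarc) > 1:
        findings.append("duplicate DMARC: keep exactly one record")
    elif not dmarc:
        findings.append("no DMARC record")
    policy = parse_tags(dmarc[0]).get("p", "").lower() if len(dmarc) == 1 else None
    if policy is not None and policy not in ("none", "quarantine", "reject"):
        findings.append("invalid DMARC policy: " + repr(policy))
    return {"policy": policy, "findings": findings}

# Constructed records: one SPF record per email source, each added separately.
ROOT_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.esp.example ~all",
    "site-verification=constructed-token",
]
DMARC_TXT = ["v=DMARC1; p=none"]
```

Calling `audit(ROOT_TXT, DMARC_TXT)` reports the duplicate SPF records along with the merged replacement; a merged SPF record is still subject to SPF's limit of 10 DNS lookups.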
Waiting for Domain Verification
Once you've added all the necessary records, the system might take 48 to 72 hours to verify your domain. Once verified, you can test your email again to ensure you pass all the sender authentication checks.
Different ESPs handle this process differently. For example, services like ConvertKit or Flodesk will follow a similar process of adding CNAME and text records. If you’ve set up your branded sending domain before 2024, you may not have a DMARC record, as it was implemented more recently.
Ensuring Full Authentication for Better Deliverability
Once fully authenticated, your deliverability will improve because it’s now based on your domain’s reputation, not a shared domain. Shared domains affect deliverability negatively because all users share the same IP. DMARC is particularly important here because it ensures that the domains in your DKIM and SPF records align with the domain in the email's From field.
Warming Up Your Domain
When switching to a branded domain, it's crucial to gradually increase the sending volume to build a positive sender reputation. This process, known as warming up your domain, involves sending emails to your most engaged segment first, then slowly ramping up volume over a period of two to four weeks.
Authenticating Direct Emails
Once your marketing emails are authenticated, you can move on to direct email authentication. I used Flodesk to send an email to my personal Gmail account, and then checked the headers for SPF, DKIM, and DMARC—these should all pass. If your setup isn’t quite there yet, don’t worry—many systems return a neutral SPF result, which is a soft fail. You can address this by setting up SPF and DKIM specific to your email provider.
Troubleshooting Direct Email Authentication
To authenticate your direct emails, you’ll need to check your existing DNS records, especially for SPF and DKIM. Tools like Dmarcian help ensure you don’t have duplicate records. If you already have a DMARC record for marketing emails, you’re in good shape—but double-check the setup to avoid any issues.
Having Multiple DKIM Records for Different Providers
Yes, you can have multiple DKIM records. I’ve linked a guide to help you turn on DKIM authentication in Google Workspace. After generating the DKIM record, add it to your domain’s DNS settings. This record may take up to 48 hours to authenticate.
Testing After Setup
Once you’ve followed these steps, repeat the test to ensure that SPF, DKIM, and DMARC all pass. Authentication is critical for protecting your email sender reputation and improving deliverability.
Authenticating Transactional Emails
Transactional emails are another area to check. These emails can come from different services like your CRM, website host, or payment gateways. If these emails use your domain in the from address, you’ll need to authenticate them by setting up SPF, DKIM, and DMARC. For services like Shopify, follow similar DNS record steps to authenticate your domain.
Closing Thoughts
Setting up email sender authentication is crucial not only for complying with Google and Yahoo’s new requirements but also for ensuring that your emails are secure and land in the inbox, not the spam folder. Make sure to check your marketing, direct, and transactional emails, verify your domain, and monitor your email deliverability.
While I can't provide personalized support through comments, I offer high-touch support in my programs for designers or recommend experts to help you with this process.
Let’s get those emails authenticated!