Email Authentication Guide

Proper email authentication prevents spoofing, improves deliverability, and builds trust with receiving mail servers. This guide walks through each layer of email security in order.

Start with SPF

SPF is the foundation. Add a single TXT record at your domain root listing every server authorised to send email on your behalf. Use include: mechanisms for third-party providers (Google Workspace, Mailchimp, SendGrid, etc.). End with -all so that receivers reject mail from unauthorised senders.

Check your SPF configuration at https://mxfend.com/spf-checker/

Add DKIM

DKIM adds a cryptographic signature to your outgoing emails. Your email provider generates a private/public key pair. You publish the public key as a TXT record in DNS at <selector>._domainkey.<yourdomain>.

DKIM survives email forwarding and is required for DMARC enforcement to be fully effective. Check your DKIM record at https://mxfend.com/dkim-checker/

Enforce DMARC

Once SPF and DKIM are in place, add a DMARC record at _dmarc.<yourdomain>. Start with p=none and an rua= reporting address to collect aggregate reports without affecting delivery. Review the reports to identify every sending source. Move to p=quarantine, then p=reject once you are confident all legitimate mail passes authentication.

Check your DMARC policy at https://mxfend.com/dmarc-checker/
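As an added example (not part of this guide or of MXFend's tooling), the following Python performs offline sanity checks on the SPF and DMARC TXT records the two steps above ask you to publish: the SPF record must end in -all and stay within the 10-lookup limit, and the DMARC record needs an rua= address to receive aggregate reports plus an enforcing policy before the rollout is complete, which is also the prerequisite BIMI requires later. The sample records are constructed, not fetched from DNS.

```python
import re
# Constructed sample records (not live DNS lookups); substitute your own.
SPF_STRICT = "v=spf1 include:_spf.google.com include:servers.mcsv.net -all"
SPF_SOFT = "v=spf1 include:_spf.google.com ~all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def check_spf(record):
    """Return findings for an SPF TXT record (an empty list means it looks good)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    all_term = next((t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None:
        findings.append("missing 'all' mechanism; unauthorised senders are not rejected")
    elif all_term != "-all":
        findings.append(f"ends with {all_term}; guide recommends -all")
    # Mechanism/modifier names without qualifier; RFC 7208 allows at most 10 lookup terms.
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
    lookups = sum(n in {"include", "a", "mx", "ptr", "exists", "redirect"} for n in names)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the RFC 7208 limit of 10")
    return findings

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and TLS-RPT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return findings for a DMARC TXT record (an empty list means it looks good)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address; aggregate reports will not be delivered")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} is not enforcing; move to quarantine, then reject, once reports are clean")
    return findings

def dmarc_enforcing(record):
    """True when p= is quarantine or reject, the enforcement level BIMI requires."""
    return parse_tags(record).get("p") in ("quarantine", "reject")
```

Feed check_spf() and check_dmarc() the TXT strings you retrieve from DNS; each finding corresponds to one of the checks the guide lists.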

Check your MX records

MX records tell other mail servers where to deliver email for your domain. Missing or misconfigured MX records mean you cannot receive email. Verify your MX records point to your mail provider and resolve correctly.

Check your MX records at https://mxfend.com/mx-checker/

Monitor blacklist status

IP addresses used to send email can end up on DNS blacklists — through spam complaints, compromised accounts, or misconfiguration. Check your mail server IP regularly against major DNSBL providers including Spamhaus ZEN, Spamcop, and Barracuda.

Check your IP blacklist status at https://mxfend.com/blacklist-checker/

Secure mail transport with SMTP TLS and MTA-STS

SMTP TLS (STARTTLS) encrypts email in transit between servers. Verify that your mail server supports and advertises STARTTLS, and that the TLS certificate is valid and not expired.

MTA-STS goes further: it publishes a policy requiring sending servers to use TLS, preventing STARTTLS downgrade attacks. Check both at https://mxfend.com/smtp-tls-checker/ and https://mxfend.com/mta-sts-checker/

Add TLS reporting

TLS-RPT gives you visibility into TLS failures when other servers try to connect to yours. Publish a _smtp._tls.<yourdomain> TXT record with an rua= address to receive JSON reports of connection failures and policy violations.

Check your TLS-RPT record at https://mxfend.com/tls-rpt-checker/

Add BIMI for brand trust

BIMI (Brand Indicators for Message Identification) allows your verified logo to appear next to your emails in Gmail, Apple Mail, and other supported clients. BIMI requires DMARC with p=quarantine or p=reject, a valid SVG Tiny PS logo, and a Verified Mark Certificate for major mail providers.

Check your BIMI configuration at https://mxfend.com/bimi-checker/

Run a full email security score

Once you have implemented the above steps, run MXFend's Email Security Score for a comprehensive weighted report covering SPF, DMARC, MX, blacklists, SMTP TLS, BIMI, MTA-STS, and TLS-RPT.

Get your score at https://mxfend.com/email-security-score/

Frequently asked questions

What should I configure first?

Start with SPF and DKIM, then add DMARC monitoring with p=none.

When should I move DMARC to reject?

Move to reject only after reports show that legitimate senders pass SPF or DKIM alignment.

Do I need MTA-STS and TLS-RPT?

They are not required for basic deliverability, but they improve transport security and visibility into TLS failures.

What is the fastest way to audit my setup?

Run the MXFend Email Security Score to check SPF, DMARC, MX, blacklists, SMTP TLS, BIMI, MTA-STS, and TLS-RPT in one report.