Understanding email authentication

You will learn

Learn about the email authentication protocols that are used to prevent email fraud and their benefits. 

About email authentication

“Email authentication” refers to the technical standards that allow for the verification of an email sender's identity. The most commonly used email authentication standards are SPF, DKIM, and DMARC. Mail servers use these authentication protocols to verify that incoming emails are from legitimate senders, protecting your brand and your customers from malicious actors. In addition to preventing phishing and spoofing attempts, implementing these protocols can help improve deliverability, as mailbox providers will be able to confirm the identity of the sender. 

When sending with Klaviyo, you do not need to add your own SPF and DKIM records. If you are sending on Klaviyo’s shared sending domain, the necessary records have already been set. On a dedicated sending domain, the Klaviyo CNAME records added during setup enable DKIM and SPF authentication.

SPF

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF allows the receiving mail server to verify that emails coming from a specific domain were sent through an IP address authorized by that domain's administrators.

When an email arrives from an IP address that the domain's SPF record does not authorize, the receiving mail server may reject it or divert it away from the primary inbox. Without an SPF record, receiving servers have no way to check which IPs are allowed to send for your domain, which makes it easy for malicious actors to impersonate your brand.

DKIM

DomainKeys Identified Mail (DKIM) adds a digital signature to the header of an email to further verify the identity of the sender. The receiving server validates that signature against the public key the sending domain publishes in DNS, which also confirms that the signed headers and body were not altered in transit. Because the signature travels in the message header, it generally survives forwarding (as long as the forwarder does not modify the signed content), unlike SPF, which breaks when a forwarding server relays the message from an IP the domain never authorized.

DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a protocol that builds on SPF and DKIM to determine the authenticity of an email, giving domain owners the ability to protect their domain from unauthorized use.

DMARC tells receiving servers how to handle incoming mail that claims to come from your domain. To be delivered, a message must pass the SPF and DKIM alignment checks required by the DMARC policy, meaning the domain those checks authenticate must align with the domain in the visible From: address. Messages that fail DMARC can be rejected, placed in the spam folder, or delivered as-is, and in every case the failure can be reported back to the domain owner.

Implementing a DMARC policy on your domain can help protect you from spoofing, limiting your brand’s and recipients' exposure to potentially fraudulent and harmful messages. 

Making your Klaviyo emails DMARC compliant

In order to be DMARC compliant, you need to connect a dedicated sending domain to your account that matches the domain in your sender email address (i.e. your from-address). For example, if you send an email using sales@example.com as the from-address and example.com is protected by DMARC, your account will need to use a dedicated sending domain like send.example.com to meet DMARC requirements.

Setting up DMARC

DMARC is not required to send marketing emails on Klaviyo. To fully configure and implement a DMARC policy, we recommend working with your IT team and a third-party DMARC service provider.

A DMARC policy is published as a TXT record in the domain's DNS (at the _dmarc subdomain of the domain being protected) and must follow the DMARC record syntax, for example starting with v=DMARC1 and including a p= policy tag. For instructions on how to set up DMARC for your domain, we recommend reading the following resources:

Additional resources
