What is email authentication and how do I set it up?

We provide email authentication to increase the deliverability and security of your email campaigns. This article explains what authentication is, why it's a good idea to use it, and what your options are for setting it up.

On this page:

How authentication works

Because of the way email was originally built it's very easy to forge, meaning an email sender might not be who they say they are. An example of this is an email message claiming to be from your bank, when it's actually a scam aimed at stealing money or spreading malicious software.

Authentication technology prevents this from happening by giving recipient mail servers a record of identification to check, to ensure the sender is legitimate. Emails that fail to pass authentication checks may be blocked or put through additional filters, potentially preventing them from reaching the inbox.

Email services like AOL, Gmail or Yahoo (as well as corporate email servers) use one or more of these authentication methods to verify sender identity:

  • DKIM (Domain Keys Identified Mail)
  • SPF (Sender Policy Framework)

There's no agreed best method for authentication and, because of the pros and cons for each, you can't rely on all recipient mail servers using the same one. That's why it's best to employ all of them, and we make that easy to do by authenticating every client in your account by default.

Why it's important to send authenticated emails

Email providers now rely heavily on authentication to fight spam and prevent phishing and other means of fraud.


Authentication is essential for securing your brand and preventing spoofed messages from damaging your online reputation.

Imagine a phishing email being sent from your company because someone had forged your information. Angry recipients and spam complaints resulting from it become your mess to clean up, in order to repair your reputation.


Many email providers use authentication, among other things, to track sender reputation. Without it, the chances of your emails being filtered are much higher.

Email authentication options

There are two options to choose from when setting up email authentication for a client in your account. These options are explained below.

Authenticate all emails for me

This is the default setting for every client in your account, and is the simplest option because you don't need to do anything.

On this setting the authentication methods, DKIM and SPF, are set up for you meaning you authorize our servers to send email on your behalf. The emails still look like they're coming from you because you set your own From address, as shown here:

Note: Certain email clients, such as Outlook and Gmail, will add extra sender details to the "From" field, as shown in the example below:

When this happens, the domain names added will be white label, for example: cmailx.com or x.com where the x is a numeral. If you are rebranding Campaign Monitor, rest assured, the sender domains will never be anything like campaignmonitor.com that points back to us.

I'll manage my own authentication (recommended)

If you have access to the DNS records for your domain, and a bit of technical knowledge, you can set up your own authentication records.

This is the best option for building and maintaining a good sender reputation. By handling authentication through your domain you are providing a digital signature, authorizing that each email is from you.

This option is for advanced users because it can be a bit tricky to get working, given the variety of DNS management systems out there. Learn more about this in our guide to setting up email authentication.