About email authentication

Email authentication verifies that an email is actually from you or your business. Think of it like a digital signature: it protects your brand, identity and reputation. It's one of the most important steps you can take to improve your deliverability.

This topic explains why it's important to authenticate, and how authentication changes the way email servers and email clients treat your email. For step-by-step instructions on setting up authentication, read Manage your own authentication with DKIM.

Why authentication matters

The way email was originally designed makes sender details easy to forge, or "spoof." Spammers and phishers take advantage of this by posing as banks, auction sites, energy companies and other organizations to steal money or spread malicious software. These scam emails harm the recipients, and they also harm the companies and brands being impersonated.

Email services such as Gmail, Outlook.com and Yahoo use email authentication to help determine if something is spam, or is worth blocking completely to protect their users. As such, any unauthenticated email, no matter how legitimate the content, runs the risk of ending up in someone's spam folder.

Important: To send transactional email, you must manage your own authentication.

Manage your own authentication

Managing your own email authentication is highly recommended. The default level of authentication added to each email sent through Campaign Monitor proves that the email came from our servers. However, to prove that the email comes from your own or your company's domain, you need to authorize Campaign Monitor to send on your behalf. This is the case with all Email Service Providers (ESPs).

You can do this by modifying the DNS records attached to a domain name you own, so that any email sent through Campaign Monitor is verified as coming from your own domain. Authenticating this way improves deliverability, as you are properly stating your identity to recipient mail servers.

Manage your own authentication with DKIM

How email clients treat emails that aren't domain authenticated

Managing your own authentication changes how your emails are displayed in email clients. If you haven't authorized an ESP to send email on your behalf, many major email clients flag the email as coming from a different server, which can potentially cause the email to be blocked, or lead recipients to believe they're receiving spam.

For example, in Outlook 2016 if you haven't authorized your ESP to send email on your behalf, your email will display in the recipient's inbox as being "sent by" someone else. In the image below, while the From address shows correctly as "sally@designco.com," the email is flagged as coming from a Campaign Monitor mail server ("cmail2.com"):

In this case, the email has also been sent to the junk folder as a result of the sending domain not being authenticated. This won't happen every time — unauthenticated mail can still make it to the inbox, and there are many other reasons why an email can be filtered as spam.
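The comparison behind these labels can be sketched as follows. This is an added example, not Campaign Monitor's code or any mail client's actual logic: it reads the From domain and the d= domain of each DKIM-Signature header and reports whether they line up. The function names, the selector and the sample messages are constructed, the alignment rule is a simplification that does not consult the Public Suffix List, and the signature itself is not cryptographically verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; selector and bh=/b= values are placeholders.
ESP_ONLY = (
    "From: Sally <sally@designco.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=cmail2.com; s=sel1;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: Spring sale\n\nHello\n")
OWN_DOMAIN = ESP_ONLY.replace("d=cmail2.com", "d=designco.com")
UNSIGNED = "From: sally@designco.com\nSubject: Spring sale\n\nHello\n"

def signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                tags[key.strip()] = "".join(val.split())  # drop folding whitespace
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def aligned(from_domain, signing_domain):
    """Simplified relaxed alignment: same domain, or one is a subdomain of
    the other. A bare TLD such as "com" never aligns (no Public Suffix List)."""
    short, long_ = sorted((from_domain.lower(), signing_domain.lower()), key=len)
    if "." not in short:
        return False
    return long_ == short or long_.endswith("." + short)

def classify(raw_message):
    """Return (status, from_domain, signing_domain) for a raw message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = signing_domains(msg)
    if not signers:
        return ("unsigned", from_domain, None)
    for domain in signers:
        if aligned(from_domain, domain):
            return ("domain-authenticated", from_domain, domain)
    # Signed, but only by a domain unrelated to the From address (the ESP's).
    return ("signed-by-esp-only", from_domain, signers[0])

if __name__ == "__main__":
    for sample in (ESP_ONLY, OWN_DOMAIN, UNSIGNED):
        print(classify(sample))
```

The "signed-by-esp-only" result corresponds to the case shown above, where the From address is at designco.com but the only signature belongs to cmail2.com.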

Once you have authenticated your own domain, the "sent by" phrase and sending server are not present:

Gmail uses the word "via" to indicate an email hasn't had its sending domain authenticated:

After authenticating the sending domain, "via" and the sending server are removed:

Similarly, Outlook.com uses the phrase "on behalf of":

This is removed for domain authenticated email: