Email Authentication Guide

Ever get an email that claims it’s from your bank, or eBay, or PayPal? One that actually looked pretty real, but it turned out to be a forgery? That’s the problem with email: it was originally created to be an extremely easy way to communicate, but it also happens to be extremely easy to forge.

Authentication is a way to prove an email is not forged.

Authentication has been around for years, but large ISPs and corporate email servers (“receivers”) are now using it to control inbound spam. That means large, legitimate email marketers need to make sure their email campaigns are authenticated, in order to prevent deliverability problems to those ISPs.

Types of Email Authentication

There are several different authentication methods available, each with its own advantages and disadvantages. Some methods (SPF, SenderID) simply require a record published in your domain's DNS that a receiver can cross-reference against the server that sent the message. These are easy to implement, but have drawn scrutiny from some regarding the level of security they provide. Another type of authentication, DKIM, actually embeds a cryptographic signature in the email itself. This makes it more difficult to forge emails, but can also be tougher for both the sender and receiver to implement. Because of the various pros and cons, different receivers choose to check for different types of authentication. Until there’s some standard, senders may want to just employ all authentication types. MailChimp’s authentication covers all the bases.

Who’s Checking For Which Authentication?

Here’s a breakdown of which ISPs and receivers are using which types of authentication. If large portions of your list go to these ISPs, you should consider authenticating your email-marketing campaigns.

AOL [4], [5]
Bell Canada [5]
AT&T/Bellsouth [2], [5]
Comcast [2], [5][2]
Gmail [1], [8]
United Online/Juno/NetZero [2]
Rogers Cable [2]
Yahoo! Mail [6]

Sources:
[1] Google Gmail
[2] ESPC Email Authentication Resource
[3] Earthlink Drops SPF in favor of DKIM, Domain Keys
[4] ReturnPath: AOL Implements DKIM
[5] AOTA's Business and Industry Resource Directory (410KB PDF)
[6] Yahoo! Mail Help Article
[7] Hotmail moves to SPF authentication
[8] Understand SPF records

Note: We make no distinction between inbound vs. outbound authentication. If an ISP uses a certain authentication method for its outbound mail, email marketers should assume they're testing it for use on inbound email one day. For detailed breakdowns of inbound vs. outbound, see: AOTA's Business and Industry Resource Directory (410KB PDF).

Email Authentication Support in MailChimp

Email authentication can help your email marketing campaigns look more reputable, which helps your deliverability to the inbox. So at MailChimp, we support multiple authentication methods to cover all bases:

MailChimp Supports:

Authentication Should Be Simple

Email authentication is useless if it's too hard to implement. Many email service providers require server setup in order to authenticate your email campaigns. Accessing your server to modify DNS TXT records and reconfigure your MTA is just not practical (especially for small businesses). At MailChimp, our authentication is free and automatically added to your campaigns by default.
