Email Marketing & Email Marketing Automation

How to Validate Your Email Authentication Is Set Up Correctly for DKIM, DMARC, SPF & BIMI

If you’re sending any significant volumes of marketing emails, chances are your email is not making its way to the inbox if you’ve not configured your email authentication. We work with many companies assisting them with their email migration, IP warming, and deliverability issues. Most companies don’t even realize they have a problem; they think subscribers simply aren’t engaging with their emails.


At issue is the growing issue of malicious and fraudulent emails, especially phishing emails. Phishing is a cyber-attack where individuals or organizations try to trick people into revealing sensitive information, such as passwords or credit card details, by disguising themselves as trustworthy entities. This is primarily done via email. The attacker will send an email that appears to be from a legitimate source, then bring you to a landing page that you believe is a login or other authentication page where the victim inadvertently enters their personal information.

The Invisible Problems of Deliverability

There are three invisible problems with email deliverability that businesses are unaware of:

  1. Permission – Email service providers (ESPs) manage the opt-in permissions… but the internet service provider (ISP) manages the gateway for the destination email address. It’s an inherently flawed system that has skyrocketed fraudulent schemes like phishing. You can do everything right as a business to acquire permission and email addresses, and the ISP has no idea and may block you anyway. The ISPs assume you’re a spammer or sending malicious emails… unless you prove otherwise.
  2. Inbox Placement – ESPs consistently promote high deliverability rates that are nonsense. An email routed directly to the junk folder and never seen by your email subscriber is technically delivered. To truly monitor your inbox placement, you must use a seed list and look at each ISP to identify whether your email landed in the inbox or the junk folder. My company can provider this testing for you as well.
  3. Reputation – ISPs and third-party services also maintain reputation scores for the sending IP address for your email. There are blacklists that ISPs may use to block all of your emails altogether, or you may have a poor reputation that would get you routed to the junk folder. You can use many services to monitor your IP reputation, but I’d be a bit pessimistic since many don’t have insight into each ISP’s algorithm.

Email Authentication

The best practice for mitigating any inbox placement issues is to ensure you have set up email authentication records that ISPs can use to look up and validate that the emails you are sending are truly sent by you and not by someone pretending to be your company. This is done through a few standards:

  • Sender Policy Framework (SPF) – the oldest standard around, this is where you register a TXT record on your domain registration (DNS) that states what domains or IP addresses you are sending emails from for your company. For example, I send emails for Martech Zone from Google Workspace.
v=spf1 ~all
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – this newer standard has an encrypted key that can validate both my domain and the sender. Each key is produced by my sender, ensuring that emails sent by a spammer can’t get spoofed. If you are using Google Workspace, here’s how to set up DMARC.
  • DomainKeys Identified Mail (DKIM) – Working alongside the DMARC record, this record informs ISPs how to treat my DMARC and SPF rules and where to send any deliverability reports. I want ISPs to reject any messages that don’t pass DKIM or SPF, and I want them to send reports to that email address.
v=DMARC1; p=reject;; aspf=s; fo=s;
  • Brand Indicators for Message Identification (BIMI) – the newest addition, BIMI provides a means for ISPs and their email applications to display the brand’s logo within the email client. There’s both an open standard and an encrypted standard for Gmail, where you also need an encrypted verified mark certificate (VMC). The certificates are expensive, so I’m not doing that yet. VMCs are being issued by two accepted Mark Verifying Authorities: Entrust and DigiCert. More information can be found at the BIMI group.
v=BIMI1; l=;a=self;

NOTE: If you need assistance in configuring and testing your email authentication, don’t hesitate to reach out to my firm Highbridge. We have a team of email marketing and deliverability experts that can assist.

How To Validate Your Email Authentication

All the source, relay, and validation information associated with every email are found within the message headers. Interpreting these is pretty easy if you’re a deliverability expert, but if you’re a novice, they’re incredibly difficult. Here’s what the message header looks like for our newsletter; I’ve grayed out some of the autoresponse emails and campaign information:

Message Header - DKIM and SPF

If you read through, you can see my DKIM rules, whether DMARC passes (it doesn’t), and SPF passes… but that’s a lot of work. There’s a much better workaround, though, to use DKIMValidator. DKIMValidator provides you with an email address that you can add to your newsletter list or send via your office email… and they translate the header information into a nice report:

First, it validates my DMARC encryption and DKIM signature to see whether or not it passes (it doesn’t).

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
	s=cpmail; t=1643110423;

Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:
s= Selector:        cpmail
q= Protocol:        
bh=                 PTOH6xOB3+wFZnnY1pLaJgtpK9n/IkEAtaO/Xc4ruZs=
h= Signed Headers:  Date:To:From:Reply-to:Subject:List-Unsubscribe
b= Data:            HKytLVgsIfXxSHVIVurLQ9taKgs6hAf/s4+H3AjqE/SJpo+tamzS9AQVv3YOq1Nt/
Public Key DNS Lookup

Building DNS Query for
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+D53OskK3EM/9R9TrX0l67Us4wBiErHungTAEu7DEQCz7YlWSDA+zrMGumErsBac70ObfdsCaMspmSco82MZmoXEf9kPmlNiqw99Q6tknblJnY3mpUBxFkEX6l0O8/+1qZSM2d/VJ8nQvCDUNEs/hJEGyta/ps5655ElohkbiawIDAQAB
Validating Signature

result = fail
Details: body has been altered

Then, it looks up my SPF record to see if it passes (it does):

SPF Information:
Using this information that I obtained from the headers

Helo Address =
From Address =
From IP      =
SPF Record Lookup

Looking up TXT SPF record for
Found the following namesevers for
Retrieved this SPF Record: zone updated 20210630 (TTL = 600)
using authoritative server ( directly for SPF Check
Result: pass (Mechanism '' matched)

Result code: pass
Local Explanation: Sender is authorized to use '' in 'mfrom' identity (mechanism '' matched)
spf_header = Received-SPF: pass ( Sender is authorized to use '' in 'mfrom' identity (mechanism '' matched)) receiver=ip-172-31-60-105.ec2.internal; identity=mailfrom; envelope-from="";; client-ip=

And lastly, it provides me insight on the message itself and whether the content may flag some SPAM detection tools, checks to see if I’m on blacklists, and tells me whether or not it’s recommended to be sent to the junk folder:

SpamAssassin Score: -4.787
Message is NOT marked as spam
Points breakdown: 
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at,
                            high trust
                            [ listed in]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                            identical to background
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
                            Colors in HTML
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid

Be sure to test every ESP or third-party messaging service that your company is sending email from to ensure your Email Authentication is properly set up!

SPF and DKIM Validator BIMI Inspector

Douglas Karr

Douglas Karr is the founder of the Martech Zone and a recognized expert on digital transformation. Douglas has helped start several successful MarTech startups, has assisted in the due diligence of over $5 bil in Martech acquisitions and investments, and continues to launch his own platforms and services. He's a co-founder of Highbridge, a digital transformation consulting firm. Douglas is also a published author of a Dummie's guide and a business leadership book.

Related Articles


Adblock Detected

Martech Zone is able to provide you this content at no cost because we monetize our site through ad revenue, affiliate links, and sponsorships. We would appreciate if you would remove your ad blocker as you view our site.