What Is Email Authentication?
Email authentication is a set of DNS-based methods that receiving mail servers use to verify that an email truly came from the domain shown in the “From” field, and that it wasn’t tampered with in transit. The core protocol for sending email, SMTP, has no built-in authentication, which is why SPF, DKIM, and DMARC were developed to fill that gap. You need all three records configured to achieve a fully functioning authentication system.Email Setup
Connect Gmail or Microsoft 365 to Clodura AI and configure your sending preferences.
Email Warmup
Gradually build your sender reputation with automated warmup campaigns.
Spam Score
Check your email content for spam triggers before you hit send.
Inbox Placement
Test where your emails land across Google and Microsoft inboxes.
The Three Authentication Protocols
SPF — Sender Policy Framework
SPF answers one question: is this IP address authorized to send email for this domain? You publish a TXT record in your DNS that lists every mail server allowed to send on your behalf. When Bob receives an email from you, his mail server looks up your SPF record and checks whether the sending IP is listed. If it matches, the email passes SPF. What to include in your SPF record: Add every service that sends email using its own SMTP servers on your domain’s behalf — for example, Google Workspace, Microsoft 365, or a marketing tool like Mailgun.Do not add Clodura AI to your SPF record. Clodura AI uses your SMTP credentials to send, so it sends as you, not via its own mail infrastructure. Adding it is unnecessary and could introduce confusion.
| Provider | SPF Record |
|---|---|
| Google Workspace | v=spf1 include:_spf.google.com ~all |
| Microsoft 365 | v=spf1 include:spf.protection.outlook.com -all |
| GoDaddy Email | v=spf1 include:secureserver.net -all |
| SendGrid | v=spf1 a include:sendgrid.net -all |
| Amazon SES | v=spf1 include:amazonses.com ~all |
| Zoho Mail | v=spf1 mx include:zoho.com ~all |
| Mailgun | v=spf1 include:mailgun.org ~all |
| Mailjet | v=spf1 include:spf.mailjet.com ~all |
| MailerLite | v=spf1 include:_spf.mlsend.com ~all |
| Rackspace | v=spf1 include:emailsrvr.com ~all |
| Fastmail | v=spf1 include:spf.messagingengine.com ?all |
DKIM — DomainKeys Identified Mail
DKIM proves that an email’s content was not altered in transit. It works by signing each outgoing message with a cryptographic private key that only you hold. Your DNS record publishes the corresponding public key, and the recipient’s mail server uses that public key to verify the signature. If the signature checks out, the message was genuinely sent by you and arrived unchanged. The two-key concept:- Private key — held securely by your email provider; used to encrypt a signature in every outgoing message header.
- Public key — published as a TXT record in your DNS; lets any receiving server decrypt and verify that signature.
How to set up DKIM for Gmail / Google Workspace
How to set up DKIM for Gmail / Google Workspace
Open the Google Admin console
Sign in to admin.google.com with your Google Workspace admin account.
Navigate to Gmail authentication settings
Go to Apps → Google Workspace → Gmail → Authenticate Email.
Generate a new DKIM record
Select your domain from the drop-down list and click Generate New Record. Copy the hostname (e.g.,
google._domainkey) and the TXT record value.Add the TXT record to your DNS
Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.), find your domain, and add a new TXT record using the hostname and value you copied.
DMARC — Domain-based Message Authentication, Reporting & Conformance
DMARC builds on top of SPF and DKIM by giving you a policy that tells recipient mail servers what to do with messages that fail your SPF or DKIM checks. It also enables reporting, so you can receive data about how your domain’s email is being handled across the internet. A DMARC record is published as a single TXT entry in DNS, at the hostname_dmarc.yourdomain.com.
Example DMARC record:
- SPF pass + alignment — the domain in the envelope “From” matches the domain in the email header “From.”
- DKIM pass + alignment — the domain in the DKIM signature matches the domain in the email header “From.”
DMARC Policy Options
| Policy | Tag | What Happens |
|---|---|---|
| None | p=none | All messages are delivered, even if they fail SPF/DKIM. Reports are still sent. Good for monitoring without enforcement. |
| Quarantine | p=quarantine | Messages that fail are sent to the recipient’s spam or junk folder. |
| Reject | p=reject | Messages that fail are rejected outright and never delivered. Highest security level. |
| Tag | Required | Description |
|---|---|---|
v | Yes | Version — always DMARC1. Do not change this. |
p | Yes | Policy — none, quarantine, or reject. |
rua | Recommended | Email address to receive aggregate reports. Must belong to the same domain. |
ruf | Optional | Email address for forensic (per-failure) reports. |
fo | Optional | Reporting conditions: 0 = report if both SPF and DKIM fail; 1 = report if either fails. |
DNS Setup Walkthroughs
- Cloudflare
- GoDaddy
Adding SPF or DMARC in Cloudflare
Log in to Cloudflare
Navigate to cloudflare.com and sign in.
Email Deliverability Best Practices
Proper authentication is the baseline. The following practices build on top of it to maximize inbox placement and protect your sender reputation over time.Authenticate your domain
Configure SPF, DKIM, and DMARC records before sending any outreach. After connecting your email in Clodura AI, the Domain Health panel in Settings → Email Setup shows green checkmarks when all three are correctly detected.
Keep a clean email list
Remove bounced, invalid, and long-unengaged addresses regularly. Clodura’s built-in email verification engine tags contacts as Verified or Not Found — send only to Verified contacts for the best deliverability results.
Warm up new domains and IPs
New sending domains have no reputation history. Start with 20–30 emails per day to your most engaged contacts, then increase volume by 10–30% every few days. Use Clodura’s Email Warmup feature to automate this process.
Write relevant, human content
Craft subject lines that honestly reflect the email’s content. Personalize messages using the recipient’s name, role, industry, or company. Keep calls to action clear and single. Avoid excessive punctuation, ALL CAPS, and dollar-sign-heavy language.
Monitor sender reputation
Google requires spam complaint rates below 0.3%. Connect your domain to Google Postmaster Tools for free reputation monitoring. Also check Microsoft SNDS, Sender Score by Validity, and MXToolbox Blacklist Check regularly.
Stay legally compliant
Align your outreach with applicable regulations:
- GDPR (EU): Obtain explicit consent, provide a data access/erasure mechanism, and document your consent records.
- CAN-SPAM (US): Use accurate header information, non-deceptive subject lines, a valid physical address, and a working unsubscribe mechanism.
- CCPA (California): Publish a privacy policy, honor opt-out requests, and ensure third-party processors also comply.
Maintain a consistent sending schedule
Sudden spikes in volume from a domain with no history look suspicious to spam filters. Send at regular intervals and ramp gradually. Use Clodura’s sequence scheduling to maintain predictable cadences.
Check spam score and test inbox placement
Before any major send, run a Spam Score check (10 credits) to catch risky content and flagged phrases. Run an Inbox Placement test (50 credits) to see where your emails actually land across Google Workspace and Microsoft 365 inboxes.
Verifying Your Setup in Clodura AI
After connecting your email account under Settings → Email Setup, Clodura automatically checks your domain’s DNS configuration and displays three health indicators:| Indicator | What It Checks | What to Do If Red |
|---|---|---|
| SPF | SPF TXT record present and valid | Add or correct your SPF record in DNS |
| DKIM | DKIM public key TXT record found | Generate and publish your DKIM record via your email provider |
| DMARC | DMARC TXT record at _dmarc | Add a DMARC record to your DNS with at minimum p=none |
DNS changes propagate across the internet within 30 minutes to 48 hours. After making changes, wait before re-running the health check.