What are the 3 key email authentication checks that your messages must pass in order to maintain good deliverability?
- TXT, CNAME, and NS
- SPF, DKIM, and DMARC
- SPF, DKIM, and BIMI
Explanation: To ensure your emails land in the inbox rather than the spam folder, you must pass the “big three” authentication checks. Think of these as a multi-factor digital passport that proves your identity to inbox providers like Gmail and Yahoo. SPF (Sender Policy Framework): This acts as a “VIP Guest List.” It is a DNS record that lists exactly which servers (like Klaviyo’s) are authorized to send emails on behalf of your domain. When an email arrives, the inbox provider checks this list to see if the sender is “invited.” DKIM (DomainKeys Identified Mail): This acts as a “Digital Seal.” It adds a cryptographic signature to your email headers. If anyone tries to tamper with your email while it’s in transit, the seal breaks. The recipient’s server uses a public key in your DNS to verify that the seal is intact and the email is authentic. DMARC (Domain-based Message Authentication, Reporting, and Conformance): This acts as the “Security Guard’s Instructions.” It tells inbox providers what to do if an email fails SPF or DKIM. You can instruct them to do nothing (p=none), put the email in spam (p=quarantine), or block it entirely (p=reject).