Email Authentication: SPF and DKIM

Users sending with MailPoet's Sending Service usually don't need to set up their own SPF or DKIM, as messages will automatically have MailPoet Sending Service's SPF set up and will be signed with MailPoet Sending Service's DKIM.

You may need to set up DKIM for your domain if you are already using DMARC or are experiencing email spoofing issues.

If you have a DMARC policy set up for your sender domain with "p=quarantine" or "p=reject" policy and you are using our MailPoet Sending Service, you need to add DKIM to your sender domain.
Reference: How To Fix Email Violates Sender Domain's DMARC Policy Error

Email authentication is just a fancy word for  stuff that helps you avoid ending up in the spam folder

By implementing some of these technologies, you can: 

  • improve your open rate; 
  • increase engagement with your readers; 
  • and improve your sender reputation. 

Two specific things that affect your spam score: SPF and DKIM. In simple terms, both SPF and DKIM work by verifying that a sender is authorized to send emails on their website's behalf. In other words, they make sure that you aren't pretending to be someone else.

Both SPF and DKIM authentication are set up by adding TXT entries to your server's DNS records. This is done through your host's control panel (usually cPanel, Plesk or WHM).

What is SPF? (Sender Policy Framework)

SPF is used by your subscribers' email servers (Gmail, Hotmail, Outlook, self-hosted email, etc.) to verify if the FROM email address you used on your newsletter is authorized by your website. 

This is why you can't send newsletters with a FROM address using a domain you don't own. Read our guide on the FROM address.

For example, when your recipients receive an email from or, their servers will check if you are authorized to use a Gmail email address on a newsletter sent from your website. Since Gmail's servers don't have SPF records for your domain, this means your newsletter was not authorized by Gmail. As a result, your emails will not get delivered, fall in the spambox or display a spoofing warning. 

If you want to use a third-party service to send your MailPoet newsletters (like SendGrid or ElasticEmail), you'll need to add their SPF or DKIM records on your website's DNS.

Read how to add or edit your SPF record to help you set up an SPF record in your host's DNS records. 

What is DKIM? (DomainKeys Identified Mail)

DKIM is another TXT record added to your host's DNS records. Your MailPoet install will cryptographically sign your newsletters with a key generated specifically for your domain. When your subscribers receive your newsletter, their email servers will grab the key on your domain's DNS records. Then, it will use this key to perform a cryptographic authentication to make sure your newsletter was not modified during the sending process.

If you are using MailPoet Sending Service to send emails, your emails are already signed with DKIM. You may also set up DKIM for your sender domain, further proving that emails MailPoet sends on your behalf were indeed sent by you.

MailPoet users that send their newsletters using a third-party service, like SendGrid or Elastic Email, already have their messages signed by these services with their own DKIM keys. See SendGrid's document on DKIM and Elastic Email's guide.

If you are sending emails with your own website and want to set up DKIM, please contact your host company support. They will be able to set up your DKIM.

Note: it's impossible to modify the DKIM record on 1and1 hosting, unfortunately.

What is DMARC?

DMARC is an instruction that an email service (e.g. MailPoet) gives to email service providers (e.g. Gmail or Yahoo) of what to do if they receive spoofed emails like phishing attacks.

This removes a lot of the guesswork for spam filters of the biggest email service providers, like Gmail and Yahoo. 

DMARC is not a prerequisite to good deliverability, although it can be considered one of the many deciding factors. The majority of the world’s senders have yet to implement DMARC.

Emails sent using MailPoet Sending Service can be made compliant with your DMARC policy by setting up DKIM for your sender domain.  

Read More:

How to check your SPF and DKIM keys

You can simply use this tool to check your SPF and DKIM keys.

Add the website domain where you're sending your emails from and enter  default as your DKIM selector.

You can run a spam score test if you want more information about it.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.