Skip to content
  • There are no suggestions because the search field is empty.

Domain Authentication for Email Deliverability

Set up SPF, DKIM, and DMARC records so your emails reach the inbox instead of the spam folder.

Summary

Major email providers — Gmail, Yahoo, and Microsoft (Outlook, Hotmail, Live) — require senders to authenticate their domains. This article explains what SPF, DKIM, and DMARC do, why they matter for your deliverability, and where to find setup instructions for your email provider.


Table of Contents

  1. Why Domain Authentication Matters
  2. Authentication Requirements at a Glance
  3. What Each Record Does
  4. Setting Up Authentication by Provider
  5. Best Practices
  6. Troubleshooting Common Issues
  7. FAQs

Why Domain Authentication Matters

Gmail, Yahoo, and Microsoft (Outlook.com, Hotmail, Live) all enforce authentication requirements for senders. Without proper authentication:

  • Your emails may land in spam folders or bounce entirely — non-compliant messages can be rejected outright.
  • Your domain is vulnerable to spoofing — bad actors sending email that appears to come from you.
  • Your sender reputation suffers, lowering open rates across all your campaigns.
  • You may fall out of compliance with current sender requirements, especially if you send at high volume.

⚠️ Authentication is recommended for every sender, not just high-volume senders. Providers require SPF and/or DKIM as a baseline for all email, with stricter requirements (SPF and DKIM, plus DMARC and one-click unsubscribe) for senders exceeding 5,000 messages per day. 

back to the top


Authentication Requirements at a Glance

Record What It Proves Who Needs It
SPF Which servers are allowed to send email for your domain All senders
DKIM The message genuinely came from your domain and wasn't altered All senders
DMARC Tells receiving servers what to do when SPF/DKIM checks fail Required for bulk senders (5,000+ messages/day); recommended for everyone

These requirements apply across Gmail, Yahoo, and Microsoft inboxes (Outlook.com, Hotmail, Live). 

back to the top


What Each Record Does

SPF (Sender Policy Framework)
An SPF record lists the servers authorized to send email on your domain's behalf. Receiving servers check incoming mail against this list — mail from an unauthorized server is flagged or rejected.

DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your outgoing email that verifies your domain as the true sender and confirms the message wasn't tampered with in transit. It's the strongest single signal of sender legitimacy.

DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together. It tells receiving servers how to handle messages that fail authentication (allow, quarantine, or reject) and sends you reports on who is sending email using your domain.

back to the top


Setting Up Authentication by Provider

Authentication records are added in your domain's DNS settings, and the exact steps depend on your email provider and domain registrar.

⚠️The links below go to third-party documentation. These vendors update their interfaces and guides regularly, so always follow the vendor's current instructions.

Google Workspace (Gmail)

If your business email runs on Google Workspace, follow Google's official guides:

Mandrill or SendGrid

If you send email through Mandrill or SendGrid:

  • Mandrill sending domain authentication guide: https://mailchimp.com/developer/transactional/docs/authentication-delivery/
  • SendGrid domain authentication documentation: https://www.twilio.com/docs/sendgrid/ui/account-and-settings/how-to-set-up-domain-authentication 

If you send mass email through Sierra's SendGrid integration, see the SendGrid Mass Email Setup Guide for the full setup process. 

Office 365 / Outlook

If you use Office 365 for your business email:

  • Microsoft manages your SPF record automatically, unless your domain is registered with a third party like GoDaddy.
  • If your domain is with GoDaddy, generate a DKIM record manually here.

⚠️Using Office 365 as your email provider is separate from sending to Outlook, Hotmail, and Live recipients. Microsoft enforces authentication requirements for mail arriving at those inboxes regardless of which provider you send from. Authenticating your domain protects your deliverability to Microsoft recipients even if you send through Google Workspace or SendGrid.

If you're unsure about your current setup, submit a Support ticket and our team can help verify your records.

back to the top


Best Practices

  • Authenticate before you need to. Set up SPF, DKIM, and DMARC even if you send low volume as it protects your domain and improves inbox placement from day one.
  • Verify your records after setup. DNS changes can take up to 48 hours to propagate. Use your email provider's verification tool to confirm records are live.
  • Pair authentication with good sending habits. Authentication gets you to the inbox; content and list hygiene keep you there. See How Can I Improve My Email Deliverability and Avoid Spam Filters in Sierra? for warm-up, list management, and content best practices.

back to the top


Troubleshooting Common Issues

  • Emails are bouncing or being rejected.
    Confirm your SPF, DKIM, and DMARC records are published correctly in your domain's DNS. A missing or malformed record is the most common cause — Gmail, Yahoo, and Microsoft can all reject unauthenticated mail outright.
  • Emails deliver but land in spam.
    Verify authentication is passing (your email provider's dashboard or message headers will show pass/fail), then review sending frequency and list engagement.
  • Records were added but verification still fails.
    DNS changes can take up to 48 hours to propagate. If verification still fails after that window, check for typos in the record values or duplicate records.
  • Emails reach Gmail inboxes but not Outlook or Hotmail (or vice versa).
    Each provider evaluates authentication and sender reputation independently. Confirm your records pass for all sending services, and check your reputation in the provider's monitoring tool.

back to the top


FAQs

  • Is domain authentication required if I send fewer than 5,000 emails a day?
    Yes, providers require baseline authentication for all senders. The stricter full set of requirements (SPF, DKIM, and DMARC together, plus one-click unsubscribe) applies to senders exceeding 5,000 messages per day, but authenticating fully is strongly recommended for everyone. 
  • Do these requirements apply to Outlook and Hotmail addresses too?
    Yes. Microsoft enforces authentication requirements for high-volume senders to Outlook.com, Hotmail, and Live addresses, mirroring Gmail and Yahoo. Non-compliant mail can be rejected entirely.
  • What if I send through a third-party provider like SendGrid?
    You still need to authenticate your domain with that provider. Follow the provider's domain authentication process so your emails are signed with your domain, not theirs.
  • How do I check whether my domain is already authenticated?
    Your email provider's admin console typically shows authentication status, or you can view the headers of a sent message to see SPF/DKIM/DMARC pass/fail results.

back to the top