DMA: Data and Marketing Association
Consumer Help

EEC’s Email Authentication Guidance

The following information is being provided to you by the DMA & Email Experience Council (eec). We hope you find this information useful. Please review your email program with your legal counsel to ensure that your program is meeting appropriate legal requirements. The information provided is for your background and overall guidance and should not be considered as legal advice for your specific needs.

What is email authentication?

Email Authentication simplifies and automates the process of identifying senders, and improves the likelihood that legitimate email will get through to the intended recipient. It is one way to make the electronic marketplace more secure and improve consumer confidence in email.

Using a traditional mailing analogy, email authentication can assure the recipient that your return address, letterhead, and personal signature are “authentic” (not faked). For a graphic that further illustrates the analogy, refer to page 19 of DMA/Bigfoot Interactive (now Epsilon Interactive) whitepaper on Authentication, Accreditation & Reputation.

Authentication helps prove that a sender is who they claim to be and that they have the right to send email from your IP address. This is the first step to ensuring the sender and offer are legitimate and not a spammer in disguise giving the industry a bad name.

There are currently two major types of interoperable email authentication systems:

  1. IP-based Solutions like Sender Policy Framework (SPF) and Sender ID (SID)
  2. Cryptographic Solutions like DomainKeys Identified Mail (DKIM)

The goal of each is the same: create a public record against which the legitimacy of senders can be verified. Both technologies work to validate that the sender is authorized to send mail from a particular IP address. Authentication makes it difficult to forge IP addresses or the cryptographic signatures utilized by email authentication systems.

A fundamental difference between IP-based and cryptographic authentication solutions: cryptographic technology protects the integrity of email content; IP-based technology verifies that the sender is authorized by the domain owner.

Click here to go in-depth on The Various Types of Authentication.

What types of email should be authenticated?

DMA’s authentication guideline requires that marketers authenticate all outbound email they send or service bureaus send on their behalf.

From a practical business standpoint, even if a marketer is not a DMA or eec member, they should authenticate their email to ensure reliable delivery and uninterrupted workflow.

Here is a list of some email categories that need to be authenticated:

  • List Rental Email
  • Marketing & Promotional Email
  • Customer Service Email
  • Non-Bulk Corporate Communications Email
  • Email From Mobile Devices
  • Sales Email
  • Receipts of Shipping Confirmation Email
  • Monthly Statements Via Email
  • Newsletters Via Email

What are domains?

A domain name identifies one or more IP addresses. A domain name appears as part of a website’s URL (Uniform Resource Locator, e.g. www.company.com). Domain names use alphabetical addresses that are easier for humans to remember than numeric IP addresses.

    Registered domain name: company.com
    Domain name: www.company.com
    URL: http://www.company.com/index.html
    IP address:

The Domain Name System (DNS) is where companies publish which IP addresses are allowed to send email on their behalf. DNS is flexible and allows multiple IP addresses to be assigned to a single domain name or multiple domain names to a single IP address. ICANN (Internet Corporation for Assigned Names and Numbers) and IANA (Internet Assigned Names and Numbers) are in charge of managing DNS.

What are IP addresses?

IP addresses, or Internet Protocol addresses, are unique identifiers that are assigned to every computer, server, or other device connected to the internet. One way to think of IP addresses is as telephone numbers: computers use them to locate and “talk” to each other on the internet. A typical IP address is expressed in dot notation, e.g. Each number in the address has a value of 1 to 255.

As stated previously, it is generally easier for humans to remember and use alphabetical URLs than numeric IP addresses. When a URL is typed into a browser, the computer converts the URL into an IP address, language that computers understand.

    IP address:
    Domain name: www.company.com

IP addresses are managed and created by the IANA. Not every computer that connects to the internet has its own static IP number (i.e. an IP address that never changes). For example, corporate networks and online services usually share IP addresses among a large number of users, and temporarily assign an IP address to a requesting computer. A temporary IP address is referred to as a dynamic address. Internet service providers and network administrators can find out if a computer uses static or dynamic IP addressing.

Why the DMA requires that member companies use email authentication:

In October 2005, the DMA Board of Directors mandated that member companies using email for communication and transactions begin using email identification and authentication protocols. DMA did this because it is a good business practice and because members should be held to the highest standards to gain and maintain consumer trust.

It is up to each company to decide what kind of authentication protocol it wants to use. DMA guidelines do not require the use of any specific protocol, as there are several interoperable, inexpensive, and easy to implement solutions available.

For more information check out the advantages of email authentication


Your goal should be to authenticate 100% of your email. The table below outlines some of the categories of email you may be sending, along with the information you need to know. If you do not send a listed category of email, write n/a or leave it blank. It is designed to help member companies understand the requirements needed for authenticating corporate emails. By completing this form, you will have all you need to get the job done! Do it yourself–or give this form to your IT staff and ask them to complete this easy process.

If you are unsure whether a particular domain is authenticated and want to test its status, visit The Email Service Provider Coalition (ESPC). This website features a handy tool that will help you test your emails and ensure that all of your domain names are properly authenticated.

Should you need assistance in gathering the information below or have questions about the authentication process, we recommend that you contact your Email Service Provider or technology vendor for assistance. Some of our members may also be helpful in this area, please visit the eec online member directory if you require outside assistance.

email authentication checklist

I have collected the necessary information. Now how do I authenticate my emails?

The following are instructions for implementing three types of email authentication systems (SPF, DKIM and DMARC).

1. Sender Policy Framework (SPF)

  • Audit and make a list of all IP addresses that send email on your behalf.
  • Talk to your IT staff and any Email Service Providers you work with.
  • Create your SPF record.
  • Publish your SPF record in DNS.
  • Verify that your SPF record is published and working:
    • Use the tool at: www.dnsstuff.com.
    • Copy all the information after the “@” sign in the “From” line of the domain you wish to verify (e.g., @yourcompany.com).
    • Paste this information into the look-up field “Lookup”).
    • Select the “TXT” option from the drop down box directly next to where you just pasted your domain information.
    • Select “Lookup.”
    • Under the “Answer” box you should see “v=spf…” This verifies that your record is SPF compliant.

2. DomainKeys Identified Mail (DKIM)

DKIM is offered to all users free of charge. DKIM is available at http://domainkeys.sourceforge.net/. DKIM requires more computing resources than IP based technologies.

If you need technical assistance in implementing an authentication system, please contact your ESP, technology vendor, internal IT team, or one of our member companies..

How to confirm if emails are authenticated

Click here for a free tool to test your domain names to make sure that they are properly authenticated.

3. Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC enhances how email receivers interpret the results from email authentication by building on the existing and well-known SPF and DKIM mechanisms.

Email senders remain largely unaware of potential problems with their authentication practices. The existing solutions do not provide scalable solutions to supply feedback to the domain owners and a source for this feedback to be sent to. This is especially important for those attempting to launch new SPF and/or DKIM deployment records. This can cause the projects to proceed very slowly because of the lack of feedback and it means there are limited solutions to monitor progress and debug problems.

DMARC is working to address these issues, by helping email senders and receivers work together to produce better and more secure emails, adding additional protections for both users and brands from fraud, scams, and malware.

Many of the largest ISPs have already started implementing DMARC including: AOL, Gmail, Hotmail, and Yahoo!.

How DMARC Works:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

EEC/DMA Member Questions?

Members may email DMA at ethics@thedma.org or EEC at eec@thedma.org.
A special thanks to DMA’s Email Experience Council (eec) and its Advocacy Subcommittee for contributing to this Guide: eec Advocacy Subcommittee Chair Matthew Vernhout, Chief Privacy Officer, Inbox Marketer; and eec Advocacy Subcommittee Members, Michelle Wimmer, Client Services and Media at IMM and Greg Kraios, Founder of 250ok.