Email Authentication – Safe Sending
Email authentication proves to recipient servers that your emails are genuinely sent by you — not by someone impersonating your domain. Without authentication, your emails are far more likely to land in spam folders or be rejected entirely. This article explains each authentication protocol, what Apsis handles for you, and what you need to set up on your end.
In this article
What is email authentication?
Email authentication is a set of protocols that verify the identity of the sender. When a recipient's email server receives your message, it checks whether the email is genuinely from the domain it claims to be from. Emails that pass these checks are far more likely to reach the inbox.
The common standards are SPF, DKIM, and DMARC. When you onboard with Apsis (part of the Efficy group), we ensure your emails are authenticated with SPF and help you set up DKIM — so your emails are delivered with the Apsis seal of approval.
SPF (Sender Policy Framework)
SPF prevents forged emails from being sent from an illegitimate source impersonating your domain. It tells recipient servers which mail servers are authorised to send email on behalf of a domain.
Detail | How it works in Apsis One |
What SPF protects | Elevates your reputation, combats email spoofing, and improves deliverability. |
Technical sender domain | When you send emails with Apsis One, the technical sender is the |
Your action required | None. SPF is pre-configured in the Apsis One DNS. You do not need to set up SPF on your own DNS. The technical sender domain is separate from your "from" domain (which is authorised with DKIM). |
💡 SPF vs DKIM — which matters more?
SPF covers the technical sender domain (Apsis's domain). DKIM covers your "from" domain — the domain your recipients see and recognise. In modern email delivery, an SPF failure is relatively minor, while a DKIM failure is much more serious and will likely result in spam classification. DKIM is the critical one for your deliverability.
DKIM (Domain Keys Identified Mail)
DKIM authenticates your "from" domain — the domain your recipients actually see in their inbox (e.g. yourcompany.com). It uses an encryption key and digital signature to prove that you authorised the email and that it hasn't been tampered with in transit. This is the most important authentication protocol for your deliverability.
Why is DKIM important?
DKIM significantly decreases the risk of emails landing in spam folders or being caught by spam filters. Without DKIM, a large portion of your emails will very likely be classified as spam when sent to recipients using Gmail, Yahoo, or Outlook/O365. A DKIM failure is far more serious than an SPF failure — it directly affects how recipient servers judge your legitimacy.
⚠️ DKIM and DMARC are now required
Since mid-2025, major email providers (Google, Yahoo, Microsoft) actively enforce both DKIM and DMARC as requirements for bulk senders. Emails without valid DKIM and at least a basic DMARC record are increasingly being blocked or sent to spam. If you haven't set up DKIM yet, contact your Account Manager or Customer Service immediately.
How to set up DKIM
DKIM setup is a collaboration between you and the Apsis Delivery team. During onboarding, your Apsis Consultant will guide you through the process. Here's what happens:
What Apsis needs from you
The domain you want to send emails from (your "from" domain, e.g.
yourcompany.com).A Selector — a keyword of your choice that identifies this specific DKIM key.
The setup process
You provide your domain and selector to Apsis.
The Apsis Delivery team creates a DKIM key pair and provides you with the public key.
You (or your IT team) publish the DKIM key in your DNS as a TXT record.
You let Apsis know the key is published.
Apsis activates DKIM signing on the mail transfer agent (MTA).
💡 Important notes
With the standard 2048-bit DKIM keys used by Apsis, the key will always need to be split into two strings in the DNS TXT record (this is a general DNS limitation on string length, not specific to any provider). Some DNS providers handle the splitting automatically; others require you to do it manually. Your Apsis Consultant will help you through this. If you send from multiple domains, you need a separate DKIM key for each domain.
* DNS (Domain Name System) is the system that maps domain names (like yourcompany.com) to IP addresses. Your DKIM key is published as a TXT record in your domain's DNS, which is managed by your hosting provider or IT team.
Understanding DKIM key pairs and DNS publishing
If the DKIM setup process feels abstract, this section explains what's actually happening behind the scenes.
What is a key pair?
DKIM uses asymmetric encryption — a pair of two mathematically linked keys:
Key | Who holds it | What it does |
Private key | Apsis (on the mail server) | Used to sign every email you send. The private key creates a unique digital signature that's added to the email's header. This key is never shared — only Apsis has it. |
Public key | Published in your DNS | Used by receiving servers to verify the signature. When Gmail or Outlook receives your email, it looks up your public key in your DNS and checks whether the signature matches. If it does, the email is confirmed as authentic. |
Think of it like a wax seal on a letter: the private key is your personal seal stamp (only you have it), and the public key is the reference pattern that anyone can check against to confirm the seal is genuine.
How to publish the DKIM key in your DNS
After the Apsis Delivery team generates the key pair, they'll provide you with the public key — a long string of characters that needs to be added to your domain's
DNS as a TXT record.
Here's what that looks like in practice:
What you'll receive from Apsis
Item | Example |
Record type | TXT |
Host / Name |
|
Value |
|
Where to add it
Log in to your DNS hosting provider (this is wherever your domain's DNS is managed — common providers include GoDaddy, Cloudflare, AWS Route 53, One.com, Loopia, or your company's own DNS server).
Navigate to the DNS management or DNS records section for your domain.
Add a new TXT record with the Host and Value provided by Apsis.
Save the record. DNS changes can take anywhere from a few minutes to 48 hours to propagate globally (most propagate within 1–2 hours).
Let Apsis know the record is published — the Delivery team will then activate DKIM signing.
⚠️ DKIM keys always need splitting in DNS
All DNS providers have a 255-character limit per string in TXT record values — this is a general DNS limitation. With the standard 2048-bit keys used by Apsis, the key will always exceed this limit and need to be split into two quoted strings within the same TXT record. Some DNS providers handle the splitting automatically when you paste the full key; others require you to split it manually. The key itself is not shortened — it's just wrapped differently. Your Apsis Consultant or your DNS provider's documentation can help.
💡 Multiple domains = multiple DKIM keys
If you send emails from more than one domain (e.g. yourcompany.com and yourbrand.se), each domain needs its own DKIM key pair. Repeat the setup process for each domain.
How to verify DKIM is working
After DKIM is activated, you should verify it's working correctly. The simplest way is to send a test email and inspect the email headers in the recipient's email client.
Method 1: Check in Gmail
Send a test email from Apsis One to a Gmail address.
Open the email in Gmail.
Click the three dots (⋮) in the top-right corner of the email → select "Show original".
In the original message view, look for the authentication results at the top. You should see:
SPF: PASS
DKIM: PASS
DMARC: PASS — if your domain has a DMARC record configured. Note: Gmail shows DMARC: FAIL both when the check fails and when the domain has no DMARC record at all.
If DKIM shows PASS, your setup is correct. If it shows FAIL or is missing entirely, the key may not be published correctly in your DNS — contact Apsis to troubleshoot.
Method 2: Check in Outlook (desktop or web)
Send a test email from Apsis One to an Outlook address.
Open the email in Outlook.
Outlook on the web (outlook.com / OWA): Click the three dots (⋯) → select "View message source" or "View message details".
Outlook desktop: Open the email → click File → Properties. The authentication results appear in the "Internet headers" field at the bottom.
Search for
dkim=passin the headers. You may also seeAuthentication-Resultswith individual SPF, DKIM, and DMARC verdicts.
Method 3: Use an online DKIM checker
You can also verify your DKIM DNS record without sending a test email. Several free online tools let you look up DKIM records directly:
Go to a DKIM lookup tool (e.g.
mxtoolbox.com/dkimordmarcanalyzer.com/dkim/dkim-check).Enter your domain (e.g.
yourcompany.com) and your selector (the keyword you chose during setup).The tool looks up the TXT record in your DNS and confirms whether the DKIM key is published and valid.
What to check if DKIM fails
Symptom | Likely cause | What to do |
DKIM shows FAIL | The public key in your DNS doesn't match the private key on the Apsis mail server, or the TXT record has a typo. | Check the TXT record value in your DNS matches exactly what Apsis provided. Even a single extra space or missing character will cause a failure. Contact Apsis if unsure. |
DKIM is missing (not listed in headers) | DKIM signing hasn't been activated yet on the Apsis side, or the TXT record isn't published / hasn't propagated. | Confirm with Apsis that signing is activated. Check your DNS to verify the TXT record is published. DNS propagation can take up to 48 hours. |
DKIM passes but emails still go to spam | DKIM is one factor among many. Other causes include poor sender reputation, high spam complaint rate, content issues, or missing DMARC policy. | Review the other sections of this article and the Keep Deliverability High article. |
Online lookup tool can't find the record | The TXT record may not be published yet, or the selector or domain entered is incorrect. | Double-check the selector and domain. Wait for DNS propagation if recently added. Verify the record in your DNS provider's control panel. |
💡 Make DKIM verification part of your onboarding checklist
After your Apsis Consultant confirms DKIM is activated, always send a test email and verify the headers before going live with your first campaign. A few minutes of checking now prevents deliverability problems later.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC is an email authentication policy that sits on top of SPF and DKIM. It lets a domain owner tell receiving servers what to do with emails that fail authentication — and get reports back about who is sending email using their domain.
What DMARC does
DMARC adds two capabilities that SPF and DKIM alone don't provide:
Capability | What it means |
Policy enforcement | You define how receiving servers should handle emails that fail SPF or DKIM checks — should they let them through, quarantine them, or reject them outright? |
Reporting | You receive aggregate reports from receiving servers showing who is sending email using your domain, which emails passed or failed, and why. This helps you detect unauthorised use of your domain (spoofing) and monitor your authentication health. |
The three DMARC policy levels
DMARC is configured as a TXT record in your domain's DNS. The policy is set using the p= tag:
Policy | What receiving servers do with failing emails | When to use |
| Monitor only. Failing emails are delivered normally. You receive reports but no emails are blocked. | Start here. Use this to collect data and identify all legitimate sending sources before tightening the policy. |
| Suspicious. Failing emails are placed in the recipient's spam or junk folder. | Move here once you're confident all legitimate sources (including Apsis One) pass SPF and DKIM. |
| Block. Failing emails are rejected entirely — they never reach the recipient at all. | The strongest protection against spoofing. Only use once you've verified all legitimate sending sources are fully authenticated. |
Why companies implement DMARC
DMARC adoption is growing rapidly, especially among larger organisations, financial institutions, government agencies, and any company that has experienced — or wants to prevent — email spoofing. Common reasons include:
Prevent phishing and spoofing — stop attackers from sending fake emails that appear to come from your domain (e.g. fake invoices, CEO fraud, phishing links).
Protect brand reputation — if someone spoofs your domain and recipients report it as spam, your domain reputation suffers, even though you didn't send the email.
Regulatory compliance — some industries and jurisdictions require DMARC as part of their cybersecurity or data protection frameworks.
Visibility — DMARC reports give you a complete picture of every system sending email using your domain, including services you may have forgotten about.
ISP requirements — since February 2024, Google and Yahoo require at least a
p=noneDMARC record for domains sending more than 5,000 emails per day.
DMARC and Apsis One — the critical dependency on DKIM
This is where it gets important: if your organisation implements or tightens a DMARC policy without having DKIM set up for Apsis One, your email deliverability will break.
Here's why. When you send an email through Apsis One, the technical sender domain is apsisone.com (covered by Apsis's SPF), but the "from" domain is your domain (e.g. yourcompany.com). DMARC checks whether the email is authenticated for the "from" domain. SPF alone won't pass DMARC alignment here because the SPF domain (apsisone.com) doesn't match the "from" domain (yourcompany.com). The only way Apsis One emails pass DMARC for your domain is through DKIM — because DKIM is signed with your domain's key.
So if DMARC is set to p=quarantine or p=reject and DKIM is not set up:
With
p=quarantine: your Apsis One emails will be sent to the recipient's spam folder.With
p=reject: your Apsis One emails will be rejected entirely — they simply won't arrive.
The receiving server sees an email claiming to be from your domain, checks DMARC, finds no valid DKIM signature, and treats the email as potentially fraudulent. Your legitimate marketing emails are flagged as "not authorised by the domain owner."
⚠️ Always set up DKIM before tightening DMARC
If your IT team is planning to implement or change your DMARC policy, contact Apsis first to ensure DKIM is set up and verified for every domain you send from. Moving to p=quarantine or p=reject without DKIM in place will cause your Apsis One emails to fail authentication and be blocked or spam-foldered. This is one of the most common — and most avoidable — deliverability disasters.
⚠️ Don't forget your own mail server
A common and dangerous scenario: your IT team sets up DMARC with p=quarantine or p=reject to ensure bulk email from Apsis One is delivered properly — and everything works perfectly for marketing emails. But if your own mail server (the one your employees use for everyday business email) doesn't have DKIM or SPF alignment configured for the same domain, those internal and business emails will also fail DMARC — and be spam-classified or rejected. Before tightening your DMARC policy, verify that all systems sending email from your domain (Apsis One, your own mail server, CRM systems, ticketing tools, etc.) have proper authentication in place.
💡 Recommended approach
Start with p=none to collect reports without affecting delivery. Review the reports to identify all services sending email using your domain (Apsis One, your own mail server, other marketing tools, ticketing systems, etc.). Set up DKIM for each service. Only then move to p=quarantine and eventually p=reject. Your Apsis Consultant can help you plan this transition.
DMARC is configured on your domain's DNS by you or your IT team. If you're unsure about your current DMARC policy or need help coordinating with your IT team, reach out to your Apsis Consultant or Customer Service.
IP management
Every email is sent from an IP address. The reputation of that IP address affects whether your email is accepted by the recipient's server.
Detail | How it works in Apsis One |
IP ownership | All IP addresses used for sending are owned and managed by Apsis. |
Monitoring | The Delivery team monitors IP reputation regularly, performs warm-ups, and checks server blacklists. |
Your action required | None. All aspects of IP management are handled by Apsis. You don't need to worry about your IP address having a bad reputation. |
💡 Private technical sender domain
All emails from Apsis One accounts are sent using a private technical sender domain — a unique, customer-specific subdomain (e.g. [your-account-id].apsisone.com). This ensures that one account's sending behaviour cannot damage another account's deliverability. When recipients mark your emails as spam, only your technical sender domain is affected — not other Apsis One customers.
Transport Layer Security (TLS)
TLS encrypts data while it's sent over the internet, preventing hackers from intercepting the content in transit. It's a cryptographic protocol that provides end-to-end security between applications — especially important for private and sensitive information.
Apsis requires at least TLS encryption 1.2.
TLS behaviour in Apsis One
Sending method | TLS behaviour |
Email tool | TLS encryption is the default. If the recipient's email server doesn't support TLS, the email is delivered unencrypted. You can request forced TLS (see below). |
Marketing Automation | Forced TLS is the default, since Marketing Automation emails are considered personal emails. |
Forced TLS encryption
With forced TLS, emails are only sent through channels that require TLS encryption. If the recipient's mail server does not support encryption, the connection is dropped and the email is discarded — which means you may experience slightly higher bounce rates.
To enable forced TLS encryption for all types of sending (including Email tool), contact the Support Team. When enabled, it covers all Sections in your account.
💡 When is forced TLS required?
Currently, Denmark is the primary jurisdiction that requires forced TLS for email marketing. If you send to Danish recipients or operate under Danish data protection regulations, consider enabling forced TLS. For other markets, the default TLS behaviour (encrypt when possible, fall back to unencrypted if not) is sufficient for the vast majority of use cases.
⚠️ Content encryption
TLS encrypts data in transit only — it does not encrypt the email content itself. If you need to encrypt the actual content of your emails (e.g. for sensitive data), solutions like PGP, S/MIME, or Microsoft 365 Message Encryption are recommended.
💡 GDPR consideration
In some jurisdictions, GDPR regulations call for a higher level of security when sending emails. Make sure to investigate the regulations for your local jurisdiction and consult your data protection officer if needed.
What's next?
Keep Deliverability High — Consent management, content guidelines, warm-up process.
About Microsoft's EOP — How Exchange Online Protection affects deliverability.
Apple Mail Privacy Protection (MPP) — How Apple's privacy features affect open tracking.
Custom domain — Setup and onboarding — Brand your link URLs and system pages.