Email authentication: SPF and DKIM

This article refers to MailPoet 2

If you're looking for MailPoet 3 articles, please go to MailPoet 3 Knowledge Base

Email authentication plays an essential role in the deliverability of your email newsletters. It directly affects your open rate by helping your newsletters reach your subscribers' inboxes, avoiding the dreaded Spam folder.

According to Wikipedia:

Email authentication is a collection of techniques aimed at equipping messages of the email transport system with verifiable information.

If you run a test with, you'll notice that two of these techniques are the most important ones to your Spam Score: SPF and DKIM.

In simple terms, both of these email authentication techniques are used to verify that a FROM address used on an email is authorized by that website's domain.

Both SPF and DKIM authentication can be set up by adding TXT entries to your server's DNS records. This is done through your host's control panel (usually cPanel, Plesk or WHM).

SPF (Sender Policy Framework)

SPF is used by your subscribers' email servers (Gmail, Hotmail, Outlook, self-hosted email, etc.) to verify if the FROM email address you used on your newsletter is authorized by your website. If you want to use a third-party service to send your MailPoet newsletters (like SendGrid or ElasticEmail), you'll need to add their SPF or DKIM records on your website's DNS.

This is one of the reasons why you can't send a newsletter from your website using a Gmail account as a FROM address (, for example). When your subscribers' email servers receive that newsletter, they will check if you are authorized to use a Gmail email address on a newsletter sent from your website. Since Gmail's servers don't have SPF records for your domain, this means your newsletter was not authorized. As a result, it will mostly end up in your subscribers' Spam folders.

Read these guides from Mail Tester to help you setup an SPF record in your host's DNS records. 

A more technical explanation of this method can be found here: Sender Policy Framework at Wikipedia.

DKIM (DomainKeys Identified Mail)

DKIM is basically another TXT record added to your host's DNS records. Your MailPoet install will cryptographically sign your newsletters with a key generated specially for your website. When your subscribers receive your newsletter, their email servers will grab the key on your website's DNS records. Then, it will use this key to perform a cryptographic authentication to make sure your newsletter was not modified during the sending process.

Who can use it?
  1. This feature is available to Premium users only.
  2. MailPoet users that send their newsletters using a third-party service, like SendGrid or Elastic Email, should not activate this option, as these providers already sign your messages with their own DKIM keys. See SendGrid's doc and Elastic Email's instructions.
How to set it up (if you are sending with your own website: PHP Mail, Sendmail or WP-Mail options):

1) Activate the DKIM option in MailPoet's Settings page > Advanced tab > Geeky Options

2) Go to your host's control panel (cPanel or Plesk), locate the DNS administration icon and add a new TXT record with the Key and Value provided by your MailPoet install (image above).

If you need further help with doing this, please contact your host company support and ask them. They should help you setup your DKIM.

Note: it's impossible to change this on 1and1 hosting, unfortunately.

Want to check your DKIM record? Just use this handy tool from mail-rester: SPF and DKIM check

A more technical explanation of this method: DomainKeys Identified Mail on Wikipedia