Series Edition: Section 2 - Authentication Protocols “Your Emails' Identity Crisis”

Your Emails Need an ID Card

SPF, DKIM, DMARC Explained (Without the Jargon)

Here’s an example: You write the ideal email. It has everything. You have a good copy and good design. You send it to 50,000 recipients. Gmail blocks your email.

Why?

Because you didn’t verify your identity.

This is called authentication, and you must do it.

The Trust Problem

These days, ISPs (Internet Service Providers: Gmail, Yahoo, Outlook, et al.) do not trust anything by default. The first thing they want to ask about an incoming email is whether it is legitimate and whether it really came from whoever the sender claims to be.

And why do they do that? Because spammers are sneaky. They use fake domain names, masquerade as your bank, clone organizations, and send you emails which are supposedly sent "from: [email protected]," whereas they were sent from some shady server located in Russia.

To establish authenticity, ISPs designed a special mechanism that we refer to as an email's ID card and authentication protocols!

But here's how things are different: In February 2024, just two years ago, Gmail and Yahoo implemented this rule. If you're not authenticated, and you're trying to send 5,000 emails per day, they will not be accepted or moved to the junk folder without any consideration for the content. You'll be rejected. And today, in 2026, there are even more severe measures in place. There are no temporary warnings from ISPs anymore. Your emails get immediately rejected.

So if you haven't set this up yet, you have a serious problem right now.

The Three Protocols

There are three authentication systems. They work together like a security team. SPF is your basic ID check. DKIM is your certified signature. DMARC is the enforcement layer.

SPF: The Clipboard

SPF stands for Sender Policy Framework. Here's the simple version: SPF is a whitelist.

You make a list of the servers that are allowed to send emails using your domain name. The email will be passed by Gmail if the email comes from any of those servers. Otherwise, the email will fail.

Imagine a bouncer with a list at the entrance of a nightclub. "Names on the list, come in. Not on the list? Then you can stay outside!"

Now here’s the downside: SPF checks the source only. However, a smart attacker can spoof an email if they know the right server. Yet it is crucial. Every domain need SPF.

DKIM: The Wax Seal

DKIM, which stands for DomainKeys Identified Mail, is tougher to spoof than SPF. This involves digitally signing your message, like stamping a wax seal on an envelope.

Here's how it works: Whenever you send an email, DKIM digitally signs it (this is done automatically by your email provider). Once the recipient gets your email, they authenticate this digital signature and ensure two things: (1) that it is genuinely from you, and (2) that it hasn’t been tampered with since sending.

ISPs consider DKIM very important when evaluating emails. If your email has been DKIM-signed, the ISPs give it priority. On the other hand, if it is unsigned, they are suspicious of it.

Good news: Your email provider takes care of DKIM signing automatically.

DMARC: The Boss

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It's the boss of the group. It combines SPF and DKIM and tells ISPs what to do when something goes wrong.

DMARC has two functions:

1. Enforcement: You inform ISPs about what should happen if an email fails SPF and/or DKIM. Should they reject the email? Quarantine it? Or should they simply monitor it?

2. Visibility: Reports come in that will let you know exactly what's going on in your authentication process.

Here's where you have some serious control and insight.

How They Work Together

SPF checks: Is this coming from an authorized server?

DKIM checks: Is this properly signed digitally?

DMARC policy: If either fails, this is your response.

All three work together to create a castle. Basically, you're saying, "Email security is important to me. IISPs can rely on my emails."

If one of them is missing, there is a vulnerability. The ISPs will take advantage of this by using more filtering.

And it must be monitored. You don’t set it up once and leave it alone.

Why ISPs Got Strict

ISPs are overwhelmed with spam. In fact, approximately 46% of email traffic consists of spam. Thus, ISPs are ruthless when it comes to filtering. And one of the first criteria is authentication.

If your email lacks SPF, DKIM, and DMARC authentication protocols, ISPs will instantly assume that you're a spammer. No "maybe" or "possibly." Assume. Because legitimate businesses always authenticate their messages. Professionals don't send unauthenticated emails. Spammers do.

When Google and Yahoo required authentication two years ago, they weren't being jerks. They were saying, "Look, we are overwhelmed with spam. If you want us to consider looking at your message, show us it isn't a scam."

Why ISPs Became a Bouncer

Approximately 46% of all email that is being sent at this very moment is spam. Yeah, about 46%. That's crazy!

Gmail receives 15 billion unsolicited emails EVERYDAY. Yes, you heard right. 15 BILLION!

That is why they decided to tell everyone that “Nobody can be trusted anymore. Everyone must show ID.”

Having SPF, DKIM and DMARC will mean that you are telling Gmail, “I’m here legally and I take security seriously.” Gmail listens to that.

Not having these three means that Gmail treats you as spam. Since only legitimate businesses authenticate emails.

The Death Spiral (This Is What Actually Happens)

1. You fail authentication -> ISPs won’t recognize you

2. ISPs won’t recognize you -> your emails go through filtering

3. Emails are filtered -> people ignore them -> ISPs see low user activity

4. ISPs see low user activity -> they’ll be stricter with filtering next time

5. You’re on the spam permanently -> nothing goes through anymore

And the worst part about it is that the recovery process is long. We’re talking about weeks or even months. You’re going to be struggling against Gmail and Yahoo to get off the spam blocklist. Your reputation is ruined. And even when you do fix the authentication, Gmail’s not going to trust you anytime soon.

But there’s no need for it at all. This is entirely preventable.

Real Talk

If you’re not positive that SPF, DKIM, and DMARC are configured, chances are good they’re not.

Check it right now. Seriously.

Look up “SPF DKIM DMARC checker,” type in your domain, and you’re done in five minutes. If there’s a problem, send an email to your email service provider ASAP. They’ll get it sorted out.

Not done setting them up. Better get started right now. Don’t wait. Do it today. Gmail and Yahoo aren’t playing games.

What You Need to Remember

Authentication is mandatory. This is true for Gmail and Yahoo, which will enforce it by 2026.

No authentication means automatic fraud. ISPs make no exceptions.

There are serious consequences for making mistakes. Loss of income. Reputational damage. Contractor expenses. Support costs. Loss of elections.

It takes time and money to rebuild your reputation. Preventative measures are less expensive than remedial ones.

You need SPF, DKIM, and DMARC, all three.

Next Section

Authentication is the first hurdle that ISPs put up for your emails. They need to confirm that your emails are authentic before looking at anything else.

But there's a second barrier: sender reputation.

Even when emails are perfectly authenticated, ISPs will still question if they should trust the sender by asking: “Are we sure about this sender?” The answer lies in various metrics such as how many users open your email, how often are you reported as spam, your history of sending, and whether you send to invalid email addresses.

By Julia, Deliverability Expert

“I don't want no scrub, a scrub is an email that can't get no love from me.”

Here at Campaign Nucleus, we want to make it as easy as possible for our users to produce the most successful email content possible. With that our team has done some research and put together some information we’ve found helpful in creating our own emails.

Let’s start simple – what are the things that every recipient is going to notice about your email?

1. Your sender
2. Your subject line
3. Your content

Now let’s talk about how we can utilize all 3 of these factors to create the MOST TOP NOTCH EMAIL possible!!

Sender:

When you see an email in your inbox, what is the first thing you see? Likely, the sender’s name. Are you more likely to open an email that appears to be sent from a specific person or one that declares a corporation. Likely, a specific name.

Well, your audience feels the same. This means you can improve your user engagement simply by using a more personalized sender, such as a team member, to make your communications seem more “human”and less “AI generated.”

For example, an email being sent from Julia from Nucleus may perform a bit better than one being sent from the Biden Administration (although that may have more than one reason for performing poorly…).\

With that, consistency is also always key – it’s a good habit to keep one sender and domain affiliated with each type of content being sent.

Subject Line:

Following the sender, you likely immediately notice the subject line affiliated with the email.

When it comes to subject line, there are a couple things to keep in mind:

• Topic – always make sure your subject line sticks to the point. No one wants to open an email that has nothing to do with the subject line… it appears deceiving

• Length – your subject line length can actually drive your engagement. Short subject lines (below 50 characters) & longer subject lines (above 70 characters) actually have been found to receive more engagement than average-length subject lines.
  

Content:

The last thing the recipient will see but generally the most important portion of the email for them to see.

There are lots of considerations to be made when designing our content & every audience type responds differently to different copy types.

We encourage individuality in your sends but here are a few things to keep in mind:

• Be concise – the average human has a reading attention span that ranges from 10-15 seconds… that isn’t very long.

• Consider your call to action – it’s good practice to include multiple links within the email & our system makes it easy to determine where your audience is engaging the most within your email.
  

• Always check variables – we want to make sure we do not address our recipients as “Hello %recipient.first%.”

• Make your email readable – this includes but is not limited to:
  • Having a nice layout – easy to read & pictures should never outweigh text
  • Using color and branding wisely
  • Ensuring pictures are high enough quality that they engage your audience (although too much data can slow your email load time & that isn’t great either)

For more information be sure to contact our team for training or insight and visit your Nucleus Resource Library!

OR

Taking your unsubscribe to the next level

By Julia, Deliverability Expert

At Campaign Nucleus, we make it a point to never force industry-recommendations on to you while creating and sending your emails. We previously discussed the legal importance of including an unsubscribe link in every email we send. Since then, we have improved our system and now offer an optional one-click unsubscribe feature that you may choose to implement.

I’m sure you are wondering: What is the difference between this feature and the unsubscribe link we already use?

Well… currently, when a recipient clicks the unsubscribe link, they are redirected to a page where they may enter their email and they will be immediately unsubscribed. In the case of a one-click unsubscribe, a user may click the link and will be immediately unsubscribed without being redirected to another page to do so.

While this is not an industry standard or policy, it is highly recommended. This is dominantly because it is a simpler route of unsubscribing which ensures people who intended to be unsubscribed do so properly. In some cases of a double-opted unsubscribe link, some users may accidentally remain subscribed, and this can lead to an increase in user complaints which can affect your domain and IP reputation.

For instructions on how to enable this feature in your tenant, please visit your Nucleus Resource Library!

OR

INBOX PLACEMENT VS. DELIVERABILITY

By Julia, Deliverability Expert

I’m sure you’ve wondered, at one point or another, what we are really monitoring during our domain warming phases.

Well, I’ll tell you…

The two main things we are watching while determining how quickly or slowly we can increase our sending volume is:

1. Deliverability
2. Inbox Placement

I am sure you’ve heard both of these terms used by our email team; let’s discuss what they are, why they are important, & how we can be tracking them.

The WHAT

Deliverability implies to the rate at which your sends are getting through to the server

Inbox placement refers to where your email lands – whether it lands in spam, your promotional inbox (‘other,’ ‘promotions,’ etc.), or your primary inbox.

The WHY

Deliverability is a key player in your email ‘delivering;’ it simply means the rate at which a server is allowing your messages through to the recipient. This does not ensure where the email will land within the inbox, just that the server did not fully block the message.

Inbox placement is, arguably, even more important because it determines where the email lands within the inbox. Since many of us are not regularly looking through our junk mailboxes, I think we can all agree the email will reach the most recipients when it is visible in the general inbox.

The HOW

When it comes to tracking your success with deliverability, we are looking at our deliverability rate. The closer the deliverability rate is to 100%, the better!

In terms of our inbox placement, we will be monitoring our open rate. While it can be impossible to precisely measure our inbox placement, a higher open rate means that more people are likely seeing the email, meaning it is more likely to be landing in our recipients’ general inbox

The graphic above shows us a couple of different servers & their deliverability and open rate. It is a great example of how our deliverability & inbox placement can reflect on each server differently.