DKIM and DMARC authentication is required for reliable email delivery. Following authentication requirement changes introduced by Gmail and Yahoo, all senders using Dewy should set up DKIM and DMARC for their sending domains.

When you send email, mailbox providers like Gmail, Outlook, AOL, and Yahoo evaluate whether each message is legitimate or sent by a spammer or phisher. This applies to email sent through Dewy as well, which is why authentication matters.

Before you begin, use an established sending domain that you own. Your domain should be older than 30 days and point to a valid website rather than a blank page. If you're using a brand-new domain, warm it up before sending volume through it.

The three authentication methods

There are three standard methods used to verify a sender's identity: SPF, DKIM, and DMARC. Gmail and Yahoo now require DKIM and DMARC to achieve inbox delivery, and most other mailbox providers already expect senders to authenticate their traffic.

‍

DNS records to add

To authenticate your sending domain, add the following records at your DNS provider. Replace any placeholder host values your DNS provider prepends to the Name field if it auto-appends your root domain.

‍

After adding these records, allow time for DNS propagation (often within an hour, but it can take up to 48 hours) before verifying in Dewy.

How to add DNS records to your domain

Once you have the DNS records, navigate to your domain host and add the records to your sending domain.

• GoDaddy
• Squarespace/Google Domains

‍

Why authentication matters

Setting up DKIM and DMARC delivers several benefits:

• ‍Reinforce your branding. DKIM authentication removes the "via..." header that Gmail otherwise displays next to your sending name, so your brand shows cleanly.‍
• Build sending reputation on your own domain. Sending unauthenticated email is like turning in homework without your name on it—you can't take credit for it. DKIM in particular ties your sending reputation to your domain.‍
• Enforce stricter domain security. Standards like DMARC help protect your domain from fraudulent or spoofed use.

Authentication doesn't solve every deliverability problem—it won't make a recipient want an email they didn't ask for—but it does solve the problem of proving who an email comes from. Senders who follow best practices (high-quality, personalized email to opt-in lists with regular list hygiene) typically see stronger deliverability once authenticated, while senders who don't will see their domain build a poor reputation.

SPF (Sender Policy Framework)

SPF records are TXT records on your domain that authorize specific servers to send mail using your domain name. When you set up a sending domain in Dewy, the process includes pointing a Mailserver Domain to us via the CNAME record shown above (em-4124115 → cmd.emsend1.com). This lets Dewy serve the required SPF record on your behalf, so SPF is fully covered once the Mailserver Domain record is in place.

This means you don't need to create or modify a separate SPF record to work with Dewy. Note that a domain can have only one SPF record—if you already have an existing SPF record for other services, modify that record rather than creating a second one.

DKIM (DomainKeys Identified Mail)

DKIM is a cryptographic signature applied to your outgoing messages that proves the message genuinely came from you and not a bad actor. Dewy inserts a hidden signature into your email header, and the public keys placed on your DNS (the two DKIM CNAME records above) verify that signature's authenticity.

DKIM helps prevent spoofing and phishing of your domain, and it allows mailbox providers like Gmail, Microsoft, and Yahoo to track your sending domain's reputation. If your domain reputation is stronger than the reputation of the sending IPs, providers may default to your domain reputation, which can improve performance.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on top of SPF and DKIM. It lets the domain owner set a policy telling mailbox providers what to do when a message fails SPF and DKIM checks. The record above uses a basic policy (v=DMARC1;p=none;) that satisfies Gmail and Yahoo's requirement for a DMARC record without affecting how your messages are handled. Think of it as a compliant placeholder you can tighten later.

DMARC supports three main policy values:

• p=none — Messages are treated normally if DMARC fails. Equivalent to having no enforcement, though you still get DMARC's reporting features. (This is the policy in the table above.)
• p=quarantine — Messages that fail the DMARC check are delivered to the spam folder.
• p=reject — Messages that fail the DMARC check are bounced and not delivered.

A quarantine or reject policy requires correct DKIM setup for your sending domain—otherwise all your mail will fail DMARC and be filtered to spam or blocked entirely. Make sure DKIM is fully configured (the two DKIM records above) before moving to a stricter policy.

Benefits of DMARC include preventing domain spoofing, enabling BIMI, and meeting the basic delivery requirements of providers like Gmail and Yahoo.

After setting up authentication

Your domain should also have an MX (mail exchanger) record, which specifies the server responsible for accepting incoming email for the domain. This is typically handled by an email provider like Google Workspace or Microsoft 365. If you're already receiving mail at your domain, this is already in place.

A note on SenderID

SenderID was a Microsoft authentication standard intended as an SPF replacement, but it has been deprecated and is no longer used—you don't need to configure it. If you have any SenderID records in your DNS (TXT records starting with spf2.0), remove them. SPF (records starting with v=spf1) remains the widely supported industry standard.