# Email Authentication

Email authentication tells inbox providers that they can trust an email message. Authentication prevents malicious actors from spoofing legitimate traffic, which reduces forgeries, spam, and phishing attempts. When you establish and maintain proper authentication records, inbox providers lean toward trusting email originating from your domain.

Email authentication builds on three standards that use the [domain name system (DNS)][dns]:

* [*DomainKeys Identified Mail* (DKIM)][dkim]
* [*Sender Policy Framework* (SPF)][spf]
* [*Domain-based Message Authentication, Reporting & Conformance* (DMARC)][dmarc]

## SPF

SPF lets domains specify which servers they have authorized to send email on their behalf. Receiving hosts can confirm this authorization. The sending email server adds a [`TXT` record][TXT] to its DNS. This record contains a list of the [IP addresses][IP] of email servers authorized to send email messages for that domain. The receiving server can compare the email sender's actual IP address to the list in the SPF record.

## DKIM

DKIM stores a public cryptographic key in a DNS `TXT` record. The sending email server in the same domain adds a cryptographic signature to your emails' headers. This signature contains a digital fingerprint encrypted with the public key and the instructions for generating that same digital fingerprint. If the fingerprints match, the receiving email server can consider the email message authentic.

## DMARC

DMARC requires both SPF and DKIM. DMARC checks that the sending domain matches the domain in the sending email address. It also tells the receiving email server what to do with email messages that fail the SPF check, DKIM check, or both checks.

[spf]: /docs/glossary/spf

[dkim]: /docs/glossary/dkim

[dmarc]: /docs/glossary/dmarc

[dns]: /docs/glossary/dns

[IP]: /docs/glossary/ip-address

[TXT]: https://en.wikipedia.org/wiki/TXT_record
