Email authentication includes a number of strategies to identify the sender of an email. You (the email sender) can use email authentication to clearly tell receiving email servers that your emails really come from your company. These identification methods tell receiving email servers that your emails are really from you.

There are multiple email authentication mechanisms currently in use. Each mechanism was developed by a different company or anti-spam organization. Mapp supports all of the important email authentication mechanisms that are currently available. We strongly recommend that you implement all of these mechanisms, rather than just one.


We recommend that you use the Message Check feature to perform identity checks before sendout. Message Check makes sure that your email authentication mechanisms are in place and working correctly.

Note that email authentication only confirms your identity as a sender. Email authentication does not affect the contents of your email or check that your email is safe and free from viruses.


Email security is a partnership between your organization and Mapp. Each of the email authentication mechanisms discussed here requires some action on your part, such as the publication of information in the Domain Name Service (DNS) of the domain that you use to send email.

These mechanisms are usually set up when we initially set up your Mapp Engage system and define your sendout domain or domains. If you want to start sending from a different domain, it is necessary to ensure that email authentication is in place for your new domain, as well. Contact your customer representative for assistance.

How Email Authentication Works​

All email authentication mechanisms work in a similar way.

  1. You create and send an email in Mapp Engage. The email is transmitted to Mapp's mail servers for sendout.

  2. During sendout, Mapp Engage adds identity information to the header of your email. This information is not visible to end recipients (your contacts) who read the email. However, this information is visible to the receiving email server.

  3. The email is delivered to the receiving email servers of your contacts (such as Google, Yahoo, or Hotmail). The receiving email server processes your incoming email message.

  4. The receiving email server accesses your DNS record to obtain the necessary authentication records.

  5. The receiving email server compares this information to the information that Mapp Engage added to your email header. If the information matches, the receiving email server knows that you really sent the email.

  6. Once the email identity is clear, the receiving email server delivers the email to the inbox of your contacts.

Email Authentication and Deliverability​

Email authentication is only one part of a comprehensive strategy to ensure email security and improve email deliverability. The relationship between email authentication and deliverability is complex.

Email authentication confirms your identity as a sender. Just because your identity as a sender is confirmed, does not mean that you are sending a permission-based email with double-opt-in. Likewise, email authentication does not guarantee that you will not receive spam complaints from your contacts.

For you as an email sender, the advantage of email authentication is that you create a verifiable identity as a sender. For email that is successfully authenticated, receiving email servers now have a verifiable sender identity for which they can build a reputation. Sender reputation is based on things like spam complaint data or the existence of bad addresses. Even with email authentication in place, it is up to you to create a great sender reputation. Sender reputation, which is based on actual contact reactions to your email over time, is a crucial factor in email deliverability.

Email Authentication Mechanisms in Mapp Engage​

We support the following email validation mechanisms:

  • ​Sender Policy Framework (SPF)​

  • DomainKeys Identified Mail (DKIM) ​

  • DMARC​

Sender Policy Framework (SPF)​

SPF protects the envelope sender address, also called the "return path," which is used for the delivery of email messages.

SPF consists of a list of all the mail servers that are allowed to send an email on behalf of a particular domain. The list is published as an SPF record in the Domain Name System (DNS) of the sender's domain. The receiving mail servers access the SPF record to check whether the incoming email is sent from a mail server that is authorised by the domain's administrators. If the email comes from an unknown mail server, then the email is recognized as a fake. The receiving mail server rejects the email.

For more information, see ​SPF Record​.

We recommend that you use the Message Check feature to perform an SPF check before sendout.

DomainKeys Identified Mail (DKIM) ​

DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails. With DKIM, the receiving mail server can verify that a message actually comes from the domain that it claims to come from. DKIM also tells the receiver that the contents of the message were not altered since the time that the signature was placed.

DKIM adds a digital signature to the header of each email. This signature is encrypted. The encrypted signature is stored in the Domain Name System (DNS) of the sendout system. The receiving mail server performs a DKIM check to verify that the message is signed and associated with the correct domain.

The DKIM signature is registered, on request, when a Mapp Engage system is set up. This DKIM signature may differ from the actual domain of your Mapp Engage system.

Your contacts do not see the DKIM signature in their inboxes.

For more information, see DKIM Signature​.

We recommend that you use the Message Check feature to perform a DKIM check before sendout.


DMARC standardizes how email receivers perform email authentication using the existing SPF and DKIM mechanisms. When a sender publishes a DMARC policy, the sender clearly indicates to the mailbox provider whether the sender's emails are protected by SPF and/or DKIM. The sender also specifically tells the mailbox provider what to do if an incoming email fails the SPF and DKIM authentication tests - i.e. block the message or divert it to the spam folder. Furthermore, the mailbox provider can report back to the email sender about whether incoming emails pass or fail the evaluation process.

For more information, see DMARC​.