Email Authentication Protocol
Introduction
Authentication is the method to verify that the email messages you are sending are from your business and are trusted. Authentication allows other participants like ISPs, message transfer agents (MTA), mail delivery agents (MDA), and mail user agents (MUA) to verify that an email attributed to you as a sender has been sent by you before they transfer or deliver it. There are three main types of email authentication protocols as listed below.
SPF
DKIM
DMARC
About SPF
SPF (Sender Policy Framework) is a TXT type record that you get from your ESP and put in your DNS. It specifies which servers may send emails on behalf of your domain.
For a detailed article about implementing SPF authentication, see our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
Ongage Best Practice Regarding SPF Records With Multiple ESPs
Ongage recommends using different sending domains for different ESPs, for a variety of reasons, one of them being that the reputation of one ESP account will affect the reputation of the other ESP account.
Having said that, it is possible to merge two SPF records into one. If you take the SPF record rule from one ESP and the SPF rule from another ESP, the two rules can be merged into one SPF record, so that you can use the same sending domain for both ESPs from Ongage. As noted above, this is not recommended.
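The merge described above, as an added example that is not Ongage or ESP code. The two input rules and their include hosts are constructed samples, and keeping the stricter of the two "all" terms is a choice made by this example.

```python
# Added example: merge two ESP-supplied SPF rules into a single TXT record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
STRICTNESS = {"-all": 3, "~all": 2, "?all": 1, "+all": 0, "all": 0}


def split_spf(record):
    """Split 'v=spf1 ...' into (mechanisms, trailing 'all' term or None)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = [t for t in terms[1:] if t.lower() not in STRICTNESS]
    all_terms = [t.lower() for t in terms[1:] if t.lower() in STRICTNESS]
    return mechanisms, (all_terms[-1] if all_terms else None)


def count_lookups(mechanisms):
    """Count top-level terms that cost a DNS lookup (RFC 7208 limit: 10).
    Lookups made inside each include are not visible offline and add to this."""
    count = 0
    for term in mechanisms:
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":
            name = name.split(sep)[0]
        count += name in LOOKUP_TERMS
    return count


def merge_spf(record_a, record_b):
    """Return one SPF record authorizing the senders of both inputs."""
    mechs_a, all_a = split_spf(record_a)
    mechs_b, all_b = split_spf(record_b)
    merged = list(dict.fromkeys(mechs_a + mechs_b))  # de-duplicate, keep order
    if any(m.lower().startswith("redirect=") for m in merged):
        raise ValueError("redirect= hands off to another record; merge by hand")
    if count_lookups(merged) > 10:
        raise ValueError("merged record exceeds the 10-DNS-lookup limit")
    # Choice made by this example: keep the stricter of the two 'all' terms.
    candidates = [a for a in (all_a, all_b) if a] or ["~all"]
    return " ".join(["v=spf1"] + merged + [max(candidates, key=STRICTNESS.get)])


# Constructed sample rules (hypothetical ESP include hosts).
ESP_ONE = "v=spf1 include:spf.esp-one.example ~all"
ESP_TWO = "v=spf1 ip4:192.0.2.0/24 include:mail.esp-two.example -all"

if __name__ == "__main__":
    print(merge_spf(ESP_ONE, ESP_TWO))
```

A domain must publish only one SPF record, which is why the two rules are combined into a single TXT value rather than added as two records.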
Ongage Best Practice About Using Subdomains
For ESPs that ask for MX records, you can use info@subdomain.domain.com in the from address so that replies arrive in an actual inbox. One reason for setting this up is that you do not face any DNS overlap issues. Another reason is that it lets you set up an inbox to receive replies.
About DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing messages, allowing the receiver to verify that the email was actually sent by the domain owner. This process ensures the content hasn't been tampered with during transit, which helps prevent phishing and improves your email deliverability.
For detailed steps about DomainKeys Identified Mail, visit our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
About DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that uses SPF and DKIM to tell receiving servers how to handle emails that fail authentication, such as by rejecting them or sending them to spam. It also provides domain owners with detailed reports on who is sending mail on their behalf, offering essential visibility into potential spoofing attempts.
For more about DMARC and how to implement it, visit our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
Image from dmarc.org
In 2025, DMARC has become more important than ever. With stricter email authentication requirements from major providers like Google and Microsoft, having DMARC in place is now a must for bulk senders to protect against phishing and spoofing. And it’s not just for bulk senders anymore — it’s become a key factor in keeping your emails deliverable.
Recommended DMARC Rollout Strategy
Rather than jumping straight to p=reject, we strongly recommend a phased approach:
Step 1 (current): p=none — You're here. This is monitoring-only.
Step 2: Move to p=quarantine; pct=25 — This tells ISPs to quarantine only 25% of messages that fail DMARC. Monitor your DMARC reports (the rua address in your record) for 1–2 weeks. If you see zero legitimate failures, increase the percentage.
Step 3: Move to p=quarantine; pct=100 — Full quarantine enforcement. Monitor for another 1–2 weeks.
Step 4: Move to p=reject — Full rejection of unauthenticated messages.
This gradual rollout ensures that if there's a misconfiguration (a forgotten third-party sender, a legacy system sending on your domain, etc.), you catch it before it causes delivery failures.
DMARC Reporting
Make sure your DMARC record includes an rua tag pointing to a mailbox or service where you can receive aggregate reports. Example: rua=mailto:dmarc-reports@your-domain.com. These XML reports will show you exactly which sources are sending as your domain and whether they pass or fail. Free tools like DMARC Analyzer, Postmark's DMARC tool, or EasyDMARC can parse these reports into readable dashboards.
Bonus: BIMI Readiness
Once you're at p=quarantine or p=reject, you'll also unlock eligibility for BIMI (Brand Indicators for Message Identification), which lets you display your brand logo next to your emails in supported inboxes like Gmail. This is a great trust signal and brand visibility boost.
About BIMI
The Brand Indicators for Message Identification (BIMI) protocol allows companies to display their brand’s logo next to the email subject line, telling email recipients that the message is coming from a verified source.
What is a BIMI record?
It is a type of DNS record that is used to display the company’s logo inside your email message. It helps email recipients to identify you as a trusted sender. To enable the BIMI record, ensure your DMARC authentication is set up on the domain.
Requirements to get started with BIMI
To get started with BIMI you need:
To be DMARC verified.
An SVG file of your logo (square shaped).
A DMARC policy (p=) of “quarantine” or “reject” for Verizon Media (AOL and Yahoo!). Otherwise your logo will not be displayed.
To have a Verified Mark Certificate (VMC).
Note: To get a Verified Mark Certificate (VMC), you can contact one of the following participating certificate authorities.
Digicert: support@digicert.com
Entrust Datacard: sales@entrustdatacard.com
How to create a BIMI record?
To create a BIMI record for your domain follow the steps listed below.
You need the logo file in SVG format. For the detailed steps to convert your logo to SVG format, you can refer to the documentation here.
Go to the DNS hosting provider and create a new record.
Enter the host value, for example default._bimi.example.com. The hosting provider will then append the domain/subdomain to the value that you have provided.
After adding the value, you need to select the type of DNS record from the dropdown list. A BIMI record is a type of TXT DNS record. So make sure you select the “TXT” option from the dropdown list.
Add the record value. Two tag-value pairs are required on every BIMI record: v and l (lowercase L).
The only tag-value pair for v (version) is v=BIMI1.
Confirm the l (location) tag is present and followed by the full URL of your logo using HTTPS (the tag is a lowercase L).
Click on the “Save Record Set” button so you can generate your new BIMI record.
You also need to test your BIMI record to check that the record you just created follows proper syntax. You can visit here to run a BIMI record check.
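A local check of the record rules above and of the DMARC rollout steps earlier on this page, as an added example that is not Ongage code or the online checker mentioned above. The function names are hypothetical, and the rule that the logo path ends in .svg is this example's reading of the SVG requirement.

```python
from urllib.parse import urlparse


def parse_tags(record):
    """Parse 'k=v; k=v' TXT syntax into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def rollout_step(dmarc_record):
    """Map a DMARC record to the rollout step (1-4) it corresponds to."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return 1
    if policy == "quarantine":
        return 3 if pct == 100 else 2
    if policy == "reject":
        return 4
    raise ValueError("unknown policy: %r" % policy)


def bimi_problems(bimi_record, dmarc_record):
    """Return the reasons a logo would not be eligible (empty list = OK)."""
    problems = []
    tags = parse_tags(bimi_record)
    if tags.get("v") != "BIMI1":
        problems.append("v tag must be BIMI1")
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https" or not logo.netloc:
        problems.append("l tag must be a full HTTPS URL")
    elif not logo.path.lower().endswith(".svg"):
        problems.append("logo must be an SVG file")
    if rollout_step(dmarc_record) == 1:
        problems.append("DMARC policy must be quarantine or reject")
    return problems


if __name__ == "__main__":
    # Constructed sample records.
    print(bimi_problems("v=BIMI1; l=https://example.com/logo.svg",
                        "v=DMARC1; p=quarantine; pct=25"))
```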
How to Set Up Protocols
Ongage is a front-end platform that connects to back-end email delivery vendors, who do the actual sending of the emails, so DKIM and SPF are not set up in Ongage. Rather, you need to go to your email delivery vendor (e.g., Dyn, SparkPost, Mailgun, Amazon SES, etc.) and get the keys from them to put in your DNS. Typically those vendors either have clear instructions on how to do that or can help you set them up.
Once the setup is done, they will add a DKIM and SPF header to all your email messages when sent from Ongage via one of those email delivery vendors. Please speak to your back-end email delivery vendor (aka ESP/SMTP vendor) on how to get those set up. Your ESP will provide you with the TXT and/or MX records to configure for your sending domain.
In general, the setup process for these protocols (SPF, DKIM, and DMARC) differs between ESPs. Ideally, each ESP will provide a DNS record for each of the three protocols to configure for your sending domain.
For a detailed view of the TXT type DNS records, you can visit our blog post about Email Authentication Protocols: What are They and Why are They Important?
About DNS Services
Following are links to a variety of leading DNS services
Bluehost: General DNS Setup
CloudFlare: General DNS help
DynDNS: General DNS setup
HostGator: General DNS setup
Hover: General DNS setup
Network Solutions: General DNS setup
Rackspace Cloud DNS: General DNS setup
Check DNS Verification & Propagation of your Sending Domains
Following is a great tool to check your DNS record propagation status once the record is configured for respective domains.
Appendix
Resources for setting up SPF and DKIM
GoDaddy: SPF
Dreamhost: SPF
United Domains: DKIM and SPF (in German)
Articles about Email Authentication: SPF, DKIM, DMARC and BIMI
Email Authentication Protocols: What Are They and Why Are They Important? (Ongage Blog: September 2020)
3 DNS Records Every Marketer Must Know (March 2017)
Why DMARC Matters for Email Marketing (April 2017)
What marketers need to know about DMARC (July 2016)