Cracking the Code: Mastering Email Authentication (Part 2/3)
In the first part of this series, we covered how to diagnose email deliverability problems. Now it is time to fix them. This installment focuses on the infrastructure side: dedicated IPs, authentication configuration, and the monitoring practices that keep everything running smoothly.
The Dedicated IP Decision
One of the first infrastructure decisions you will face is whether to use a shared IP or a dedicated IP for sending email. On a shared IP, your reputation is pooled with every other sender on that IP. On a dedicated IP, your reputation is entirely your own.
Shared IPs work well for lower-volume senders. The email service provider manages the reputation, and you benefit from the aggregate good behavior of other senders. The downside is obvious: if another sender on your shared IP behaves badly, your deliverability suffers too.
Dedicated IPs give you complete control over your reputation. But they come with responsibilities. A fresh dedicated IP has no reputation at all — it is a blank slate that mailbox providers treat with suspicion. You need to warm it up gradually.
The general threshold is this: if you are sending more than 50,000 emails per month consistently, a dedicated IP starts making sense. Below that volume, it can be difficult to maintain enough sending activity to build and sustain a strong reputation.
IP Warming: The Critical First Steps
If you move to a dedicated IP, warming it properly is not optional — it is the foundation of everything that follows. Mailbox providers monitor new IPs closely. Sudden high-volume sending from an unknown IP triggers defensive responses.
A proper warming schedule typically runs four to six weeks. Start with your most engaged recipients — the people who consistently open and click your emails. These positive engagement signals are what build your early reputation.
Week one: Send to your top 5-10% most engaged subscribers only. Keep volumes low — a few hundred per day, scaling to a few thousand by the end of the week.
Weeks two and three: Gradually expand your audience. Add the next tier of engaged subscribers. Increase daily volume by 30-50% each day, watching bounce rates and complaint rates closely.
Weeks four through six: Continue expanding until you are sending to your full list. At each stage, monitor your key metrics. If you see bounce rates spike or complaint rates rise, slow down. Pushing through warning signs during warming is how IPs get burned.
Throughout the warming period, split your sending between the new dedicated IP and your existing infrastructure. This way, your main email program continues uninterrupted while the new IP builds reputation.
Configuring Authentication Properly
In part one, we identified SPF, DKIM, and DMARC as the three pillars of email authentication. Now let us walk through proper configuration.
SPF Configuration
Your SPF record lives in your DNS as a TXT record. A well-structured SPF record includes only the sources that actually send email on behalf of your domain.
The most common mistake is accumulating includes over time without cleaning them up. Every time you trial a new email tool, someone adds an include statement. Over time, you end up with a bloated SPF record that approaches or exceeds SPF's limit of 10 DNS lookups per evaluation, beyond which receivers treat the record as a permanent error and the SPF check fails outright.
Audit your SPF record quarterly. Remove includes for services you no longer use. If you are approaching the lookup limit, consider using an SPF flattening service that resolves includes into direct IP references — but be aware that flattened records need regular updates as providers change their IP ranges.
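The lookup audit described above, as an added example that is not part of the original article: it counts the terms in an SPF record that cost a DNS query (include, a, mx, ptr, exists, redirect), following include and redirect targets recursively, against the limit of 10. The DNS answers are a constructed in-memory table standing in for live TXT lookups; the domains and addresses are example data.

```python
import re

# Constructed TXT records standing in for live DNS answers (example data, not real records).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example include:crm.example mx -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mailer.example": "v=spf1 a mx -all",
    "crm.example": "v=spf1 redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.rbl.crm.example -all",
}

# Terms that cost one DNS query each under the 10-lookup limit; ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LIMIT = 10

def spf_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, recursing into
    include: and redirect= targets. The query that fetched a missing or non-SPF record
    is already counted by the caller; a domain repeated on the current path (a loop) stops."""
    domain = domain.lower()
    if domain in path:
        return 0
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0
    count = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?), then split name from its argument or CIDR suffix.
        m = re.match(r"^([a-z0-9]+)(?:[:=/](.*))?$", term.lstrip("+-~?"), re.I)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        count += 1
        if name in ("include", "redirect") and arg:
            count += spf_lookups(arg, zone, path + (domain,))
    return count

def spf_within_limit(domain, zone=ZONE):
    """True when the record and everything it pulls in stay within the 10-lookup limit."""
    return spf_lookups(domain, zone) <= SPF_LIMIT
```

Swap the ZONE table for a real TXT resolver to audit a live domain; the counting logic is unchanged.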
DKIM Implementation
DKIM requires generating a public-private key pair. The private key is held by your sending infrastructure and used to sign outgoing messages. The public key is published in your DNS so receiving servers can verify the signature.
Key length matters. Use 2048-bit keys at minimum. Older 1024-bit keys are increasingly considered weak, and some providers will discount their validity.
Key rotation is good practice but often neglected. Rotate your DKIM keys every six to twelve months. This limits the impact if a private key is compromised and demonstrates good security hygiene to receiving servers.
Multiple sending sources each need their own DKIM configuration. If you send email through a marketing platform, a transactional email service, and a CRM, each one should have its own DKIM selector and key pair. This is not just best practice — it gives you granular visibility into which sending source might be causing issues.
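A check for the key-length point above, added here as an example rather than taken from the article: it reads the p= tag of a published DKIM TXT record, walks the DER-encoded SubjectPublicKeyInfo with a minimal parser, and reports the RSA modulus size, so a 1024-bit selector stands out in an audit. The make_dkim_record helper builds constructed test records around a synthetic modulus (not a real key pair) so the check can run offline.

```python
import base64
import re

def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict; whitespace inside p= is removed
    because long keys are often published as several quoted strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_rsa_bits(txt):
    """RSA modulus size of the key in a DKIM record, or None for a revoked (empty p=) or non-RSA key."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa").lower() != "rsa" or not tags.get("p"):
        return None
    _, spki, _ = _tlv(base64.b64decode(tags["p"]), 0)  # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _tlv(spki, 0)                     # AlgorithmIdentifier (rsaEncryption, NULL)
    _, bit_string, _ = _tlv(spki, after_alg)            # BIT STRING; byte 0 = unused-bit count
    _, rsa_key, _ = _tlv(bit_string[1:], 0)             # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _tlv(rsa_key, 0)                    # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag, body):
    """Encode one DER element (bodies up to 65535 bytes)."""
    n = len(body)
    header = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return header + body

def make_dkim_record(modulus, exponent=65537):
    """Build a DKIM TXT record around a given modulus. Constructed test data: the modulus
    is not a real RSA key, so only the size check is meaningful."""
    def integer(x):                          # minimal non-negative DER INTEGER (adds a 0x00 pad when needed)
        return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))
    rsa_key = _der(0x30, integer(modulus) + integer(exponent))
    algorithm = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```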
DMARC Deployment
DMARC configuration happens in stages. Jumping straight to a reject policy without data is a recipe for breaking legitimate email flows you did not know about.
Stage one — monitoring: Set your DMARC policy to p=none and configure aggregate and forensic reporting. Run this for at least 30 days. The reports will show you every source sending email using your domain, whether they pass SPF and DKIM, and what volume they send.
Stage two — quarantine: Once you are confident that all legitimate sending sources pass authentication, move to p=quarantine with the percentage tag (pct) starting at 10%. This tells receivers to send 10% of failing messages to spam. Gradually increase the percentage over several weeks while monitoring reports for any legitimate sources that are failing.
Stage three — reject: When your quarantine percentage reaches 100% with no legitimate failures, move to p=reject. This instructs receivers to block messages that fail authentication entirely.
Reverse DNS Configuration
Reverse DNS (rDNS) maps your sending IP address back to a hostname. This is one of the first checks a receiving mail server performs, and failing it is an immediate red flag.
Your rDNS record should resolve to a hostname that belongs to your domain or your sending organization. Generic hostnames assigned by hosting providers signal that you have not invested in proper email infrastructure.
To configure rDNS, you typically need to work with your hosting provider or the company that owns the IP address. If you are on a dedicated IP through an email service provider, they usually handle this for you — but verify it. Do not assume.
Test rDNS by performing a reverse lookup on your sending IP. The hostname returned should resolve forward to the same IP address. This forward-confirmed reverse DNS (FCrDNS) is what mailbox providers look for.
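The FCrDNS test just described, written out as an added example (not code from the article): reverse-resolve the sending IP, check that the hostname sits under your own domain rather than a provider's generic name, then resolve the hostname forward and confirm the original IP is among the answers. Resolvers are injectable so the demonstration runs against a constructed stub table; the PTR and A data and the example.com names are assumptions.

```python
import ipaddress
import socket

def fcrdns_check(ip, sending_domain, reverse=None, forward=None):
    """Return (ok, detail). Steps: PTR lookup of ip -> hostname; hostname must belong to
    sending_domain; hostname must resolve forward to a set of addresses containing ip."""
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda host: {ai[4][0] for ai in socket.getaddrinfo(host, None)})
    ip = str(ipaddress.ip_address(ip))                     # normalise (matters for IPv6 spelling)
    try:
        host = reverse(ip).rstrip(".").lower()
    except (socket.herror, socket.gaierror, KeyError) as exc:
        return False, f"no PTR record for {ip}: {exc!r}"
    if not (host == sending_domain or host.endswith("." + sending_domain)):
        return False, f"PTR {host} is not under {sending_domain} (generic provider hostname?)"
    try:
        addrs = {str(ipaddress.ip_address(a)) for a in forward(host)}
    except (socket.gaierror, KeyError) as exc:
        return False, f"{host} has no forward record: {exc!r}"
    if ip not in addrs:
        return False, f"{host} resolves to {sorted(addrs)}, not back to {ip}"
    return True, f"{ip} -> {host} -> {ip} (forward-confirmed)"

# Constructed stub DNS data for an offline run (example addresses and hostnames, not real ones).
PTR = {
    "192.0.2.10": "mail1.example.com.",                       # correct FCrDNS
    "192.0.2.11": "mail2.example.com.",                       # PTR points to a host whose A record differs
    "192.0.2.12": "host-192-0-2-12.hosting-provider.example.",  # provider default name
}
A = {
    "mail1.example.com": {"192.0.2.10"},
    "mail2.example.com": {"192.0.2.99"},
    "host-192-0-2-12.hosting-provider.example": {"192.0.2.12"},
}

def check_with_stubs(ip):
    """Run fcrdns_check for example.com against the stub tables above."""
    return fcrdns_check(ip, "example.com", reverse=lambda a: PTR[a], forward=lambda h: A[h])
```

Calling fcrdns_check without the reverse and forward arguments uses the system resolver for a live check.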
Monitoring: Your Early Warning System
Authentication configuration is not a set-it-and-forget-it task. DNS records can be accidentally modified, keys can expire, and sending patterns change. You need ongoing monitoring.
DMARC reports are your primary monitoring tool. Set up automated processing of the aggregate reports you receive. These XML files contain detailed information about every message sent using your domain and whether it passed authentication.
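An added example covering both the stage-one monitoring described under DMARC Deployment and the automated report processing above (not code from the article): it parses a DMARC aggregate (RUA) report, totals messages per source IP, records whether each passed DMARC (aligned DKIM or aligned SPF), and keeps the raw authenticating domains so a legitimate vendor that passes SPF for its own domain but fails alignment is visible before you move to p=quarantine. The report below is constructed sample data; receiver, IPs and domains are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed RUA aggregate report (example data, not a real receiver's report).
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>mkt2024</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>340</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.5</source_ip><count>25</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>203-0-113-5.dsl.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize_rua(xml_text):
    """Return (published policy, {source_ip: {count, pass, fail, auth_domains}}).
    'pass' means DMARC passed via aligned DKIM or aligned SPF, as the receiver evaluated it;
    auth_domains keeps the raw results so unaligned-but-legitimate senders can be spotted."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        entry = summary.setdefault(ip, {"count": 0, "pass": 0, "fail": 0, "auth_domains": set()})
        entry["count"] += count
        entry["pass" if aligned else "fail"] += count
        for node in rec.findall("auth_results/*"):      # dkim or spf raw results
            entry["auth_domains"].add(f"{node.tag}:{node.findtext('domain')}={node.findtext('result')}")
    return root.findtext("policy_published/p"), summary

def ready_for_quarantine(summary, known_sources):
    """Stage-one gate: every source you recognise as yours must pass; unknown sources failing is expected."""
    return all(v["fail"] == 0 for ip, v in summary.items() if ip in known_sources)
```

In the sample, 198.51.100.7 is the pattern to look for: SPF passes for crm-vendor.example, so the vendor is real, but nothing is aligned to example.com, and it would be quarantined the moment the policy tightens.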
Deliverability monitoring tools from your email service provider or third-party services can send test emails to seed accounts across major mailbox providers and report back on inbox placement. This gives you real-time visibility into whether your messages are reaching the inbox, landing in spam, or being blocked.
Blocklist monitoring should be automated. Subscribe to monitoring services that check your sending IPs and domains against major blocklists and alert you immediately if you appear on one.
Authentication status checks should be part of your regular ops review. At minimum, verify your SPF, DKIM, and DMARC records monthly. Any time you add or remove a sending service, re-verify immediately.
Bringing It All Together
The infrastructure work we have covered — dedicated IPs, authentication configuration, rDNS, and monitoring — forms the technical foundation of deliverability. Without it, even the best content and cleanest lists will underperform.
But infrastructure alone is not enough. In the final part of this series, we will cover the ongoing operational practices that maintain and improve deliverability over time: list hygiene, engagement optimization, and the feedback loops that keep you ahead of problems before they impact your bottom line.