Email Authentication¶
Proper email authentication is essential for high deliverability with FrontEngine. This guide covers configuring SPF, DKIM, and DMARC for your sending domains.
Why Authentication Matters¶
Email authentication proves to receiving mail servers that your messages are legitimate and have not been forged. Without it:
- Messages may land in spam folders
- Large providers (Gmail, Outlook, Yahoo) may reject your email outright
- Your domain is vulnerable to spoofing and phishing attacks
Required for Sending
FrontEngine requires domain verification with at least SPF and DKIM before allowing email to be sent from your domain. DMARC is strongly recommended.
Domain Verification¶
Before configuring authentication records, verify domain ownership:
- Go to Services > Transactional Email > Sending Domains
- Click Add Domain and enter your domain
- Add the provided TXT verification record to your DNS
- Click Verify once the record has propagated
SPF Configuration¶
SPF tells receiving servers that FrontEngine is authorized to send email for your domain.
Add or update the TXT record for your domain:
If you already have an SPF record (e.g., for your email hosting), merge the include statement:
; WRONG: Two separate SPF records (only one is allowed per domain)
example.com. IN TXT "v=spf1 include:_spf.intesys.io ~all"
example.com. IN TXT "v=spf1 include:_spf.frontengine.intesys.io ~all"
; CORRECT: Single merged SPF record
example.com. IN TXT "v=spf1 include:_spf.intesys.io include:_spf.frontengine.intesys.io ~all"
One SPF Record Per Domain
DNS allows only one SPF TXT record per domain. Multiple SPF records cause authentication failures. Always merge includes into a single record.
DKIM Configuration¶
DKIM adds a cryptographic signature to every outgoing message. FrontEngine generates a unique key pair for each sending domain.
After adding your domain, the portal provides a CNAME record:
This approach lets InteSys manage key rotation automatically without requiring DNS changes on your end.
Verifying DKIM¶
After adding the record, verify it resolves correctly:
dig +short fe._domainkey.example.com CNAME
# Expected: fe._domainkey.frontengine.intesys.io.
dig +short fe._domainkey.frontengine.intesys.io TXT
# Expected: "v=DKIM1; k=rsa; p=MIGfMA0..."
DMARC Configuration¶
DMARC builds on SPF and DKIM to provide policy enforcement and reporting.
Recommended Rollout¶
Phase 1 — Monitor (weeks 1-2):
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
Review aggregate reports to confirm all legitimate email sources pass SPF and DKIM.
Phase 2 — Quarantine (weeks 3-4):
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]"
Gradually increase pct from 25 to 100 as confidence grows.
Phase 3 — Reject (ongoing):
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
DMARC Report Analysis
DMARC aggregate reports are XML files that can be difficult to read. Use a free service like dmarcian, Postmark DMARC, or DMARC Analyzer to parse and visualize them.
DMARC Alignment¶
For DMARC to pass, either SPF or DKIM must align with the "From" header domain:
| Check | Alignment | Meaning |
|---|---|---|
| SPF | Mail-From domain matches From header domain | The envelope sender matches the visible sender |
| DKIM | d= tag in signature matches From header domain | The signing domain matches the visible sender |
FrontEngine ensures DKIM alignment by signing with your domain. SPF alignment requires that the return-path domain matches your sending domain, which FrontEngine configures automatically.
Verification Tools¶
Use the InteSys Email Auth Validator to check your SPF, DKIM, and DMARC configuration. The tool is available at intesys.io/tools.
Complete DNS Example¶
; SPF (merged with email hosting)
example.com. 3600 IN TXT "v=spf1 include:_spf.intesys.io include:_spf.frontengine.intesys.io -all"
; DKIM for FrontEngine
fe._domainkey.example.com. 3600 IN CNAME fe._domainkey.frontengine.intesys.io.
; DMARC
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"