How to Set Up Email Authentication on Email Streams Using DMARC Data?

DMARC Email Authentication

This article shows how to set up email authentication on your email streams using DMARC data, with actionable steps.

What is an email stream?

An email stream is the route a group of emails take from the source to the receiver, on behalf of a domain. The 3 elements of an email stream are: the source host, the receiving host, and the domain.

For example, if you own a domain, and you authorize SendGrid to send transactional emails to assorted mailbox providers like Gmail, Yahoo, etc., you have an email stream that looks like below:

Source Domain Receiver
SendGrid Gmail, Yahoo, etc.

The goal of email authentication is to authenticate all your legitimate email streams within your organization. In other words, to authorize hosts from all legitimate sources to send emails on behalf of your domain, while preventing anyone else from doing so.

The end result is emails sent from legitimate sources are properly authenticated and have a better chance of reaching the inboxes; on the other hand, spoofed emails are either quarantined or rejected once you've implemented an enforcement policy (p=quaratine or p=reject).

How to authenticate all legitimate email sources

The DMARC data presented in the DMARCLY dashboard provides complete visibility into unaligned (unauthenticated) email sources and aligned (authenticated) emails sources. Let's see how we can use the unaligned email sources data to authenticate all your legitimate email streams.

Log in to the DMARCLY dashboard. Go to: Aggregate Reports=>Unaligned Source. Here it shows a table that lists all the unauthenticated email streams within your organization.

Unaligned Email Streams

For example, the first row in the table shows a group of 101 emails sent from Mailchimp hosts on behalf of, the second row is 68 emails sent from Google hosts, etc.

Since these emails originated from unauthorized sources (hosts), they failed DMARC authentication. What you need here is go through the rows in the table, and for each one of them, check if the source is a legitimate email sender for your organization and act accordingly:

Again, take the first row as an example, you need to check with your dev team/IT department/system administrator to see if your organization uses Mailchimp to send emails on behalf of If so, set up SPF and DKIM for Mailchimp. Otherwise, move on to the Google row below.

Repeat this process until you've checked all the rows in the table, so that all legitimate email streams are authenticated.

In addition, keep an eye on the incoming email streams to ensure that future legitimate email streams are authenticated too.

Removing unused email sources

It's not very often that you retire an email delivery service from your organization. But when you do, make sure to revoke your authorization. To do so, remove both your SPF and DKIM DNS records set up for that service on your domain. This way, no email from any host of that service will pass DMARC authentication.

Check the unaligned sources table to make sure emails (if any) from such retired services do fail DMARC authentication afterwords.

But I am still seeing unauthenticated emails from an authorized service?

Once you've authorized a service to send on your behalf, all legitimate emails will pass DMARC authentication. However, you might still find unauthenticated emails from that service in the unaligned sources table. Why?

This happens when someone using that service tried to send these emails on your behalf. However, since these emails didn't have DMARCLY identifier alignment, they failed DMARC authentication.

For example, this email stream doesn't have DMARC identifier alignment since neither SPF domain ( nor DKIM domain ( matches


In other words, these are spoofed emails sent by an unauthorized user from an authorized service.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account