Articles in this section
Auto forward your emails to Vtiger Automate Outgoing Emails in Email Settings Managing User Profiles Automation - Approvals Automation - Assignment Rules Set up Multi-path Workflows Creating a Scheduled Workflow Automation - Workflow Scheduler Workflows in Vtiger CRM Webforms in Vtiger CRM Set up a Workflow Action to Create Event Set up a Workflow Action to Create Records Set up a Workflow Action to Create Task Set up a Workflow Action to Invoke Custom Function Set up a Workflow Action to Create an SMS Task Set up a Workflow Action to Send Mails Workflow Action to Update Fields Automation - Webhook Workflow Automation - Expressions Workflow Configuration - Business Hours Configuration - Company Details Configuration - Consents Configuration - Customer Portal Maps in Vtiger CRM Configuration - Usage Details Configuring Encrypted Data Fields in Vtiger CRM Configure Picklist Dependencies Considerations for Deactivating Vtiger Users Control Fields and Record Displays using Configuration Editor Create Reminders for Records and Inbox Create a field of a Grid type Dealing with Currencies and Taxes Enable Desktop Notifications on Chrome Web Browsers Vtiger CRM Add-ons IMAP Configuration - 2-way sync between Vtiger and IMAP providers Setting up Autopay & Payment Gateways Inventory - Tax Management Inventory - Terms and Conditions Login to Vtiger on SSO SAML using ADFS Mailroom Functionality for Different Scenarios Manage Multiple Currencies Marketing and Sales - Deal to Project Mapping Lead Conversion Data Mapping Marketing and Sales - Profile Scoring Module Management - Labels Editor Module Management - Module Numbering Configure My Preferences Feature My Preferences - Calendar Settings Tags in Vtiger My Preferences - Notification Preferences SAML Support in Vtiger CRM Vtiger Mailroom Settings - Configure Module Settings Settings - Create Dynamic Fields and Layouts Module Management - Creating a Relationship Between Modules Settings - Customize Records and Fields for your Business Settings - How to set email autoresponder to Webform submission? Settings - Left Menu Settings - Manage Global Picklists in Vtiger Settings - Set up your Support Team Settings - Start Up Page Settings - Working with Picklist Values Module Management - Module Builder Support - SLA Policies Troubleshooting Login Issues Add-Edit Unsubscribe Links in your Email Template User Management - Authentication User Management - Encrypted Field Access Logs User Management - Groups User Management - Login History User Management - Profiles User Management - Roles User Management - Settings Log User Management - Sharing Rules User Management - Users User Management - Vtiger Support Access Vtiger Buzz - Chrome Extension for Notifications Vtiger Implementation wizard Vtiger Language Support Configuring Websense Trackers Websense - Widgets Auto forward Emails from Microsoft Office 365 Automation - SMS Reply Actions Duplicate Record Prevention in Vtiger CRM Module Management - Module Layouts & Fields Module Management - Modules Generate and Manage Third-party App Passwords in Yahoo Configuring App Passwords for Gmail Outgoing Server and Yahoo Mail Configuration - Storage Guard Customizing your Self-Service Portal Theme Using CSS Styles Adding Hidden Fields to a Webform Configuring Dependent Fields and Blocks for Modules Adding Custom Module Login Page Customization Settings - Personalize Module Layouts Formula Fields Creating Custom Filters Adding a local DNS Entry

Authenticate Emails with SPF, DKIM, and SenderID

Learn how to authenticate your emails with SPF, DKIM, and SenderID.
B
Bindu Rekha Babu
26 Sep, 2025 - Updated  10 days ago

Introduction

Email is one of the easiest and most effective ways to reach your customers. But at the same time, it’s also a common target for problems like spam, fake senders, and phishing attacks. To protect against these risks, email providers and internet standards groups created special security checks called email authentication protocols.

These checks help confirm whether an email really comes from the domain (or website address) it claims to be sent from.

The three most common authentication methods are:

  • SPF (Sender Policy Framework): Confirms which servers are allowed to send emails for your domain.
  • DKIM (DomainKeys Identified Mail): Ensures that your email content hasn’t been changed along the way.
  • Sender ID: Verifies the sender’s address to prevent domain spoofing.

When these methods are set up, they make it much harder for fake emails to get through, keep your domain reputation safe, and improve the chances that your messages land in your customer’s inbox instead of the spam folder. 

Now we’ll take a closer look at how each one works.

Sender Policy Framework (SPF)

What is SPF?

SPF is an email authentication protocol that allows a domain owner to specify which mail servers are authorized to send emails on behalf of their domain.

How does it work?

The domain owner publishes an SPF record in their DNS, listing authorized servers or IP addresses.

  • When an email is received, the recipient server checks the sending server’s IP against the SPF record.
  • If it matches, the email passes SPF authentication; otherwise, it fails.

To learn more about creating a SPF record, click here.

To learn more about creating a CNAME record, click here.

Example: Grasspods, a company using Vtiger, adds vtiger.com as an authorized sender in its DNS records. When John (a Grasspods user) sends an email, Gmail checks the DNS for grasspods.com and sees that Vtiger is authorized. Gmail then marks the email as Passed SPF.

 
 

Why it matters:

  • Reduces the risk of phishing attacks using your domain.
  • Improves deliverability by signaling to ISPs that your emails are legitimate.
  • Prevents legitimate messages from being blacklisted as spam.

How much does the SPF authentication cost?

There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes.
 

SPF record example: v=spf1 include:vtigermails.com -al

Adding Vtiger to the SPF Record for Your Domain

To authorize Vtiger to send emails on behalf of your domain, you’ll need to update your domain’s DNS settings and add an SPF record. The steps vary depending on your domain hosting provider.

 

DomainKeys Identified Mail (DKIM)

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method designed to prove that an email really came from the claimed sender and that it hasn’t been changed along the way. It works by attaching a digital signature to each email. This signature is unique to the sending domain and allows the receiving server to verify the message’s authenticity.

Think of it as a tamper-proof seal for emails. If the seal is intact, the receiver knows the message is genuine and unchanged. If the seal is broken, the system flags it as suspicious.

How does DKIM work?

The DKIM process can be broken down into three key steps:

Step 1: Selecting which parts of the email to sign

  • The sending domain decides which elements of the email should be protected.
  • These elements could include parts of the header (like the From field, Subject, or Date) or even the body of the email.

Whatever is selected must remain unchanged during transit—if any of the signed elements are altered, DKIM validation will fail.
 

Step 2: Creating a digital signature

  • Once the parts are chosen, the sending system creates a cryptographic hash (a unique fingerprint) of that information.
  • This hash is then encrypted using a private key that belongs to the domain.
  • Only the domain owner has access to this private key, which ensures that no outsider can forge a valid signature.
  • The encrypted hash (the DKIM signature) is added to the email header before the message is sent.


Step 3: Validation by the recipient server

  • When the recipient’s mail server receives the email, it notices the DKIM signature in the header.
  • It then performs a DNS lookup to retrieve the public key published by the sending domain.
  • Using this public key, it decrypts the DKIM signature back into the original hash.
  • The server then generates its own hash of the signed elements and compares it with the decrypted hash.
    • If they match: the message is confirmed to be authentic and unaltered.
    • If they don’t match: it means the message was tampered with, or the signature was invalid.

To learn more about DKIM, click here.
 

Example

Imagine Yahoo forwards an email to Grasspods. If Yahoo modifies the body of the email, for example, by adding a line such as forwarded by Yahoo Mail then the body no longer matches the original hash. If the body was part of the signed elements, the DKIM check will fail.

However, if only the From field (in the header) was included in the DKIM signature, the validation would still pass because the modified body was not part of the signed content.

This flexibility allows domain owners to choose what is most important to protect, while still allowing for legitimate forwarding or minor changes in transit.


Why does DKIM matter?

  • Protects integrity: Ensures that emails haven’t been tampered with during transit.
  • Builds trust: Adds credibility to your domain and helps prevent bad actors from spoofing it.
  • Improves deliverability: Mailbox providers (like Gmail, Yahoo, and Outlook) are more likely to place DKIM-signed emails in the inbox instead of the spam folder.
  • Works well with other protocols: DKIM is often used together with SPF and DMARC to create a strong, layered defense against email fraud.
 

Limitations of DKIM

  • Implementation can be complex, requiring key generation, DNS setup, and email server configuration.
  • Adoption is slower compared to SPF due to the technical setup.
  • DKIM results are not visible to end-users and rely on email providers for validation.
  • Does not fully prevent spoofing on its own and works best with SPF and DMARC.

Sender ID

What is Sender ID?

Sender ID, developed by Microsoft, is another email authentication method focused on preventing domain spoofing by verifying the sender’s IP address against the sending domain’s DNS records.

How it works:

  • The recipient server extracts the domain from the Sender field (or the From field if Sender is missing).
  • It checks the domain’s DNS records to see if the sending IP address is authorized.
  • If the IP is valid, the email passes authentication; otherwise, it may be rejected or flagged as spam.

Example:

HELO vtigermails.com

MAIL FROM: [email protected]

RCPT TO: [email protected]

DATA

Subject: Special offer

From: John

QUIT@grasspods.com> 

In this case, there is no Sender field, so Sender ID uses the From domain: grasspods.com. Sender ID then checks for a spf2.0/pra record in DNS. If it doesn’t exist, it falls back to the SPF record.

DNS Records: grasspods.com    v=spf2.0/pra include:vtigermails.com ~all

vtigermails.com  v=spf1 ip4:1.2.3.0/24 ~all

  • The include:vtigermails.com means Sender ID should also check records for vtigermails.com.
  • Since no spf2.0 record exists for vtigermails.com, the system falls back to its SPF (spf1) record.
  • The sending IP 1.2.3.4 falls within the allowed range 1.2.3.0/24.
  • Result: The email passes the Sender ID check. 

Sender ID uses the From domain for validation, and if a Sender ID record is missing, it falls back to SPF. 

Why it matters:

  • Especially useful for organizations using Microsoft Exchange.
  • Adds another layer of trust and prevents spoofed emails.
 

Reference​

Home Privacy Policy Terms of Service Security Center Policy & Legal Center Contact Us
© Copyright 2025 Vtiger. All rights reserved.
Powered by Vtiger
Facebook Twitter Linkedin Youtube