About authentication methods

Administrators: Start here to learn the basics about email authentication

Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.


Why should I set up authentication?

You can protect your organization's outgoing email by setting up authentication, which can:

  • Stop legitimate messages being marked as spam
  • Stop spammers from impersonating your organization by spoofing or phishing 


What type of authentication should I set up?

All email senders must set up SPF, DKIM, or both:

  • SPF—Sender Policy Framework (SPF) helps to prevent senders from impersonating you, blocking spammers and other attackers from sending email that appears to be from your organization.
  • DKIM—DomainKeys Identified Mail (DKIM) prevents your message contents from being changed during transit.

Google's recommendations:

  • Set up both SPF and DKIM. Put simply: DKIM says you wrote the email, and SPF says your server sent the email. Together, DKIM and SPF send a stronger signal that the email came from you, since you both wrote it and sent it.
  • Set up DMARC (Domain-based Message Authentication, Reporting, and Conformance), which lets you choose what happens to messages that don't pass SPF or DKIM.
  • You can set up BIMI (Brand Indicators for Message Identification) to lend authenticity to your email by adding your verified brand logo.
  • Another way to prevent phishing in Gmail is to turn on pre-delivery message scanning.

When sending to Gmail accounts, you should meet the authentication requirements at Email sender guidelines.

How does authentication work?

Consider this real-world example. The COVID pandemic saw a large increase in malicious email attacks targeting healthcare organizations. These attacks resulted in impersonated email, with attackers requesting donations under the guise of the organization. Email addresses and passwords held by the healthcare organization were leaked online, as people were tricked into providing personal information.

Within a week of implementing DMARC, messages that appeared to be sent from the healthcare organization were reduced by 70%. Within several weeks, all email impersonation completely stopped.
