Back to Top

Help & Support

Get instant answers 24/7


Approved Sender Authentication

When you approve an email address or domain in SpamHero using the default settings, the approved sender is only applied when the origin of the message can be authenticated.

This is done in the following ways:

  • DKIM passes, with alignment

    The message contains a valid DKIM header that was signed by the same domain as the sender's "from" domain.

  • SPF passes, with alignment

    The message passes SPF, which authenticates the "return path" (or the "HELO" host when the "return path" is missing). To pass "with alignment", the SPF-authenticated host must match the sender's "from" domain.

  • The message originates from an IP address defined in the sender domain's SPF record.

    While SPF is generally used only to authenticate the "return path" of a message, in this context, a message will also be considered authenticated if the sending IP address of the message is in the From sender's domain SPF record. Contrary to popular belief, handling it this way is beyond the scope of the SPF protocol, but enough domains owners have used SPF in this way that it has become a viable way to authenticate a message. This method of authentication does carry some risk if the sender includes shared IPs in their SPF record.


What about DMARC?

DMARC is not an email authentication technology, but rather a policy defined by the sender that tells the receiving server how to handle sender authentication failures.


What if the DKIM signer or SPF-authenticated host isn't aligned with the sender's "from" address?

In this scenario, there is no way to verify that the message is authentic (someone could be impersonating the sender). However, you can add "approved sources" for an approved sender.

If a message has a DKIM signer domain or SPF-authenticated host (return path or HELO domain) that matches one of your "approved sources", it will be treated as if it was "aligned" with the sender's from address (so the message will skip normal filtering).

You can also approve an IP address as an "approved source", which means that any messages from the approved sender using the designated IP address will skip normal filtering (even when DKIM and SPF fail).

To add an "approved source" to an "approved sender", go to Settings > Approved Senders, click on the row for the approved sender and add the source in the textbox labeled "Approved Sources".

Note: "approved sources" are shared for all approved sender addresses that end in the same domain.

Last updated January 6, 2023