Domain possession: Who is really sending your emails?
Your easy-to-understand guide to email domain authentication security
Sending emails is simple, right?
Well, it’s gotten a little more complicated – and we’ve been “in the weeds”!
We previously configured client websites and newsletter platforms easily. We set it up for them, and the system would send emails “from” their official business address.
This made setup super easy and gave every client a professional, consistent look.
But there was a dark side to this ease: Email spoofing.
Anyone could technically send emails “from” any address. Malicious actors used this freedom. They cloaked themselves in other people’s domains.
Imagine the chaos!
Now, that convenience is over.
Email giants have introduced a zero-tolerance policy for unverified senders.
They are now forcing every business to prove domain ownership. This includes mass newsletters. It also covers single contact form notifications.
No proof, no delivery.
Simple as that.
Why is it happening? The two security shifts
The technical reason behind this crackdown involves two parallel shifts in email security, both designed to combat spoofing and improve overall trust in the inbox:
The rise of DKIM, SPF, and DMARC (for bulk email): these are the three acronyms that form the backbone of modern domain authentication.
- DKIM (DomainKeys Identified Mail): This adds a digital signature to your outgoing emails. The receiving server checks this signature against a public key published on your domain’s DNS records. If the keys do not match, the email is rejected.
- SPF (Sender Policy Framework): This is a simple text record on your domain that lists every server authorized to send email on your behalf (e.g., Mailchimp’s server, Brevo’s server). If an email comes from a server not on the list, it is marked as suspicious.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): This is the policy that tells receiving servers what to do if an email fails the DKIM or SPF checks—quarantine it, reject it, or deliver it.
SMTP authentication retirement (for website forms): In a separate but equally critical move, companies like Microsoft (and other major mailbox providers) are deprecating “basic authentication” for SMTP (Simple Mail Transfer Protocol).
Many older website contact forms rely on this outdated, password-based method to send notification emails.
Microsoft has flagged this as a major security risk and is phasing it out entirely by around April 2026. If your forms use a Microsoft 365, Outlook, or Hotmail email address to send notifications via the old SMTP method, they will simply stop working.
What is affected? Two major pain points
Domain authentication affects two distinct areas of your digital marketing, both of which are crucial for lead generation:
1. Your email newsletters and marketing campaigns
If you send bulk emails through platforms like Mailchimp, Brevo, Campaign Monitor, Wix Email, or Constant Contact, this is where DKIM, SPF, and DMARC apply. If you have not authenticated your domain, your content—no matter how valuable—will likely be filtered into the spam folder, dramatically lowering your open rates and damaging your sender reputation.
Furthermore, the days of using a generic ‘from’ email address are over. Your sending address must now use your actual domain (e.g., keren@yourcompany.com), not a generic email like yourcompany@gmail.com or tld-messages@brevo.com. This is vital for brand consistency. At TLD, we believe consistency in every detail, from your logo to your ‘from’ address, is how we reveal your unique greatness. A generic email address undermines your entire brand authority before the recipient even opens the message.
2. Your website contact forms and automated notifications
This is where the SMTP change hits hardest. When a customer fills out your “Contact Us” form, your website generates an email and uses a method called SMTP to send that notification to your inbox. If you use a Microsoft 365 or Outlook address as the sender and your website relies on the old basic authentication method, the system will stop delivering that email. The form appears to submit successfully on the front end, but the lead notification vanishes, leaving you blind to new business. Using a dedicated transactional email service (like Brevo, SendGrid, or a similar platform) becomes mandatory here.
How to fix it in email newsletters (the three steps)
Fixing your newsletter delivery requires a technical process at the domain level, and it also requires your email platform’s cooperation. It consists of three simple, sequential steps:
- Your domain details: You must own your domain name and have the login details for your domain provider (e.g., GoDaddy, Ionos, 123 Reg, or Google Domains). If you do not know who holds the key, check your invoices, because you usually pay for domains every one to two years.
- Access your domain’s control panel: We (or your IT specialist) need to log in to your domain provider’s website. This section is typically called the ‘DNS manager’ or ‘domain control panel’—it is where the technical settings for your website address live.
- Add authentication records: We take the special text strings (the DKIM, SPF, and DMARC records) provided by your email marketing platform (Mailchimp, Brevo, Campaign Monitor, etc.) and strategically place them into a specific record box on that domain control panel. These unique records act as your email’s digital passport, verifying its legitimacy to the world’s mail servers and dramatically improving your newsletters’ chances of being seen.
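Once the records are in place, they can be sanity-checked before relying on them. The following Python sketch is an added example, not code from TLD or from any email platform: it lints the TXT strings you would publish at your domain (SPF) and at `_dmarc.<your domain>` (DMARC) for common mistakes. The function names are hypothetical and every record string passed in is assumed to be copied from your DNS manager.

```python
import re

# Added example. Function names are hypothetical; inputs are TXT record strings.
# Terms that cost a DNS lookup (nested includes also count, not followed here).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def mech(term):
    """Mechanism/modifier name without qualifier or argument: '-all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]

def lint_spf(txt_records):
    """Check the TXT strings published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # more than one SPF record is a permanent error
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    names = [mech(t) for t in terms]
    issues = []
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms, SPF allows at most 10")
    all_terms = [t for t in terms if mech(t) == "all"]
    if not all_terms and "redirect" not in names:
        issues.append("no 'all' term: unlisted servers get a neutral result")
    elif all_terms and all_terms[-1][0] not in "-~":
        issues.append(f"'{all_terms[-1]}' does not fail unlisted servers")
    return issues

def lint_dmarc(txt_records):
    """Check the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none only monitors, failing mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports arrive")
    return issues
```

A frequent finding is two `v=spf1` records left behind after adding a second sending platform; both platforms belong in a single record.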
How to fix it for your forms on your website
The fix for form submissions is different because the problem is related to the method of sending, not just the identity of the sender (though identity is still key).
- Stop using basic authentication. If your form notifications fail, your website must stop sending through a basic authenticated Microsoft or Outlook account.
- Implement an SMTP relay service. The simplest solution routes your form emails through a dedicated SMTP relay service (like Brevo). These services handle transactional emails for your website. They use modern, secure authentication methods. Mail providers trust these methods. It involves our coders adding a special SMTP code to your website to connect securely to the relay service.
- Ensure domain alignment: Whether you use an SMTP service or a plugin with modern OAuth 2.0, you must properly authenticate and align the ‘from’ address on your form notification email with the service you use.
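The alignment step above, together with the DMARC policy described earlier, can be shown in a few lines of Python. This is an added example, not code from TLD or any mailbox provider: the domains are constructed, the function names are hypothetical, and `org_domain()` assumes a tiny hand-made suffix list where real receivers use the Public Suffix List.

```python
# Added example: how a receiver combines SPF, DKIM and alignment under DMARC
# (relaxed alignment by default). All domains are constructed samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # assumption: stand-in for the PSL

def org_domain(domain):
    """Reduce a hostname to its organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(header_from, other, strict=False):
    """Relaxed: same organizational domain. Strict: identical domains."""
    a, b = header_from.lower().rstrip("."), other.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_disposition(header_from, spf_result, mail_from, dkim_sigs, policy):
    """dkim_sigs is a list of (result, d= domain). Returns (passed, action)."""
    # A passing check only counts if its domain aligns with the visible 'from'.
    spf_ok = spf_result == "pass" and aligned(header_from, mail_from)
    dkim_ok = any(r == "pass" and aligned(header_from, d) for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return True, "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, actions[policy]

# Form notification relayed with only the relay's own domains authenticated:
# SPF and DKIM both pass, but neither aligns with the 'from' domain.
before = dmarc_disposition("yourcompany.example", "pass", "bounce.relay.example",
                           [("pass", "relay.example")], "reject")
# Same message after the relay signs with a key published under your domain.
after = dmarc_disposition("yourcompany.example", "pass", "bounce.relay.example",
                          [("pass", "mail.yourcompany.example")], "reject")
```

`before` is `(False, "reject")` and `after` is `(True, "deliver")`: a relay that authenticates only as itself still fails DMARC for your ‘from’ address.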
Mindset shift: annoying but necessary for security
We understand that this entire topic—DNS records, DKIM, SMTP—is frustrating. You want to focus on your creative work, your services, and serving your customers, not technical complexities. I do not like this addition to the setup process either! But, I see it is necessary.
The security changes being implemented across the industry are not arbitrary; they are essential protections against fraud and phishing. They are forcing us to be more secure and more professional in how we communicate. By handling this domain authentication with grace, you are not just ticking a technical box—you are building a foundational layer of trust and professionalism that ensures your business communication works reliably.
At TLD, we get deep in the technical weeds so you do not have to. We are already highly experienced in navigating this complex new landscape and getting DKIM, SPF, and SMTP issues resolved quickly for our clients, whether they use Mailchimp, Brevo, or any other tool.
Don’t let technical shifts sabotage your lead generation. Get your emails authenticated and your brand delivered.
Need to secure your leads and newsletters?
We’re a few steps ahead, so we’re ready to help you!
Contact us today to verify your domain authentication and fix your email delivery issues.