DMARC authentication gets you the deliverability you deserve
Ever since the release of RFC 4408, the first revision of the SPF specification, there’s been a misconception in email that “authentication will get you to the inbox.” While it’s not a universally held belief, it’s widespread enough that we feel it’s worth discussing the topic.
Whether an email is successfully delivered — and the folder that it’s ultimately delivered to — depends on a number of factors, but the primary driver is the reputation associated with the sender of the message. A sender’s reputation, in turn, is determined by its willingness to follow best practices and by its impact (positive or negative) on the systems to which it sends mail. Each mail system employs its own formula to assign a reputation, so what works for one receiver may not work exactly the same with another.
A sender that ensures that its email is authenticated, using SPF, DKIM, and DMARC, is certainly following a best practice for sending email, but that practice by itself is not enough to ensure a good reputation. Successful authentication of email means that the receiving system can trust that responsibility and accountability for the message in question can be credited to the identifier(s) associated with that authentication, which could be the sending IP address, the sending network, and/or any domain associated with the message.
In turn, the receiving system can reliably update accumulated reputation information for those authenticated identifiers based on its other measures for mail coming into its system, such as whether or not the recipients engage with the message and how they do so (e.g., opening it, clicking on links in it, reporting it as spam, etc.).
Without a comprehensive authentication plan in place for its email, a sender cannot build up a reputation based solely on mail that it and it alone has sent. In the worst-case scenario, where a sender has no authentication for any of its email, all mail claiming to be from the sender’s domain will factor into its reputation, whether it was legitimate email or fraudulent email sent by a bad actor.
A sender that authenticates some of its mail is in a better place, because only authenticated mail should factor into its reputation. Any spoofed messages won’t authenticate, may not get delivered, and shouldn’t count against the domain’s reputation. But that reputation might still suffer because a good sender will only get “partial credit” for the mail it sends. Only by authenticating all of its mail can the sender ensure that it earns the reputation it correctly deserves.
The key word in the last sentence of the previous paragraph is “correctly.” A sender that authenticates all its mail but sends in a way that makes it obvious it’s not following other best practices will correctly earn a bad reputation, and its mail will end up in the junk folder or be rejected outright, even with authentication in place and a DMARC policy of p=reject.
In fact, while spam-sending domains often do have DMARC policies of p=reject (in the mistaken belief that this will help their deliverability), this is ultimately of no benefit for them. Those DMARC policies only serve to definitively identify them, and once the mail receivers assign them a bad sending reputation, their deliverability will drop precipitously.
Authentication only affirms the identity of the party responsible for sending the mail. By itself, it does nothing to demonstrate that the authenticated mail is wanted by the recipients and deserving of placement in the inbox. To have the best chance of landing in the inbox, you must have authentication in concert with following all other best practices.
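The attribution logic described above, as an added sketch that is not part of the original article: a toy receiver credits engagement signals to a domain only when DMARC passes, and falls back to the claimed From domain when a domain has no authenticated mail at all. The weights, the `reputation` model, the `ar` helper and every domain name are assumptions made for illustration; real receivers use their own private formulas.

```python
from collections import defaultdict

# Assumed engagement weights; each receiver uses its own private formula.
WEIGHTS = {"open": 1, "click": 2, "spam": -5}

def dmarc_pass_domain(auth_results):
    """Return the header.from domain of a dmarc=pass result, else None."""
    for clause in auth_results.split(";")[1:]:  # [0] is the authserv-id
        tokens = clause.split()
        if tokens and tokens[0].lower() == "dmarc=pass":
            for tok in tokens[1:]:
                if tok.lower().startswith("header.from="):
                    return tok.split("=", 1)[1].lower()
    return None

def reputation(mail):
    """Score each domain from (Authentication-Results, From domain, action)."""
    auth, unauth = defaultdict(int), defaultdict(int)
    for auth_results, claimed_from, action in mail:
        ident = dmarc_pass_domain(auth_results)
        if ident is not None:
            auth[ident] += WEIGHTS[action]  # credited to a verified identity
        else:
            unauth[claimed_from.lower()] += WEIGHTS[action]  # only a claim
    # Once a domain has authenticated mail, only that mail counts for it.
    return {d: auth[d] if d in auth else unauth[d]
            for d in set(auth) | set(unauth)}

def ar(result, domain):
    """Build a constructed Authentication-Results header value."""
    return f"mx.receiver.example; dmarc={result} header.from={domain}"

# Constructed sample traffic as seen by one hypothetical receiver.
SAMPLE_MAIL = [
    # No authentication: legitimate and spoofed mail are indistinguishable.
    (ar("none", "noauth.example"), "noauth.example", "open"),
    (ar("none", "noauth.example"), "noauth.example", "spam"),    # spoofed
    # Partial authentication: the unauthenticated stream earns no credit.
    (ar("pass", "partial.example"), "partial.example", "open"),
    (ar("none", "partial.example"), "partial.example", "click"),
    # Full authentication: the spoof fails DMARC and does not count.
    (ar("pass", "full.example"), "full.example", "open"),
    (ar("pass", "full.example"), "full.example", "click"),
    (ar("fail", "full.example"), "full.example", "spam"),        # spoofed
    # Full authentication, unwanted mail: a correctly earned bad score.
    (ar("pass", "bulk.example"), "bulk.example", "spam"),
    (ar("pass", "bulk.example"), "bulk.example", "spam"),
]

if __name__ == "__main__":
    for domain, score in sorted(reputation(SAMPLE_MAIL).items()):
        print(f"{domain:16} {score:+d}")
```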