
Two simple steps can optimize your deliverability

Email authentication refers to techniques that let the recipient of an email message confirm that the message actually originated from its stated source. The goal is to limit fraudulent email messages and prevent spoofing.

Many Email Service Providers today use SPF and DKIM signing as a factor in their handling of email messages – messages with SPF and DKIM authentication may see better deliverability and inbox placement.

There are two primary forms of email authentication in use today:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)



SPF allows an organization to authorize other entities (such as Blue State Digital’s BSD Tools application) to use its domain names when sending email. A domain’s SPF policy record is just a specifically formatted DNS TXT record, commonly containing one or more of the following “mechanisms”:

  • v=spf1 – Required first token to indicate that the TXT record is an SPF record (a domain can have multiple TXT records)
  • ip4, ip6 – Used to specify IPv4 and IPv6 addresses and networks that are permitted to send mail for the domain
  • a – If the sending domain has a DNS “A” record that resolves to the sending IP, the IP is permitted
  • mx – If the sending IP belongs to one of the hosts in the sending domain’s MX records, the IP is permitted
  • all – Required last token, always modified:
    • -all – Only what’s listed can pass; reject all failures.
    • ?all – Neutral; makes no statement about whether senders that aren’t listed should pass.
    • +all – Pass everything.

For example, an SPF record covering email sent from the BSD Tools would look like: IN TXT "v=spf1"
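How a receiving server applies these mechanisms, as an added Python example (not Blue State Digital's code): terms are evaluated left to right, the first match decides, and the qualifier on `all` settles every sender that is not listed. DNS is replaced by constructed tables, `example.org` and the addresses are placeholders, the `ip4`/`ip6` spellings follow the SPF specification (RFC 7208), and `~all` (softfail) from that specification is included alongside the qualifiers listed above.

```python
import ipaddress

# Constructed zone data standing in for live DNS (documentation address ranges).
A_RECORDS = {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]}
MX_RECORDS = {"example.org": ["mail.example.org"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy: one network, the domain's MX hosts, reject everything else.
RECORD = "v=spf1 ip4:198.51.100.0/24 mx -all"


def _addresses(host):
    """IP addresses a host name resolves to in the constructed zone."""
    return {ipaddress.ip_address(a) for a in A_RECORDS.get(host, [])}


def check_spf(record, sender_ip, domain):
    """Evaluate terms left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # a TXT record that is not an SPF policy
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed or missing network
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = ip in _addresses(arg or domain)
        elif name == "mx":
            hosts = MX_RECORDS.get(arg or domain, [])
            matched = any(ip in _addresses(h) for h in hosts)
        elif name == "all":
            matched = True
        else:
            return "permerror"  # include, redirect, CIDR suffixes: not covered here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

With `+all` in place of `-all`, the same unlisted address returns `pass`, which is why that qualifier authorizes any host on the internet to send as the domain.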



DKIM provides a way for an entity (again, such as your organization) to take responsibility for a message, independent of the entity that actually sent the message (which may be Blue State Digital if you are using our BSD Tools software).

To enable DKIM for your email messages, please contact our team. We’ll then generate two cryptographic keys. One of the keys is kept private to BSD and is available to the sending server for signing mail. The other is shared with you and must be published through your DNS host so that receiving domains can use it to validate the signature.

