Concept
Understanding email headers and authentication

When you send an email through Pendula, technical details work behind the scenes to ensure successful delivery and protect your sender health. This article explains what recipients see and how authentication keeps your sending secure.

Sender profile setup includes guided steps for each technical requirement. To keep things running smoothly:

• Verify your domain – without domain verification, a sender profile cannot be used to emails
• Use sender profiles consistently – using the same profile for the same purpose helps recipients recognise your emails and maintains a healthy sender reputation. 
• Monitor your health status – authentication failures can affect your sender reputation over time

Email features visible to recipients

What recipients see

When someone receives your email, they see specific information that identifies you as the sender:

Sender details – comprised of:

• Sender name – The display name recipients see first. The name should inform the recipient who and where the email is from.
• Sender address – The email address the message is sent from, made up of a user name and your verified domain.

Reply-to address – Where responses are directed when recipients hit reply. This can be different from the sender address.

Recipient (To) – The primary recipient's email address

CC address – A carbon copy to additional recipients, visible to everyone on the thread. Often used for compliance purposes.

BCC address – A blind carbon copy to hidden recipients not visible to others. Often used for archiving purposes.

Subject line – The topic or purpose of the email.

Date and time – When the email was sent

Additional security details

These technical details are visible to recipients but are essential for secure delivery:

Mail-from address – The technical sending address used for bounces and authentication.If you're using a custom Mail-from address, note that if MX verification fails, the default sending domain will be used as the fallback.

DKIM signature – Cryptographic signature confirming the email hasn't been altered in transit.

Message ID – A unique identifier for tracking and troubleshooting

TLS encryption – Standard security encryption protecting the email while in transit.

How email authentication works

Email providers use three methods to verify that your emails are legitimate. Together, they protect your reputation, improve deliverability and prevent others from impersonating your domain.

SPF (Sender policy framework)

SPF confirms that the server sending your email is authorised to do so on behalf of your domain. When it passes, it means the email came from an approved source listed in your domain's DNS settings.

‘PASS’ Example: spf=pass (mailaddress.com: domain of bounce@offers.mybrand.com designates 123.45.67.890 as permitted sender)

DKIM (DomainKeys identified mail)

DKIM adds a digital signature to your emails that proves the content hasn't been tampered with between sending and delivery. When it passes, the signature matches your domain's public key.

‘Pass’ Example: dkim=pass header.i=@offers.mybrand.com header.s=mybrand

DMARC

DMARC tells receiving mail servers what to do if an email fails SPF or DKIM checks — for example, whether to reject it or send it to spam. When it passes, it confirms the sending domain matches the authenticated domain.

“PASS” Example: dmarc=pass (p=NONE sp=NONE dis=NONE)

See Setting up Custom Domains for secure email delivery using Pendula

Viewing email headers (for troubleshooting)

Viewing email headers is helpful in troubleshooting a delivery issue or investigating a suspicious email. Recipients can view full email headers through their email client's "View source" or "Show original" option. This reveals authentication results, server routing, and timestamp details.