Authentication is a way to prove an email isn't forged. Mandrill automatically authenticates all emails sent through our servers, but by adding DNS records to your domain, Mandrill can send on your behalf and digitally 'sign' your emails.

If you've ever received an email claiming to be from your bank, PayPal, or a company you do business with, but it's really from someone else, then you've seen first-hand how easy it is to forge email. Authentication helps legitimate senders prove that their email isn't forged, and can help receiving servers like ISPs and corporate email servers control inbound spam.

There are many authentication methods, but there isn't a single one that's the best. SPF and SenderID allow a domain owner to add a file or record on the server that the recipient server cross-checks. These are easy to implement, but some suggest they aren't as secure. DKIM and DomainKeys embed information within the email, making it harder to forge (but they can also be harder to implement for senders and receivers).

Since there are pros and cons to the various methods, Mandrill automatically adds authentication for all of the methods mentioned above. By default, email is authenticated for the mandrillapp.com domain, but all Mandrill accounts support adding SPF and DKIM for your domain so you can authenticate as your domain instead.

Authentication and Sending Reputation

When you add authentication information to your domain, an added benefit is that many ISPs use authentication to track sending reputation. With authentication handled by your domain, reputation with the receiving ISPs is influenced by your domain and the emails sent on behalf of your domain. This means you maintain control over the emails that affect deliverability for your domain. A positive reputation for your domain builds trust and improves deliverability, affecting whether your emails are caught by spam filters and how quickly the receiving servers will accept mail from your domain.

Source: mandrill.zendesk.com