Custom Domain Authentication using DKIM, DMARC, and SPF records

Why you should authenticate your domain:

Major Internet Service Providers (aka ISPs), such as Yahoo, Google, and Microsoft scan incoming emails to check for spam or spoofed email addresses. This scan is looking for records on the from address domain that indicate that the displayed sender is, in fact, the same person who controls the domain. These records include a DKIM signature, as well as the SPF record. In addition to DKIM and SPF, you can further control your domain’s security by publishing a DMARC record.

Before you begin

  • Custom authentication is not required but highly recommended. Our system will automatically authenticate email using our generic DKIM authentication. Using Custom Domain Authentication will eliminate the “via” or “on behalf of” that appears when using the generic DKIM authentication.  Additionally, by setting up a DMARC policy, you should expect to see improvement in your sending reputation and inbox delivery.
  • In order to set up custom domain authentication, you will need to change some of the settings with your DNS provider. The DNS records are most commonly found where you have your domain registered or hosted.
  • If you are not sure how to edit your DNS, contact support or your domain hosting provider.

List of Popular Domain Providers

If your service isn’t listed here, log in to your provider’s site and search their help documents, or contact the customer support team.

Amazon Web Services: Configuring DNS, Resource Record Types

Dreamhost: DNS Overview

GoDaddy: Add a CNAME Record

Google Domains: DNS Basics

Hostgator: Manage DNS records

Hover: Edit DNS Record

Namecheap: SPF & DKIM

Squarespace:  Advanced DNS Settings

For CNAME:
In the Host field, enter fd._domainkey
In the Data field, enter dkim.emaildeliveryhq.com

For DKIM TXT record:
In the Host field, enter _domainkey
In the Data field, enter o=~

For DMARC TXT record:
In the Host field, enter _dmarc
In the Data field, enter v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com

Stablehost: How do I get to cpanel?

1&1: Domain Guidelines

Quick Overview of Process

Authenticating the domain requires that you complete tasks in your email marketing account, as well as in your domain provider's DNS zone editor or cPanel. It’s a good idea to have each open in a separate window. The process requires you to copy and paste text. The keyboard shortcuts for copy and paste are listed below:

On Windows: Highlight text and use Ctrl+C to copy, and use Ctrl+V to paste

On Mac: Highlight text and use Cmd+C to copy, and use Cmd+V to paste. The command key sometimes has an apple logo on Mac keyboards.

  1. Verify Domain in email marketing account
  2. Copy the CNAME record from the email marketing account and paste in the zone editor
  3. Return to email marketing account and click authenticate button to finish DKIM setup
  4. Copy the generated DMARC and SPF records from the email marketing account
  5. Paste DMARC and SPF records into DNS zone editor
  6. Test the records in the email marketing account

When you run the test, you should see all the boxes highlighted green. This means the setup was done correctly.

 

Verify your domain



Log in to your Email Marketing account and go to the account settings page located under Account > Settings.

In the bottom right panel titled DKIM Domains, click “Authenticate Domain”.  The app will present a list of FROM domains that you have been using or request you add a FROM email address to validate if you have none.

 

Custom Domain Authentication – DKIM



Custom Domain Authentication requires adding a CNAME to your DNS records.

Creating a CNAME record

When you select a domain, the CNAME record will be shown.

Type: CNAME

Name: fd._domainkey.your_domain.com

Value: dkim.emaildeliveryhq.com


Add this record to your DNS where your domain is registered. If you are not sure how to edit your DNS, contact support or your domain hosting provider.

Once you add the DNS record, you then click the Authenticate button, and the app will confirm that the DNS record is set up correctly and add the domain to the list of authenticated domains.

Changes to DNS records can take up to 24hrs or more. If your domain will not authenticate, wait 1 hour and try again.

Once the domain has been authenticated, the following records will be shown for you to finish setting up your DMARC and SPF records in the Authenticated Domains section. The DKIM CNAME record will also remain visible.

 

Setting up DMARC


DMARC works with DKIM and SPF to add stronger custom authentication to your emails. DMARC will increase your deliverability more than using Custom DKIM alone. DMARC setup consists of 5 parts:

  1. Custom Domain Authentication (see above)
  2. Creating a DKIM TXT record
  3. Creating a DMARC TXT record
  4. Creating an SPF TXT record
  5. Test DNS Records

All of these DNS records are stored in your domain name server or “DNS” server. If you are not sure how to edit your DNS records, contact support or your domain hosting provider.

Creating a DKIM TXT record

You can find the DKIM records in the Authenticated Domains section. An example is below. You must have the CNAME record published first before adding the TXT record.

Type: TXT

Name: _domainkey.your_domain.com

Value:  o=~

Note that you will probably want to add quotes around the value. Most registrars should understand this. Make sure they haven’t double-double-quoted the value (e.g. “”o=~””). If it causes an error, try without the quotes, and we will verify it.

Note that your particular system for DNS records may require a trailing dot (.) after (Your From Domain). If not having the dot doesn’t work, try it with the trailing dot.

Creating a DMARC TXT record

You can find the DMARC records in the Authenticated Domains section. An example is below. You must have the CNAME record published first before the other records appear.

Type: TXT

Name: _dmarc.your_domain.com

Value: v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com

Note that your particular system for DNS records may require the trailing dot after (Your From Domain). If not having the dot doesn’t work, try it with the trailing dot.
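The following is an added example, not part of the original article or the vendor's tooling: an offline check of a _dmarc TXT value before you paste it into the zone editor, including the double-quoting mistake mentioned above. The function names and sample values are illustrative assumptions.

```python
# Added example: check_dmarc and the sample values are illustrative,
# not part of the vendor's tooling.
POLICIES = ("none", "quarantine", "reject")
PAGE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com"  # from this article


def unquote(value):
    """Remove one pair of surrounding double quotes, as DNS panels show them."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def parse_tags(txt_value):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in filter(None, (p.strip() for p in unquote(txt_value).split(";"))):
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs


def check_dmarc(txt_value):
    """Return a list of problems in a _dmarc TXT value (empty list = OK)."""
    if '"' in unquote(txt_value):
        return ["stray quote characters: value looks double-quoted"]
    try:
        pairs = parse_tags(txt_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            problems.append(f"rua is not a mailto: address: {uri}")
    return problems


def is_enforcing(txt_value):
    """p=none only requests reports; quarantine/reject ask receivers to act."""
    return dict(parse_tags(txt_value)).get("p", "").lower() in POLICIES[1:]
```

With the record shown above, `check_dmarc` reports no problems and `is_enforcing` returns False, because p=none asks receivers to send reports without acting on failing mail.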

Creating an SPF TXT record



You can find the SPF records in the Authenticated Domains section. You must have the CNAME record published first before the other records appear. Add this TXT record to your DNS, or update your existing SPF record to include our MTAs.

Type: TXT

Name: @

Value:  v=spf1 mx include:mtas.emaildeliveryhq.com ~all

IMPORTANT: If an SPF record already exists in your DNS, simply insert “include:mtas.emaildeliveryhq.com” before ~all and save the record.
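The merge described above, as an added example that is not part of the original article or the vendor's tooling. It goes slightly beyond the text by refusing to proceed when the domain already has more than one SPF record and by counting lookup-costing terms; the function names and the sample TXT records are constructed assumptions.

```python
import re

# Added example: function names and sample records are illustrative.
INCLUDE = "include:mtas.emaildeliveryhq.com"            # value from this article
DEFAULT = "v=spf1 mx include:mtas.emaildeliveryhq.com ~all"
# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 limit: 10).
LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

# Constructed TXT records as they might already exist at the domain apex (@).
EXISTING = [
    "google-site-verification=constructed-token",
    "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
]


def merge_spf_include(apex_txt_records):
    """Return the single SPF record to publish at the domain apex."""
    spf = [r for r in apex_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record makes SPF return permerror.
        raise ValueError("multiple SPF records found; merge them into one")
    if not spf:
        return DEFAULT
    terms = spf[0].split()
    if INCLUDE in (t.lstrip("+-~?").lower() for t in terms):
        return " ".join(terms)                          # already authorised
    # Mechanisms are evaluated left to right and "all" always matches, so the
    # include has to sit before it or it is never reached.
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms.insert(i, INCLUDE)
            break
    else:
        terms.append(INCLUDE)                           # no "all" term present
    return " ".join(terms)


def count_dns_lookups(record):
    """Lower bound on lookups: counts this record's own terms only."""
    return sum(1 for term in record.split()[1:] if LOOKUP.match(term))
```

Included records add their own lookups on top of this count, so a result close to 10 means the merged record should be tested before it is relied on.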

Forward the DMARC Reports (Optional)

Create a mail forward for dmarc@your_domain.com

If you need to change this mailbox name, that’s fine, just be sure to switch the “rua” property in (Part 3) above. If you want to forward it to multiple people, that’s fine too, but we would appreciate getting a copy at the above address so that we can confirm everything is set up and continues to function properly.

 

Test DNS Records


Changes to DNS records can take up to 24hrs or more. If your tests are not working, wait 1 hour and try again.

Once you have added an Authenticated Domain, you’ll see it listed in a new section under Authenticated Domains. Select Test DNS Records for the domain you want to test. The test will indicate if the DKIM, DMARC, and SPF records have been configured correctly.

If all records are set up correctly, you’ll see a green checkmark at the top of the results.

For each record, red indicates that there’s an issue with that DNS record. Look at the output of the test for the cause of the error. Green indicates that the record is correct.

If you can’t seem to get this to work, contact support for assistance.
