
Authenticate your sending domains


Domain authentication is more strictly enforced by Google and Yahoo. Anyone sending through this platform should ensure the following:

  1. You are sending from a domain that belongs to you or your organization. If you do not have a domain you can use, we recommend purchasing one as soon as possible.
  2. You authenticate your domain using DKIM, SPF, and DMARC, the three methods discussed in this document.
  3. You are following best practices with obtaining permission and respecting unsubscribes.

Your domain name is an important part of your business or organization's online identity, and sending email from your own domain is key to maintaining a relationship with your subscribers. To authenticate your sending domain means that receiving mail servers can verify that your email content hasn't been tampered with before it reaches the recipient. Even more importantly, it shows that the mail was authorized by somebody with ownership over the domain. It's a vital part of increasing trust with your subscribers, and assists in your deliverability.

For a deeper explanation of the technologies in the email authentication landscape, read our email authentication documentation.

Handy to know

Before you continue, if you haven't already, read our article on using your own domain with Campaign Monitor. It will help you make more informed choices around deliverability, setting up subdomains, and dealing with DNS.

Setting up email authentication is highly technical. If terms like TXT records, TTL settings, and public-private keys aren't familiar to you, ask someone in your IT department for help, or find a technical friend.

What's involved

Setting up a sending domain requires you to make changes in Campaign Monitor, your web host, and your DNS host.

You will need to:

  • Select an appropriate domain or subdomain to send email from, for example, mail.example.com.
  • Set up Campaign Monitor to use that domain, and generate a public/private key pair for DKIM.
  • Add up to three TXT records in the DNS host for your domain.
  • Verify that everything is set up properly from Campaign Monitor.

Required: Set up a sending domain

The following instructions will help you set up a new sending domain of your choice for Campaign Monitor. If the same domain is used with other email service providers, email sent through those providers will not be authenticated by this process.

  1. Set up the domain you want to send from in your domain provider.
  2. In Campaign Monitor, click your profile image at the top right, then click Account settings.
  3. Click Sending domains.
  4. Click Set up a sending domain within the Sending domains section (or, if you already have authenticated domains set up, Add domain).
  5. In the Domain field, enter a fully qualified domain name, for example, mail.example.com. Authenticating a second level domain (for example, example.com) will not authenticate its subdomains. Once you have entered your domain, click Continue.
    You can only authenticate domains that you or your organization own. We check to see if you are trying to authenticate an unregistered domain or generic email domain (e.g. gmail.com, hotmail.com, aol.com, etc.). You will see a warning and will be unable to authenticate your domain if you attempt to add a generic or unregistered domain.
  6. You will now need to access your DNS host in order to add the provided TXT record to your domain. However, we give you 3 options to complete this part of the process:
    1. Copy-paste the TXT record into your DNS 
    2. Share the details with someone else who has access to the DNS host 
    3. Use existing details (for example, if your domain is already authenticated in another account).

Add the record yourself

DNS hosts have varied and often custom configurations, which means we're unable to provide exact instructions on how to do this. However, instructions for how to add TXT records on popular DNS hosts are below.

  1. Create a new DNS record, and set the type to TXT.
  2. Copy the Name/host field to paste into the corresponding field in your DNS. For the TXT name/host, what you enter depends on your DNS host. Some require you to enter the full cm._domainkey.mail.example.com, others only need the cm._domainkey part. 
  3. Copy and paste the TXT record in the Value box into the appropriate field in your DNS.
  4. Copy and paste the TTL into your DNS. We have set the default at the minimum value of 300, which corresponds to the time it will take to validate the domain (300 seconds or 5 minutes), though your system or IP may require a higher value (for example the minimum for GoDaddy is 600).
  5. Once you have added the record into your DNS, go back into Campaign Monitor and click I’ve added the records (or Re-check record from the Sending domains section if you have exited the setup process).

You will see a confirmation message once the domain has been successfully authenticated. The next time you create an email campaign, you will be able to select your authenticated domain when defining the sender.

Some DNS hosts do not support semicolons ( ; ) or underscores ( _ ), which are required to authenticate with Campaign Monitor. In some cases you can work around semicolons by replacing any occurrences of ; with \;. If this doesn't work, or your host doesn't support underscores, you will need to switch DNS providers to authenticate your email.

Share the instructions with someone else

If you don’t have access to your domain’s DNS host, you will see an option to Share instructions. Simply hover over the message box, copy the message and send it to the person or team who can make the necessary changes. If you are unsure who this is, consult your IT team or domain registrar. 

Use existing details

For security, we recommend you generate new DKIM private and public keys using Campaign Monitor instead of using an existing record. However, if you already have a TXT record set up for the domain you are authenticating (including public and private keys), an existing DKIM record can be used. To use an existing DKIM record:

  1. Choose the Use existing details option
  2. Specify the Selector
  3. Add in the Public key
  4. Add in the Private key

Required: add a DMARC record

Once you have verified your DKIM setup, the next step is to ensure that your sending domain also has a valid DMARC record.

The domain you're setting up may already have a record beginning with _dmarc. If so, and DMARC is automatically showing as verified, you should probably skip this step. Any valid existing DMARC configuration is acceptable, and making changes to an existing record could have dangerous consequences for your organization's email ecosystem.

If you do not have a DMARC record, the one we are suggesting is the minimal valid record. It is safe to add without having any adverse impact on any of your organization's mail, and will be useful for establishing the legitimacy of the email you're sending.

  1. Log in to your DNS host.
  2. Create a new DNS record, and set the type to TXT.
  3. Type _dmarc into the name field. Some DNS hosts require you to enter the full _dmarc.mail.example.com, others only need the _dmarc part.
  4. Copy this code exactly into the value field: v=DMARC1; p=none;
  5. Set a TTL value of at least 300 seconds (some hosts may require a higher value like 30 minutes).
  6. Save the new DMARC record.
  7. Once you have added the record into your DNS, go back into Campaign Monitor and click Re-check record from the Sending domains section.
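Before clicking Re-check record, the DKIM and DMARC values can be sanity-checked locally. The following is an added example, not Campaign Monitor code: parse_tags, check_dmarc and check_dkim are hypothetical helper names, and the sample key is a constructed placeholder. It takes the TXT value as your DNS host shows it, including split quoted chunks and the \; workaround mentioned earlier.

```python
import base64
import binascii
import re

def parse_tags(txt):
    """Parse a DKIM/DMARC 'tag=value; ...' TXT value into ordered (tag, value) pairs."""
    if '"' in txt:  # long TXT values are stored as several quoted chunks; join them
        txt = "".join(re.findall(r'"([^"]*)"', txt))
    txt = txt.replace("\\;", ";")  # some DNS hosts need ';' entered as '\;'
    pairs = []
    for part in filter(str.strip, txt.split(";")):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip(), "".join(value.split())))
    return pairs

def check_dmarc(txt):
    """Return a list of problems with the TXT value published at _dmarc.<domain>."""
    pairs, problems = parse_tags(txt), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    policy = dict(pairs).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p must be none, quarantine or reject, got {policy!r}")
    return problems

def check_dkim(txt):
    """Return a list of problems with the TXT value at <selector>._domainkey.<domain>."""
    pairs, problems = parse_tags(txt), []
    if any(tag == "v" for tag, _ in pairs) and pairs[0] != ("v", "DKIM1"):
        problems.append("v, when present, must come first and equal DKIM1")
    key = dict(pairs).get("p")
    if key is None:
        problems.append("missing p= (public key)")
    elif key == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled paste?)")
    return problems

# Constructed sample values; the key is a placeholder, not a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real DKIM key").decode()
SAMPLE_DKIM = f'"v=DKIM1; k=rsa; p={SAMPLE_KEY[:20]}" "{SAMPLE_KEY[20:]}"'

print(check_dmarc("v=DMARC1; p=none;"), check_dkim(SAMPLE_DKIM))
```

An empty list means the value is well formed; it does not confirm that the record is published at the right name, which the Re-check record step still has to verify.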

Recommended: add an SPF record

The final step in the authentication process is to add an SPF record for your sending domain. This is optional, but still a recommended action to provide receiving servers further evidence of the legitimacy of the mail you're sending through our servers.

The process depends on whether you already have an SPF record in place. To determine that, you can use the EmailStuff SPF checker or just look for a record on your sending domain that contains "v=spf1".

These steps assume you are already logged into your DNS host.

If you have an SPF record already:

  1. Add include:_spf.createsend.com immediately after the "v=spf1" in the existing record. Make sure you include a space.
  2. Save the record and recheck (you may need to wait until the time indicated by the TTL passes).

If you do not have an SPF record:

  1. Create a new DNS record, and set the type to TXT.
  2. Type @ into the name field, or leave it blank, depending on the requirements of your DNS provider. If you are setting up a subdomain such as mail.example.com, type mail into the name field.
  3. Copy this code exactly into the value field: v=spf1 include:_spf.createsend.com ~all
  4. Set a TTL value of at least 300 seconds (some hosts may require a higher value like 30 minutes).
  5. Save the new SPF record.
  6. Once you have added the record into your DNS, go back into Campaign Monitor and click Re-check record from the Sending domains section.
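The two SPF cases above can be worked out before touching DNS. This added example is not Campaign Monitor code; the function names and the sample TXT values are constructed for illustration. It merges the include into an existing record rather than publishing a second one, because receivers treat two v=spf1 records at the same name as a permanent error (RFC 7208), and it flags records that exceed the 10 DNS-lookup limit from the same RFC.

```python
import re

CM_INCLUDE = "include:_spf.createsend.com"  # mechanism given in the steps above
# Terms that cost a DNS lookup when a receiver evaluates the record (RFC 7208).
LOOKUP_TERM = re.compile(r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)(?:[:/]|$)|redirect=)", re.I)

def spf_records(txt_values):
    """Pick the SPF records out of all (unquoted) TXT values published at one name."""
    return [t for t in txt_values if (t.split() or [""])[0].lower() == "v=spf1"]

def add_include(record):
    """Insert CM_INCLUDE immediately after v=spf1 unless it is already present."""
    terms = record.split()
    if CM_INCLUDE in (t.lower() for t in terms):
        return record
    return " ".join([terms[0], CM_INCLUDE, *terms[1:]])

def direct_lookups(record):
    """Count lookup-causing terms in this record only; nested includes add more."""
    return sum(1 for t in record.split()[1:] if LOOKUP_TERM.match(t))

def plan_spf(txt_values):
    """Return the single SPF value to publish for the sending domain."""
    found = spf_records(txt_values)
    if len(found) > 1:
        # Two v=spf1 records at one name is a permanent error for receivers, so
        # the include is merged into the existing record, never added beside it.
        raise ValueError("multiple v=spf1 records found; merge them into one")
    if not found:
        return f"v=spf1 {CM_INCLUDE} ~all"
    merged = add_include(found[0])
    if direct_lookups(merged) > 10:
        raise ValueError("more than 10 DNS-lookup terms; receivers return permerror")
    return merged

# Constructed TXT values for a hypothetical mail.example.com
EXISTING = ["site-verification=constructed", "v=spf1 include:_spf.example.net mx -all"]

if __name__ == "__main__":
    print(plan_spf(EXISTING))
```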

How to add TXT records on popular DNS hosts

Below are links to instructions from commonly used DNS providers for changing their TXT records. If you have a different host, they may have their own instructions, or one of the examples below may be similar.

Many hosts also use the following software for DNS management:

Troubleshooting

Because of the wide variety in DNS hosts and the technical nature of adding DNS records, you might run into some trouble while setting up DKIM authentication. We've covered the most common issues in a dedicated troubleshooting article.
