Manage your own authentication with DKIM

DomainKeys Identified Mail (DKIM) is a way to authorize Email Service Providers (ESPs) to send email on your or your company's behalf. It allows a sender to take responsibility for their email, and is used to help separate legitimate email from spam and phishing campaigns.

To authenticate using DKIM, you will need:

  • your own domain name
  • access to your domain's DNS records
  • familiarity with modifying DNS records.

Authenticate a client's domain

To manage authentication for a client:

  1. Select the client you want to authenticate.
  2. Click Client Settings.
  3. In the right sidebar, click Authentication Settings.
  4. Click Add a sending domain.
  5. Enter a fully qualified domain name to authenticate. Authenticating just the base domain name will not authenticate subdomains. For example, authenticating will not authenticate
  6. Click Generate DNS records.
  7. The next page will show the "TXT Name" and "TXT Value" details that you will need to add to your domain's DNS records. How to do this varies depending on the service you use to manage your DNS.
  8. After you've added the record to your domain host, in Campaign Monitor click I've added the record, please verify it. It can take time for DNS record changes to update around the internet, so if our servers don't see the changes right away, try again later.
  9. After everything has been set up correctly, the authenticated domain will be listed on the Client Settings > Authentication Settings page.

NOTE: Some DNS hosts do not support semicolons ( ; ) or underscores ( _ ), which are required to authenticate with Campaign Monitor. In some cases you can work around semicolons by replacing any occurrences of ; with \;. If this doesn't work, or your host doesn't support underscores, you will need to switch DNS providers to authenticate your email.

The next time you send an email campaign, you will be able to select the authenticated domain for the sender's "From" address.

TIP: You can authenticate multiple domains for each client, and easily add an already authenticated domain to other clients.

Instructions for modifying DNS records

Below are links to instructions from commonly used DNS providers for changing their TXT records. If you have a different host, they may have their own instructions, or one of the examples below may be similar.

Commonly used domain hosting software:

Commonly used DNS providers:


Below are some answers to questions we're commonly asked about authentication. If you have a question we haven't addressed, please contact us.

My host doesn't allow me to modify my DNS, what should I do?

Some web and DNS hosts won't let you modify your DNS records yourself; however, many will add authentication records for you. Contact your host to find out if they offer this service.

My web host doesn't support DKIM, do I have to switch to one that does?

Not necessarily. DNS records are usually hosted by the same company that hosts your site, but it doesn't have to be that way. It's possible to keep your web host and change who provides your DNS records using services like DNS Made Easy, ZoneEdit and easyDNS.

Will all email sent through the selected domain be authenticated?

After following the instructions above, only emails sent through Campaign Monitor using your chosen domain will be authenticated. Emails sent through other services that use the same domain will not be authenticated. If you opt to send email from an unauthenticated domain in Campaign Monitor, your email will also not be authenticated.

My DNS records are still not verified in my account, what should I do?

DNS record changes can take a while to propagate, sometimes more than 24 hours. If the records still cannot be verified after a few days, it may be because they were not added correctly.

You can use a third-party DNS testing tool like EmailStuff to check if DNS record changes have propagated. On the EmailStuff site, click DNS, enter the domain name you are trying to verify into the hostname TXT field and click the TXT button.

If the record has propagated, the "Answer" given will contain the TXT value that Campaign Monitor generated for you earlier, and the "DKIM" tag will be in the "Type" column.

If no record is found, try lowering the "time to live" (TTL) value in your DNS. This is the amount of time DNS servers will cache your record for, and lowering the value will make the record propagate faster. The method to do this will vary depending on the DNS host you use.

If after this the records are still not showing up, contact your DNS host to make sure everything is working as it should be, and if there are no problems found, please contact support and let them know the domain name you're trying to authenticate.
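
As an added example (not Campaign Monitor's code), the Python sketch below compares a published record with the generated "TXT Value", covering both the \; workaround from the NOTE above and the verification question. It assumes you already have the record's decoded TXT strings from a resolver; the function names and the sample key are constructed for illustration.

```python
import base64

# Constructed sample data: not a real key and not a value generated by Campaign Monitor.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-bytes" * 12).decode()
SAMPLE_TXT_VALUE = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"

def split_txt(value, size=255):
    """Split a value into TXT character-strings (each holds at most 255 bytes)."""
    return [value[i:i + size] for i in range(0, len(value), size)]

def parse_tags(value):
    """Parse 'tag=value; tag=value' into a dict, dropping whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_published(strings, expected):
    """Compare decoded TXT strings with the expected TXT Value; return problems found."""
    problems = []
    published = "".join(strings)  # the strings are joined with nothing in between
    if "\\" in published:
        # Assumed failure mode: the host kept the backslash from the \; workaround.
        problems.append("backslash stored literally in the record")
        published = published.replace("\\;", ";")
    got, want = parse_tags(published), parse_tags(expected)
    try:
        base64.b64decode(got.get("p", ""), validate=True)
    except ValueError:
        problems.append("p= is not valid base64 (truncated or altered)")
    for tag, value in want.items():
        if got.get(tag) != value:
            problems.append(f"{tag}= differs from the generated TXT Value")
    return problems

if __name__ == "__main__":
    escaped = SAMPLE_TXT_VALUE.replace(";", "\\;")
    print(check_published(split_txt(SAMPLE_TXT_VALUE), SAMPLE_TXT_VALUE))
    print(check_published(split_txt(escaped), SAMPLE_TXT_VALUE))
    print(check_published([SAMPLE_TXT_VALUE[:255]], SAMPLE_TXT_VALUE))
```

An empty list means the published record carries the same tags as the generated value; anything else names the tag to fix with your DNS host.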