Domain Authentication Setup Guide

Configure SPF, DKIM, and DMARC to authenticate your sending domain. Proper domain authentication improves deliverability, prevents spoofing, and tells inbox providers your emails are legitimate.

1. Why Domain Authentication Matters

Domain authentication tells receiving mail servers that your emails are authorized and have not been tampered with. Without authentication, your emails are more likely to land in spam or be rejected entirely.

Improved Deliverability

Gmail, Outlook, Yahoo, and other major inbox providers use authentication records to decide whether to deliver your email to the inbox or route it to spam. Properly configured SPF, DKIM, and DMARC records can significantly improve your inbox placement rates.

Spoofing Protection

Without authentication, anyone can send email that appears to come from your domain. Phishers and spammers exploit unauthenticated domains to impersonate legitimate businesses. DMARC enforcement prevents unauthorized senders from using your domain name.

Brand Trust

Authenticated emails can display your brand logo in supported email clients through BIMI (Brand Indicators for Message Identification). This visual indicator builds trust with recipients and increases open rates.

Compliance Requirements

Google and Yahoo now require bulk senders (over 5,000 messages per day) to have valid SPF, DKIM, and DMARC records. As of February 2024, emails without proper authentication are more likely to be rejected by these providers.

2. SPF -- Sender Policy Framework

SPF is a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify that the sending server is permitted.

How SPF Works

When you send an email, the receiving mail server looks up the SPF record for your domain. If the IP address of the sending server matches one of the authorized IPs in your SPF record, the SPF check passes. If it does not match, the check fails, and the email may be rejected or marked as spam.

Creating Your SPF Record

Add a TXT record to your domain's DNS with the following format. Replace the include directives with the services you actually use to send email.

DNS TXT Record
Type:  TXT
Host:  @
Value: v=spf1 include:sendgrid.net include:_spf.google.com ~all

SPF Record Breakdown

Component                Meaning
v=spf1                   Declares this is an SPF version 1 record. Required at the beginning of every SPF record.
include:sendgrid.net     Authorizes SendGrid's mail servers to send on behalf of your domain. Add an include for each third-party service you use.
include:_spf.google.com  Authorizes Google Workspace (Gmail) servers. Include this if your team uses Google Workspace for company email.
~all                     Soft fail for any server not listed. This tells receiving servers to accept but flag unauthenticated email. Use -all (hard fail) for strict enforcement once you are confident your SPF record is complete.

Important: SPF Lookup Limit

SPF records are limited to 10 DNS lookups. Each include directive counts as one lookup, and nested includes count toward the total. If your SPF record exceeds 10 lookups, it will fail validation. Use an SPF flattening service if you need to authorize many senders.
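To make the lookup rule concrete, here is an added Python example (not VerifyEmail.io's code) that counts the lookup-costing terms in an SPF record by walking nested include: and redirect= targets against a constructed, offline stand-in for DNS; the domain names and netblocks in it are assumed sample data. It also refuses to evaluate a domain that publishes more than one SPF record or contains an include loop, since either makes real validators return a permanent error.

```python
import re

MAX_LOOKUPS = 10
# Terms that cost a DNS query under the SPF limit; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for DNS TXT lookups (assumed, illustrative values; the
# netblocks are RFC 5737 / RFC 3849 documentation ranges, not any provider's).
DNS_TXT = {
    "yourdomain.com": ["v=spf1 include:sendgrid.net include:_spf.google.com ~all"],
    "sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:203.0.113.0/24 -all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
DNS_TXT.update({f"s{i}.example": ["v=spf1 ip4:203.0.113.0/24 -all"] for i in range(11)})

def get_spf(domain, resolver=DNS_TXT):
    """Return the domain's single SPF record; raise if it is missing or duplicated."""
    spf = [r for r in resolver.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise ValueError(f"{domain}: expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]

def count_lookups(domain, resolver=DNS_TXT, path=frozenset()):
    """Count lookup-costing terms, recursing into include: and redirect= targets."""
    if domain in path:
        raise ValueError(f"{domain}: include/redirect loop")
    total = 0
    for term in get_spf(domain, resolver).split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, resolver, path | {domain})
    return total

def spf_within_limit(domain, resolver=DNS_TXT):
    """True when the record evaluates within the 10-lookup limit."""
    return count_lookups(domain, resolver) <= MAX_LOOKUPS

if __name__ == "__main__":
    for d in ("yourdomain.com", "heavy.example"):
        print(d, count_lookups(d), "lookups; within limit:", spf_within_limit(d))
```

Swap DNS_TXT for a real resolver (for example one built on dnspython's TXT queries) to audit a live domain; the counting logic stays the same.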

3. DKIM -- DomainKeys Identified Mail

DKIM adds a cryptographic signature to your outgoing emails. The receiving server uses a public key published in your DNS to verify that the email was not altered in transit and was sent by an authorized sender.

How DKIM Works

When your mail server sends an email, it computes a hash of selected message headers and the body, then signs that hash with the domain's private key. The signature is added as a DKIM-Signature header. The receiving server retrieves your public key from DNS, verifies the signature, and compares the signed hash to its own hash of the received message. If they match, the DKIM check passes.

Adding DKIM DNS Records

When you add your domain in the VerifyEmail.io dashboard, we generate two CNAME records for DKIM. Add these to your DNS provider.

DNS CNAME Records
Record 1:
Type:  CNAME
Host:  s1._domainkey.yourdomain.com
Value: s1.domainkey.u12345.wl.sendgrid.net

Record 2:
Type:  CNAME
Host:  s2._domainkey.yourdomain.com
Value: s2.domainkey.u12345.wl.sendgrid.net

The exact values will be provided in your VerifyEmail.io dashboard after you add your domain. The u12345 portion is unique to your account.

4. DMARC -- Domain-based Message Authentication

DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication. It also provides a reporting mechanism so you can monitor who is sending email on behalf of your domain.

DMARC Policies

p=none

Monitor only. No action is taken on failing emails. Use this policy when you first set up DMARC to collect reports and identify all legitimate senders before enforcing a stricter policy.

p=quarantine

Send to spam. Emails that fail DMARC are delivered to the recipient's spam folder instead of the inbox. This is a good intermediate step before full enforcement.

p=reject

Block completely. Emails that fail DMARC are rejected outright and never delivered. This provides the strongest protection against spoofing but requires that all legitimate senders pass SPF or DKIM.

Creating Your DMARC Record

Add a TXT record to your DNS at _dmarc.yourdomain.com. Start with p=none to monitor, then gradually move to p=quarantine and finally p=reject as you confirm all legitimate email sources pass authentication.

DNS TXT Record
Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; pct=100

DMARC Record Breakdown

Tag             Meaning
v=DMARC1        Declares this is a DMARC version 1 record. Required.
p=none          The policy to apply to failing emails. Options: none, quarantine, or reject.
rua=mailto:...  The email address to receive aggregate DMARC reports. These XML reports show which IPs are sending email for your domain and whether they pass or fail authentication.
ruf=mailto:...  The email address to receive forensic (failure) reports. These contain details about individual emails that failed DMARC. Not all providers send forensic reports.
pct=100         The percentage of failing emails to apply the policy to. Use a lower value (like 10) during initial rollout to limit the impact of misconfiguration.
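As an added example (not part of this guide or the VerifyEmail.io product), the following Python checker validates a DMARC record against the rules in the table above: v=DMARC1 first, a recognised p value, mailto: reporting addresses, pct within range, and no unknown tags. The sample records are constructed; the first copies the record format shown above.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}

# Constructed sample records (assumed values); "monitor" mirrors the record above.
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; "
               "ruf=mailto:dmarc-reports@yourdomain.com; pct=100",
    "enforce": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100",
    "broken": "p=reject; v=DMARC1; pct=150; rua=dmarc-reports@yourdomain.com",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(record):
    """Return (is_valid, messages): syntax errors make the record invalid,
    while 'note:' entries flag settings that are valid but give no protection."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    errors, notes = [], []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICIES:
        errors.append("p must be one of none, quarantine, reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag} address {uri!r} must be a mailto: URI")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    errors += [f"unknown tag {t!r}" for t in tags if t not in KNOWN_TAGS]
    if tags.get("p") == "none":
        notes.append("note: p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        notes.append("note: without rua you receive no aggregate reports")
    return (not errors, errors + notes)

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, check_dmarc(rec))
```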

5. Setting Up in the VerifyEmail.io Dashboard

Follow these steps to add and verify your sending domain in the VerifyEmail.io dashboard.

Step 1: Navigate to Domain Settings

Log in to your VerifyEmail.io account and navigate to Settings > Sending Domains. Click Add Domain and enter your domain name (for example, yourdomain.com).

Step 2: Copy the DNS Records

After adding your domain, the dashboard displays the DNS records you need to create: two CNAME records for DKIM and a TXT record for SPF. Copy each record's type, host, and value exactly as shown.

Step 3: Add Records to Your DNS Provider

Log in to your DNS provider (such as Cloudflare, GoDaddy, Namecheap, or AWS Route 53) and add the records. DNS changes can take up to 48 hours to propagate, though most providers propagate within 15 minutes to 1 hour.

Step 4: Verify the Domain

Return to the VerifyEmail.io dashboard and click Verify. The system checks your DNS records and confirms whether SPF and DKIM are configured correctly. A green checkmark appears next to each record that passes validation.

Step 5: Set Up DMARC (Recommended)

While not required for domain verification, we strongly recommend adding a DMARC record. Start with p=none to monitor authentication results, then tighten the policy over time. See the DMARC section above for record format details.

6. Troubleshooting Common Issues

If domain verification fails or your authentication checks are not passing, review these common issues and their solutions.

DNS Records Not Found

Cause: DNS propagation has not completed yet, or the records were added to the wrong domain/subdomain.
Fix: Wait up to 48 hours for propagation. Double-check that the host name is correct -- some DNS providers automatically append your domain, so entering s1._domainkey.yourdomain.com may result in s1._domainkey.yourdomain.com.yourdomain.com. Use just s1._domainkey if your provider appends the domain automatically.

SPF Record Too Long

Cause: Your SPF record exceeds the 10 DNS lookup limit, or a single TXT string in the record exceeds the 255-character limit.
Fix: Remove any include directives for services you no longer use. Consider using an SPF flattening service that resolves includes to IP addresses. If the record exceeds 255 characters, split it into multiple strings within the same TXT record; receivers concatenate the strings before evaluating it.

DKIM Signature Mismatch

Cause: The CNAME records point to the wrong values, or your DNS provider is adding a trailing dot or extra characters.
Fix: Copy the CNAME values exactly from the VerifyEmail.io dashboard. Some providers require a trailing dot after the value (e.g., s1.domainkey.u12345.wl.sendgrid.net.) while others do not. Check your provider's documentation.

DMARC Reports Show Failures

Cause: Some legitimate email sources are not included in your SPF record or are not signing with DKIM.
Fix: Review your DMARC aggregate reports to identify which IP addresses are failing. Add the corresponding include directives to your SPF record. Ensure all email-sending services (marketing platforms, CRM, transactional email providers) have DKIM configured.

Multiple SPF Records

Cause: Your domain has more than one SPF TXT record. The SPF specification allows only one record per domain.
Fix: Merge all include directives into a single SPF record. Delete any duplicate SPF TXT records from your DNS.

Cloudflare Proxy Interference

Cause: If you use Cloudflare, the proxy (orange cloud) is enabled on the CNAME records used for DKIM. Proxied CNAME records return Cloudflare IP addresses instead of the correct mail authentication values.
Fix: Set the DKIM CNAME records to DNS-only mode (gray cloud) in Cloudflare.

  • Use an online DNS checker -- Tools like MXToolbox, Google Admin Toolbox, or dig from the command line can help you verify that your DNS records are published correctly and visible globally.
  • Send a test email -- After setting up your records, send a test email to a Gmail address and click "Show original" to see whether SPF, DKIM, and DMARC passed or failed. This is the quickest way to confirm everything is working.
  • Contact support -- If you are still having trouble after following these steps, reach out to support@verifyemail.io and include your domain name and a screenshot of your DNS records. We will help you get everything configured correctly.
