Custom Domain Authentication using DKIM, DMARC, and SPF records

Why you should authenticate your domain:

Major Internet Service Providers (aka ISPs), such as Yahoo, Google, and Microsoft, scan incoming emails to check for spam or spoofed email addresses. This scan looks for DNS records on the From address domain that indicate that the displayed sender is, in fact, the same person who controls the domain. These records include a DKIM signature, as well as the SPF record. In addition to DKIM and SPF, you can further control your domain’s security by publishing a DMARC record.

Before you begin

  • Custom authentication is not required but highly recommended. Our system will automatically authenticate email using our generic DKIM authentication. Using Custom Domain Authentication will eliminate the “via” or “on behalf of” that appears when using the generic DKIM authentication.  Additionally, by setting up a DMARC policy, you should expect to see improvement in your sending reputation and inbox delivery.
  • In order to set up custom domain authentication, you will need to change some of the settings with your DNS provider. The DNS records are most commonly found where you have your domain registered or hosted.
  • If you are not sure how to edit your DNS, contact support or your domain hosting provider.

Quick Overview of Process

  1. Verify Domain in email marketing account
  2. Create a CNAME record from the email marketing account and add it to your DNS records at your domain hosting provider
  3. Return to email marketing account and click authenticate button to finish DKIM setup
  4. Copy the generated DMARC and SPF records from the email marketing account
  5. Paste DMARC and SPF records into DNS zone editor
  6. Test the records in the email marketing account. When you run the test, you should see all the boxes highlighted green. This means the setup was done correctly.

Verify your domain


 
Login to your Email Marketing account and go to the account settings page located under Account > Settings. 

In the panel titled “Authenticated Domains”, select Add Domain.

 

Custom Domain Authentication – DKIM



Custom Domain Authentication requires adding a CNAME to your DNS records at your domain provider.

Creating a CNAME record

When you select one, the CNAME record will be shown.

Type: CNAME

Name: fd._domainkey.your_domain.com

Value: dkim.hbclientnews.com

Add this record to your DNS where your domain is registered. If you are not sure how to edit your DNS, contact support or your domain hosting provider.

Once you add the DNS record, you then click the Authenticate button, and the app will confirm that the DNS record is set up correctly and add the domain to the list of authenticated domains.

Changes to DNS records can take up to 24 hours or more. If your domain will not authenticate, wait 1 hour and try again.

Once the domain has been authenticated, the following records will be shown for you to finish setting up your DMARC and SPF records in the Authenticated Domains section. The DKIM CNAME record will also remain visible.

A list of popular domain providers:

If your service isn’t listed here, log in to your provider’s site and search their help documents, or contact the customer support team.

GoDaddy: Add a CNAME Record

For CNAME:
In the Name field, enter fd._domainkey
In the Value field, enter dkim.hbclientnews.com

For DKIM TXT record:
In the Name field, enter _domainkey
In the Value field, enter o=~

For DMARC TXT record:
In the Name field, enter _dmarc
In the Value field, enter v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com

For SPF TXT record:
If there is already an SPF record present, add this to the Value field: include:mtas.hbclientnews.com

If there is NOT already a SPF record present:
In the Name field, enter @
In the Value field, enter v=spf1 mx include:mtas.hbclientnews.com ~all

Amazon Web Services: Configuring DNS, Resource Record Types

Dreamhost: DNS Overview

Google Domains: DNS Basics

Hostgator: Manage DNS records

Hover: Edit DNS Record

Namecheap: SPF & DKIM

Squarespace: Advanced DNS Settings

For CNAME:
In the Host field, enter fd._domainkey
In the Data field, enter dkim.hbclientnews.com

For DKIM TXT record:
In the Host field, enter _domainkey
In the Data field, enter o=~

For DMARC TXT record:
In the Host field, enter _dmarc
In the Data field, enter v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com

Stablehost: How do I get to cpanel?

1&1: Domain Guidelines

 

Setting up DMARC


 
DMARC works with DKIM and SPF to add a stronger custom authentication to your emails. DMARC will increase your deliverability more than using Custom DKIM alone. DMARC consists of 5 parts: Custom Domain Authentication (see above), creating a DKIM TXT record, creating a DMARC TXT record, creating an SPF TXT record, and Test DNS Records. All of these DNS records are stored in your domain name server or “DNS” server. If you are not sure how to edit your DNS records, contact support or your domain hosting provider.

Creating a DKIM TXT record

You can find the DKIM records in the Authenticated Domains section. An example is below. You must have the CNAME record published first before adding the TXT record.

Type: TXT

Name: _domainkey.your_domain.com

Value: o=~

Note that you will probably want to add quotes around the value. Most registrars should understand this. Make sure they haven’t double-double-quoted the value (e.g. “”o=~””). If it causes an error, try without the quotes, and we will verify it.

Note that your particular system for DNS records may require a trailing dot (.) after (Your From Domain). If not having the dot doesn’t work, try it with the trailing dot.

Creating a DMARC TXT record

You can find the DMARC records in the Authenticated Domains section. An example is below. You must have the CNAME record published first before the other records appear.

Type: TXT

Name: _dmarc.your_domain.com

Value: v=DMARC1; p=none; rua=mailto:dmarc@your_domain.com

Note that your particular system for DNS records may require the trailing dot after (Your From Domain). If not having the dot doesn’t work, try it with the trailing dot.
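A DMARC TXT value can be checked before it is pasted into the zone editor. The following is an added example, not part of the email marketing application: the function names and the example.com / vendor.example values are constructed for illustration, and the rules it applies (v=DMARC1 first, a valid p tag, mailto: report URIs, authorization for report addresses at another domain) come from RFC 7489.

```python
# Added example: lint a DMARC TXT value before publishing it at _dmarc.<from_domain>.
def parse_dmarc(value):
    """Split a DMARC record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in value.strip().strip('"').split(";"):
        if part.strip():
            tag, _, val = part.partition("=")
            pairs.append((tag.strip().lower(), val.strip()))
    return pairs


def lint_dmarc(value, from_domain):
    """Return a list of findings ("error:", "warn:" or "info:") for the record."""
    pairs = parse_dmarc(value)
    tags = dict(pairs)
    dom = from_domain.lower().rstrip(".")
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("error: v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("error: p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("info: p=none asks receivers to take no action on failing mail")
    if "rua" not in tags:
        findings.append("warn: no rua tag, so no aggregate reports will be sent")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            findings.append(f"error: rua target {uri} is not a mailto: URI")
            continue
        # Drop the optional "!size" suffix, then take the mailbox's domain.
        host = uri[7:].split("!")[0].rpartition("@")[2].lower().rstrip(".")
        # Simplification: a real receiver compares organizational domains.
        if host != dom and not host.endswith("." + dom):
            findings.append(
                f"warn: {host} must publish {dom}._report._dmarc.{host} TXT v=DMARC1")
    return findings


if __name__ == "__main__":
    # Constructed sample using the record shape shown in this article.
    for line in lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "example.com"):
        print(line)
```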

Creating an SPF TXT record



You can find the SPF records in the Authenticated Domains section. You must have the CNAME record published first before the other records appear. Add this text record to your DNS – or update your SPF record to include our MTAS.

Type: TXT

Name: @

Value: v=spf1 mx include:mtas.hbclientnews.com ~all

IMPORTANT: If an existing SPF record is already in your DNS, simply append “include:mtas.hbclientnews.com” before ~all and save the record.
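The merge described above can be done mechanically. The following is an added example, not part of the email marketing application: merge_spf and lookup_count are hypothetical helper names, the sample TXT values are constructed, and the rules it relies on (one SPF record per name, nothing evaluated after "all", a limit of 10 DNS-querying terms) come from RFC 7208.

```python
# Added example: merge the article's include into the TXT records found at "@".
import re

PROVIDER_INCLUDE = "include:mtas.hbclientnews.com"  # value given in this article
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that each trigger a DNS query when a receiver evaluates the record.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|ptr\b|a\b|mx\b)|^redirect=", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def merge_spf(txt_records, include=PROVIDER_INCLUDE):
    """Return the single SPF value to publish, given the current TXT values."""
    values = [r.strip().strip('"') for r in txt_records]
    spf = [v for v in values if v.split()[:1] and v.split()[0].lower() == "v=spf1"]
    if len(spf) > 1:
        # Two SPF records at one name make receivers return permerror.
        raise ValueError("more than one SPF record at this name; merge them first")
    if not spf:
        return f"v=spf1 mx {include} ~all"  # the article's record for a new setup
    terms = spf[0].split()
    if include.lower() not in (t.lstrip("+-~?").lower() for t in terms):
        # Insert before the "all" mechanism: terms after it are never evaluated.
        pos = next((i for i, t in enumerate(terms) if ALL_TERM.match(t)), len(terms))
        terms.insert(pos, include)
    return " ".join(terms)


def lookup_count(record):
    """Count DNS-querying terms at the top level (nested includes add more)."""
    return sum(1 for t in record.split()[1:] if LOOKUP_TERM.match(t))


if __name__ == "__main__":
    # Constructed sample: an existing record plus an unrelated TXT value.
    current = ['"v=spf1 include:_spf.example.net -all"', "site-verification=constructed"]
    merged = merge_spf(current)
    print(merged)
    print(lookup_count(merged), "of", SPF_LOOKUP_LIMIT, "lookups used at the top level")
```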

Forward the DMARC Reports (Optional)

Create a mail forward for dmarc@your_domain.com

If you need to change this mailbox name, that’s fine, just be sure to switch the “rua” property in (Part 3) above. If you want to forward it to multiple people, that’s fine too, but we would appreciate getting a copy at the above address so that we can confirm everything is set up and continues to function properly.

 

Test DNS Records


Changes to DNS records can take up to 24 hours or more. If your tests are not working, wait 1 hour and try again.

Once you have added an Authenticated Domain, you’ll see it listed in a new section under Authenticated Domains. Select Test DNS Records for the domain you want to test. The test will indicate if the DKIM, DMARC, and SPF records have been configured correctly.

If all records are set up correctly, you’ll see a green checkmark at the top of the results.

For each record, red indicates that there’s an issue with that DNS record. Look at the output of the test for the cause of the error. Green indicates that the record is correct.

If you can’t seem to get this to work, contact support for assistance.
