SPF, DKIM, and DMARC Authentication


When you send emails, mailbox providers (such as Gmail, Outlook, AOL, and Yahoo) need to identify whether the message is a legitimate email sent from the domain name's owner or email address or a forged email sent by a spammer or phisher. This includes emails sent from ActiveCampaign.

Before getting to the heart of the authentication methods, make sure you are using a valid (existing and established) sending domain that you own: your domain should be older than 30 days, and point to a valid website, not a blank page.

It's also essential that this domain has an MX record: this record specifies the mail server responsible for accepting email messages on behalf of a domain name. 

Is your sending domain valid and with an MX record? Time to authenticate it!

There are three established methods used to verify a sender's identity. These are SPF, DKIM, and DMARC. We recommend setting up these email authentication methods for several reasons. The most common reasons are:  

  • Reinforce your branding
    You can reinforce your branding by removing the "via..." header from Gmail. A positive side effect of setting up DKIM authentication is that this header disappears.
  • Build a reputation as an email sender on your domain name
    Sending emails without authentication is like turning in homework without your name. You may have aced the assignment, but you can't take credit for it without your name on it. DKIM authentication, in particular, helps build your reputation as an email sender.
  • Enforce stricter security on your domain name
    Authentication standards such as DMARC help protect your domain name from potentially fraudulent use.

Email authentication does not solve all deliverability problems, such as whether or not the recipient wants the email. However, authentication does solve the problem of determining who the email is coming from.

A sender who follows best practices, such as sending high-quality, personalized emails to an opt-in list and performing regular list hygiene, will typically see higher deliverability when using email authentication. Their domain will build a reputation as a good sender with recipients who want to engage with their emails.

A sender who does not follow best practices, such as using a rented or purchased list, not having clear messaging during the opt-in process about what kind of emails will be sent and at what frequency, or who never performs any list hygiene will typically see lower deliverability with email authentication. Their domain may build a reputation as a sender of unwanted emails.

Authentication allows good senders to solidify their reputation further and protect their domain from bad senders who may try to hijack their domain.

​​As explained below, ActiveCampaign already authenticates all its traffic with SPF and DKIM. However, it's still possible for you to authenticate your sending domain with these standards.

Please note that while you are not required to do so, we strongly encourage you to set up authentication on your sending domain.


SPF (Sender Policy Framework) records are TXT records on your domain that authorize specific servers to send mail using your domain name. ActiveCampaign automatically configures SPF for all customers. This means you don't need to create an SPF record or modify an existing one to work with ActiveCampaign. This applies even if you are using a Custom Domain.

If you would still like to add ActiveCampaign to your existing SPF record (even though it is unnecessary), you can add "include:emsd1.com" to your current SPF record. For example, if you send emails from both G Suite and ActiveCampaign, your SPF record might look like this:

v=spf1 include:emsd1.com include:_spf.google.com ~all

You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your current record instead of creating a new SPF record.

To learn more, check out this detailed SPF guide from our Postmark team.


DKIM (Domain Keys Identified Mail) is a signature any sender can apply to their email messages. This signature makes clear that the message's purported sender is actually the message's sender. You can use any domain as the signature. For example, a company called "Dog Bandanas" will sign their messages with the "dogbandanas.com" domain to confirm that the message was sent by "Dog Bandanas."

This is accomplished by inserting a hidden, cryptographic signature into your email header (ActiveCampaign will do this) and then placing a public key on your website that verifies the authenticity of this signature.

All mail sent from ActiveCampaign will use ActiveCampaign's DKIM signature by default. ActiveCampaign's DKIM signature has an excellent reputation and is sufficient for most senders. However, it is easy to set up DKIM for your domain if you want to.

To learn more about DKIM, you can check out this detailed DKIM guide from our Postmark team.

  We have updated our DKIM process from TXT records to CNAME records. If you set up your DKIM before February 23, 2023, your TXT records will still work and remain valid. However, we recommend setting up your DKIM with the following CNAME records instructions since it is more secure.

To setup DKIM:

  1. Log in to your ActiveCampaign account as the Primary Admin user.
  2. Click Settings, located on the left menu.
  3. Click the Advanced tab.
  4. Click the "I will manage my own email authentication" option.
  5. We will generate two CNAME records. Please set up both CNAME records in the DNS provider for your domain (i.e. Godaddy).

      The domains you enter will not save on this page. Once you choose “I will manage my own email authentication,” all verified domains will sign with DKIM. Click “Check DNS” to ensure that all your domains have the proper DNS.

    Your DNS host is typically the company with which you registered your domain or who hosts your website, for example, Godaddy. You can also use this tool to confirm who your DNS provider is. Most DNS hosts will require the following items to set up your CNAME records:
    • Type
      Choose CNAME.
    • Name or Host
      Copy and paste the CNAME “Name” from ActiveCampaign for each CNAME record, like acdkim1._domainkey (most common), or the full CNAME “Name” like acdkim1._domainkey.mydomain.com (less common). Which one you should use depends on whether your DNS provider automatically adds the domain name to the DNS records you create. If you are unsure which to use, look at the format of other DNS records in your settings (do they include the domain name in the Name or Host field?) or ask your DNS provider.
    • Value or Record
      Copy and paste the CNAME “Value” shown inside ActiveCampaign for each CNAME.
    • TTL
      TTL means "Time Till Live." Use the recommended or default setting of your DNS host. If there isn't a default setting, we recommend 300 (5 minutes).

      This process will vary slightly based on your web host. To find specific instructions for your host, use your preferred search engine to look up "Add CNAME record at _____," replacing the blank line with your DNS provider. For convenience, we've included some common DNS providers below:
  6. Once you have set up both CNAME records in your DNS provider, return to ActiveCampaign and go to Settings > Advanced. Then, click “Check DNS” to verify that you have set up your DNS records correctly. Learn how to troubleshoot DKIM error messages.

    Additionally, you can test a live email with mail-tester.com to ensure that DKIM is working.

  7. After setting up your DNS records correctly for all your From address domains, click “Save Settings” at the top of the page.

    Note that sending emails from several domains requires setting up each domain with the proper DNS records for DKIM.

Watch a video

Here is a quick video walkthrough of setting up DKIM:



DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells mailbox providers (such as Google or Microsoft) what to do if the email fails SPF and DKIM checks. 

DMARC supports three main policy configurations:

  • "None"
    Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record, although you can still take advantage of DMARC's reporting features.
  • "Quarantine"
    Indicates that emails should be delivered to the spam folder if the DMARC check fails.
  • "Reject"
    Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.

Using a DMARC policy of "Quarantine" or "Reject" will require that you have a proper DKIM record setup for your sending domain, or else all your mail from ActiveCampaign will fail the DMARC test. This will filter it to the spam folder ("Quarantine") or block it entirely ("Reject"). Make sure you set up DKIM for all your sending domains before setting up a strict DMARC record.

DMARC is not a tool to enhance deliverability, and you are not required to set up DMARC to send emails from ActiveCampaign. However, you should use DMARC if:

  • Someone is spoofing your domain, sending fraudulent mail, and tarnishing your reputation. DMARC would let you identify this malicious activity and shut it down
  • Your organization has an email security policy that requires DMARC authentication, such as a governmental entity or financial organization
  • You want to display a BIMI logo for your emails

To get started with DMARC, we recommend you begin with a policy of "None" so that you don't impact your deliverability in case of a misconfiguration. You can then monitor your DMARC reports to see what the impact would be if you use a stricter policy.

We have a recommended initial DMARC policy below. You can set it up by creating a TXT record with a Host or Name of _dmarc at your DNS provider and entering the value below for the Value or Record. Please be sure to replace the email address below with your email address:

v=DMARC1; p=none; pct=100; rua=mailto:youremail@example.com

If you don't replace the email address in the example above with your email address, you will not receive DMARC reports. However, depending on the volume of emails you send, the mailbox for the email address specified could be overwhelmed and filled to quota. Plus, since DMARC reports are sent in an XML format, they're tough to read. That's why we highly recommend working with a DMARC Monitoring solution that can be configured to ingest these emails/reports and provide more legible and actionable results. Check out DMARC Digests, which is now part of the ActiveCampaign product family.


Please also note that the amount of time to investigate and take proper actions could take from a short time to a very long time before being able to configure DMARC in Enforcement mode.

If you want to implement more robust security on your domain, you can set up a stricter DMARC record using a policy of "Quarantine" or "Reject." To set up a strict DMARC record, we advise you to visit dmarc.org for recommendations on configuring the record properly.

Additional authentication methods


BIMI (Brand Indicators for Message Identification) is a new standard that builds on top of DMARC. It allows domain owners who have implemented DMARC in Enforcement mode to purchase a Verified Mark Certificate (VMC) to display a BIMI logo for their brand in email messages. This gives recipients an easy way to identify trusted messages visually.

As BIMI is such a new standard, it does not yet have widespread adoption by domain owners or mailbox providers, and you do not need to set up BIMI. However, if you are interested in learning more, you can review the following sites:


SenderID is an authentication standard that was created by Microsoft and intended as a replacement for SPF. However,  Sender ID has since been deprecated and is no longer used; therefore, you do not need to configure it.

If you have any Sender-ID records currently set in DNS (TXT record starting with spf2.0), you should remove them.

SPF (record starting with v=spf1) is still the industry's authentication standard widely supported and recommended.

Additional Reading

In this article, we didn't attempt to explain the technical process of how SPF, DKIM, and DMARC work. Each of these authentication protocols has a public website where the technical specification is explained in depth:

Was this article helpful?
78 out of 94 found this helpful

Have more questions? Submit a request

Start free trial