When you send emails, mailbox providers (such as Gmail, Outlook, AOL and Yahoo) need to identify whether the message is a legitimate email sent from the owner of the domain name or email address, or a forged email sent by a spammer or phisher. This includes emails sent from ActiveCampaign.
Before getting to the heart of the authentication methods, make sure you are using a valid (existing and established) sending domain that you own: your domain should be older than 30 days, with a valid “A record”.
It’s also very important that this domain has an MX record: this record specifies the mail server responsible for accepting email messages on behalf of a domain name.
Is your sending domain valid and with an MX record? Time to authenticate it!
There are three established methods used to verify a sender's identity. These are SPF, DKIM, and DMARC. We recommend setting up these email authentication methods for several reasons. The most common reasons are:
- Remove the “via...” header from Gmail
Doing so will reinforce branding. A positive side effect of setting up DKIM authentication is that this header disappears.
- Build reputation as an email sender on your own domain name
Sending email without authentication is like turning in homework without your name on it. You may have aced the assignment, but you can't take credit for it without your name on it. DKIM authentication in particular helps build your reputation as an email sender.
- Enforce stricter security on your domain name
Authentication standards such as DMARC help protect your domain name from potentially fraudulent use.
Email authentication is not a silver bullet to solve deliverability problems. Authentication solves the problem of determining who the email is coming from, not whether the email is wanted by the recipient.
A sender who follows best practices, such as sending high-quality, personalized emails to an opt-in list and performing regular list hygiene, will typically see higher deliverability when using email authentication. Their domain will build a reputation as a good sender with recipients who want to engage with their emails.
A sender who does not follow best practices, such as using a rented or purchased list, not having clear messaging during the opt-in process about what kind of emails will be sent and at what frequency, or never performing any list hygiene, will typically see lower deliverability with email authentication. Their domain may build a reputation as a sender of unwanted emails.
Authentication allows good senders to further solidify their reputation and protect their domain from bad senders who may try to hijack their domain.
As explained in more detail below, ActiveCampaign already authenticates all its traffic with SPF and DKIM.
However, you can also authenticate your own sending domain with these standards.
Please note that while you are not required to do so, we strongly encourage you to set up authentication on your sending domain.
SPF (Sender Policy Framework) records are TXT records on your domain that authorize certain servers to send mail using your domain name. ActiveCampaign automatically configures SPF for all customers. This means that you don't need to create an SPF record or modify an existing one to work with ActiveCampaign. This applies even if you are using a Custom Domain.
If you would still like to add ActiveCampaign to your existing SPF record (even though it is unnecessary), you can do so by adding “include:emsd1.com” to your existing SPF record. For example, if you send email from both G Suite and ActiveCampaign, your SPF record might look like this:
v=spf1 include:emsd1.com include:_spf.google.com ~all
You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your existing record instead of creating a new SPF record.
DKIM (DomainKeys Identified Mail) is essentially a signature any sender can apply to their email messages. This signature makes clear that the purported sender of the message is actually the sender of the message. Any domain can be used as the signature. For example, a company called "Dog Bandanas" will sign their messages with the dogbandanas.com domain to confirm that the message was actually sent by "Dog Bandanas."
This is accomplished by inserting a hidden, cryptographic signature into your email header (ActiveCampaign will do this) and then placing a public key on your website that verifies the authenticity of this signature.
All mail sent from ActiveCampaign will use ActiveCampaign's DKIM signature by default. ActiveCampaign's DKIM signature has a very good reputation and it is sufficient for most senders. However, it is easy to set up DKIM for your own domain if you want to.
To set up DKIM:
- Log in to your ActiveCampaign account as your account's admin user.
- Click "Settings" located on the left menu.
- Click the “Advanced” tab.
- Click the “I will manage my own email authentication” option.
- Type your sending domain into the DomainKeys Identified Mail (DKIM) field and click the "Generate" button.
We'll generate a TXT Record Name and TXT Record Value.
Note that the values generated here will not be saved on the page. You will need to use these values to configure a TXT record at your DNS host.
Your DNS host is typically the company you registered your domain with or host your website through. Most DNS hosts will require the following items to set up your TXT record:
- Name or Host
dk._domainkey (most common), or the full TXT Record Name shown inside ActiveCampaign (less common). Which one you should use depends on whether your DNS provider automatically appends the domain name to DNS records you create. If you are unsure which to use, look at the format of other DNS records in your settings (do they include the domain name in the Name or Host field?) or ask your DNS host.
- Value or Record
Enter the TXT Record Value shown inside ActiveCampaign.
- TTL
This is "Time to Live." Use the recommended or default setting of your DNS host. If there isn't a default setting, we recommend 3600 (one hour).
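The Name or Host choice described above, as an added example that is not ActiveCampaign's own code: it guesses from records already in the zone whether the DNS provider appends the domain, picks the value to enter, and shows the name that actually gets published when the wrong form is used. The zone example.com, the record name form dk._domainkey.example.com, and all function names are assumptions made for illustration.

```python
# Added example. Zone, record names and function names are hypothetical.

def _norm(name):
    return name.strip().rstrip(".").lower()

def uses_relative_names(existing_names, zone):
    """Guess whether the provider appends the zone to the Name/Host field.

    If any record already listed ends in the domain, the provider shows
    (and expects) full names; otherwise it appends the domain itself.
    """
    zone = _norm(zone)
    return not any(_norm(n) == zone or _norm(n).endswith("." + zone)
                   for n in existing_names)

def dkim_host_field(full_record_name, zone, relative):
    """Value to type into Name/Host for the DKIM TXT record."""
    full, zone = _norm(full_record_name), _norm(zone)
    if not full.endswith("." + zone):
        raise ValueError("record name is not inside this zone")
    return full[: -len(zone) - 1] if relative else full

def published_name(host_entered, zone, relative):
    """Name the record ends up under once the provider has processed it."""
    host, zone = _norm(host_entered), _norm(zone)
    return f"{host}.{zone}" if relative else host

if __name__ == "__main__":
    zone = "example.com"
    full_name = "dk._domainkey.example.com"   # constructed TXT Record Name
    listed = ["@", "www", "mail"]             # constructed existing records
    relative = uses_relative_names(listed, zone)
    print("enter:", dkim_host_field(full_name, zone, relative))
    # Pasting the full name at a provider that appends the domain doubles it:
    print("mistake publishes:", published_name(full_name, zone, relative))
```
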
To find specific instructions for your host, use your preferred search engine to look up "Add TXT record at _____", replacing the blank line with your DNS provider. For convenience, we've included some common DNS providers below:
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells mailbox providers (such as Google or Microsoft) what to do if email fails SPF and DKIM checks.
DMARC supports three main policy configurations:
- None
Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record at all, although you can still take advantage of DMARC's reporting features.
- Quarantine
Indicates that emails should be delivered to the spam folder if the DMARC check fails.
- Reject
Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.
Using a DMARC policy of “Quarantine” or “Reject” requires that you have a proper DKIM record set up for your sending domain, or else all your mail from ActiveCampaign will fail the DMARC test. This will filter it to the spam folder (“Quarantine”) or block it entirely (“Reject”). Make sure you have set up DKIM for all of your sending domains before setting up a strict DMARC record.
DMARC is not a tool to enhance deliverability and you are not required to set up DMARC to send emails from ActiveCampaign. However, you should use DMARC if:
- Someone is actively spoofing your domain, sending fraudulent mail, and tarnishing your reputation. DMARC would let you identify this malicious activity and shut it down.
- Your organization has an email security policy that requires DMARC authentication, such as a governmental entity or financial organization
- You want to display a BIMI logo for your emails
To get started with DMARC, we recommend you begin with a policy of “None” so that you don't impact your deliverability in case of a misconfiguration. You can then monitor your DMARC reports to see what the impact would be if you use a stricter policy.
We have a recommended initial DMARC policy below. You can set it up by creating a TXT record with a Host or Name of _dmarc at your DNS provider and entering the value below for the Value or Record. Please be sure to replace the email address below with your own email address:
v=DMARC1; p=none; pct=100; rua=mailto:email@example.com
If you don't replace the email address in the example above with your own email address, you will not receive DMARC reports. However, depending on the volume of emails you send, the mailbox for the email address specified could be overwhelmed and filled to quota. We highly recommend working with a DMARC Monitoring solution that can be configured to ingest these emails/reports and provide more legible and actionable results.
Please also note that, depending on various factors, investigating the reports and taking the proper actions can take anywhere from a short time to a very long time before you are able to configure DMARC in Enforcement mode.
If you want to implement stronger security on your domain, you can set up a stricter DMARC record using a policy of “Quarantine” or “Reject.” To set up a strict DMARC record, we would advise you to visit dmarc.org for recommendations on how to configure the record properly.
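A pre-flight check for the DMARC guidance above, as an added example that is not ActiveCampaign's own code: it parses a DMARC record and warns when the reporting address is missing or still the placeholder, and when a “Quarantine” or “Reject” policy is paired with sending domains that have no DKIM set up. The function names, the example.org domain and the second record are constructed for illustration.

```python
# Added example. Function names and the sample domains are hypothetical.

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def review_dmarc(record, dkim_domains, sending_domains):
    """Return warnings for a DMARC record.

    dkim_domains: sending domains that already have their own DKIM record.
    sending_domains: every domain used as a sending domain.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record is missing v=DMARC1"]
    warnings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        warnings.append(f"unknown policy p={policy!r}")
    rua = tags.get("rua", "")
    if not rua:
        warnings.append("no rua address: no DMARC reports will be received")
    elif "email@example.com" in rua:
        warnings.append("rua still holds the placeholder address")
    missing = sorted(set(sending_domains) - set(dkim_domains))
    if policy in ("quarantine", "reject") and missing:
        effect = "spam folder" if policy == "quarantine" else "bounced"
        warnings.append(
            f"p={policy} without DKIM for {', '.join(missing)}: mail goes to {effect}")
    return warnings

PAGE_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:email@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"  # constructed

if __name__ == "__main__":
    for rec in (PAGE_RECORD, STRICT_RECORD):
        print(rec, "->", review_dmarc(rec, dkim_domains=[], sending_domains=["example.org"]))
```
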
Additional authentication methods
BIMI (Brand Indicators for Message Identification) is a new standard that builds on top of DMARC. It allows domain owners who have implemented DMARC in Enforcement mode to purchase a Verified Mark Certificate (VMC) to display a BIMI logo for their brand in email messages. This gives recipients an easy way to visually identify trusted messages.
As BIMI is such a new standard, it does not yet have widespread adoption by domain owners or mailbox providers, and you do not need to set up BIMI. However, if you are interested in learning more, you can review the following sites:
Sender ID is an authentication standard that was created by Microsoft and intended as a replacement for SPF. However, Sender ID has since been deprecated and is no longer used; therefore, you do not need to configure it.
In fact, if you have any Sender ID records currently set in DNS (TXT record starting with spf2.0), you should remove them.
SPF (record starting with v=spf1) is still the authentication standard widely supported and recommended by the industry.
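An audit of a domain's TXT records against the two DNS rules in this article (only one SPF record per domain, and no leftover Sender ID records), as an added example that is not ActiveCampaign's own code. It also shows adding include:emsd1.com to an existing record instead of creating a second one. The function names are hypothetical and the TXT strings are constructed sample data.

```python
# Added example. TXT strings below are constructed sample data, not real DNS answers.

def spf_terms(record):
    """Split a TXT string into (version tag, list of terms after it)."""
    parts = record.split()
    return (parts[0].lower(), parts[1:]) if parts else ("", [])

def audit_txt(txt_records):
    """Flag duplicate SPF records and leftover Sender ID (spf2.0) records."""
    spf = [r for r in txt_records if spf_terms(r)[0] == "v=spf1"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records found; merge them into one")
    for r in txt_records:
        if spf_terms(r)[0].startswith("spf2.0"):
            problems.append(f"Sender ID record should be removed: {r}")
    return spf, problems

def add_include(record, domain):
    """Add include:<domain> to an existing SPF record rather than a new record."""
    version, terms = spf_terms(record)
    if version != "v=spf1":
        raise ValueError("not an SPF record")
    token = f"include:{domain}"
    if token in (t.lower().lstrip("+") for t in terms):
        return record  # already present, nothing to change
    # Insert before the "all" mechanism: terms placed after it are never evaluated.
    idx = next((i for i, t in enumerate(terms)
                if t.lower().lstrip("+-~?") == "all"), len(terms))
    return " ".join(["v=spf1"] + terms[:idx] + [token] + terms[idx:])

SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:emsd1.com ~all",            # second SPF record: the mistake
    "spf2.0/pra include:_spf.google.com ~all",  # leftover Sender ID record
    "site-verification=constructed-value",
]

if __name__ == "__main__":
    spf, problems = audit_txt(SAMPLE_TXT)
    for p in problems:
        print(p)
    print(add_include(spf[0], "emsd1.com"))
```
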
In this article, we didn't attempt to explain the technical process of how SPF, DKIM, and DMARC work. Each of these authentication protocols has a public website where the technical specification is explained at depth: