SPF, DKIM, and DMARC Authentication


  DKIM and DMARC authentication is required beginning February 2024 following upcoming changes by Gmail and Yahoo regarding authentication requirements. ActiveCampaign highly recommends all senders set up DKIM and DMARC. Learn how to set up DKIM and DMARC authentication.

For more information on these changes see our blog post A Guide to Google and Yahoo authentication Changes in 2024.

When you send emails, mailbox providers (such as Gmail, Outlook, AOL, and Yahoo) identify if emails are legitimate or are sent by a spammer or phisher.  This includes emails sent from ActiveCampaign. This is why setting up email authentication is important.

Before you start, make sure to use an established sending domain that you own. In addition, your domain should be older than 30 days, and point to a valid website, not a blank page. If using a new domain, learn how to warm it up.

There are three established methods used to verify a sender's identity. SPF, DKIM, and DMARC. Starting in February 2024 Gmail and Yahoo will require DKIM and DMARC authentication to achieve delivery. Other mailbox providers already expect senders to authenticate their email traffic. Therefore, ActiveCampaign highly recommends all senders set up DKIM and DMARC.

With ActiveCampaign, you have two options for DKIM, DMARC, and SPF authentication when adding a sending domain:

Configure Doman and Set up manually buttons.png

  • If you use the “Configure Domain” option, DKIM, DMARC, and SPF authentication will be set up for you.
  • If you choose the “Set up manually” option, we will walk you through the configuration of DKIM, DMARC, and SPF authentications.

These are the DNS records you set up with ActiveCampaign when you use “Set up manually":


There are many benefits to authenticating DKIM and DMARC:

  • Reinforce your branding
    You can reinforce your branding by removing the "via..." header from Gmail. A positive side effect of setting up DKIM authentication is that this header disappears.
  • Build a reputation as an email sender on your domain name
    Sending emails without authentication is like turning in homework without your name. You may have passed the assignment, but you can't take credit for it without your name on it. DKIM authentication, in particular, helps build your reputation as an email sender.
  • Enforce stricter security on your domain name
    Authentication standards such as DMARC help protect your domain name from potentially fraudulent use.

Email authentication does not solve all deliverability problems, such as whether or not the recipient wants the email. However, authentication does solve the problem of determining who the email is coming from.

A sender who follows best practices, such as sending high-quality, personalized emails to an opt-in list and performing regular list hygiene, will typically see higher deliverability when using email authentication. Their domain will build a reputation as a good sender with recipients who want to engage with their emails.

A sender who does not follow best practices, such as using a rented or purchased list, not having clear messaging during the opt-in process about what kind of emails will be sent and at what frequency, or who never performs any list hygiene will typically see lower deliverability with email authentication. Their domain may build a reputation as a sender of unwanted emails.

Authentication allows good senders to solidify their reputation further and protect their domain from bad senders who may try to hijack their domain.


SPF (Sender Policy Framework) records are TXT records on your domain that authorize specific servers to send mail using your domain name. When you set up a sending domain, this process includes setting up a Mailserver Domain with ActiveCampaign where you point your domain to us via a CNAME record. This allows ActiveCampaign to serve the necessary SPF record for you. As long as you have set up the Mailserver Domain, SPF will be fully covered in ActiveCampaign.

This means you don't need to create an SPF record or modify an existing one to work with ActiveCampaign. 

However, there are some benefits of manually setting up ActiveCampaign SPF records for your From domain, even though this isn't required for SPF to pass. Learn more about SPF in our understanding SPF and how it impacts email deliverability guide.

You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your current record instead of creating a new SPF record.

To learn more, check out this detailed SPF guide from our Postmark team.


DKIM (Domain Keys Identified Mail) is a signature any sender can apply to their email messages. This signature makes clear that the message's sender is actually the message's sender and not a bad actor. You can use any domain as the signature. For example, a company called "Dog Bandanas" will sign their messages with the "dogbandanas.com" domain to confirm that the message was sent by "Dog Bandanas."

This is accomplished by inserting a hidden, cryptographic signature into your email header (ActiveCampaign will do this) and then placing a public key on your website's DNS that verifies the authenticity of this signature.

DKIM will help prevent spoofing and phishing of your domain, and an added benefit is that it allows Mailbox Providers such as Gmail, Microsoft, and Oath (Yahoo, AOL, Verizon) to track the email reputation of your sending domain.

If the reputation of your sending domain is stronger than the reputation of the sending IPs, Mailbox Providers may default to your sending domain reputation, which could improve your email performance.

To set up DKIM with ActiveCampaign you just need to set up a sending domain. Setting up a sending domain walks you through setting up DKIM.

To learn more about DKIM, you can check out this detailed DKIM guide from our Postmark team.


DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells mailbox providers (such as Google or Microsoft) what to do if the email fails SPF and DKIM checks.

When you set up a sending domain with ActiveCampaign we will help you set up a basic DMARC record as a bare minimum. You can think of this simple DMARC record as a placeholder and it will have no impact on the messages you send but it will satisfy Gmail and Yahoo’s requirement for a basic DMARC record. If you want to further secure your domain with DMARC, we recommend that you consider our partner product DMARC Digests.

DMARC Digests .png

DMARC supports three main policy configurations:

  • "None"
    Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record, although you can still use DMARC's reporting features.
  • "Quarantine"
    Indicates that emails should be delivered to the spam folder if the DMARC check fails.
  • "Reject"
    Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.

Using a DMARC policy of "Quarantine" or "Reject" will require a proper DKIM record setup for your sending domain, or else all your mail from ActiveCampaign will fail the DMARC test. This will filter it to the spam folder ("Quarantine") or block it entirely ("Reject"). Ensure you set up DKIM for all your sending domains before setting up a strict DMARC record. When you set up a sending domain with ActiveCampaign, this will take care of DKIM. 

Some of the many benefits of setting up DMARC include:

  • DMARC records prevent someone spoofing your domain
  • DMARC is necessary for setting up BIMI. Check out this detailed BIMI guide from our Postmark team
  • DMARC is a requirement for basic delivery to many email providers like Gmail and Yahoo

Our friends at Postmark have a great deep dive into DMARC: What it is and why do you need it?

After setting up authentication

It's also essential that this domain has an MX (mail exchanger) record. This record specifies the mail server responsible for accepting email messages on behalf of a domain name. This is typically accomplished by setting up a provider like Gsuite or Office to accept messages. If you are already receiving messages with your domain, this is taken care of for you.

Additional authentication methods


BIMI (Brand Indicators for Message Identification) is a new standard that builds on top of DMARC. It allows domain owners who have implemented DMARC in Enforcement mode to purchase a Verified Mark Certificate (VMC) to display a BIMI logo for their brand in email messages. This gives recipients an easy way to identify trusted messages visually.

As BIMI is such a new standard, it does not yet have widespread adoption by domain owners or mailbox providers, and you do not need to set up BIMI. However, if you are interested in learning more, you can review the following sites:


SenderID is an authentication standard that was created by Microsoft and intended as a replacement for SPF. However,  Sender ID has since been deprecated and is no longer used; therefore, you do not need to configure it.

If you have any Sender-ID records currently set in DNS (TXT record starting with spf2.0), you should remove them.

SPF (record starting with v=spf1) is still the industry's authentication standard widely supported and recommended.

Additional Reading

In this article, we didn't attempt to explain the technical process of how SPF, DKIM, and DMARC work. Each of these authentication protocols has a public website where the technical specification is explained in depth:

Was this article helpful?
123 out of 203 found this helpful

Have more questions? Submit a request

Start free trial