SPF, DKIM, and DMARC Authentication

When you send emails, mailbox providers (such as Gmail, Outlook, AOL, and Yahoo) need to identify whether the message is a legitimate email sent from the domain name's owner or email address or a forged email sent by a spammer or phisher. This includes emails sent from ActiveCampaign.

Before getting to the heart of the authentication methods, make sure you are using a valid (existing and established) sending domain that you own: your domain should be older than 30 days, with a valid "A record."

It's also essential that this domain has an MX record: this record specifies the mail server responsible for accepting email messages on behalf of a domain name. 

Is your sending domain valid and with an MX record? Time to authenticate it!

There are three established methods used to verify a sender's identity. These are SPF, DKIM, and DMARC. We recommend setting up these email authentication methods for several reasons. The most common reasons are:  

  • Reinforce your branding
    You can reinforce your branding by removing the "via..." header from Gmail. A positive side effect of setting up DKIM authentication is that this header disappears.
  • Build a reputation as an email sender on your domain name
    Sending emails without authentication is like turning in homework without your name. You may have aced the assignment, but you can't take credit for it without your name on it. DKIM authentication, in particular, helps build your reputation as an email sender.
  • Enforce stricter security on your domain name
    Authentication standards such as DMARC help protect your domain name from potentially fraudulent use.

Email authentication does not solve all deliverability problems, such as whether or not the recipient wants the email. However, authentication does solve the problem of determining who the email is coming from.

A sender who follows best practices, such as sending high-quality, personalized emails to an opt-in list and performing regular list hygiene, will typically see higher deliverability when using email authentication. Their domain will build a reputation as a good sender with recipients who want to engage with their emails.

A sender who does not follow best practices, such as using a rented or purchased list, not having clear messaging during the opt-in process about what kind of emails will be sent and at what frequency, or who never performs any list hygiene will typically see lower deliverability with email authentication. Their domain may build a reputation as a sender of unwanted emails.

Authentication allows good senders to solidify their reputation further and protect their domain from bad senders who may try to hijack their domain.

​​As explained below, ActiveCampaign already authenticates all its traffic with SPF and DKIM. However, it's still possible for you to authenticate your sending domain with these standards.

Please note that while you are not required to do so, we strongly encourage you to set up authentication on your sending domain.


SPF (Sender Policy Framework) records are TXT records on your domain that authorize specific servers to send mail using your domain name. ActiveCampaign automatically configures SPF for all customers. This means you don't need to create an SPF record or modify an existing one to work with ActiveCampaign. This applies even if you are using a Custom Domain.

If you would still like to add ActiveCampaign to your existing SPF record (even though it is unnecessary), you can add "include:emsd1.com" to your current SPF record. For example, if you send emails from both G Suite and ActiveCampaign, your SPF record might look like this:

v=spf1 include:emsd1.com include:_spf.google.com ~all

You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your current record instead of creating a new SPF record.

To learn more, check out this detailed SPF guide from our Postmark team.


DKIM (Domain Keys Identified Mail) is a signature any sender can apply to their email messages. This signature makes clear that the message's purported sender is actually the message's sender. You can use any domain as the signature. For example, a company called "Dog Bandanas" will sign their messages with the "dogbandanas.com" domain to confirm that the message was sent by "Dog Bandanas."

This is accomplished by inserting a hidden, cryptographic signature into your email header (ActiveCampaign will do this) and then placing a public key on your website that verifies the authenticity of this signature.

All mail sent from ActiveCampaign will use ActiveCampaign's DKIM signature by default. ActiveCampaign's DKIM signature has an excellent reputation and is sufficient for most senders. However, it is easy to set up DKIM for your domain if you want to.

To setup DKIM:

  1. Log in to your ActiveCampaign account as your account's admin user.
  2. Click "Settings," located on the left menu.
  3. Click the "Advanced" tab.
  4. Click the "I will manage my own email authentication" option.
  5. Type your sending domain into the DomainKeys Identified Mail (DKIM) field and click the "Generate" button.

We'll generate a TXT Record Name and TXT Record Value.

  The values generated here will not save on the page. You will need to use these values to configure a TXT record at your DNS host.

Your DNS host is typically the company with which you registered your domain or who hosts your website. Most DNS hosts will require the following items to set up your TXT record:

  • Type
    Choose TXT.
  • Name or Host
    Enter dk._domainkey (most common) or the full TXT Record Name shown inside ActiveCampaign (less common). Which one you should use depends on whether your DNS provider automatically appends the domain name to the DNS records you create. If you are unsure which to use, look at the format of other DNS records in your settings (do they include the domain name in the Name or Host field?) or ask your DNS host.
  • Value or Record
    Enter the TXT Record Value shown inside ActiveCampaign.
  • TTL
    TTL means "Time Till Live." Use the recommended or default setting of your DNS host. If there isn't a default setting, we recommend 3600 (one hour).

To find specific instructions for your host, use your preferred search engine to look up "Add TXT record at _____", replacing the blank line with your DNS provider. For convenience, we've included some common DNS providers below:

Once finished, you can use our authentication tool or test a live email with mail-tester.com to ensure that DKIM is working.

Watch a video

Here is a quick video walkthrough of setting up DKIM:


DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on top of SPF and DKIM. It allows the domain owner to create a policy that tells mailbox providers (such as Google or Microsoft) what to do if the email fails SPF and DKIM checks. 

DMARC supports three main policy configurations:

  • "None"
    Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record, although you can still take advantage of DMARC's reporting features.
  • "Quarantine"
    Indicates that emails should be delivered to the spam folder if the DMARC check fails.
  • "Reject"
    Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.

Using a DMARC policy of "Quarantine" or "Reject" will require that you have a proper DKIM record setup for your sending domain, or else all your mail from ActiveCampaign will fail the DMARC test. This will filter it to the spam folder ("Quarantine") or block it entirely ("Reject"). Make sure you set up DKIM for all your sending domains before setting up a strict DMARC record.

DMARC is not a tool to enhance deliverability, and you are not required to set up DMARC to send emails from ActiveCampaign. However, you should use DMARC if:

  • Someone is spoofing your domain, sending fraudulent mail, and tarnishing your reputation. DMARC would let you identify this malicious activity and shut it down
  • Your organization has an email security policy that requires DMARC authentication, such as a governmental entity or financial organization
  • You want to display a BIMI logo for your emails

To get started with DMARC, we recommend you begin with a policy of "None" so that you don't impact your deliverability in case of a misconfiguration. You can then monitor your DMARC reports to see what the impact would be if you use a stricter policy.

We have a recommended initial DMARC policy below. You can set it up by creating a TXT record with a Host or Name of _dmarc at your DNS provider and entering the value below for the Value or Record. Please be sure to replace the email address below with your email address:

v=DMARC1; p=none; pct=100; rua=mailto:youremail@example.com

If you don't replace the email address in the example above with your email address, you will not receive DMARC reports. However, depending on the volume of emails you send, the mailbox for the email address specified could be overwhelmed and filled to quota. Plus, since DMARC reports are sent in an XML format, they're tough to read. That's why we highly recommend working with a DMARC Monitoring solution that can be configured to ingest these emails/reports and provide more legible and actionable results. Check out DMARC Digests, which is now part of the ActiveCampaign product family.


Please also note that the amount of time to investigate and take proper actions could take from a short time to a very long time before being able to configure DMARC in Enforcement mode.

If you want to implement more robust security on your domain, you can set up a stricter DMARC record using a policy of "Quarantine" or "Reject." To set up a strict DMARC record, we advise you to visit dmarc.org for recommendations on configuring the record properly.

Additional authentication methods


BIMI (Brand Indicators for Message Identification) is a new standard that builds on top of DMARC. It allows domain owners who have implemented DMARC in Enforcement mode to purchase a Verified Mark Certificate (VMC) to display a BIMI logo for their brand in email messages. This gives recipients an easy way to identify trusted messages visually.

As BIMI is such a new standard, it does not yet have widespread adoption by domain owners or mailbox providers, and you do not need to set up BIMI. However, if you are interested in learning more, you can review the following sites:


SenderID is an authentication standard that was created by Microsoft and intended as a replacement for SPF. However,  Sender ID has since been deprecated and is no longer used; therefore, you do not need to configure it.

If you have any Sender-ID records currently set in DNS (TXT record starting with spf2.0), you should remove them.

SPF (record starting with v=spf1) is still the industry's authentication standard widely supported and recommended.

Additional Reading

In this article, we didn't attempt to explain the technical process of how SPF, DKIM, and DMARC work. Each of these authentication protocols has a public website where the technical specification is explained in depth:

Was this article helpful?
55 out of 67 found this helpful

Have more questions? Submit a request

Start free trial