How to authenticate your email marketing software

This guide will show you:

  1. What SPF and DKIM mean and why they are important for your business
  2. How to generate SPF and DKIM records
  3. How to implement the SPF and DKIM records
  4. How to verify their validity

Only 28% of all messages sent worldwide ever reach the inbox. This is what a report by Return Path has found.

Are your emails getting delivered?

Let’s say you have decided that you’d like to start sending out a newsletter to a bunch of contacts’ email addresses. You’ve also looked into some of the email marketing software (EMS) options on the internet, such as Mailchimp, Drip or ActiveCampaign.

After finally settling on one, you write your copy and import subscribers (hopefully you verified their validity).

Now you’re finally ready to send your email campaign.

Or are you?

If you’ve pressed Send, the receiver got an email that looked something like this.

The header of an un-authenticated email

Notice all of the underlined rows? They signify that your EMS is not authenticated to send the emails on your behalf.

On the other hand, correct authentication results in the email looking like the one below.

The header of an authenticated email

However, it goes much further than just the looks!

Setting up authentication is important for three reasons: 1) it makes the emails you send look more professional, 2) it greatly improves the inboxing rate – the number of emails that end up in the inbox as opposed to the spam folder – and 3) it protects your domain from sender and domain spoofing, where spammers disguise themselves as you (you can learn about spoofing here).

If not set up, spammers can use your domain to send spam or junk email in your name. This can tarnish your domain and more importantly your business reputation.

It’s easy to check whether you have SPF and DKIM records set up.

Check if your domain has an SPF record set up with the free MXToolBox tool. Just type your domain name and press the button. If the result is “No SPF Record found”, it means that you have no SPF record set.

Verify if you have SPF records set

Follow this guide and by the end of it, your email marketing software (EMS) should be fully authenticated to send emails on your behalf and you should have your domain protected against spoofers. 


The guide will use Mailchimp as an example. It’s one of the most popular EMSs and it has an amazing free tier. The aim is to authorize Mailchimp to send emails on our domain’s behalf. Emails from other sources will not be authenticated – i.e. recipients won’t trust them.

If you’re using a different EMS (like Drip), don’t worry. There is almost no difference in setting up the records.

Authenticating any EMS to send emails on your behalf requires you to work with the DNS settings of your domain (more about that later). You’ll need to add its (in our case Mailchimp’s) SPF and DKIM records to your domain’s DNS settings.

In essence, these records let the world know that the emails sent by Mailchimp were sent by you and Mailchimp was authorised to send the email. This helps establish trust for all the parties involved.

For instance, you send out a newsletter via Mailchimp to your subscribers. Upon receiving it, the recipient’s server checks whether the sending domain has SPF and DKIM records present in its DNS settings. If it does and they match, the recipient trusts the sender as genuine. SPF and DKIM allow receivers to confirm that an email really came from the email servers of the domain it claims to be from.

Now that we know why setting these records is important, let’s dive deeper into the SPF and DKIM.

1) SPF

It stands for Sender Policy Framework. SPF works by preventing spoofing of a legitimate email’s real return address domain. This means that whenever someone replies to your email, they can be sure that it will be sent to the intended mailbox (you).

Let’s get our hands dirty and see what an SPF record for Mailchimp looks like.

v=spf1 include:servers.mcsv.net ~all

Let’s break down the record to better understand each part:

v=spf1 – Indicates that this TXT record is about SPF.

include: – Which domains can send emails on our behalf. A record can contain multiple include: entries if you’re using multiple providers. In our case, servers.mcsv.net is allowed to send emails on our behalf.

~all – Sets how strict your settings are. Options are:
  -all (emails sent by a provider not listed will be rejected – STRICT)
  ~all (emails sent by a provider not listed will be marked as soft-fail – GOOD)
  ?all (No policy)
  +all (allows any provider – BAD)

Not too complicated, right? Let’s now see how we can generate an SPF record.


Skip if not using Mailchimp

In the case of Mailchimp, you’ll need to verify the domain beforehand.

Go to Account->Domains->Verify Domain

Domains settings in Mailchimp

You’ll receive an email at the address you entered. Click the button in the email to verify the account – this is a Mailchimp requirement which is not related to SPF or DKIM.

Email to verify that the sending domain belongs to you

1.1 – Retrieving an SPF record

The vast majority of EMSs have a readily available SPF record for you to use. If it’s not available, you should Google “Set SPF records for {EMS Name provider}”.

It should get you to one of their support pages with full instructions. For instance, Googling “Set SPF records for Mailchimp” gets you here. As already seen before for Mailchimp, the SPF record that we must use is:

v=spf1 include:servers.mcsv.net ?all

Mailchimp makes it very easy for us. All of the information needed is located under the Domains sub-page we have already visited (ignore the DKIM record for now).

DKIM and SPF records for leadxgen.net

In the unlikely case that you’re not able to find the SPF record for your EMS, there is a tool called SPF Wizard which will generate it for you.

1.2 – Implementing an SPF record into your DNS settings

Let’s now look at how to implement the record so your emails will be fully SPF authenticated. For this, we will need to create a text (TXT) record in your DNS settings. DNS stands for domain name system, often referred to as the phonebook of the internet.


Intermission for DNS

Without going down the DNS rabbit-hole, what you need to know is that every domain has its own DNS settings where domain owners (you or your domain administrator) can set up a variety of rules, usually through the control panel.

You’ll need to find out where you registered your domain and get access to the control panel.

For instance, GoDaddy’s DNS settings can be found by following these steps:

Domains->Manage->Settings->Manage DNS

I’d suggest setting up Cloudflare to manage your DNS records. You can find a list of guides on how to do just that for the most popular domain registrars here.

Again, even if you don’t use Cloudflare, the underlying logic of managing DNS settings is the same. If you’re not able to find the settings option, feel free to reach out to customer support.

Continue to the next part once you’re in the DNS settings of your domain.

Cloudflare DNS management page

1.3 – Back to implementation of the SPF record

In essence, we need to add a text record (TXT) to our domain name system settings (DNS).

Follow these 5 steps to add the SPF record:

  1. Click on Add record
  2. Select TXT under Type
  3. Set @ under Name – this refers to the domain itself, in this case leadxgen.net
  4. Paste the record generated with SPF Wizard or the one provided by Mailchimp into Content
  5. Press Save

Settings for the SPF records in Cloudflare

That’s it! You’ve now added the SPF record 🎊🎊🎊 As always, it’s good practice to verify your work.

P.S. Notice that there are two include statements; that’s because I’m authenticating two separate providers to send emails on my behalf. Additionally, I’ve set “~all” instead of “?all”.

1.4 – Verify the SPF record

1.4.1. – Use EMS tool to check the SPF record

Similarly to the generation of the records, EMSs in most cases offer the ability to verify whether the records were correctly entered. After applying the changes, it can take up to a couple of hours for them to propagate (however, it shouldn’t take more than a few minutes). This means the verification might fail if tried too soon after the changes to DNS have been made. I’d advise you to wait for an hour if the verification fails.

Mailchimp offers verification out of the box. When you press Authenticate, Mailchimp will test whether the records are correctly set up. If everything is fine, you’ll be presented with the following view.

Proof that the authentication was successful

1.4.2 – Use MXToolBox to verify the SPF

MXToolBox is a great free tool to verify that your SPF records have no issues. I’d advise running a second check even if your EMS offers the verification.

Enter the domain name and hit SPF Record Lookup. If you have set up your SPF record correctly, your results should match the ones presented below.

MXToolBox results of an SPF check

P.S. SPF records cannot be over 255 characters in length and cannot include more than ten include statements, also known as “lookups.” If you need more than 10 entries, check out this article.
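The points from the record breakdown and the limits above can also be checked offline before you publish anything. The Python below is an added example, not code from Mailchimp or MXToolBox; `lint_spf`, `SAMPLE` and the second provider's hostname are hypothetical, and it counts every term that triggers a DNS lookup, which goes slightly beyond the include statements mentioned above.

```python
import re

# Meaning of the qualifier in front of "all", matching the options listed in the guide.
ALL_POLICY = {"-": "reject (strict)", "~": "soft-fail", "?": "no policy", "+": "allow anyone"}
# Terms that cost a receiver one DNS lookup each (RFC 7208); include is one of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)
# Constructed sample: the guide's Mailchimp include plus a hypothetical second provider.
SAMPLE = ["v=spf1 include:servers.mcsv.net include:spf.second-provider.example ~all"]


def lint_spf(txt_records):
    """Check the TXT values published at a domain and return a report dict."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    report = {"includes": [], "all": None, "lookups": 0, "warnings": []}
    warn = report["warnings"].append
    if len(spf) != 1:
        warn(f"expected exactly one SPF record, found {len(spf)}")
        return report
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        m = TERM.match(term)
        if not m:
            warn(f"unparseable term: {term}")
            continue
        qualifier, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "include":
            report["includes"].append(value)
        elif name == "all":
            report["all"] = ALL_POLICY[qualifier]
            if any("=" not in t for t in terms[pos + 1:]):
                warn("mechanisms placed after 'all' are never evaluated")
            if qualifier in "+?":
                warn(f"{qualifier}all does not mark unlisted senders as failing")
    if report["all"] is None and "redirect=" not in spf[0].lower():
        warn("no 'all' term: unlisted senders get no verdict")
    if report["lookups"] > 10:
        # Nested includes count too; this offline check only sees the top level.
        warn("more than 10 DNS-lookup terms: receivers return a permanent error")
    if len(spf[0]) > 255:
        warn("over 255 characters: does not fit in a single DNS TXT string")
    return report


if __name__ == "__main__":
    print(lint_spf(SAMPLE))
```

Pass it every TXT value found at the domain root: two separate `v=spf1` records are reported as an error, which is why a second provider is added as another include in the same record.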

2) – DKIM

With SPF out of the way, let’s now focus on the DKIM record.

It stands for DomainKeys Identified Mail. It’s an additional email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.

DKIM works by preventing the spoofing of the “Display From” email address domain. The Display From address is almost always shown to an end-user when they receive the email.

It adds a digital signature to every email sent out. It serves as a guarantee to a receiver that the message body and attachments haven’t been modified along the way.

Usually, DKIM signatures are not visible to end-users; the validation is done at the server level. The DKIM key is generated by the individual provider and is unique for every domain.
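The guarantee that the body hasn’t been modified rests on a hash of the body that the signer stores in the signature’s bh= tag. The Python below is an added example, not Mailchimp’s code: it implements DKIM body canonicalization and hashing as specified in RFC 6376 on a constructed sample body, with hypothetical function names, and leaves out the RSA signature that covers the headers.

```python
import base64
import hashlib
import re

# Constructed sample newsletter body (not taken from a real message).
SENT = b"Hello subscriber,\r\n\r\nOur spring sale starts Monday.\r\n"


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Normalize a message body the way DKIM does before hashing (RFC 6376, 3.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # Empty body: "simple" hashes one CRLF, "relaxed" hashes nothing at all.
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 digest that a signer stores in the bh= tag of DKIM-Signature."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_unmodified(received: bytes, signed_bh: str, mode: str = "relaxed") -> bool:
    """Receiver-side check: recompute the hash and compare it with the signed value."""
    return body_hash(received, mode) == signed_bh


if __name__ == "__main__":
    bh = body_hash(SENT)
    reflowed = SENT.replace(b"spring sale", b"spring  sale") + b"\r\n"
    tampered = SENT.replace(b"Monday", b"Friday")
    print("bh=" + bh)
    print("whitespace-only change accepted:", body_unmodified(reflowed, bh))
    print("edited text accepted:", body_unmodified(tampered, bh))
```

Relaxed mode tolerates the whitespace changes that mail relays commonly make, while any change to the text itself produces a different hash and the signature check fails.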

You add it in a similar way to how you added the SPF record. The difference is that you are now adding a CNAME record instead of a TXT record.

For leadxgen.net and Mailchimp the required entry to authenticate with DKIM is the following:

Name is (swap leadxgen.net for your own domain):

K1._domainkey.leadxgen.net

While Target is:

Dkim.mcsv.net

All combined in one screenshot. Once you’re happy with it, press Save.

Settings for the DKIM records in Cloudflare

Your DKIM record should now be successfully added. As part of good practice, let’s head back to the MXToolBox site to verify it as we did in the previous step.

Insert the full DKIM record and select the DKIM Lookup option from the drop-down menu (orange box). If you have successfully added the DKIM record, your results should be similar to the one below.

Results of the DKIM verification

There is an extra layer of protection, named DMARC. With it, you can determine what happens with emails that don’t have SPF or DKIM properly set up. Essentially, you get complete control over the sent emails.

Moreover, it gives you the possibility to monitor the domain and see exactly how many emails were sent and how many were compliant. Subscribe here to get it!

What EMS do you use?
