As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.

About DKIM

DomainKeys Identified Mail (DKIM) is a form of email authentication that helps verify that an email’s sender address is legitimate and is not being spoofed by a third party. Inboxes view DKIM-signed emails as more trustworthy, which helps reduce bounces and improve deliverability. For more information about how DKIM works and why it matters, see this article.

You can only set up DKIM for a domain that you own. If you do not own a domain and are currently sending from a free email domain, such as @gmail.com, please refer to our article about domain names and registrars.

If you have a specific question about DKIM after reading through these instructions, please refer to the frequently asked questions section at the end of this article or our article dedicated to frequently asked questions about authentication.

Each email marketing account or subaccount can only have one authenticated domain at a time. It is not possible to authenticate more than one domain in a single account or subaccount.

Standalone accounts, such as Lite, Pro, and Plus accounts, do not have subaccounts and are limited to one authenticated domain. Tiered accounts can authenticate one domain in each subaccount, but the domains can differ between subaccounts. For more information about domains and tiered accounts, please refer to this article.

Setting up DKIM

To set up DKIM in your account, you’ll need to create four new DNS records for the domain that you’re authenticating. Three of those records will be CNAME records and one will be a TXT record. If you are authenticating the same domain for multiple accounts, you will need to create one TXT record for each subaccount, but you’ll only need to create the CNAME records once.

If you’re not familiar with DNS records, no need to worry! We’ve collected a list of some of the most common domain providers and their instructions for how to edit DNS records. Just click on the link that corresponds to your domain provider; if you don’t see yours listed here, try visiting your provider’s website and searching their help documents, or contact their Support team.

• Amazon Route 53: Configuring DNS, DNS record types
• Bluehost: DNS Management
• Cloudflare*: Manage DNS records, Proxy status
• Domain.com: How to update DNS records, How to update TXT records, How to update CNAME records
• Dreamhost: DNS overview
• GoDaddy: Add a CNAME record, Add a TXT record
• Google Domains: DNS basics
• Hostgator: Basics of DNS records
• Hover: Managing DNS records
• IONOS: Configuring a CNAME record, Managing TXT records
• Namecheap: How to create a CNAME record, How to add a TXT record
• Network Solutions: How do I manage DNS records?
• Siteground: Manage your DNS records
• Squarespace: Accessing your DNS settings, Adding custom DNS records
• Wix: Adding or updating CNAME records, Adding or updating TXT records
• WordPress: Manage your DNS records

If you are using Cloudflare, your CNAME records cannot be proxied. They must be DNS only.

Step 1: Default sender email

This step occurs in your email marketing account.

Before you begin, you’ll need to make sure that your default sender email matches the domain that you’re planning to authenticate. If it does not match, you can update the default sender email in the Sender info tab.

Step 2: CNAME records

This step occurs in your DNS provider, not in your email marketing account.

Log in to your DNS provider and create the three CNAME records. You can find the syntax for each record in the table below. Depending on your DNS provider, the exact syntax of these records may vary slightly. In some cases, your host name may instead show as e2ma-k1._domainkey.yourdomain. In other cases, your DNS provider may not allow the trailing periods at the end of the values. In these situations, it’s okay to defer to your DNS provider’s requirements.

Host Name	Value
e2ma-k1._domainkey	e2ma-k1.dkim.e2ma.net.
e2ma-k2._domainkey	e2ma-k2.dkim.e2ma.net.
e2ma-k3._domainkey	e2ma-k3.dkim.e2ma.net.

Step 3: TXT record

This step occurs in your DNS provider, not in your email marketing account.

In order to create your TXT record, you’ll need your account’s validation hash. Once you’ve located the validation hash, create your TXT record using the syntax below. Replace xxxx with your account’s validation hash.

The host name may vary based on your DNS provider, but is often the @ symbol. If your DNS provider does not allow you to use the @ symbol, try using your domain instead or refer to your DNS provider’s documentation for assistance.

Host Name	Value
@	e2ma-verification=xxxx

Finding your validation hash

Every account and subaccount has its own unique validation hash. If you have a tiered account, there are separate hashes for each subaccount and the parent account. Validation hashes are not interchangeable, so you must create a TXT record for each subaccount that you’re authenticating. As a result, the location of your validation hash depends on your account type and your role.

1. Navigate to your Account > Deliverability tab.
   1. Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
   2. Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of the screen.
      1. If you are a Manager or Parent user, scroll down to Subaccount settings and choose Account from the dropdown menu.
      2. If you are an Administrator user, choose Account from the dropdown menu.
   3. Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
2. On the next screen, click on the Deliverability tab.
3. The validation hash will be located in the middle of the page.

Step 4: Final validation

This step occurs in your email marketing account.

Once you’ve completed all of the above, follow the steps below to complete the DKIM setup:

1. Return to the screen where you found your validation hash.
2. Click inside the DKIM domain box and type in your domain.
3. Click on the Save button.

Once this step is complete, DKIM is set up for this specific account or subaccount.

This step is easily overlooked, but DKIM setup cannot be completed without it. Please be careful not to skip it!

Frequently asked questions about DKIM

For more frequently asked questions about DKIM, check out this article.

I send less than 5,000 emails a day, do I really have to set up DKIM?

Yes, you do still need to set up DKIM. You may send less than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP), will qualify you as a bulk sender to inbox providers.

Can I authenticate multiple sending domains in one account?

No, only one sending domain can be authenticated per account / subaccount. The sending domain is hard-coded into the DKIM settings for each account / subaccount, so using any other domain or subdomain in your sender email will result in DKIM and / or DMARC failures.

Tiered accounts only: If you have a none p=none DMARC policy (p=none) on your domain, then you can set up DKIM for your top-level domain in your email marketing account and send from multiple subdomains. For example, if you set up DKIM for domain.com, then you could send from both mail.domain.com and hr.domain.com and both subdomains would pass DMARC. It’s important to note that this only works for subdomains, i.e. athletics.school.edu will work, but schoolathletics.edu will not. If you have a DMARC policy set to quarantine or reject, this will not work.

If you use adkim=s in your DMARC policy, then the method above will not work, even if your enforcement is set to p=none. We recommend not including adkim in your DMARC policy at all, as it defaults to relaxed when not included. If you have questions about how your organization’s DMARC policy is configured, please contact your IT team or domain administrator.

Can the TXT record be removed once DKIM setup is complete?

Yes, once you’ve completed the DKIM setup process for your account, you may remove the TXT record from your DNS. The CNAME records cannot be removed.

I have a tiered account, do I need to create a separate TXT record for each of my subaccounts?

Depending on certain factors, you may need to create a separate TXT record for each of your subaccounts. Please refer to our DKIM for tiered accounts article for more information.

My organization has more than one separate account, can I set up DKIM for both? Will one account’s TXT record interfere with the other account’s TXT record?

Yes, you can absolutely set up DKIM for the same domain in multiple fully separate accounts. Due to the unique validation hashes, our system can distinguish between the TXT record for one account and the TXT record for another, even if those records are on the same domain.

My DNS provider won’t accept the syntax for one of the records, what should I do?

Every DNS provider has slightly different syntax requirements. The records that we’ve listed here in the article show the syntax that most commonly works. However, you should always follow the syntax requirements of your DNS provider first. If your DNS provider is rejecting the @ symbol in the TXT record or the trailing period in the CNAME records, you can simply omit that portion of the record or replace it with whatever your DNS provider does accept.

I followed all of the DKIM setup instructions, but I’m seeing an error when I try to complete the final validation step! Did I do something wrong?

It can take up to 48 hours for DNS records to fully propagate, so there’s no need to panic if you can’t complete DKIM setup right away. Just give the records some time and then try again.

If you’re still seeing errors after 48 hours, there may be a small typo in one of your records. Try checking each record for errant spaces or typos. For the CNAME records, make sure that the numbers are correct in each record; sometimes folks will accidentally have two CNAME records with k1, for example, instead of one each for k1, k2, and k3.

Finally, if you copied and pasted the records into your DNS, try typing them in manually instead. Alternately, you can paste them into a text editor, copy them again, and then paste them into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the records into your DNS, as this formatting can prevent our system from reading those records.

I’ve set up DKIM, but my test emails say that they are failing DKIM, what’s going on?

Make sure that you’ve completed the final validation step in your email marketing account. If you’re not sure, please refer to step four of this article. If you have a tiered account, it’s possible that the final validation step has been completed in some subaccounts or in the parent account, but not in the subaccount that you’re sending tests from.

I’ve set up DKIM in my account, but my emails are still bouncing internally. Why is this happening?

Emails can still bounce or be sent to junk for internal contacts, even after DKIM is set up. This is typically caused by an organization’s network settings and can usually be resolved by allowlisting our IP addresses.

Additional resources

• Email authentication: Frequently asked questions
• Email authentication: Overview
• Authentication and security
• Domain names and registrars
• DKIM and deliverability
• DKIM for tiered accounts
• DMARC and SPF setup
• How to allowlist