As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.
Tiered accounts and standalone accounts follow a similar process when setting up DKIM authentication, but there are some key points to consider that only apply to tiered accounts. The information below can help guide your organization as you plan your authentication strategy. If you’re looking for step-by-step instructions for setting up DKIM, check out this article. If your IT team has security concerns about setting up DKIM, please refer to this article.
DKIM domain
The first thing you’ll need to decide is what domain your subaccounts will be sending from. Will you be using the same sending domain across all subaccounts? Or will some subaccounts use a different sending domain?
Each subaccount can only have one authenticated domain at a time – it’s not possible to authenticate multiple domains in a single subaccount. You can choose to use the same domain across all subaccounts or different domains for each subaccount. You can also set up DKIM in the parent account.
Parent-level DKIM
There are a few important things to know about parent-level DKIM. First, once DKIM is set up at the parent level, any subaccounts that you create in the future will automatically inherit DKIM authentication from the parent account. You can change the authenticated domain after the subaccount has been created by following the standard DKIM setup instructions for the desired domain in that subaccount.
Second, when DKIM is set up at the parent level, it will not be automatically applied to any existing subaccounts. Existing subaccounts will remain unauthenticated unless you follow the DKIM setup instructions for them as well or unless you checked the Apply changes to all existing subaccounts box, which you can read more about below.
Using the same domain
If you plan to use the same domain in all subaccounts, it’s easiest to set DKIM up at the parent level first. During the final validation step, you’ll see a checkbox that says Apply changes to all existing subaccounts. Checking that box will apply the parent account’s DKIM to all existing subaccounts. Once the parent DKIM is set up, any subaccounts that you create in the future will automatically inherit the parent’s DKIM authentication.
Using different domains
If you plan to use the different domains in some or all subaccounts, you will need to follow the DKIM setup process outlined in this article for each subaccount. This process will require three CNAME records per domain and one TXT record per subaccount.
If you plan to use one domain across most of your subaccounts and a different domain for just a few others, it may be easiest to set up DKIM at the parent level for the domain that you’ll use most. When setting up DKIM at the parent level, you’ll have the chance to apply the parent account’s DKIM to all existing subaccounts. Once you’ve finished setting up DKIM for the parent account and applied it to your existing subaccounts, you can change the authenticated domain in each of the desired subaccounts by following the normal DKIM setup process for the other domain.
Frequently asked questions about DKIM
I send less than 5,000 emails a day, do I really have to set up DKIM?
Yes, you do still need to set up DKIM. You may send less than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP), will qualify you as a bulk sender to inbox providers.
Can I authenticate multiple sending domains in one account?
No, only one sending domain can be authenticated per account / subaccount. The sending domain is hard-coded into the DKIM settings for each account / subaccount, so using any other domain or subdomain in your sender email will result in DKIM and / or DMARC failures.
If you have a none DMARC policy (p=none) on your domain, then you can set up DKIM for your top-level domain in your account and send from multiple subdomains. For example, if you set up DKIM for domain.com, then you could send from both mail.domain.com and hr.domain.com and both subdomains would pass DMARC. It’s important to note that this only works for subdomains, i.e. athletics.school.edu will work, but schoolathletics.edu will not. If you have a DMARC policy set to quarantine or reject, this will not work.
If you use adkim=s in your DMARC policy, then the method above will not work, even if your enforcement is set to p=none. We recommend not including adkim in your DMARC policy at all, as it defaults to relaxed when not included. If you have questions about how your organization’s DMARC policy is configured, please contact your IT team or domain administrator.
Can the TXT record be removed once DKIM setup is complete?
Yes, once you’ve completed the DKIM setup process for your account, you may remove the TXT record from your DNS. The CNAME records cannot be removed.
I’ve set up DKIM in my parent account and want to authenticate the same domain in all of my existing subaccounts. Do I really have to create a TXT record for every single subaccount?
No, if all of your subaccounts are sending from the same domain, you can set up DKIM at the parent level to avoid creating a TXT record for each subaccount. During the final validation step of DKIM setup for the parent account, you’ll see a checkbox that says Apply changes to all existing subaccounts. Checking that box will apply the parent account’s DKIM to all existing subaccounts. Once the parent DKIM is set up, any subaccounts that you create in the future will automatically inherit the parent’s DKIM authentication.
My organization has more than one separate account, can I set up DKIM for both? Will one account’s TXT record interfere with the other account’s TXT record?
Yes, you can absolutely set up DKIM for the same domain in multiple fully separate accounts. Due to the unique validation hashes, our system can distinguish between the TXT record for one account and the TXT record for another, even if those records are on the same domain.
My DNS provider won’t accept the syntax for one of the records, what should I do?
Every DNS provider has slightly different syntax requirements. The records that we’ve listed here in the article show the syntax that most commonly works. However, you should always follow the syntax requirements of your DNS provider first. If your DNS provider is rejecting the @ symbol in the TXT record or the trailing period in the CNAME records, you can simply omit that portion of the record or replace it with whatever your DNS provider does accept.
I followed all of the DKIM setup instructions, but I’m seeing an error when I try to complete the final validation step! Did I do something wrong?
It can take up to 48 hours for DNS records to fully propagate, so there’s no need to panic if you can’t complete DKIM setup right away. Just give the records some time and then try again.
If you’re still seeing errors after 48 hours, there may be a small typo in one of your records. Try checking each record for errant spaces or typos. For the CNAME records, make sure that the numbers are correct in each record; sometimes folks will accidentally have two CNAME records with k1, for example, instead of one each for k1, k2, and k3.
Finally, if you copied and pasted the records into your DNS, try typing them in manually instead. Alternately, you can paste them into a text editor, copy them again, and then paste them into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the records into your DNS, as this formatting can prevent our system from reading those records.
I’ve set up DKIM, but my test emails say that they are failing DKIM, what’s going on?
Make sure that you’ve completed the final validation step in the subaccount that you are using to send test emails. It’s possible that the final validation step has been completed in some subaccounts, but if it has not been completed in the subaccount that’s sending the tests, those emails will continue to fail DKIM.
For accounts sending from the same domain in all or most subaccounts, if DKIM has been set up in the parent account, but has not been applied to the subaccounts using the Apply changes to all existing subaccounts checkbox, then your subaccounts will remain unauthenticated.
I’ve set up DKIM in all my subaccounts, but my emails are still bouncing internally. Why is this happening?
Emails can still bounce or be sent to junk for internal contacts, even after DKIM is set up. This is typically caused by an organization’s network settings and can usually be resolved by allowlisting our IP addresses.
Is there a place where I can view the DKIM status for all of my subaccounts?
Yes, the account Parent and Managers with permission to create accounts can see the DKIM status for all subaccounts by clicking on the Subaccounts tab at the top of the screen and then clicking on the Deliverability section.