As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.
DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) policies are a form of authentication that commonly works in tandem with DKIM. DMARC policies are created and controlled outside of your email marketing account and function as a “lock” for a particular domain.
When an organization has added a DMARC policy to their domain, it typically means that no one can send unauthenticated or unaligned emails using that domain; if someone tries to use that domain to send an unauthenticated email, it will result in a DMARC failure and that email will usually hard bounce or get sent to the recipient’s junk folder. For more in-depth information about how DMARC works, please visit DMARC.org.
Many major inbox providers now require that anyone sending emails through an email service provider (ESP) have a DMARC policy on their domain. As a result, if you don’t already have a DMARC policy on your domain, you’ll need to set one up before you begin sending campaigns.
Checking for DMARC
If you’re not sure whether your domain already has a DMARC policy or not, you can easily find out right in your email marketing account. You will need to have DKIM set up before you can use this tool.
- Navigate to your Account > Deliverability tab.
  - Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
  - Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of your screen.
    - If you are a Manager or Parent user, scroll down to Subaccount settings and choose Account from the dropdown menu.
    - If you are an Administrator user, choose Account from the dropdown menu.
  - Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
- On the next screen, click on the Deliverability tab.
- Scroll down to the section that says DMARC status check.
- Click on the Check DMARC status button.
If you do have a DMARC policy on your domain, you will see a green pill icon in the Policy row. The icon will be labeled according to the type of DMARC policy you have – all of the options listed below are considered valid DMARC policy options:
- None: Your DMARC policy is p=none
- Quarantine: Your DMARC policy is p=quarantine
- Reject: Your DMARC policy is p=reject
If the DMARC status check tool is unable to find a DMARC policy on your domain, or if it encounters an error, then you will see an error message.
Error messages typically indicate the source of the problem. For example, if the error message states that your domain has more than one DMARC record, you will need to remove one of them so that only a single DMARC record remains.
There are also many free tools that you can use to check your DMARC policy online, such as emailstuff.org. To check your DMARC record with emailstuff.org, click on the Authentication button and scroll down to the Check a published DMARC policy heading. Type your domain in the Domain name box and click on the Check button. If you have a valid DMARC policy, you’ll see a green rectangle that says Valid Record.
Setting up DMARC
There are many ways to set up DMARC for your domain, depending on your organization’s needs and priorities. In most cases, implementing DMARC should be done by someone who really understands DNS because it can involve a significant amount of testing, reviewing technical reports, and securing all your mail streams carefully.
Below, we have provided one option for creating a DMARC policy on your domain. This option meets the minimum requirements for DMARC set by most major inbox providers.
- In your DNS provider, create a new TXT record.
- Enter the following text into your record, exactly as it appears below.
  - Name: _dmarc
  - Value: v=DMARC1; p=none;
- Select the TTL value (300 seconds – 30 minutes).
- Save the record.
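To verify what is actually published once the record is saved, the sketch below (an added example, not part of our tooling) checks the TXT strings returned for _dmarc.<domain> against the failure modes this article describes: no record, more than one record, an invalid p= value, and hidden formatting carried in by copy and paste. The function names and sample records are constructed for illustration.

```python
import unicodedata

VALID_POLICIES = {"none", "quarantine", "reject"}

def hidden_characters(text):
    """List characters outside printable ASCII (smart quotes, zero-width spaces, tabs)."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
            for c in text if not 32 <= ord(c) <= 126]

def check_dmarc(txt_records):
    """Evaluate the TXT strings published at _dmarc.<domain>.

    Returns (policy, problems); policy is None when no usable record exists.
    """
    problems = [f"hidden character in record: {ch}"
                for rec in txt_records for ch in hidden_characters(rec)]
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return None, problems + ["no DMARC record found"]
    if len(dmarc) > 1:
        return None, problems + ["more than one DMARC record; remove one"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None, problems + [f"missing or invalid p= tag: {policy!r}"]
    return policy, problems

# Constructed sample answers for a TXT query at _dmarc.<domain>.
SAMPLES = {
    "record from this page": ["v=DMARC1; p=none;"],
    "two records published": ["v=DMARC1; p=none;", "v=DMARC1; p=reject;"],
    "pasted with zero-width space": ["v=DMARC1;\u200b p=none;"],
    "pasted with smart quotes": ["\u201cv=DMARC1; p=none;\u201d"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", check_dmarc(records))
```

The zero-width space case shows why retyping the record helps: the record looks identical on screen, yet the p= tag can no longer be read.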
While this is not the only option for setting up DMARC, we cannot provide any additional guidance beyond what is shown above. If you would like to set up your DMARC policy differently, that’s okay, but you will need to direct any questions to your IT team or DNS administrator.
When in doubt, we recommend getting help from service providers who specialize in DMARC. Listed below in alphabetical order are three services that can help you through the DMARC implementation process. This list is not an endorsement of any particular service over another.
If you choose to move forward with creating your own DMARC policy, here are some resources that you may find helpful:
- Overview from DMARC.org under the heading Anatomy of a DMARC resource record in the DNS
- Cloudflare’s Learning Center article What is a DNS DMARC record?
- MX Toolbox’s DMARC record generator
SPF
SPF (Sender Policy Framework) authentication looks up the DNS records of the domain in a mailing’s return-path address to find the IP addresses authorized to send emails for that domain. If a sender’s IP address is not listed in the DNS records of the return-path domain, their email won’t pass SPF.
The return-path for all emails sent through our system is e2ma.net. This cannot be changed.
Since SPF alignment is partially dependent on the return-path of the sender address, even if you add us to your SPF records, the mailings that you send from your email marketing account will only partially pass SPF, because the return-path domain is ours rather than yours. This is another reason why setting up DKIM is so important; DMARC only requires SPF alignment OR DKIM alignment in order to pass, not both. So as long as you have DKIM set up in your account, your campaigns should still pass DMARC.
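The "SPF alignment OR DKIM alignment" rule can be traced with a short evaluation, added here as an illustration (it is not code from our system). It assumes relaxed alignment and approximates the organizational domain as the last two labels, where real receivers consult the Public Suffix List; example.com and the message values are constructed.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example; real evaluators use the Public Suffix List.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, return_path_domain, spf_result, dkim_signatures):
    """Combine SPF and DKIM results the way a DMARC check does.

    dkim_signatures is a list of (d= domain, result) pairs found on the message.
    """
    spf_ok = spf_result == "pass" and aligned(return_path_domain, from_domain)
    dkim_ok = any(result == "pass" and aligned(d, from_domain)
                  for d, result in dkim_signatures)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed messages: sender address at example.com, return-path at e2ma.net.
WITH_DKIM = evaluate_dmarc("example.com", "e2ma.net", "pass",
                           [("example.com", "pass")])
WITHOUT_DKIM = evaluate_dmarc("example.com", "e2ma.net", "pass",
                              [("e2ma.net", "pass")])

if __name__ == "__main__":
    print("DKIM set up for example.com:", WITH_DKIM)
    print("no DKIM for example.com:   ", WITHOUT_DKIM)
```

In both cases SPF itself passes for the return-path domain; only the message signed with the sender's own domain passes DMARC.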
Checking for SPF
Even though all emails sent from our system will only partially pass SPF, we still recommend adding us to your SPF record, just to be safe. If you’re not sure whether your domain already has us in your SPF record, you can easily find out right in your email marketing account. Just as a heads up, you will need to have DKIM set up before you can use this tool.
- Navigate to your Account > Deliverability tab.
  - Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
  - Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of your screen.
    - If you are a Manager or Parent user, scroll down to Subaccount settings and choose Account from the dropdown menu.
    - If you are an Administrator user, choose Account from the dropdown menu.
  - Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
- On the next screen, click on the Deliverability tab.
- Scroll down to the section that says SPF status check.
- Click on the Check SPF status button.
If you have added us to your SPF record, you’ll see a green pill icon that says Pass. If you have not added us to your SPF record, you’ll see a red pill icon that says Fail. If you do not have an SPF record, you’ll see a red pill icon that says No SPF record found.
If your SPF record is flattened or hidden from public lookup, our system will be unable to check your SPF record and will return the red pill icon that says Fail. If you have questions about this, please reach out to your IT team for assistance.
There are also many free tools that you can use to check your SPF record online, such as emailstuff.org. To check your SPF record with emailstuff.org, click on the Authentication button and scroll down to the Check a published SPF record heading. Type your domain in the Domain name box and click on the Check button. If you see e2ma listed in the record, then you have already added us to your SPF record.
Setting up SPF
Similar to DMARC, there are many ways to set up your domain’s SPF record, depending on your organization’s needs and priorities. As always, when in doubt, we urge you to reach out to someone who specializes in DNS if you need assistance.
If you already have a record that contains v=spf1, then you just need to add include:_spf.e2ma.net immediately after that text in your existing record. If your organization prohibits you from adding domains to your SPF record, you can add us by our IP range, which is listed here. If you do not already have an SPF record, we have provided one option for creating an SPF record below.
- In your DNS provider, create a new TXT record.
- Enter the following text into your record, exactly as it appears below. (If your DNS provider does not allow you to use the @ symbol as the name, that’s fine. Just use whatever name their documentation recommends.)
  - Name: @
  - Value: v=spf1 include:_spf.e2ma.net ~all
- Select the TTL value (300 seconds – 30 minutes).
- Save the record.
While this is not the only option for setting up SPF, we cannot provide any additional guidance beyond what is shown above. If you choose to set up your SPF record differently, that’s okay, but we will be unable to assist with any questions or troubleshooting related to it. We also cannot assist with general SPF questions or troubleshooting, as these topics are outside of our scope. Your IT team or DNS specialist will be your best resources for these questions.
Frequently asked questions about DMARC and SPF
I followed all of the instructions exactly, but I’m seeing an error when I try to check them! Did I do something wrong?
It can take up to 48 hours for DNS records to fully propagate, so there’s no need to panic if you don’t see the DMARC or SPF record check tool update right away. Just give the records some time and then try again.
If you’re still seeing errors after 48 hours, there may be a small typo in one of your records. Try checking each record for errant spaces or typos. Additionally, if you copied and pasted the records into your DNS, try typing them in manually instead. Alternately, you can paste them into a text editor, copy them again, and then paste them into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the records into your DNS, as this formatting can prevent our system from reading those records.
Finally, when it comes to SPF, if your SPF record is flattened or hidden from public lookups, it is expected for the error to remain visible.
I’ve added you to my SPF record, why are my campaigns still showing SPF failures?
It is expected for SPF to remain unaligned, even after you’ve added _spf.e2ma.net to your SPF record. This is because SPF is checked against an email’s return-path. By default, emails that come from our servers will always use our domain for the return-path, so when SPF is checked for a mailing, a portion of it won’t pass for your domain. At this time, it is not possible to update the return-path to a different domain.
This should not interfere with DMARC because DMARC checks require SPF or DKIM, not both. As long as you have DKIM set up, your mailings should pass DMARC.
The SPF status check tool is showing an error about the “maximum number of DNS lookups”, what does this mean?
If you see an error message that says something like Parsing the SPF record requires x/10 maximum DNS lookups, then you have most likely added our sending domain to your SPF record correctly. However, SPF records typically have a maximum of 10 “lookups” and your record has exceeded this limit. Resolving this error is not within our scope, so you’ll need to reach out to your IT team or DNS specialist for assistance.
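To show where the lookups come from, here is an added example (not the logic of our status check tool) that counts the SPF terms that trigger a DNS query, following include: and redirect= into nested records. The ZONE dictionary is a constructed stand-in for live DNS: the vendor domains are made up, and the record shown for _spf.e2ma.net is a placeholder, not its real contents.

```python
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
LOOKUP_LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count SPF terms that trigger a DNS query, following include: and redirect=.

    zone maps a domain to its SPF TXT string; names missing from it add nothing.
    """
    if domain in path:                      # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.startswith("redirect="):
            target = term[len("redirect="):]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]           # "a/24" and "mx/24" count as a, mx
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def spf_report(domain, zone):
    """Summarize whether our include is present and whether the limit is exceeded."""
    terms = zone.get(domain, "").lower().split()
    lookups = count_lookups(domain, zone)
    return {"has_e2ma": "include:_spf.e2ma.net" in terms,
            "lookups": lookups, "over_limit": lookups > LOOKUP_LIMIT}

# Constructed records; none of these are real published values.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.e2ma.net "
                   "include:spf.vendor-a.example include:spf.vendor-b.example ~all",
    "small.example": "v=spf1 include:_spf.e2ma.net ~all",
    "_spf.e2ma.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spf.vendor-a.example": "v=spf1 include:a1.vendor-a.example "
                            "include:a2.vendor-a.example include:a3.vendor-a.example mx ~all",
    "spf.vendor-b.example": "v=spf1 a mx exists:%{i}.bl.vendor-b.example "
                            "include:b1.vendor-b.example ~all",
}

if __name__ == "__main__":
    for name in ("small.example", "example.com"):
        print(name, spf_report(name, ZONE))
```

The constructed example.com record contains our include correctly and still fails the limit, because the two other vendors' nested records account for ten of its thirteen lookups.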
I send less than 5,000 emails a day, do I really have to set up authentication?
Yes, you do still need to set up authentication. At minimum, you should set up DKIM and DMARC, but SPF is strongly recommended. You may send less than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP) will qualify you as a bulk sender to inbox providers.
I don’t have an IT team and I don’t know how to do any of this. Where do I even put these records?
We understand that authenticating your domain can feel overwhelming, especially for someone who may not have a lot of experience with these topics. Our goal is to make this process as smooth as possible for everyone, so we’ve collected several resources that will hopefully help you feel a little more confident.
As far as the DNS records are concerned, you or whoever manages your domain should be able to log in to the registrar that hosts your domain to create the required records. Every DNS provider looks a little different, so if you have specific questions about where to click or what to do, your registrar’s help documentation will be your best bet for guidance.
We’ve collected a list of some popular domain providers and their instructions for how to edit DNS records. Just click on the link that corresponds to your domain provider; if you don’t see yours listed here, try visiting your provider’s website and searching their help documents, or contact their Support team.
- Amazon Route 53: Configuring DNS, DNS record types
- Bluehost: DNS Management
- Cloudflare: Manage DNS records
- Domain.com: How to update DNS records, How to update TXT records, DKIM & DMARC
- Dreamhost: DNS overview
- GoDaddy: Add a TXT record
- Hostgator: Basics of DNS records
- Hover: Managing DNS records
- IONOS: Managing TXT records
- Namecheap: How to add a TXT record
- Network Solutions: How do I manage DNS records?, Help & Support home
- Siteground: Manage your DNS records
- Squarespace: Accessing your DNS settings, Adding custom DNS records
- Wix: Adding or updating TXT records
- WordPress: Manage your DNS records