As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.
I don’t have an IT team and I don’t know how to do any of this. Where do I even put these records?
We understand that authenticating your domain can feel overwhelming, especially for someone who may not have a lot of experience with these topics. Our goal is to make this process as smooth as possible for everyone, so we’ve created several resources that will hopefully help you feel a little more confident. All of those resources are listed in this article.
As far as the DNS records are concerned, you or whoever manages your domain should be able to log in to the registrar that hosts your domain to create the required records. Every DNS provider looks a little different, so if you have specific questions about where to click or what to do, your registrar’s help documentation will be your best bet for guidance.
We’ve collected a list of some popular domain providers and their instructions for how to edit DNS records. Just click on the link that corresponds to your domain provider; if you don’t see yours listed here, try visiting your provider’s website and searching their help documents, or contact their Support team.
- Amazon Route 53: Configuring DNS, DNS record types
- Bluehost: DNS Management
- Cloudflare: Manage DNS records
- Domain.com: How to update DNS records, How to update TXT records, DKIM & DMARC
- Dreamhost: DNS overview
- GoDaddy: Add a TXT record
- Hostgator: Basics of DNS records
- Hover: Managing DNS records
- IONOS: Managing TXT records
- Namecheap: How to add a TXT record
- Network Solutions: How do I manage DNS records?, Help & Support home
- Siteground: Manage your DNS records
- Squarespace: Accessing your DNS settings, Adding custom DNS records
- Wix: Adding or updating TXT records
- WordPress: Manage your DNS records
Frequently asked questions about DKIM
I send less than 5,000 emails a day, do I really have to set up DKIM?
Yes, you do still need to set up DKIM. You may send fewer than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP) will qualify you as a bulk sender to inbox providers.
Who controls the DKIM keys and their rotation?
We control the DKIM keys and their rotation.
Can I use my own DKIM keys?
No, you cannot.
Why use a CNAME instead of the actual DKIM key?
DKIM records are complex and it’s very easy to make a mistake when adding them to the DNS. These records must be absolutely correct in order to prevent significant mail delivery problems, so even a tiny error can have a large impact. Additionally, DKIM should be changed on a regular basis, which would require frequent contact, updates, and an overall heavier lift for our users to accomplish.
Using CNAME records allows for a once-and-done setup of the DKIM configuration. CNAME records also give us absolute knowledge of which keys are valid at any given time, as well as control over key rotation for all customers. This allows us to follow security best practices while also minimizing the burden on our users.
Why do you use multiple DKIM keys?
DKIM keys should be rotated at regular intervals in order to prevent replay spoofing and protect account security. The rotation process invalidates an older key and replaces it with a new key that is used to sign future emails. When there is only one key, any emails that are in progress or sent within a few days of the rotation could lose their authentication because the current key doesn’t match the expected value.
Using multiple keys provides a window of time in which both the old key and the new key are valid, which bypasses the key rotation validity problem and provides a seamless transition between keys. We also work to prevent key validity problems by publishing the next key in the DNS well before it’s used to sign messages.
What is the key rotation period?
Our system rotates DKIM keys on a monthly basis. At the start of each month, new messages sent will be using a new DKIM signing key. Each key will be rotated out a full month after it was last used and rotated in a full month before it will be used again. Each rotation generates a new private / public key pair.
Is there a place where I can view the DKIM status for all of my subaccounts?
Yes, the account Parent and Managers with permission to create accounts can see the DKIM status for all subaccounts by clicking on the Subaccounts tab at the top of the screen and then clicking on the Deliverability section.
Frequently asked questions about CNAME and TXT records
Can the TXT record be removed once DKIM setup is complete?
Yes, once you’ve completed the DKIM setup process for your account, you may remove the TXT record from your DNS. The CNAME records cannot be removed.
My organization has more than one separate account, can I set up DKIM for both? Will one account’s TXT record interfere with the other account’s TXT record?
Yes, you can absolutely set up DKIM for the same domain in multiple fully separate accounts. Due to the unique validation hashes, our system can distinguish between the TXT record for one account and the TXT record for another, even if those records are on the same domain.
My DNS provider won’t accept the syntax for one of the records, what should I do?
Every DNS provider has slightly different syntax requirements. The records that we’ve listed in our article show the syntax that most commonly works. However, you should always follow the syntax requirements of your DNS provider first. If your DNS provider is rejecting the @ symbol in the TXT record or the trailing period in the CNAME records, you can simply omit that portion of the record or replace it with whatever your DNS provider does accept.
I’ve set up DKIM in my parent account and want to authenticate the same domain in all of my existing subaccounts. Do I really have to create a TXT record for every single subaccount?
No, if all of your subaccounts are sending from the same domain, you can set up DKIM at the parent level to avoid creating a TXT record for each subaccount. During the final validation step of DKIM setup for the parent account, you’ll see a checkbox that says Apply changes to all existing subaccounts. Checking that box will apply the parent account’s DKIM to all existing subaccounts. Once the parent DKIM is set up, any subaccounts that you create in the future will automatically inherit the parent’s DKIM authentication.
If your subaccounts are not sending from the same domain, then you will need to create a TXT record for each subaccount. Another option is to set up DKIM in the parent account for the most commonly used domain and apply that to all existing subaccounts. Then, you can create the required DNS records for the other domains and update the DKIM for the subaccounts that will be sending from those domains.
Please refer to our DKIM for tiered accounts article for more information.
Frequently asked questions about SPF and DMARC
I’ve added you to my SPF record, why are my campaigns still showing SPF failures?
It is expected for SPF to remain unaligned, even after you’ve added _spf.e2ma.net to your SPF record. This is because SPF is checked against an email’s return-path. By default, emails that come from our servers will always use our domain for the return-path, so when SPF is checked for a mailing, it is evaluated against our domain and won’t align with your domain. At this time, it is not possible to update the return-path to a different domain.
This should not interfere with DMARC because DMARC checks require SPF or DKIM, not both. As long as you have DKIM set up, your mailings should pass DMARC.
The SPF status check tool is showing an error about the “maximum number of DNS lookups”, what does this mean?
If you see an error message that says something like Parsing the SPF record requires x/10 maximum DNS lookups, then you have most likely added our sending domain to your SPF record correctly. However, SPF records typically have a maximum of 10 “lookups” and your record has exceeded this limit. Resolving this error is not within our scope, so you’ll need to reach out to your IT team or DNS specialist for assistance.
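To show where the lookups come from, here is an added example (not code from our product) that counts them for a record and everything it includes. The records in ZONE are constructed samples, including the placeholder contents shown for _spf.e2ma.net, and the helper names are hypothetical.

```python
import re

# Terms that make the receiver perform a DNS query (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed sample records for illustration; not real published DNS data.
ZONE = {
    "example.com": "v=spf1 include:_spf.e2ma.net include:_spf.crm.example "
                   "include:_spf.helpdesk.example a mx ~all",
    "_spf.e2ma.net": "v=spf1 ip4:192.0.2.0/24 ~all",  # placeholder contents
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example "
                        "include:_c.crm.example ~all",
    "_a.crm.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.crm.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 include:_x.helpdesk.example "
                             "include:_y.helpdesk.example a ~all",
    "_x.helpdesk.example": "v=spf1 ip4:203.0.113.10 ~all",
    "_y.helpdesk.example": "v=spf1 ip4:203.0.113.20 ~all",
}


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms in domain's SPF record, following includes."""
    if domain in path:                      # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        match = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not match or match.group(1) not in LOOKUP_TERMS:
            continue                        # ip4, ip6 and all cost nothing
        total += 1
        if match.group(1) in ("include", "redirect") and match.group(2):
            total += count_spf_lookups(match.group(2), zone, path + (domain,))
    return total


def spf_report(domain, zone):
    used = count_spf_lookups(domain, zone)
    status = "over limit" if used > SPF_LOOKUP_LIMIT else "ok"
    return f"{domain}: {used}/{SPF_LOOKUP_LIMIT} DNS lookups ({status})"


if __name__ == "__main__":
    print(spf_report("example.com", ZONE))
```

In this sample the top-level record only lists five lookup terms, but the nested includes bring the total past the limit, which is why the fix usually involves the other services in the record.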
Frequently asked questions about domains
What is a domain?
Put simply, a domain is the name of a website or a web address. For example, the web address for our help site is help.e2ma.net, so that is our domain. When it comes to email, the domain is the section of the email address that’s after the @ symbol.
For more information about domain names, including how to get one, check out this article.
Can I authenticate multiple sending domains in one account?
No, only one sending domain can be authenticated per account / subaccount. The sending domain is hard-coded into the DKIM settings for each account / subaccount, so using any other domain or subdomain in your sender email will result in DKIM and / or DMARC failures.
Tiered accounts only: If you have a DMARC policy of none (p=none) on your domain, then you can set up DKIM for your top-level domain in your email marketing account and send from multiple subdomains. For example, if you set up DKIM for domain.com, then you could send from both mail.domain.com and hr.domain.com and both subdomains would pass DMARC. It’s important to note that this only works for subdomains, i.e. athletics.school.edu will work, but schoolathletics.edu will not. If you have a DMARC policy set to quarantine or reject, this will not work.
If you use adkim=s in your DMARC policy, then the method above will not work, even if your enforcement is set to p=none. We recommend not including adkim in your DMARC policy at all, as it defaults to relaxed when not included. If you have questions about how your organization’s DMARC policy is configured, please contact your IT team or domain administrator.
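The difference between relaxed and strict alignment, and why an unaligned SPF result does not stop DMARC from passing when DKIM aligns, can be seen in this added example (not code from our product). It covers p=none records only, approximates the organizational domain as the last two labels of the name, which holds for the .com and .edu names used here (real receivers use the Public Suffix List), and uses a placeholder return-path domain.

```python
def org_domain(domain):
    """Assumption: organizational domain = last two labels (true for .com/.edu here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; adkim=s' into {'v': 'DMARC1', 'p': 'none', 'adkim': 's'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def evaluate(from_domain, dkim_d, return_path, dmarc_record, dkim_pass=True, spf_pass=True):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    tags = parse_dmarc(dmarc_record)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, tags.get("adkim", "r").lower())
    spf_ok = spf_pass and aligned(from_domain, return_path, tags.get("aspf", "r").lower())
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


# Constructed messages: (From domain, DKIM d=, DMARC record). The return-path
# domain below is a placeholder for the sending service's own domain.
RETURN_PATH = "bounce.esp.example"
CASES = [
    ("mail.domain.com", "domain.com", "v=DMARC1; p=none"),
    ("hr.domain.com", "domain.com", "v=DMARC1; p=none"),
    ("mail.domain.com", "domain.com", "v=DMARC1; p=none; adkim=s"),
    ("athletics.school.edu", "school.edu", "v=DMARC1; p=none"),
    ("schoolathletics.edu", "school.edu", "v=DMARC1; p=none"),
]

if __name__ == "__main__":
    for from_domain, dkim_d, record in CASES:
        print(from_domain, record, evaluate(from_domain, dkim_d, RETURN_PATH, record))
```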
Frequently asked questions about authentication errors
I followed all of the DKIM setup instructions, but I’m seeing an error when I try to complete the final validation step! Did I do something wrong?
It can take up to 48 hours for DNS records to fully propagate, so there’s no need to panic if you can’t complete DKIM setup right away. Just give the records some time and then try again.
If you’re still seeing errors after 48 hours, there may be a small typo in one of your records. Try checking each record for errant spaces or typos. For the CNAME records, make sure that the numbers are correct in each record; sometimes folks will accidentally have two CNAME records with k1, for example, instead of one each for k1, k2, and k3.
Finally, if you copied and pasted the records into your DNS, try typing them in manually instead. Alternately, you can paste them into a text editor, copy them again, and then paste them into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the records into your DNS, as this formatting can prevent our system from reading those records.
I followed all of the DMARC or SPF instructions exactly, but I’m seeing an error when I try to check them in my email marketing account! Did I do something wrong?
The information from the previous question applies here as well. Try walking through those steps to see if it helps. Additionally, error messages can provide a lot of helpful information that may help direct your troubleshooting. For example, if you receive an error message stating that the domain has 2 DMARC records, then the problem is likely that you have 2 DMARC records on your domain. Each domain should only have one DMARC record, so you’ll need to remove one of them.
Finally, when it comes to SPF, if your SPF record is flattened or hidden from public lookups, it is expected for the error to remain visible in your email marketing account.
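The checks described in the two answers above (hidden formatting, mismatched or repeated k1/k2/k3 numbers, and more than one DMARC record) can be run over a copy of your records with a short script. This is an added example, not code from our product; the record hosts and targets are constructed placeholders, and it assumes the k-number is the first label of both the CNAME host and its target.

```python
import re
import unicodedata
from collections import Counter

EXPECTED = {"k1", "k2", "k3"}  # CNAME numbers named in the answer above

# Constructed records (type, host, value); hosts and targets are placeholders.
RECORDS = [
    ("CNAME", "k1._domainkey.example.com", "k1.dkim.esp.example."),
    ("CNAME", "k2._domainkey.example.com", "k1.dkim.esp.example."),  # wrong number
    ("CNAME", "k3._domainkey.example.com", "k3.dkim.esp.example.\u200b"),  # zero-width space
    ("TXT", "_dmarc.example.com", "v=DMARC1; p=none"),
    ("TXT", "_dmarc.example.com", "v=DMARC1;\u00a0p=none"),  # duplicate, pasted NBSP
]


def hidden_chars(text):
    """Name each character outside printable ASCII, plus stray edge spaces."""
    found = [unicodedata.name(c, f"U+{ord(c):04X}")
             for c in text if not 32 <= ord(c) < 127]
    if text != text.strip():
        found.append("leading/trailing space")
    return found


def check_records(records):
    problems = []
    for rtype, host, value in records:
        for name in hidden_chars(host) + hidden_chars(value):
            problems.append(f"{rtype} {host.strip()}: hidden character {name}")
    dmarc = Counter(host.strip().lower() for rtype, host, value in records
                    if rtype == "TXT" and value.strip().lower().startswith("v=dmarc1"))
    problems += [f"{h}: {n} DMARC records, expected 1" for h, n in dmarc.items() if n > 1]
    hosts = Counter()
    for rtype, host, value in records:
        h = re.match(r"\s*(k\d+)\.", host.lower())
        v = re.match(r"\s*(k\d+)\.", value.lower())
        if rtype != "CNAME" or not h:
            continue
        hosts[h.group(1)] += 1
        if v and v.group(1) != h.group(1):
            problems.append(f"CNAME {host.strip()}: host is {h.group(1)}, target is {v.group(1)}")
    problems += [f"CNAME {s} appears {n} times" for s, n in sorted(hosts.items()) if n > 1]
    problems += [f"CNAME {s} is missing" for s in sorted(EXPECTED - set(hosts))]
    return problems


if __name__ == "__main__":
    print("\n".join(check_records(RECORDS)))
```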
Frequently asked questions about delivery problems
I’ve set up DKIM, but my test emails say that they are failing DKIM, what’s going on?
Make sure that you’ve completed the final validation step in your email marketing account. If you’re not sure, please refer to step four of this article. If you have a tiered account, it’s possible that the final validation step has been completed in some subaccounts or in the parent account, but not in the subaccount that you’re sending tests from.
I’ve set up DKIM in my account, but my emails are still bouncing internally. Why is this happening?
Emails can still bounce or be sent to junk for internal contacts, even after DKIM is set up. This is typically caused by an organization’s network settings and can usually be resolved by allowlisting our IP addresses.