Setting Up Authentication
Why set-up Authentication?
Creating great copy means nothing if your message doesn't make it to your user. Although it’s just one piece of the deliverability puzzle (along with your copy and overall reputation), authenticating the domains you use to send email messages from Customer.io can help your messages reach your users. Check out our post on Email Deliverability to know more about how it works.
In addition to improving email deliverability, authenticating your sending domains in Customer.io will also let you control the appearance of your tracked links. How about Universal Links? If you need to enable them for your mobile app, HTTPS domain authentication is required.
Setting up Authentication
To set up basic authentication you'll need to add four DNS records at your DNS hosting provider for any domain you wish to send from using your Customer.io account:
- Ownership Record: TXT record that verifies you own the sending domain.
- SPF Record: TXT record that allows Customer.io to sign emails sent on your behalf. SPF (Sender Policy Framework) records identify which IP addresses are allowed to send email using your domain.
- DKIM Record: TXT record that allows Customer.io to sign emails sent on your behalf. DKIM (Domain Keys Identified Mail) signatures ensure that the message that arrives at the inbox provider is identical to the message that you sent.
- Link Tracking Record: CNAME record that enables white label link tracking. When configured, your tracked links will use your domain instead of our default link tracking domain (customeriomail.com).
Each domain you choose to authenticate must first be used in one or more of the From Addresses that are configured in your account. Once added, each domain will be assigned its own values for the DNS records that need to be added at your DNS host.
To see these values, follow the Message Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types and then select the Deliverability tab:
Next, click the Configure or re-check button for the domain you'd like to authenticate. This is where you will see the TXT and CNAME records you need to add to your domain's DNS records in order to verify domain ownership, configure SPF, configure DKIM and to enable white labeling of your tracked links:
After you have added these records at your DNS host and they have had time to propagate, you will need to come back to the setting screen (pictured above) and click the Check now button. We will verify that the records are in place and take you back to the domain list where you'll see the results of our check.
- Ownership: A green checkmark means we have verified that your Ownership TXT record is configured. If SPF and DKIM also have green checkmarks, we will sign your email messages with your domain and "via customeriomail.com" will no longer be added to your emails.
- SPF: A green checkmark means we have verified that your SPF TXT record is configured. If Ownership and DKIM also have green checkmarks, we will sign your email messages with your domain and "via customeriomail.com" will no longer be added to your emails.
- DKIM: A green checkmark means we have verified that your DKIM TXT record is configured. If Ownership and SPF also have green checkmarks, we will sign your email messages with your domain and "via customeriomail.com" will no longer be added to your emails.
- CNAME: A green checkmark means we have verified that your CNAME record is configured. Ownership must also be verified before your tracking links can use this domain.
- HTTP: A green checkmark means we are able to contact your CNAME domain without error over at least HTTP. Unless you have successfully configured HTTPS Link Tracking, we'll be generating http links whenever link tracking is enabled in your messages. Ownership must also be verified before your tracking links can use this domain. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
- HTTPS: A green checkmark means you have successfully configured HTTPS Link Tracking and we’ll be generating https links whenever link tracking is enabled in your messages. Ownership must also be verified before your tracking links can use this domain. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
For your convenience, here is a list of links to the instructions for adding DNS records at commonly used hosts:
- 123 Reg - TXT | CNAME
- bluehost - TXT and CNAME
- DNS Made Easy - TXT | CNAME
- DNSimple - TXT | CNAME
- Dreamhost: TXT | CNAME
- DYN - TXT and CNAME
- GoDaddy - TXT | CNAME
- Hostgator - TXT and CNAME
- Hover - TXT and CNAME
- Media Temple - TXT and CNAME
- Namecheap - TXT and CNAME
- Network Solutions - TXT and CNAME
- Register.com - TXT | CNAME
For verifying HTTPS for regular links please visit our documentation on Setting Up HTTPS Link Tracking. If you also need to support links to iOS or Android apps, our documentation on setting up Setting Up Universal Links would be more appropriate.
Do I need to set up authentication if I'm using a custom SMTP?
No. If you are using a custom SMTP you'll add SPF and DKIM records according to your custom SMTP provider's documentation. If you want to white label your tracking links to use your domain rather than customeriomail.com, you can still add the domain Ownership TXT record and the CNAME record. Note: The CNAME record alone will not validate.
How do I verify my records are there?
On the Email Deliverability page, we'll show you the verification status of any domains you've added, like this:
Note: Until you verify ownership of your domain we will not be able to send signed emails on that domain's behalf. For example, emails from the address email@example.com can't be signed until
mydomain.comhas been verified.
How do I add another "From Address"?
The domain list is made up of domains used in the From Addresses that are configured in your account. If you want to add another domain, follow the Message Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types, then select the From Addresses tab, and then click the "Add From Address" button at the bottom of the domain list.
What if I already have an SPF record?
All you'll need to do is add include:customeriomail.com to your existing record. For example, this:
v=spf1 include:_spf.google.com ~all
v=spf1 include:_spf.google.com include:customeriomail.com ~all
What if I don't add the DNS records? What happens?
Without the authentication records (Verified, SPF, & DKIM), your emails could be filtered as spam or blocked all together. Your recipients will also see a "via" or "on behalf of" message displayed in Gmail and Outlook:
Do I need to add both SPF and DKIM?
Yes. If any of the first three TXT records (Verified, SPF, & DKIM) aren’t checked then we can’t sign your emails with your domain. This means your recipients will also see a "via" or "on behalf of" message in their email app. Note: Some receiving servers only look for one type of authentication and adding both ensures you'll comply with a server looking only for SPF or only for DKIM.
The SPF record is correct, but it's not validating!
Make sure you're using a TXT record as indicated in our instructions, not a SPF one. If the record is still not validated after 48 hours, get in touch and we'll troubleshoot the issue for you :)
I'm hosting my DNS with Cloudflare and the CNAME record is correct, yet the checkmark remains red.
CloudFlare CNAME records won't be validated if the HTTP proxy feature is enabled. Disable it and the record will go through correctly.
I'm getting an error in my DNS panel when trying to add the records, what can I do?
Underscores: Some hosts do not support underscores (
_) in DNS records, and adding the DKIM record can cause an error. The underscore is required and you'll want to contact your host to see if they disallow underscores entirely or if they can manually add the record for you.
Semicolons: Some hosts require that you escape semicolons in records. If you're getting an error try replacing
Will adding authentication affect my regular email?
No. The records are written specifically to allow our servers to send for you but not to disallow other servers.
My host doesn't support TXT records. What do I do?
Often, a host won't allow you to add records yourself, but will add them for you. As a first step we recommend you talk to your hosting company to see if they can help. If records are disallowed entirely, you'll need to:
- Go without authentication.
- Switch to a different web host that allows you to add TXT and CNAME records.
- Host your DNS at a company separate from your web hosting.