Setting Up Authentication
Why We Require Domain Authentication
Creating great copy means nothing if your messages don't make it to the People you're trying to reach. Although it’s just one piece of the deliverability puzzle (along with your copy and overall reputation), authenticating the domains you use to send email from Customer.io can help your messages reach your users. Check out our post on Email Deliverability to know more about how it works.
In addition to improving email deliverability, authenticating your sending domains in Customer.io will also let you control the appearance of your tracked links. How about Universal Links? If you need to enable them for your mobile app, HTTPS domain authentication is required as well.
We will NOT take over your primary/root domain
You will place the DNS records we ask for on subdomains (like: krs._domainkey.cio#####.yourdomain.com) rather than the primary/root domain name. This means these records will not conflict with anything you have configured for the primary/root domain. Domain authentication allows us to start sending on your behalf using that subdomain as the Envelope-From address (different from the FROM address).
Setting up Domain Authentication
To set up basic authentication you'll need to add three DNS records at your DNS hosting provider for any domain you wish to send from using your Customer.io account:
- MX Record: MX records are necessary for delivering email to your domain. MX (Mail Exchange) records identify which mail servers accept incoming email for your domain.
- SPF Record: TXT record that allows Customer.io to sign emails sent on your behalf. SPF (Sender Policy Framework) records identify which IP addresses are allowed to send email using your domain.
- DKIM Record: TXT record that allows Customer.io to sign emails sent on your behalf. DKIM (DomainKeys Identified Mail) signatures ensure that the message that arrives at the inbox provider is identical to the message that you sent.
Each domain you choose to authenticate must first be used in one or more of the From Addresses that are configured in your account. Once added, each domain will be assigned its own values for the DNS records that need to be added at your DNS host.
To see these values, follow the Workspace Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types and then select the Sending Domains tab:
Next, click the Verify domain button for the domain you would like to authenticate. This is where you will see the MX, SPF, and DKIM records you need to add to your domain's DNS records in order to authenticate your domain.
After you have added these records at your DNS host and they have had time to propagate, you will need to come back to the Deliverability page and click the Verify domain button. We will verify that the records are in place and you'll see the results of our check.
- MX: A green checkmark means we have verified that your MX records are configured. If SPF and DKIM also have a green checkmark, we will sign your email messages with your domain.
- SPF: A green checkmark means we have verified that your SPF TXT record is configured. If Domain and DKIM also have a green checkmark, we will sign your email messages with your domain.
- DKIM: A green checkmark means we have verified that your DKIM TXT record is configured. If Domain and SPF also have a green checkmark, we will sign your email messages with your domain.
Setting up Link Tracking
To use your domains for tracked links, you'll need to add your CNAME record at your DNS hosting provider for any domain you wish to send from using your Customer.io account:
- CNAME Record: CNAME records enable white-label link tracking. When configured, your tracked links will use your domain instead of our default link tracking domain (customeriomail.com).
To edit your link tracking settings, click the Manage Domain button and navigate to the Link Tracking tab for the domain you'd like to set up link tracking for. This is where you will enter your subdomain and see the CNAME record you need to add to your domain's DNS records in order to enable white labeling of your tracked links.
After you have added this record at your DNS host and it has had time to propagate, you will need to come back to the Deliverability page and click the Verify domain button. We will verify that the record is in place and you'll see the results of our check.
- CNAME: A green checkmark means we have verified that your CNAME record is configured. The domain must also be verified before your tracking links can use this domain.
- HTTP link status: A green link status means we are able to contact your CNAME domain without error over at least HTTP. Unless you have successfully configured HTTPS Link Tracking, we'll generate http links whenever link tracking is enabled in your messages. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
- HTTPS link status: A green HTTPS link status (shown below) means you have successfully configured HTTPS Link Tracking and we’ll generate https links whenever link tracking is enabled in your messages. The domain must also be verified before your tracking links can use this domain. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
For your convenience, here is a list of links to the instructions for adding DNS records at commonly used hosts:
- 123 Reg - MX | TXT | CNAME
- bluehost - MX | TXT and CNAME
- DNS Made Easy - MX | TXT | CNAME
- DNSimple - TXT | CNAME
- Dreamhost - MX | TXT | CNAME
- DYN - MX, TXT, and CNAME
- GoDaddy* - MX | TXT | CNAME
- Hostgator - MX | TXT and CNAME
- Hover - MX, TXT, and CNAME
- Media Temple - MX, TXT, and CNAME
- Namecheap - MX | TXT and CNAME
- Network Solutions - MX | TXT and CNAME
- Register.com - MX | TXT | CNAME
*Instead of entering the full hostname (i.e. cio12345.yourdomain.com), these providers automatically append your domain to the record. Enter just the front portion of the hostname (i.e. cio12345) when adding records to these providers. See FAQ below for screenshot examples.
For verifying HTTPS for regular links please visit our documentation on Setting Up HTTPS Link Tracking. If you also need to support links to iOS or Android apps, our documentation on Setting Up Universal Links would be more appropriate.
Do I need to set up authentication if I'm using a custom SMTP?
When using a custom SMTP, you'll add SPF and DKIM records according to your custom SMTP provider's documentation. You will only need to add the MX and CNAME records found in your Customer.io settings if you want to white label your tracking links to use your link-tracking domain rather than "customeriomail.com". Note: The CNAME record alone will not validate.
How do I verify my records are there?
On the Email Deliverability page, we'll show you the verification status of any domains you've added.
Domains will have one of the following statuses:
- Verified: The domain's SPF and DKIM records are verified and the domain can be used to send signed emails.
- Unverified: The domain's SPF and DKIM records are not verified and the domain cannot be used to send signed emails.
- Undetermined: The domain’s status cannot be determined because the From Address uses liquid code.
Note: Until you verify your domain we will not be able to send signed emails on that domain's behalf. For example, emails from the address email@example.com can't be signed until mydomain.com has been verified.
How do I add another "From Address"?
The domain list is made up of domains used in the From Addresses that are configured in your account. If you want to add another domain, follow the Message Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types, then select the From Addresses tab, and then click the "Add From Address" button at the top of the domain list.
What if I don't add the DNS records? What happens?
Without the authentication records (SPF & DKIM), your emails could be filtered as spam or blocked altogether. Your recipients will also see a "via" or "on behalf of" message displayed in Gmail and Outlook.
Do I need to add both SPF and DKIM?
Yes. If any of the first two TXT records (SPF & DKIM) aren’t checked then we can’t sign your emails with your domain. This means your recipients will also see a "via" or "on behalf of" message in their email app. Note: Some receiving servers only look for one type of authentication and adding both ensures you'll comply with a server looking only for SPF or only for DKIM.
The SPF record is correct, but it's not validating!
Make sure you're using a TXT record as indicated in our instructions, not an SPF one. If the record is still not validated after 48 hours, get in touch and we'll troubleshoot the issue for you :)
I'm hosting my DNS with Cloudflare and the CNAME record is correct, yet the checkmark remains gray.
Cloudflare CNAME records won't be validated if the HTTP proxy feature is enabled. Disable it and the record will go through correctly.
I'm using GoDaddy and my DNS records are still not verified after 72 hours.
GoDaddy already adds your domain when creating DNS records, so it's likely that your domain is being posted twice to the records. Simply update the record to be only the subdomain value (as shown below) and re-verify after a few minutes.
GoDaddy MX Record example
GoDaddy SPF example
GoDaddy DKIM example
You can confirm this by checking your DNS using a free online tool like viewDNS.info and testing the full hostname URL listed in your Customer.io email settings (i.e. cio12345.yourdomain.com). If the DNS records don't appear, then double-check that your records are set up correctly.
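The two misconfigurations described in the answers above (an SPF-type record where a TXT record is required, and a hostname with the domain appended twice) can also be caught by linting a zone export before you re-verify. The following is an added example, not Customer.io code: the `lint` function, the tuple format of the export, and every record value are assumptions made for illustration, and only the `cio12345.yourdomain.com` and `krs._domainkey` name patterns come from this page.

```python
DOMAIN = "yourdomain.com"
SUB = "cio12345." + DOMAIN            # hostname pattern used on this page
EXPECTED = {                          # record kind -> (name, DNS type)
    "MX": (SUB, "MX"),
    "SPF": (SUB, "TXT"),
    "DKIM": ("krs._domainkey." + SUB, "TXT"),
}

# Constructed zone export as (name, type, value). All values are placeholders,
# not real Customer.io record values.
SAMPLE_ZONE = [
    (SUB + "." + DOMAIN, "MX", "10 mx.placeholder.example."),  # domain appended twice
    (SUB, "SPF", "v=spf1 include:placeholder.example ~all"),   # SPF type, not TXT
    ("krs._domainkey." + SUB, "TXT", "k=rsa; p=PLACEHOLDERKEY"),
]

def norm(name):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def looks_like(kind, value):
    """Minimal content check: SPF starts with v=spf1, DKIM carries a p= tag."""
    v = value.strip('"').lower()
    if kind == "SPF":
        return v.startswith("v=spf1")
    if kind == "DKIM":
        return "p=" in v
    return True

def lint(zone, domain=DOMAIN, expected=EXPECTED):
    """Return {kind: status} for each record the setup steps ask for."""
    findings = {}
    for kind, (name, rtype) in expected.items():
        want, doubled = norm(name), norm(name) + "." + domain
        status = "missing"
        for rname, rt, value in zone:
            rname = norm(rname)
            if rname == want and rt == rtype and looks_like(kind, value):
                status = "ok"
                break
            if rname == doubled and rt == rtype:
                status = "domain appended twice"
            elif rname == want and kind == "SPF" and rt == "SPF":
                status = "published as SPF type, use TXT"
        findings[kind] = status
    return findings
```

A DKIM record whose host dropped the underscore (for example `krs.domainkey...`) is reported as `missing`, because nothing exists at the expected name.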
I'm getting an error in my DNS panel when trying to add the records, what can I do?
Underscores: Some hosts do not support underscores (_) in DNS records, and adding the DKIM record can cause an error. The underscore is required and you'll want to contact your host to see if they disallow underscores entirely or if they can manually add the record for you.
Semicolons: Some hosts require that you escape semicolons in records. If you're getting an error try replacing
Will adding authentication affect my regular email?
No. The records are written specifically to allow our servers to send for you but not to disallow other servers.
My host doesn't support TXT records. What do I do?
Often, a host won't allow you to add records yourself, but will add them for you. As a first step we recommend you talk to your hosting company to see if they can help. If records are disallowed entirely, you'll need to:
- Go without authentication.
- Switch to a different web host that allows you to add TXT and CNAME records.
- Host your DNS at a company separate from your web hosting.