You will need to add certain records to your DNS provider to allow Customer.io to send emails using your domain.
Creating great copy means nothing if your messages don’t make it to the People you’re trying to reach. Although it’s just one piece of the deliverability puzzle (along with your copy and overall reputation), authenticating the domains you use to send email from Customer.io can help your messages reach your users. Check out our post on Email Deliverability to know more about how it works.
In addition to improving email deliverability, authenticating your sending domains in Customer.io will also let you control the appearance of your tracked links. How about Universal Links? If you need to enable them for your mobile app, HTTPS domain authentication is required as well.
You will place the DNS records we ask for on subdomains (like: krs._domainkey.cio#####.yourdomain.com) rather than the primary/root domain name. These records will not conflict with anything you have configured for the primary/root domain. Domain authentication allows us to start sending on your behalf using that subdomain as the Envelope-From address (different from the FROM address).
A Sending Domain defines who and where your emails are from. You must set up at least one sending domain before you can send emails from your workspace.
If you’re setting up a new workspace, you can configure your domain during the set up process. We show you how that works in the Domain Authentication section below.
If you did not configure your email messaging channel when you set up your workspace, or you just want to add new sending domains, you can:
- Go to Settings > Workspace Settings.
- Click Email Settings and then click Add Sending Domain.
- Enter the Domain, Display Name, and Email Address that you want to send messages from, and click Add Domain.
Unless you use a custom SMTP server, you must authenticate your sending domain before you can use your new sender.
To set up basic authentication you’ll need to add four DNS records at your DNS hosting provider for any domain you wish to send from using your Customer.io account:
- MX Records: Two MX records are necessary for delivering email to your domain. MX (Mail Exchange) records identify which mail servers accept incoming email for your domain.
- SPF Record: One TXT record that allows Customer.io to sign emails sent on your behalf. SPF (Sender Policy Framework) records identify which IP addresses are allowed to send email using your domain.
- DKIM Record: One TXT record that allows Customer.io to sign emails sent on your behalf. DKIM (DomainKeys Identified Mail) signatures ensure that the message that arrives at the inbox provider is identical to the message that you sent.
Each domain you choose to authenticate must first be used in one or more of the From Addresses that are configured in your account. Once added, each domain will be assigned its own values for the DNS records that need to be added at your DNS host.
To see these values, follow the Workspace Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types and then select the Sending Domains tab:
Next, click the Verify domain button for the domain you would like to authenticate. This is where you will see the MX, SPF, and DKIM records you need to add to your domain’s DNS records in order to authenticate your domain:
After you have added these records at your DNS host and they have had time to propagate, you will need to come back to the Deliverability page and click the Verify domain button. We will verify that the records are in place and you’ll see the results of our check.
- MX: A green checkmark means we have verified that your MX records are configured. If SPF and DKIM also have a green checkmark, we will sign your email messages with your domain.
- SPF: A green checkmark means we have verified that your SPF TXT record is configured. If Domain and DKIM also have a green checkmark, we will sign your email messages with your domain.
- DKIM: A green checkmark means we have verified that your DKIM TXT record is configured. If Domain and SPF also have a green checkmark, we will sign your email messages with your domain.
To use your domains for tracked links, you’ll need to add your CNAME record at your DNS hosting provider for any domain you wish to send from using your Customer.io account:
- CNAME Record: CNAME records enable white-label link tracking. When configured, your tracked links will use your domain instead of our default link tracking domain (customeriomail.com).
To edit your link tracking settings, click the Manage Domain button and navigate to the Link Tracking tab for the domain you’d like to set up link tracking for. This is where you will enter your subdomain and see the CNAME record you need to add to your domain’s DNS records in order to enable white labeling of your tracked links:
After you have added this record at your DNS host and it has had time to propagate, you will need to come back to the Deliverability page and click the Verify domain button. We will verify that the record is in place and you’ll see the results of our check.
- CNAME: A green checkmark means we have verified that your CNAME record is configured. The domain must also be verified before your tracking links can use this domain.
- HTTP link status: A green link status means we are able to contact your CNAME domain without error over at least HTTP. Unless you have successfully configured HTTPS Link Tracking, we’ll generate http links whenever link tracking is enabled in your messages. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
- HTTPS link status: A green HTTPS link status (shown below) means you have successfully configured HTTPS Link Tracking and we’ll generate https links whenever link tracking is enabled in your messages. The domain must also be verified before your tracking links can use this domain. NOTE: If HSTS (HTTP Strict Transport Security) is enabled on your domain you must configure HTTPS Link Tracking or your tracked links will not resolve correctly.
For your convenience, here is a list of links to the instructions for adding DNS records at commonly used hosts:
- 123 Reg - MX | TXT | CNAME
- bluehost - MX | TXT and CNAME
- DNS Made Easy - MX | TXT | CNAME
- DNSimple - TXT | CNAME
- Dreamhost - MX | TXT | CNAME
- DYN - MX, TXT, and CNAME
- GoDaddy* - MX | TXT | CNAME
- Hostgator - MX | TXT and CNAME
- Hover - MX, TXT, and CNAME
- Media Temple - MX, TXT, and CNAME
- Namecheap - MX | TXT and CNAME
- Network Solutions - MX | TXT and CNAME
- Register.com - MX | TXT | CNAME
*Instead of entering the full hostname (ie cio12345.yourdomain.com), these providers automatically append your domain to the record. Enter just the front portion of the hostname (ie cio12345) when adding records to these providers. See FAQ below for screenshot examples.
For verifying HTTPS for regular links please visit our documentation on Setting Up HTTPS Link Tracking. If you also need to support links to iOS or Android apps, our documentation on Setting Up Universal Links would be more appropriate.
When using custom SMTP, you do not need to authenticate your domain in Customer.io. However, you should check your custom SMTP provider’s documentation to see if you still need to add DNS records (such as SPF and DKIM) to your domain to use their services successfully.
Branded link tracking with custom SMTP
If you want to use branded custom link tracking in Customer.io (using your domain instead of “customeriomail.com” when generating tracked links), you must verify the domain by adding the CNAME record shown in the Domain Settings section of your workspace.
The CNAME record will not validate your domain for branded link tracking if your domain has an HSTS policy but does not currently have SSL coverage. Please see our HTTPS Link Tracking documentation for more information on getting this set up.
On the Email Deliverability page, we’ll show you the verification status of any domains you’ve added.
Domains will have one of the following statuses:
- Verified: The domain’s DNS records have been verified and the domain can be used to send signed emails.
- Unverified: The domain’s DNS records have not been verified and the domain cannot be used to send signed emails.
- Undetermined: The domain’s status cannot be determined because the From Address uses liquid code.
Note: Until you verify your domain we will not be able to send signed emails on that domain’s behalf. For example, emails from the address email@example.com can’t be signed until mydomain.com has been verified.
The domain list is made up of domains used in the From Addresses that are configured in your account. If you want to add another domain, follow the Message Settings link in the left-hand menu in your Customer.io account, choose Email from the list of message types, then select the From Addresses tab, and then click the “Add From Address” button at the top of the domain list.
Without the authentication records (SPF & DKIM), your emails could be filtered as spam or blocked altogether. Your recipients will also see a “via” or “on behalf of” message displayed in Gmail and Outlook:
Yes. If any of the first two TXT records (SPF & DKIM) aren’t checked then we can’t sign your emails with your domain. This means your recipients will also see a “via” or “on behalf of” message in their email app. Note: Some receiving servers only look for one type of authentication and adding both ensures you’ll comply with a server looking only for SPF or only for DKIM.
Make sure you’re using a TXT record as indicated in our instructions, and not a SPF type record. If the record is still not validated, get in touch and we’ll troubleshoot the issue with you!
Cloudflare CNAME records won’t be validated if their DNS proxy feature is enabled. Disable this setting in Cloudflare first, and then you can verify your tracking domain in Customer.io.
GoDaddy already adds your domain when creating DNS records, so it’s likely that your domain is being posted twice to the records. Simply update the record to be only the subdomain value (as shown below) and re-verify after a few minutes.
You can confirm this by checking your DNS using a free online tool like viewDNS.info and testing the full hostname URL listed in your Customer.io email settings (ie cio12345.yourdomain.com). If the DNS records don’t appear, then double check that your records are set up correctly.
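The two pitfalls above (a record created with the SPF type instead of TXT, and a hostname that ends up with the domain appended twice) can be spotted by comparing the records shown in your email settings with an export of your zone. The following is an added example, not Customer.io code; the `diagnose` function and all record values are constructed placeholders, and only the `cio12345` hostname pattern comes from this page.

```python
def diagnose(expected, published, domain):
    """Compare records shown in workspace settings with a zone export.

    Both lists hold (hostname, type, value) tuples; returns one
    (hostname, type, finding) tuple per expected record.
    """
    def norm(host):
        return host.lower().rstrip(".")

    zone = {}
    for host, rtype, value in published:
        zone.setdefault((norm(host), rtype.upper()), []).append(value)

    findings = []
    for host, rtype, value in expected:
        name, rtype = norm(host), rtype.upper()
        if value in zone.get((name, rtype), []):
            finding = "ok"
        elif (name, rtype) in zone:
            finding = "value differs from settings"
        elif (name + "." + norm(domain), rtype) in zone:
            # The provider appended the domain to an already complete hostname.
            finding = "domain appended twice; enter only the front portion"
        elif rtype == "TXT" and (name, "SPF") in zone:
            finding = "published as SPF type; recreate it as TXT"
        else:
            finding = "missing"
        findings.append((name, rtype, finding))
    return findings

# Constructed sample data: hostnames follow the page's cio12345 pattern,
# record values are placeholders, not real Customer.io values.
DOMAIN = "yourdomain.com"
EXPECTED = [
    ("cio12345.yourdomain.com", "MX", "10 mx-a.placeholder.example"),
    ("cio12345.yourdomain.com", "MX", "20 mx-b.placeholder.example"),
    ("cio12345.yourdomain.com", "TXT", "v=spf1 include:placeholder.example ~all"),
    ("krs._domainkey.cio12345.yourdomain.com", "TXT", "k=rsa; p=PLACEHOLDER"),
]
PUBLISHED = [
    ("cio12345.yourdomain.com.", "MX", "10 mx-a.placeholder.example"),
    ("cio12345.yourdomain.com.", "MX", "20 mx-b.placeholder.example"),
    ("cio12345.yourdomain.com.", "spf", "v=spf1 include:placeholder.example ~all"),
    ("krs._domainkey.cio12345.yourdomain.com.yourdomain.com.", "TXT", "k=rsa; p=PLACEHOLDER"),
]

if __name__ == "__main__":
    for row in diagnose(EXPECTED, PUBLISHED, DOMAIN):
        print(*row, sep="  ")
```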
Underscores: Some hosts do not support underscores (_) in DNS records, and adding the DKIM record can cause an error. The underscore is required and you’ll want to contact your host to see if they disallow underscores entirely or if they can manually add the record for you.
Semicolons: Some hosts require that you escape semicolons in records. If you’re getting an error try replacing
No. The records are written specifically to allow our servers to send for you but not to disallow other servers.
You place DNS records on a Customer.io-specific subdomain found in your domain settings (like cio#####.example.com). This ensures that we do not see or manipulate your primary mail service.
Often, a host won’t allow you to add records yourself, but will add them for you. As a first step we recommend you talk to your hosting company to see if they can help. If records are disallowed entirely, you’ll need to:
- Go without authentication.
- Switch to a different web host that allows you to add TXT and CNAME records.
- Host your DNS at a company separate from your web hosting.
Wix doesn’t allow you to add a sub-domain in an MX record, preventing you from verifying your domain. If you use Wix, you might consider setting up a custom SMTP server.
By default, Customer.io now generates a 2048-bit DKIM public key when you add a new domain to your workspace. While this longer key provides stronger protections for your email sending domain, there can be caveats when adding it to your DNS hosting provider due to record value character limits.
The longer key (401 characters) is well supported by many popular DNS hosting providers, but may need to be broken up into smaller 225-character strings if you’re getting an error saying the TXT is too long.
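The split described above, shown as an added example (not Customer.io code): it breaks a 401-character DKIM value into quoted strings, reassembles them the way a resolver does, and checks that the key survived intact. The function names and the stand-in key are constructed for illustration; the separator is a parameter because provider input formats differ.

```python
import base64
import re

def split_txt(value, limit=225, sep=""):
    """Split one TXT value into quoted strings of at most `limit` characters."""
    if not 0 < limit <= 255:  # 255 octets is the DNS cap on a single string
        raise ValueError("limit must be between 1 and 255")
    parts = [value[i:i + limit] for i in range(0, len(value), limit)]
    return sep.join('"%s"' % p for p in parts)

def join_txt(rdata):
    """Reassemble as a resolver does: concatenate the strings, no separator."""
    return "".join(re.findall(r'"([^"]*)"', rdata))

def check_dkim(value):
    """Return the decoded key length in bytes; raise if the value is damaged."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unexpected key type")
    # validate=True rejects stray spaces or quotes left behind by a bad split
    return len(base64.b64decode(tags["p"], validate=True))

# Constructed stand-in for a 2048-bit key: 294 arbitrary bytes, not a real key.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
VALUE = "k=rsa; p=" + FAKE_KEY  # 401 characters in total

if __name__ == "__main__":
    rdata = split_txt(VALUE)
    print(rdata)
    print("round trip intact:", join_txt(rdata) == VALUE)
    print("key bytes:", check_dkim(join_txt(rdata)))
```

A space pasted inside the key itself, rather than between the quoted strings, makes `check_dkim` raise, which is the failure to look for when a split record will not verify.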
For example, a value of k=rsa; p=abcDEF123ghi456JKL would be entered as "k=rsa; p=abcDE" "F123ghi4" "56JKL" (except without spaces). More information and examples can be found here for Amazon’s Route 53 and Google Cloud DNS.