Setting Up Authentication

Creating great copy means nothing if your message doesn’t make it to your user. Although it’s not a sure-fire method (your copy and overall reputation matter as much, if not more), setting up authentication can help. Check out our authentication overview on our blog to know more about how it works.

Why set-up Authentication?

Verifying your sending domain in has a number of benefits that help improve deliverability as well as the appearance of your tracked links. In addition, HTTPS domain authentication is required to enable Universal Links.

In brief, to set-up basic authentication you’ll need to add four DNS records at your DNS hosting provider:

  • Verify Record: TXT record that verifies you own the sending domain.
  • SPF Record: TXT record that allows to sign emails sent on your behalf.
  • DKIM Record: TXT record that allows to sign emails sent on your behalf.
  • Link Tracking Record: CNAME record that enables white label link tracking.

Setting up Authentication

To get your authentication records (SPF & DKIM), you’ll want to go to the Email & Actions area in the left navigation, and select Deliverability:

Account - Email Deliverability

Next select the Configure or re-check button for the domain you’d like to authenticate, you’ll see the TXT and CNAME records you need to add to your domain’s DNS to verify and configure SPF, DKIM and link white labeling.

Email - Configure

While we can’t walk you through specifically how to add the records, we’ve compiled a list of instructions for commonly used hosts:

HTTPS Authentication

In addition to the basic DNS configuration steps listed above, there is additional configuration required to verify your domain for HTTPS links. For verifying HTTPS for regular links we have documentation on HTTPS verification available for you to review. If you also need to support links to iOS or Android apps our documentation on setting up Universal Links would be more appropriate.


Do I need to set up authentication if I’m using a custom SMTP?

No, in that case, you’ll add SPF and DKIM records according to your custom SMTP provider’s authentication documentation. If you want to brand your tracking links to use your domain rather than, though, you can still add the domain ownership TXT record and the CNAME record. The CNAME record alone won’t validate.

How do I verify my records are there?

On the Email Deliverability page, we’ll show you the verification status of any domains you’ve added, like this:

Email - Verification Status

Note: Until you verify ownership of your domain we will not be able to send signed emails on that domain’s behalf. For example, emails from the address can’t be signed until has been verified.

How do I add another “From Address”?

If you want to add another domain, click on the From Addresses tab in your Email & Actions settings, and add a new address.

What if I already have an SPF record?

All you’ll need to do is add to your existing record. For example, this:

v=spf1 ~all

Would become:

v=spf1 ~all

What if I don’t add the records? What happens?

Without the authentication records, your emails could be filtered as spam or blocked all together. Your recipients will also see a “via” or “on behalf of” message displayed in Gmail and Outlook:


Outlook - on behalf of


Gmail - sent via

Do I need to add both SPF and DKIM?

Ideally, yes. Some receiving servers only look for one type of authentication and adding both ensures you’ll comply with a server looking only for SPF or only for DKIM.

The SPF record is correct, but it’s not validating!

Make sure you’re using a TXT record as indicated in our instructions, not a SPF one. If the record is still not validated after 48 hours, get in touch and we’ll troubleshoot the issue for you :)

I’m hosting my DNS with Cloudflare and the CNAME record is correct, yet the checkmark remains red.

CloudFlare CNAME records won’t be validated if the HTTP proxy feature is enabled. Disable it and the record will go through correctly.

I’m getting an error in my DNS panel when trying to add the records, what can I do?

Underscores: Some hosts do not support underscores (_) in DNS records, and adding the DKIM record can cause an error. The underscore is required and you’ll want to contact your host and check if if they can manually add the record for you, or if they disallow underscores entirely.

Semicolons: Some hosts require that you escape semicolons in records. If you’re getting an error try replacing ; with \;.

Will adding authentication affect my regular email?

No. The records are written specifically to allow our servers to send for you but not to disallow other servers.

My host doesn’t support TXT records. What do I do?

Often, a host won’t allow you to add records yourself, but will add them for you. As a first step we recommend you talk to your hosting company to see if they can help. If records are disallowed entirely, you’d need to:

  • Go without authentication
  • Switch your web host
  • Host your DNS at a company separate from your web hosting.