How to set up Email Domain Authentication (SPF and DKIM)

Modified on Wed, 05 Jun 2024 at 03:29 PM

When you send emails, mailbox providers (such as Gmail, Outlook, AOL, and Yahoo) check whether those emails are legitimate or were sent by a spammer or phisher. This includes emails sent from SpinOffice CRM. This is why setting up email authentication is important.

There are three authentication standards used to verify a sender's identity: SPF, DKIM, and DMARC. Since February 2024, Gmail and Yahoo require DKIM and DMARC authentication to achieve delivery. Other mailbox providers already expect senders to authenticate their email traffic through SPF.

With SpinOffice, we offer SPF and DKIM authentication. We therefore highly recommend that all customers set up both for their sending domains. This is a one-time configuration step per domain name.


SPF (Sender Policy Framework) records are TXT records on your domain that authorize specific servers to send mail using your domain name. SPF is like a security guard for emails. It allows you (the sender) to publish a public record that lists what IPs can send from your domain. The record is created in the DNS as a TXT record for your domain. When a Mailbox Provider like Gmail receives a message using this domain, it can look at your public DNS record to see if the IP is permitted to send the campaign. In simple terms, SPF acts as a gatekeeper, ensuring only legitimate emails get through, keeping you and your subscribers safe from phishing scams.

You can only create one SPF record for your domain name. If you have an existing SPF record, you will need to modify your current record instead of creating a new SPF record. To check if your domain has an SPF record, visit MX Toolbox.

To set up SPF, please follow the option below that applies to your domain:

1. Your domain does not have an SPF record:

  • Log in to the DNS provider of your domain and locate your DNS record settings.
  • Create a new TXT record and paste the following line in the text box:

v=spf1 -all

  • Save the record.

2. Your domain already has an SPF record:

  • Log in to the DNS provider of your domain and locate your DNS record settings.
  • Add the following text to the existing TXT record, before the closing -all tag:

  • Save the record.

After you've made the required SPF changes, please wait 24 hours for the changes to propagate.
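The one-record rule and the "before the closing -all" placement from the two options above can be checked before you touch the DNS. This is an added example, not SpinOffice's own code; the mechanism `include:spf.provider.example` is a placeholder for the value SpinOffice gives you, and the TXT record sets are constructed samples.

```python
# Placeholder mechanism: substitute the value from SpinOffice's instructions.
PLACEHOLDER_MECHANISM = "include:spf.provider.example"

# Constructed sample TXT record sets for hypothetical domains.
NO_SPF = ["site-verification=abc123"]
ONE_SPF = ["v=spf1 include:_spf.mail.example ip4:192.0.2.10 -all"]
TWO_SPF = ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.mail.example ~all"]


def spf_records(txt_records):
    """Return the TXT values that are SPF records (first term is v=spf1)."""
    return [r.strip() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]


def merge_spf(txt_records, mechanism=PLACEHOLDER_MECHANISM):
    """Return the single SPF record the domain should publish.

    Raises ValueError when more than one SPF record already exists, because
    the SPF check then returns a permanent error (permerror).
    """
    found = spf_records(txt_records)
    if len(found) > 1:
        raise ValueError("multiple SPF records found; merge them into one first")
    if not found:
        return f"v=spf1 {mechanism} -all"
    terms = found[0].split()
    if mechanism.lower() in (t.lower() for t in terms):
        return " ".join(terms)  # already authorized, nothing to change
    # Insert before the terminating "all" mechanism (-all, ~all, ?all, +all):
    # terms placed after it are never evaluated.
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            return " ".join(terms[:i] + [mechanism] + terms[i:])
    return " ".join(terms + [mechanism])  # no "all" term: append at the end


if __name__ == "__main__":
    print(merge_spf(NO_SPF))
    print(merge_spf(ONE_SPF))
```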


DKIM (DomainKeys Identified Mail) is a signature any sender can apply to their email messages. This signature makes clear that the message's sender is actually the message's sender and not a bad actor. You can use any domain as the signature. For example, a company called "Red Bananas" will sign their messages with the "" domain to confirm that the message was sent by "Red Bananas."

This is accomplished by inserting a hidden, cryptographic signature into your email header (SpinOffice will do this) and then placing a public key on your website's DNS that verifies the authenticity of this signature.

DKIM will help prevent spoofing and phishing of your domain, and an added benefit is that it allows Mailbox Providers such as Gmail, Microsoft, Yahoo, and AOL to track the email reputation of your sending domain.

If the reputation of your sending domain is stronger than the reputation of the sending IPs, Mailbox Providers may default to your sending domain reputation, which could improve your email performance.

To set up DKIM with SpinOffice, follow the instructions for creating new CNAME records:

  1. Log in to the DNS provider of your domain.
  2. Copy the following values and paste them into the appropriate fields for your domain:
  3. Save the CNAME records.
  4. Send a message to to indicate which domain(s) DKIM has been set up for.
  5. We route your email via the DKIM mail server that has been set up for this purpose.
  6. DKIM applies once your domain has been added to this DKIM mail server.

Troubleshooting DKIM Issues

General Issues

  • If you get an error 'DKIM = did not pass' or 'DKIM_PermError' when sending emails, contact SpinOffice support at with a screenshot of the error.
  • If you have added the DKIM CNAME records for new domains, contact with your request.
  • If the DKIM records are unique and valid but not verified yet, contact your DNS provider's support or contact us at CCing them in the email.

DKIM Verification issues

  1. Records not matching:
    There may be instances where certain characters are missing or extra characters are added in the DNS compared to what is configured in SpinOffice. In such cases, the DKIM verification may fail. Ensure that there are no spaces in the DNS.
  2. Avoid spaces in CNAME record:
    Ensure that there are no spaces before or after any of the characters in the CNAME record.
  3. Records not published:
    Even if the DKIM records are correctly added to the DNS, they may not be published. To verify that the records are published, perform a DKIM lookup by entering your domain:mrsel1 in MX Toolbox. For example, for sending domain enter as DKIM lookup. A published CNAME record should look like this:

    When the test is positive/green, the record is found in your domain.
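The mismatch and whitespace checks listed above can be run on the values exactly as you typed them into the DNS form. This is an added example, not SpinOffice's own code; it uses the `mrsel1` selector from the lookup step, the standard `<selector>._domainkey.<domain>` record name, and a placeholder CNAME target. Accepting a host entered relative to the zone is an assumption about your DNS provider's form.

```python
import re

SELECTOR = "mrsel1"  # selector named in the article's MX Toolbox lookup step
# Placeholder CNAME target: substitute the value from SpinOffice's instructions.
PLACEHOLDER_TARGET = "mrsel1.dkim.provider.example"


def normalize(name):
    """Lower-case a DNS name and drop whitespace and the trailing root dot."""
    return re.sub(r"\s+", "", name).rstrip(".").lower()


def dkim_host(domain, selector=SELECTOR):
    """DNS name under which the DKIM record for this selector is looked up."""
    return f"{selector}._domainkey.{normalize(domain)}"


def check_cname(entered_host, entered_target, domain,
                expected_target=PLACEHOLDER_TARGET):
    """Return a list of problems with a CNAME record as typed into a DNS form."""
    problems = []
    # Whitespace is reported on its own so it is not mistaken for a typo.
    for label, value in (("host", entered_host), ("target", entered_target)):
        if re.search(r"\s", value):
            problems.append(f"{label} contains whitespace")
    fqdn = dkim_host(domain)
    relative = f"{SELECTOR}._domainkey"  # assumption: form appends the zone
    if normalize(entered_host) not in (fqdn, relative):
        problems.append(f"host should be {fqdn}")
    if normalize(entered_target) != normalize(expected_target):
        problems.append(f"target should be {normalize(expected_target)}")
    return problems


if __name__ == "__main__":
    # Constructed sample entries for the hypothetical domain example.com.
    print(check_cname("mrsel1._domainkey.example.com",
                      "mrsel1.dkim.provider.example.", "example.com"))
    print(check_cname(" mrsel1._domainkey",
                      "mrsel.dkim.provider.example", "example.com"))
```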
