Improving email deliverability

Authenticating Your Email

Email authentication

Email authentication verifies that an email is actually from you or your business. Think of it like a digital signature: it protects your brand, identity and reputation. It’s one of the most important steps you can take to improve your deliverability.

This article explains why it’s important to authenticate, and how it changes the way email servers and email clients treat your email.

Ready to set up authentication for your sending domain? Read the instructions.

Why authentication matters

The way email was originally designed makes sender details easy to forge, or “spoof”. Spammers and phishers take advantage of this by posing as banks, auction sites, energy companies or other organizations to steal money or spread malicious software. These scam emails harm their recipients, and they also harm the companies and brands that have been impersonated.

Email services such as Gmail and Yahoo use email authentication to help determine whether a message is spam, or is worth blocking completely to protect their users. As such, any unauthenticated email, no matter how legitimate the content, runs the risk of ending up in someone’s spam folder.

To send transactional email, you must manage your own authentication.

Authenticate your domain

We aim to simplify domain authentication for partners by working together. To get started, contact your representative at Extu and provide or confirm your sending domain. Your sending domain is the domain in the email address that recipients see in their inbox, so it should reflect your brand and be easily identifiable as related to your business.

Authenticating your base domain will not authenticate subdomains; each unique domain or subdomain must be authenticated separately.

Example: Authenticating just the base domain name will not authenticate

Your representative will:  

  • Add the sending domain to generate the DNS TXT Name and TXT Value  
  • Share the DNS TXT Name and TXT Value records with you

You will: 

  • Add the records to your domain’s DNS 

This process depends on the service you use to manage your DNS, but typically it requires logging into your server as an admin, right-clicking the domain name, and adding the proper record (TXT record).

It can take up to 72 hours for DNS propagation; that’s the maximum time required for DNS servers worldwide to update their cached information for that domain. Once complete, the record should be visible on your zone records. 

  • Confirm completion with your representative  

Once these steps are completed, your Extu representative will verify the record. These updates can take some time and the servers may not immediately reflect the changes. Once the record has been correctly set up, the domain will be listed on the Account Settings > Authentication page.

Any questions or problems? This resource can help you troubleshoot errors and apply solutions.  


Some DNS hosts do not support semicolons ( ; ) or underscores ( _ ), which are required to authenticate with Campaign Monitor. In some cases you can work around semicolons by replacing any occurrences of ; with \;. If this doesn’t work, or your host doesn’t support underscores, you will need to switch DNS providers to authenticate your email.

The next time you send an email campaign, you will be able to select the authenticated domain for the sender’s “From” address with a dropdown menu on the right.

Instructions for modifying DNS records

Below are links to instructions from commonly used DNS providers for changing their TXT records. If you have a different host, they may have their own instructions, or one of the examples below may be similar.


Manage your own authentication with DKIM

DomainKeys Identified Mail (DKIM) is a way to authorize Email Service Providers (ESPs) to send email on your or your company’s behalf. DKIM authentication allows a sender to take responsibility for their email, and is used to help separate legitimate email from spam and phishing campaigns.

To authenticate using DKIM, you will need:

  • your own domain name, which you are using for your email address
  • access to your domain’s DNS records
  • familiarity with modifying DNS records

Managing your own authentication is one of the most important steps you can take to improve your deliverability.

Manage your own authentication

Managing your own email authentication is highly recommended. The default level of authentication added to each email sent through Campaign Monitor proves that the email came from our servers. However, to prove that the email comes from your or your company’s domain, you need to authorize Campaign Monitor to send on your behalf. This is the case with all Email Service Providers (ESPs).

You can do this by modifying the DNS records attached to a domain name you own, so that any email sent through Campaign Monitor is verified as coming from your own domain. Authenticating this way improves deliverability, as you are properly stating your identity to recipient mail servers.

See instructions for setting up your own authentication

How authentication affects deliverability

Managing your own authentication changes how your emails are displayed in email clients. If you haven’t authorized an ESP to send email on your behalf, many major email clients flag the email as coming from a different server, which can potentially cause the email to be blocked, or lead recipients to believe they’re receiving spam.

For example, in Outlook 2016 if you haven’t authorized your ESP to send email on your behalf, your email will display in the recipient’s inbox as being “sent by” someone else. In the image below, while the From address shows correctly as “”, the email is flagged as coming from a Campaign Monitor mail server (“”):

In this case, the email has also been sent to the junk folder as a result of the sending domain not being authenticated. This won’t happen every time — unauthenticated mail can still make it to the inbox, and there are many other reasons why an email can be filtered as spam.

Once you have authenticated your own domain, the “sent by” phrase and sending server are not present:

Gmail uses the word “via” to indicate an email hasn’t had its sending domain authenticated:

After authenticating the sending domain, “via” and the sending server are removed:

Similarly, uses the phrase “on behalf of:”

This is removed for domain authenticated email:

Frequently asked questions

Below are some answers to questions we’re commonly asked about authentication. For help with something we haven’t addressed, please visit the Knowledge Base by clicking here.


Some web and DNS hosts won’t let you modify your DNS records yourself; however, many will add authentication records for you. Contact your host to find out if they offer this service.


Not necessarily. DNS records are usually hosted by the same company that hosts your site, but it doesn’t have to be that way. It’s possible to keep your webhost and change who provides your DNS records using services like DNS Made Easy, ZoneEdit and easyDNS.


After following the instructions above, only emails sent through Campaign Monitor using your chosen domain will be authenticated. Emails sent through other services that use the same domain will not be authenticated. If you opt to send email from an unauthenticated domain in Campaign Monitor, your email will also not be authenticated.


DNS record changes can take a while to propagate, sometimes more than 24 hours. If the records still cannot be verified after a few days, it may be because they were not added correctly.

You can use a third party DNS testing tool like EmailStuff to check if DNS record changes have propagated. On the EmailStuff site, click DNS, enter the domain name you are trying to verify into the hostname TXT field and click the TXT button.

If the record has propagated, the “Answer” given will contain the TXT value that Campaign Monitor generated for you earlier, and the “DKIM” tag will be in the “Type” column.

If no record is found, try lowering the “time to live” (TTL) value in your DNS. This is the amount of time DNS servers will cache your record for, and lowering the value will make the record propagate faster. The method to do this will vary depending on the DNS host you use.

If after this the records are still not showing up, contact your DNS host to make sure everything is working as it should be, and if there are no problems found, please contact support and let them know the domain name you’re trying to authenticate.
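
The record problems this article describes (a host that drops the underscore from the record name, one that stores semicolons as \; or strips them, or a value that no longer matches what was generated for you) can be checked mechanically once a lookup tool has shown you the published name and value. The following Python check is an added example, not Campaign Monitor or Extu code; it assumes the record uses the standard DKIM key format (v=DKIM1; k=rsa; p=<base64 key>), and the selector sel1, the domain example.com and the key are constructed samples.

```python
import base64
import re

# Constructed sample data: not a real key, selector or domain.
SAMPLE_KEY = base64.b64encode(b"constructed sample bytes, not an RSA key").decode()
EXPECTED_NAME = "sel1._domainkey.example.com"
EXPECTED_VALUE = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY


def parse_tags(value):
    """Split a DKIM tag list ("v=DKIM1; k=rsa; p=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Whitespace inside a value is not significant (long keys are
            # often published in several chunks), so remove it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_dkim_record(name, value, expected_value=EXPECTED_VALUE):
    """Return a list of problems found in a published DKIM TXT record."""
    problems = []
    # The record name must keep its underscore: <selector>._domainkey.<domain>
    if "._domainkey." not in name.lower():
        problems.append("name is missing the '_domainkey' label")
    # A literal backslash means the host stored "\;" instead of unescaping it.
    if "\\;" in value:
        problems.append("value contains a literal '\\;'")
    tags = parse_tags(value.replace("\\;", ";"))
    # If the host stripped semicolons, every tag collapses into v= and p= vanishes.
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("p= tag (public key) is missing")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p= tag is not valid base64")
        if key != parse_tags(expected_value).get("p"):
            problems.append("p= differs from the value you were given")
    return problems
```

An empty list means the published record matches what you were given; any other result names what to fix with your DNS host before asking for the record to be verified again.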