What to do if your Domain Authentication is failing

Leif Catania

In order to improve your email deliverability and security you should take time to configure and properly authenticate your domain. These are technical settings that validate mailbox identity and authorization at a domain level. Amplemarket currently tests for SPF, DKIM, and DMARC.

In your Domain Health Center, under the authentication column, you can test these three to see if they pass.

Please work with your IT team or email domain administrator to finalize any failing authentications.

If you're using one of the following pairs, click on it for the detailed instructions:

Generic instructions to set up your Domain Authentication


SPF is a standard email authentication method. SPF helps protect your domain against spoofing and helps prevent your outgoing messages from being marked as spam by receiving servers.


SPF typically does not fail, as it is usually set up when the domain is set up, but you’ll want to head to where you purchased or manage the domain and confirm in your DNS that you have a:

  • TXT record
    • Host: @
    • Value: v=spf1 include:_spf.google.com ~all
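An SPF record can exist and still fail, for example when a second `v=spf1` record was added for another sender or the provider's include sits after `all`. The following is an added example, not Amplemarket's code: it lints TXT strings you have already fetched from the domain root, and the function name and sample records are constructed for illustration.

```python
# Added example: lint the TXT records published at a domain's root (Host "@").
# The records are passed in as strings, so the check runs offline.

def lint_spf(txt_records, required_include="_spf.google.com"):
    """Return a list of problems; an empty list means the SPF record looks sane."""
    spf = [r for r in txt_records if (r.split() or [""])[0].lower() == "v=spf1"]
    if not spf:
        return ["no v=spf1 TXT record found"]
    if len(spf) > 1:
        # RFC 7208: several SPF records make receivers return a permanent error.
        return [f"{len(spf)} v=spf1 records found; merge them into one"]

    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if f"include:{required_include.lower()}" not in terms:
        problems.append(f"missing include:{required_include}")

    all_pos = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if not all_pos:
        if not any(t.startswith("redirect=") for t in terms):
            problems.append("no 'all' mechanism or redirect= modifier")
        return problems

    i = all_pos[0]
    if terms[i] in ("all", "+all"):
        problems.append("'+all' authorises any server to send as this domain")
    ignored = [t for t in terms[i + 1:] if "=" not in t]  # modifiers still apply
    if ignored:
        problems.append("mechanisms after 'all' are never evaluated: " + " ".join(ignored))
    return problems


# Constructed sample records.
GOOD = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
             "v=spf1 include:spf.protection.outlook.com ~all"]

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("duplicate", DUPLICATE)):
        print(name, lint_spf(records) or "OK")
```
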



Set up DKIM to help protect your domain against spoofing, and help prevent your outgoing messages from being marked as spam.


DKIM is set up by going into the admin console of your mailbox provider (Outlook or Google), creating keys, entering them into your domain management tool (like GoDaddy), and then confirming that DKIM is turned on.


Setting up DKIM with Outlook

Note: you will need to be a system administrator to follow these steps

  1. Head into your email provider (Outlook) and sign in to the Microsoft 365 Defender Portal at https://security.microsoft.com/dkimv2, using your Microsoft 365 email address and password.
  2. Under DomainKeys Identified Mail (DKIM), select your domain name. A window will open on the rightmost side.
  3. Select Create DKIM keys. The keys will be generated as CNAME records. This will also generate two DKIM keys.
  4. Copy both keys (we recommend saving them in a doc) and ensure you have both the hostname and the value for each.
  5. Head back into your domain management tool (GoDaddy) and navigate to the DNS settings
    1. Select Add New Record.
    2. Add your first CNAME record to your DNS.
      1. Type: Select CNAME.
      2. Name: Using the first key that you generated in step 1, enter the hostname.
      3. Value: Using the first key that you generated in step 1, enter the value.
      4. TTL: Leave it as Default.
    3. Select Add More Records.
    4. Repeat the steps to add your second CNAME record.
    5. Select Save All Records.
  6. Next, reopen the tab in your email admin (Outlook) where you generated the DKIM keys, and activate DKIM. 
    1. If the DKIM records that you added were detected, the toggle will be enabled and your DKIM will be set up.
    2. If your DKIM records were not detected and you see an error, double-check that you entered the CNAME records correctly. In addition, the DNS we added typically takes ~1 hour to propagate, so we sometimes recommend allowing up to 48 hours to activate the DKIM in your email provider.

Setting up DKIM with Google

Note: you will need to be a system administrator to follow these steps

  1. Log into your admin.google.com account and, on the left navigation bar, head to Apps > Google Workspace > Gmail > Authenticate Email (you can also find this more easily by searching for DKIM in the top search bar).
  2. On the DKIM authentication page, select the domain you would like to set this up for, select “Generate New Record”, and keep the defaults provided. Copy the text that appears, and confirm you have copied both the “host name” and the “record value”.
  3. Head into your Domain Management tool (e.g. GoDaddy) and navigate to the domain that we are setting up the DKIM for. Find the “DNS Records” section for this domain
  4. Select Add to add a record to this domain's DNS. We are going to populate the box that appears with the following values:
    1. Type: TXT
    2. Name: This will be the DNS Host Name that we copied above (e.g. google._domainkey)
    3. Value: This will be the TXT Record Value that we copied above (e.g. all 5 lines that start with v=DKIM1; k=rsa;)
    4. TTL: Leave this as the default value or 1 hour
  5. Wait for the Success message from your domain provider, then head back over to the DKIM authentication page at Google and click the “Start Authentication” button. Allow it some time to complete. If you receive an error message, know that the record can take up to 48 hours to propagate, so it is OK to wait a while before reattempting. Once you receive the success message, you have completed DKIM!



DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. Specifically, DMARC can help to successfully prevent direct domain spoofing, where attackers use an organization's exact domain name in the “from” address within an email.


To set up DMARC, you’ll want to head to where you purchased or manage the domain.


  1. Head into where you manage the domain (e.g. GoDaddy), navigate to the domain you want to set this up for, then navigate to the DNS settings of the domain
  2. Under the DNS we are going to add a record and insert the following information
    1. Type - TXT
    2. Name - “_dmarc”
    3. Value - “v=DMARC1;p=none”
    4. TTL - “default” 
  3. Hit Save


Note: the “p” value is actually the policy. We usually recommend none as it is the simplest. Below are the options you could also use:

  • p=none: The domain owner requests no specific action be taken on mail that fails DMARC authentication and alignment. 
  • p=quarantine: The domain owner instructs that mail failing the DMARC authentication and alignment checks be treated as suspicious by mail receivers. This can mean receivers place the email in the spam/junk folder, flag it as suspicious, or scrutinize this mail with extra intensity. 
  • p=reject: The domain owner requests that mail receivers reject the email that fails the DMARC authentication and alignment checks. Rejection should occur during the SMTP transaction. This is the strictest policy and offers the highest level of protection.
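DKIM and DMARC records are both semicolon-separated `tag=value` lists, and most failed tests come down to a mistyped separator, a key truncated while pasting, or a `v=` tag that is not first. The following is an added example, not Amplemarket's code, that lints the DKIM TXT value from the Google steps and the `_dmarc` value above; function names are illustrative and the sample key is constructed, not a real public key.

```python
# Added example: lint DKIM and DMARC TXT values before publishing them.
import base64

# Constructed stand-in for the long base64 public key shown by the mail provider.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real key").decode()

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return problems found in the TXT value published at _dmarc."""
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"]
    policy = dict(pairs).get("p")
    if policy is None:
        return ["missing p= tag"]
    if policy.lower() not in ("none", "quarantine", "reject"):
        return [f"unknown policy p={policy}"]
    return []

def lint_dkim(record):
    """Return problems found in a DKIM TXT value (e.g. at google._domainkey)."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems = []
    if "v" in tags and pairs[0] != ("v", "DKIM1"):
        problems.append("v=DKIM1 must be the first tag, followed by ';'")
    # A key copied as several lines may carry spaces or newlines; drop them.
    key = "".join(tags.get("p", "").split())
    if not key:
        problems.append("p= is missing or empty (an empty p= means a revoked key)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("p= is not valid base64; the key was truncated or mistyped")
    return problems

if __name__ == "__main__":
    print(lint_dmarc("v=DMARC1;p=none") or "DMARC OK")
    print(lint_dkim("v=DKIM1: k=rsa; p=" + SAMPLE_KEY))  # ':' typed instead of ';'
```
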


I am seeing an error related to Domain Authentication (SPF, DKIM, or DMARC) and am still seeing the error, how do I make it go away?



If you’re seeing the error above (or similar), it means that something has not been set up in your Domain Authentication configuration.

  • Once you have configured everything above, it’s time to test it:
    • Go to Amplemarket and head to the Domain Health Center 
    • There you can see all your Domains, including the ones that are experiencing Domain Authentication issues:


  • By clicking on the “Failed” icon you’ll be able to test your SPF, DMARC and DKIM configuration:


  • Then, by clicking on “Refresh”, we’ll check if your SPF, DKIM, and DMARC are properly configured. The test might take some minutes to be completed, so you can now leave this page.

  • If your Domain Authentication is properly configured, the error banner will disappear. You also should see the following result after your test is completed:

If, for any reason, the error banner is still surfacing, it means that something isn’t quite right with your Domain Authentication setup. Follow the steps provided by your ESP to properly configure it.


Google + GoDaddy domain configuration

Google + DNSimple domain configuration


Microsoft + GoDaddy domain configuration

Microsoft + DNSimple domain configuration
