Overview
Email domain authentication is critical to ensuring email deliverability. If you don't properly configure domain name system (DNS) records like SPF, DKIM, and DMARC, your emails are at risk of being labeled as spam. After you link your mailbox to Apollo, follow the instructions in this guide to set up your DNS records.
Having trouble with email domain authentication? If you're receiving errors, check out Troubleshoot Email Domain Authentication for an error glossary and tips to solve the problem.
Check out the following sections to understand why email domain authentication is important, and how to set up SPF, DKIM, and DMARC records.
SPF
Think of a sender policy framework (SPF) record like a trusted mailman who is tasked with delivering your messages.
SPF records are specially formatted DNS records that declare to receiving mail servers which servers you've authorized to send mail on behalf of your domain. Receiving mail servers use the information in your SPF record to decide how to treat incoming mail. They also help prevent email spoofing and phishing attacks, where someone pretends to be from your organization.
Many mailbox providers (MBPs) reject or mark as spam any email messages from domains that do not publish SPF records. This means that if you don't set up SPF records for your domains, there's a strong chance your emails won't land in your recipients' inboxes.
First, verify that your SPF record exists. If it doesn't exist, add an SPF record.
Verify SPF
Your domain's SPF records are typically managed by your IT department or your domain administrator, but you can also check SPF records with a free tool like mail-tester. Just copy the randomly generated email address from the mail-tester port and send a message to this email address from your mailbox. Then, head back to the port and click Then check your score. Mail-tester analyzes your message, your mail server, and your sending IP, and shows you a detailed report of what's configured properly and what's not. Learn more.
If no record is found, you need to add an SPF record to resolve the issue. If you encounter an error when connecting your mailbox or working in Apollo, check out Troubleshoot Email Domain Authentication for tips to resolve it.
Add SPF
If you ran the test above and the SPF record was present and passed, there's no need to add or update it. If your domain doesn't have an SPF record, follow these steps to enable it:
- Google Workspace:
- Before You Set Up SPF
- Identify all your email senders
- Determine your SPF record
- Add your SPF record to your domain
- Microsoft 365:
If you're using a provider other than Google or Microsoft, SPF setup instructions depend on your domain or email provider. Reach out to your provider, IT team, or domain administrator for help.
If you're the IT or domain administrator for your organization, verify that you have the correct list of IP addresses. Email servers could mark your emails as spam if you misconfigure your SPF record.
Next, check your DKIM records.
DKIM
Think of domain-keys identified mail (DKIM) like an invisible thumbprint on your messages that only mailbox providers can check. If someone tries to forge a message from you, DKIM helps mailbox providers identify that it's a fake. DKIM is an authentication method that uses cryptography to add an encrypted digital signature to your organization's outgoing emails. Your mail server uses a private key to encrypt the email data. Then receiving email servers retrieve the corresponding public key from your domain’s DNS records to decrypt it. This verifies that your email is genuinely sent from your domain and hasn’t been altered on its way to the recipient. Many mailbox providers have either already implemented a “no auth, no entry” policy or indicated plans to do so in the future. This means that if you don't set up DKIM, there's a very strong chance your emails will never enter your recipients' inboxes. First, verify that your DKIM record exists. If it doesn't exist, add a DKIM record.
Verify DKIM
Your IT department or domain administrator typically manages your domain's DKIM records, but you can also check DKIM records with a free tool like mail-tester. If you already ran the report to check your SPF record, just click the DKIM drop-down in your report to check your DKIM signature is valid and to view your signature and public key. If you haven't already ran the test, head to mail-tester and copy the randomly generated email address from the mail-tester port. Send a message to this email address from your mailbox then head back to the port and click Then check your score. Mail-tester analyzes your message, your mail server, and your sending IP, and shows you a detailed report of what's configured properly and what's not. Learn more. 
If the DKIM signature wasn't present or didn't pass the check, you need to add a DKIM record to resolve the issue. If you encounter an error when connecting your mailbox or working in Apollo, check out Troubleshoot Email Domain Authentication for tips to resolve it.
Did you know? DKIM can be verified using either of these elements:
- Your organization's domain name, like
apollo.io. -
A DKIM selector, which is the text added with the domain to create a unique DNS record used during DKIM. This allows different systems, date ranges, or third-party services to create different signatures.
Reach out to your IT department, domain administrator, or domain provider if you need help identifying these elements.
Add DKIM
If you've followed the steps above and found a DKIM record, there's no need to configure it any further. If your domain doesn't have a DKIM record, your IT or domain administrator should coordinate with your domain or email provider to configure the record:
- Google Workspace:
- Check if DKIM is already set up
- Generate a DKIM key pair
- Add the DKIM key to your domain
- Turn on and verify DKIM
- Microsoft 365:
If you use a provider other than Google or Microsoft, DKIM setup instructions depend on your domain or email provider. Reach out to your IT team, domain administrator, or provider for help.
If you're the domain administrator, be careful when you configure DKIM. Incorrect configurations can lead to your mail being undeliverable.
If you use Google Workspace for your domain, Google creates a DKIM key for you and adds it in your DNS records once you've created your site. Follow Google Support's instructions in Turn on DKIM for Your Domain to configure your domain for DKIM.
Next, check your DMARC records.
DMARC
Think of domain-based message authentication, reporting, and conformance (DMARC) like a rule enforcer who determines how inboxes should handle your messages when DKIM and SPF aren't conclusive.
DMARC are records that specify what email providers should do if DKIM or SPF checks fail. DMARC also allows you to report on emails to ensure they aren't being spoofed.
First, verify that your DMARC record exists. If it doesn't exist, add a DMARC record.
Verify DMARC
Your IT department or domain administrator typically manage your DMARC records, but you can also check DMARC records with a free tool like mail-tester. If you already ran the report to check your SPF or DKIM records, just click the DMARC drop-down in your report to check your DMARC record is set correctly and that your message passes the test.
If you haven't already ran the test, head to mail-tester and copy the randomly generated email address from the mail-tester port. Send a message to this email address from your mailbox then head back to the port and click Then check your score. Mail-tester analyzes your message, your mail server, and your sending IP, and shows you a detailed report of what's configured properly and what's not. Learn more.
If no record is found or your message didn't pass the test, you need to add a DMARC record to resolve the issue. If you encounter an error when connecting your mailbox or working in Apollo, check out Troubleshoot Email Domain Authentication for tips to resolve it.
Add DMARC
If your domain has a DMARC record, there's no need to configure it any further. If your domain doesn't have a DMARC record, follow these steps to enable it:
- Google Workspace:
- Before you begin
- Set up a group or mailbox for reports
- Authenticate third-party email
- Determine your DMARC record
- Add your DMARC record to your domain
- Microsoft 365:
If you use a provider other than Google or Microsoft, DMARC setup instructions depend on your domain or email provider. Reach out to your IT team, domain administrator, or provider for help.
Next Steps
With your email domain authenticated, ensure you follow email deliverability best practices to keep your domain safe. Now you're ready to view and respond to emails directly on Apollo.
Ready to run outreach like a pro? Set up multichannel outreach campaigns with sequences, then track your performance with email analytics and Apollo reports and dashboards.
Looking for more email deliverability tips? Join Apollo's Email Deliverability 101 webinar and Q&A to learn from seasoned sales pros about the ABCs of linking your mailbox, how to set up domains for maximum deliverability, and how to monitor the health of your email performance.