Authenticating Your Mail Domain (Using Your Own Email Domain)

Last Updated -

IMPORTANT NOTE: This article is only relevant to users using a mailbox set up through, and does not apply to self hosted mailboxes.

If you've chosen to use a custom domain ( rather than the default, and you want to use Mail ( rather than your own outbound mail server, you'll also want to set up email authentication to help ensure your emails reach the inbox of your recipient. Although will add a signature by default, authenticating specifically on your own domain is the best option.

In this article:

How Authentication Works and Why it's Important
Setting up your Authentication

How Authentication Works and Why it's Important

Why is Authentication Important?

ISPs rely heavily on authentication to fight spam and prevent phishing and other means of fraud. Firstly, authentication is essential for securing your brand. It's there in part to prevent spoofed messages from damaging your online reputation. Imagine a phishing email appearing to be sent from your company because someone had forged your information. Angry recipients and spam complaints resulting from it become your mess to clean up, in order to repair your reputation. Authentication is there to prevent that.

Secondly, authentication is good for your deliverability. It helps your emails reach your recipient's inbox. Many ISPs use authentication, among other things, to track sender reputation. Without it, the chances of your emails being filtered are much higher.

Lastly, some email clients will show a message if you haven't authenticated your domain. For the best customer experience you want to be sure authentication is set up so those alerts don't show.



How Does Authentication Work?

Because of the way email was originally built it's very easy to forge. For example, an email message might claim to be from your bank, but it's actually a scam aimed at stealing money or spreading malicious software.

When you have authentication setup, your emails are sent with a specific signature that matches a record in your DNS. This gives ISPs a method of identification to check, to ensure the sender is legitimate. Emails that do not pass authentication may be blocked or put through additional filtering, potentially preventing them from reaching the inbox.

At, adding authentication is important so that any receiving server will be able to tell that the email is legitimately from your company, not someone else pretending to be you. Always something essential for something as important as support!

Setting up your authentication

First add a mailbox. Go to: Admin > Channels > Email > Outbound Mailbox. Click on Add Mailbox button and add a mailbox. Enter your From Email including your custom domain ( in the image below) and click on Add. You will receive an email to confirm the email address.

Once you're done setting up your mailbox, you'll see a "Domain Authentication" section beneath Outbound Mailboxes in your Admin Panel. Go to: Admin > Channels > Email > Domain Authentication

Click the Eye icon to the far right of your domain name. The DKIM and SPF records will open in a window similar to below.

These records will need to be set up in your domain name's DNS settings.

While we can't walk you through specifically how to add the records (though we do have some help below), as every provider is different, in generally what you'll want to do is:

  1. Log into your hosting panel and then click on DNS
  2. Click a button to add a new records and choose TXT as the record type. Use the instructions below for the individual authentication types.


  1. The record will be the host name. With some hosts you'll enter that full host name, with others you'll leave off the part. 
  2. The second part that starts with k=rsa; will be entered as the TXT value. 
  3. Save!


For the SPF record you'll be given this as your record:
v=spf1 a mx ~all

You'll add that record as a TXT record. The host name will be your domain, it will be blank, or it will be @. It varies from host to host but they generally make it clear.

If you already have an SPF record, all you need to add is to your existing record.

Instructions for some commonly used hosts can be found here:

Using DMARC with your Postmark mailbox.
Postmark does support using DMARC policies on your own domain. You can find out more about it in this article.

If you are going to use your own DMARC policies, we recommend that you create a CNAME in your DNS server to point it to  so that the name that appears in your DMARC monitoring is part of your domain. Once that is done, email and let us know what the CNAME is for your site, and we can add the entry to the Return Path in the Sender Signature for your site and you should be all set!


Does have a list of IP addresses that need to be whitelisted in my firewalls, spam filters, mail server or other network security devices and applications?
Generally speaking, this is not a requirement. However, depending on your network security you may need to add the SMTP Endpoints from this article to your whitelists. We suggest that you consult with your internal IT team or network Administrators. Here is the list of their IP's, if needed you would need to add the IP's in the following sections :
SMTP Endpoints (for using SMTP outbound service)
Outbound SMTP Servers (where we send email from)
What if I don't add the records, what happens?

Without the authentication records your emails could be filtered as spam or blocked all together. Your recipients will also see a message displayed in Gmail and Outlook.



Do I need to add both SPF and DKIM?

For optimal deliverability, yes. Different ISPs look for different types of authentication. Having both records ensures you'll comply with what individual ISPs are looking for.

How do I verify my records are there?

To validate your records, you can go to a site like EmailStuff and look up your domain name.  From there you'll be able to see what records are present for your domain and if the authentication records you've added have propagated.

If no record is found, check the TTL value in your DNS record (where you added the records). This value—"time to live"—is the number of seconds DNS servers will cache your record. Lowering the value will make the record propagate faster.

If you're running into problems, please get in touch with our support team. Please be sure to let us know what domain name you're having troubles with.

Can I send emails before verifications happen?

Yes, but we don't recommend it. Until the records are present in your DNS your emails will send without a signature and the negative consequences will potentially happen.

I'm getting an error when trying to add the records, what can I do?


Some hosts do not support underscores (_) in DNS records, and adding the DKIM record can cause an error. The underscore is required and you'll want to contact your host and see if they can manually add the record for you or if they disallow underscores entirely

Semicolons (;)

Some hosts require that you escape semicolons in records. If you're getting an error try replacing ; with \; .

Will adding authentication affect my regular email?

No. The records are written specifically to allow the Postmark servers to send for you but not to disallow other servers.

My host doesn't support TXT records, what do I do?

Often, a host won't allow you to add records yourself, but will add them for you. As a first step we recommend you talk to your hosting company to see if they can help. If records are disallowed entirely, you'd either need to go without authentication or switch your web host or host your DNS at a company separate from your web hosting.

I'm seeing a phishing warning in Gmail, why?

If you're sending from a Gmail address, adding authentication isn't possible because you don't control the domain. Instead, what you'll want to do is verify that you can legitimately forward to and send from that address

Note: This article is for setting up authentication when using for your email. If you're not currently using's email, please contact your Account Executive, Sales, or our Support Team for more information.