Email Authentication (DKIM, DMARC, and SPF)


For the Max Classic/Ultimate editions of Keap, please refer to this article: Email Authentication (DKIM, DMARC, and SPF)

Why Domain Authentication is Required

Email providers like Google and Yahoo are now mandating domain authentication to enhance security and combat spam and phishing. By requiring authentication, these providers aim to protect their users and ensure that legitimate emails are delivered to inboxes. Keap is following these industry requirements to give you the best chance for success in your email marketing efforts. To meet these standards, you must send emails from a custom domain that is fully authenticated with DKIM and DMARC. This will not only improve your email deliverability but also help maintain your sender reputation. Follow the steps below or watch the video to get your domain set up properly.

If you'd like to see Greg Jenkins from our partner Monkeypod walk you through the process, simply click the link below.


What are DKIM and DMARC?

  • DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails, verifying they were sent from your domain.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Specifies how email providers should handle unauthorized emails.


Step-by-Step Process for Authenticating Your Domain in Keap

  1. Access Email Authentication Settings 
    1. Pro/Max Edition: Click on your profile picture in the bottom left corner, select Settings, and navigate to the Domains page.

    2. Ultimate/Classic Edition: Click on the hamburger menu dropdown, select Marketing > Settings, and click on Email Authentication.
  2. Add Your Domain
    1. Click on the + Connect Email Domain button
    2. Enter your domain
    3. Select your domain host from the dropdown list. If unsure of your domain host, use this tool.
    4. Determine if you already have DMARC records using this DMARC checker.
    5. If setting up DMARC, it’s recommended to set the policy to Quarantine and 10%.
    6. Click Continue
  3. Generate and Add DKIM Records
    1. Keap will generate 3 CNAME records that will look like:
      1. appname.yourdomain.com
      2. appname1._domainkey.yourdomain.com
      3. appname2._domainkey.yourdomain.com
    2. Click on the record to copy it (do not highlight manually to avoid copying extra text).
    3. In your domain’s DNS settings, add these as CNAME records:
      1. Depending on your DNS provider, the fields for entering these keys may be labeled as "Host" and "Points to" or "Name" and "Value." Enter the keys in the provided order, from left to right, regardless of the labeling.
  4. Set Up DMARC
    1. If you already have a DMARC record you can check the “I already have a DMARC record" box
    2. If you’re not sure if you have a DMARC record, we have provided you a link to Dmarcian to check for free, just enter your domain and click inspect the domain.
    3. On the same Email Authentication page, Keap will generate the TXT record for your DMARC.
    4. In your domain's DNS settings, add a TXT record for DMARC:
      1. Host: _dmarc.yourdomain.com
      2. Value: v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]
    5. Save the record
  5. How Do I Set It Up?
    1. You'll need to create CNAME and TXT entries in your DNS records. If you're unsure how, contact your DNS provider for assistance, as steps may vary. Here are links to help articles for common DNS providers:
      1. GoDaddy
      2. Cloudflare
      3. BlueHost
      4. Host Gator
      5. DreamHost
      6. Liquid Web
      7. In-Motion
      8. Amazon CloudFront
      9. Google Cloud
  6. Finalize and Verify
    1. Once all records are added to your DNS provider, click Finish in Keap.
    2. You’ll return to the Domains or Email Authentication page, where your domain status will show as Pending or Connected.
    3. It may take 24-48 hours for your domain to connect. If it remains pending for longer, verify your DNS entries using the DIG tool mentioned earlier.


Additional help/FAQs

Handling Domain Conflicts:

  • If the CNAME keys are already in use, click on the "Conflict with your domain?" dropdown to enter a custom subdomain prefix.
  • If your domain authentication is stuck in "Pending": If you previously had your domain authenticated within Keap and it is stuck in the Pending status for more than 48 hours, you will need to click on the edit button (pictured below) and go through the steps above, if you have already copied over the appropriate records just click confirm when you get to the records page. If your records have been verified it will move into Connected and if it is still verifying it will remain in the Pending status until verification is completed.