Email authentication is a technical process that requires working with Domain Name Servers (DNS). For those who aren't used to working with DNS, it can be a confusing process, as each DNS host uses different configuration software, and it can sometimes take up to 48 hours for your changes to be seen around the internet.
Below we've listed the most common issues people have when trying to set up email authentication.
Errors you may see in your Sending Domains settings dashboard
When you try to authenticate your Sending Domains settings, you may see the errors below. We've detailed the most common reasons for receiving the errors, and how you can resolve them.
- Incomplete: You have not completed the domain authentication.
- Missing record: The TXT record could not be found. Please create the appropriate TXT record.
- Invalid record: Record found but is invalid. Please re-create the TXT record. It can take some time for our systems to see a new record once added or changed.
- Possibly invalid: Record found but is invalid. Please re-create the TXT record. It can take some time for our systems to see a new record once added or changed. A valid SPF record includes “_spf.createsend.com” domain.
- Key length: Key is shorter than the minimum of 1024 bits.
- This domain has already been authenticated with another account.
Incomplete: You have not completed the domain authentication.
This status is shown when a freshly added sending domain has not been through any verification checks yet. Click the Authenticate button and follow the on-screen instructions to finish setting up.
Missing record: The TXT record could not be found. Please create the appropriate TXT record.
This error can appear for DKIM or DMARC records. For SPF records, the icon will be colored orange instead of red, and the tooltip will also include the message: A valid SPF record includes “_spf.createsend.com” domain.
Note: Setting up an SPF record for your sending domain is recommended but not currently required, as we automatically handle SPF for you. To improve your email setup and future proof the delivery of your emails, we recommend adding "include:_spf.createsend.com" to your SPF record in case it becomes necessary in future.
There are a couple of reasons you might see this error, as listed below:
- There's a typo in the domain name you provided
- You've entered an incorrect record name in your DNS host
THERE'S A TYPO IN THE DOMAIN NAME YOU PROVIDED
Make sure the domain you entered in your Sending Domains settings matches the one you set up authentication for in your DNS host, then try again.
YOU'VE ENTERED AN INCORRECT RECORD NAME IN YOUR DNS HOST
Many DNS hosts only require you to enter cm._domainkey, _dmarc, or @ as the TXT record name instead of the full domain, as they automatically add your domain to the end. If this is the case with your host, and you've entered the full domain, your TXT record name will actually be cm._domainkey.yourdomain.com.yourdomain.com, _dmarc.yourdomain.com.yourdomain.com, or yourdomain.com.yourdomain.com, and Marketing 360® will be looking in the wrong place to verify your authentication.
DMARC
- If you already have a DMARC record in place, you do not need to make any changes to the p value.
- You only need to have a DMARC record on your top level domain; you do not need to add an additional DMARC record for your subdomain(s).
If you are setting up authentication on a subdomain (e.g. mail.example.com), you can ignore the warning if you have a valid DMARC record on your top level domain (e.g. example.com).
Invalid record: Record found but is invalid. Please re-create the TXT record. It can take some time for our systems to see a new record once added or changed.
This error can appear for DKIM and DMARC. Make sure the records match exactly by copying the record we show on screen, and pasting it into your DNS host.
There are a couple of reasons you might see this error, as listed below:
- The change hasn't propagated yet
- The same record name exists multiple times in your DNS
THE CHANGE HASN'T PROPAGATED YET
This can occur when our servers are still seeing your original DNS settings, and haven't picked up your changes yet.
DNS changes also aren't instantaneous. Depending on your DNS host settings, it can take up to 48 hours for the entire internet, including our servers, to see any updates as they propagate across the world. The timing can vary, involves multiple systems controlled by various organizations, and it isn't something Marketing 360® can speed up.
WHAT YOU CAN DO
If you're reading this after you updated your record, and everything is set up correctly, the only option is to wait until the changes propagate. You can still send emails during this time, but we will make a couple of changes to the sending domain you nominate. For future DNS changes, read about lowering your Time To Live (TTL) setting.
You can use a validator like EmailStuff to check published DKIM or DMARC records and help you to verify that servers outside your DNS host can see your changes, and that the TXT records are present and valid. When you verify your record, the domain name is the one you are sending from, and in the case of DKIM, the selector is often cm.
You can also check if different servers around the world are seeing the same DNS record values with Whatsmydns. For DKIM, enter cm._domainkey.mail.example.com in the search box. For DMARC, enter _dmarc.mail.example.com. Replace mail.example.com with the domain you're trying to authenticate in both examples. Set the dropdown menu next to it to TXT, then click Search. The record value for each server should match the TXT record value you entered in your DNS host if they have seen the update. Note that this is just an indicator, and doesn't represent the whole internet.
If you continue to have problems, contact your DNS host for assistance.
THE SAME RECORD NAME EXISTS MULTIPLE TIMES IN YOUR DNS
The invalid record error can occur if you have more than one record with the same name. Email servers will often reject multiple records as invalid. Make sure there is only one record of that name in your DNS.
Mismatches can also occur if someone else authenticated the same domain in the past. This means the matching record name can have a different value in your DNS host, compared to what you need. We recommend removing any previous DKIM record generated by Marketing 360® from the DNS. For SPF, we recommend updating the existing record to add include:_spf.createsend.com immediately after the v=spf1. Make sure you include the space after "v=spf1".
Possibly invalid: Record found but is invalid. Please re-create the TXT record. It can take some time for our systems to see a new record once added or changed. A valid SPF record includes “_spf.createsend.com” domain.
Note: Updating an existing SPF record for your sending domain is recommended but not currently required, as we automatically handle SPF for you. To improve your email setup and future proof the delivery of your emails, we recommend adding "include:_spf.createsend.com" to your SPF record in case it becomes necessary in future.
This error is unique to SPF only. It can appear for the same reasons as for DKIM and DMARC above, but also if you have an existing SPF record that does not include _spf.createsend.com. Please add include:_spf.createsend.com immediately after the v=spf1 in the existing record. Make sure you include the space after "v=spf1".
Once updated, your SPF record should look something like v=spf1 include:_spf.createsend.com include:_spf.google.com ~all, where include:_spf.google.com is an example of another domain that is also included. Your SPF record may have more domains included.
You can use a validator like EmailStuff to check your published SPF record. The domain name is the one you are sending from.
You can also check if different servers around the world are seeing the same DNS record values with Whatsmydns. Enter the domain you're trying to authenticate, set the dropdown menu next to it to TXT, then click Search. The record value for each server should match the TXT record value you entered in your DNS host if they have seen the update. Note that this is just an indicator, and doesn't represent the whole internet.
If you continue to have problems, contact your DNS host for assistance.
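The checks described above (a record name with the domain appended twice, the same record name published more than once, and an SPF record without the include) can be run locally against a list of your TXT records. This is an added example, not Marketing 360® code; the status strings only approximate the dashboard, and `diagnose`, `add_spf_include` and the `ZONE` sample are hypothetical names with constructed values.

```python
import re

SPF_INCLUDE = "include:_spf.createsend.com"   # value given on the page
VERSION = {"DKIM": None, "DMARC": "v=dmarc1", "SPF": "v=spf1"}  # DKIM's v= tag is optional

def first_token(value):
    """Lower-cased version tag that opens a TXT value, e.g. 'v=spf1'."""
    return re.split(r"[;\s]", value.strip().lower(), maxsplit=1)[0]

def diagnose(domain, zone, selector="cm"):
    """Map DKIM/DMARC/SPF to a dashboard-style status for one sending domain."""
    domain = domain.rstrip(".").lower()
    zone = {name.rstrip(".").lower(): vals for name, vals in zone.items()}
    names = {"DKIM": f"{selector}._domainkey.{domain}",
             "DMARC": f"_dmarc.{domain}", "SPF": domain}
    report = {}
    for kind, name in names.items():
        # Other TXT records may share the name, so keep only this record type.
        found = [v for v in zone.get(name, [])
                 if VERSION[kind] is None or first_token(v) == VERSION[kind]]
        doubled = f"{name}.{domain}"          # host appended the domain a second time
        if not found and doubled in zone:
            report[kind] = f"Missing record (published as {doubled})"
        elif not found:
            report[kind] = "Missing record"
        elif len(found) > 1:
            report[kind] = "Invalid record (same record name exists multiple times)"
        elif kind == "SPF" and SPF_INCLUDE not in found[0].lower().split():
            report[kind] = "Possibly invalid"
        else:
            report[kind] = "OK"
    return report

def add_spf_include(record):
    """Insert the include immediately after v=spf1, keeping every other term."""
    version, *terms = record.split()
    if SPF_INCLUDE in (t.lower() for t in terms):
        return record
    return " ".join([version, SPF_INCLUDE, *terms])

# Constructed sample: TXT records as exported from a DNS host (values are placeholders).
ZONE = {
    "cm._domainkey.example.com.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
    "_dmarc.example.com": ["v=DMARC1; p=none", "v=DMARC1; p=none"],
    "example.com": ["site-verification=PLACEHOLDER",
                    "v=spf1 include:_spf.google.com ~all"],
}

if __name__ == "__main__":
    for kind, status in diagnose("example.com", ZONE).items():
        print(kind, "->", status)
    print(add_spf_include(ZONE["example.com"][1]))
```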
Key length: Key is shorter than the minimum of 1024 bits.
This error will appear if you have an older, 768-bit DKIM key. This key length is not considered secure enough and your emails will fail authentication as a result. You will need to remove this entry and add the sending domain again to regenerate a stronger, 1024-bit DKIM key. Remember to delete the old record from your DNS too.
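To see which key length a published DKIM record actually carries, the modulus size can be read from the base64 value in its p= tag. This is an added example, not Marketing 360® code; it accepts both the SubjectPublicKeyInfo and the bare RSAPublicKey encodings, and `sample_record` builds a constructed input whose modulus is not a usable key.

```python
import base64

MIN_BITS = 1024   # minimum stated on the page

def der_tlv(data, pos=0):
    """Read one DER tag-length-value; return (tag, value, offset after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def dkim_rsa_bits(txt_value):
    """Bit length of the RSA modulus in a DKIM key record's p= tag."""
    tags = {k.strip(): v for k, _, v in (t.partition("=") for t in txt_value.split(";"))}
    der = base64.b64decode("".join(tags["p"].split()))
    _, body, _ = der_tlv(der)               # outer SEQUENCE
    tag, first, pos = der_tlv(body)
    if tag == 0x30:                         # SubjectPublicKeyInfo: skip AlgorithmIdentifier
        _, bitstr, _ = der_tlv(body, pos)   # BIT STRING, first byte = unused-bit count
        _, body, _ = der_tlv(bitstr[1:])    # inner RSAPublicKey SEQUENCE
        tag, first, _ = der_tlv(body)
    return int.from_bytes(first, "big").bit_length()   # first INTEGER is the modulus

def key_length_ok(txt_value):
    """True when the key meets the 1024-bit minimum."""
    return dkim_rsa_bits(txt_value) >= MIN_BITS

def der_encode(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed input: valid DER layout, but the modulus is NOT a real key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der_encode(0x30, der_encode(0x02, modulus) + der_encode(0x02, b"\x01\x00\x01"))
    alg = der_encode(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (768, 1024):
        record = sample_record(bits)
        print(bits, dkim_rsa_bits(record), "ok" if key_length_ok(record) else "Key length")
```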
This domain has already been authenticated with another account.
The sending domain you've entered has already been authenticated by another Marketing 360® account. This protection is put in place to prevent credentials from being used fraudulently.
In some cases, this means authentication has already been set up for another account you manage. If you're the owner of the authenticated domain, and have access to the private and public keys previously generated by Marketing 360®, you can manually copy-paste the DKIM details from the authenticated account.