How to Set Up Email Domain Authentication

Knowledge Base Home aero-right Delivery How to Set Up Email Domain Authentication

Delivery Updated on November 22, 2022

To authenticate your email domain, you’ll need to add two Benchmark CNAME records to your DNS settings. These CNAME records are unique to your account and can be generated on the Email Domain Authentication page. The CNAMEs are what create your DKIM signature.

The Email Domain Authentication feature is only available in our Lite, Pro, and Enterprise plans, as well as any legacy plans.

SEE PLAN OPTIONS

Using email domain authentication prevents email phishing, and it can also prevent your email from being filtered as spam. The main benefit of using email domain authentication is it gives you the sender sole responsibility for your domain’s sending reputation. Once your email domain is authenticated, you can follow up by adding a DMARC signature.

CONSIDER

To generate and use your Benchmark CNAME records, you’ll need a private domain, access to your domain’s DNS settings, and a verified email address in Benchmark.

Topics included in this article:

DKIM Signature

When you authenticate your email domain with Benchmark, you add a unique DKIM Signature to your domain, this signature is visible in your email headers. The DKIM signature is composed using the two CNAME records provided in your Benchmark account.

DKIM is short for DomainKeys Identified Mail; it is used to prevent email messages from being forged by adding a digital signature to all emails sent from your domain. DKIM verifies the domain through cryptographic authentication. When DKIM is signed, receiving ISPs, such as Yahoo, Gmail, AOL, and others, can confirm that emails from your domain are legitimate.

Here is an example of email headers with and without the two CNAME records.

Your email headers will display your domain instead of Benchmark’s, making you look more professional and helping your emails land in the inbox instead of junk.

CNAME RECORDS PUBLISHED


DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=1234567; c=relaxed/relaxed; i=email@yourdomain.com; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=Csm6hrngAjg7GebKP4UBybWGC8i1SS8z/tkW9CUqDG9f1QtHFPe+6i2SSD2/dgTYL3xitdEMYuCtRwTQZRreH6xLOjKy7A5vWbx5HgKei4+3jUuWhXboTZGK20PSF+tXjRI1OcBGHLDITaMvZyk4n4ue4pFbPfLT+YHjdBynoV4=

WITHOUT CNAME RECORDS PUBLISHED


DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=bmdeda; c=relaxed/relaxed; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=IhpgMyO1JEy4FhullJon/dkAldaguMqU6ppYvg6ZUjMT49MczetfzHTTg3tlQnmiQPg2COSAersBfaxPdSxVQuhkg2qUDDgdOE5cNJWwgPgScYiNod6cf3HLgZLHI34QXqvqbrj0mhMk+gZmeTIrYn9A/oO1HFImH06S4Qbyeo=

From: user1 <email@yourdomain.com>

Additionally, DKIM removes the message that shows in the inbox next to your email address as “via” or “on behalf of bmsend.com.” This text is used to indicate the sending server. For some email clients removing this text is not an option.

Before generating your Benchmark CNAME records, ensure that you have a verified email address in your Benchmark account.

Back to the top ↑

How to add a domain to authenticate

If you’ve previously verified a private email address, chances are you already have a private domain in your account ready for authentication. Please note that only private domains can have email authentication.

SUGGESTION

To learn how to verify an email address, please click here.

To see a list of previously verified email addresses, visit your Email Verification page. If there are no private verified email addresses, please add the email associated with the domain you’d like to authenticate.

IMPORTANT

If you cannot verify your private domain, please contact our support team at support@benchmarkemail.com.

Back to the top ↑

How to get CNAME Records

Once you have a verified email domain, you can move on to the next step, the CNAME Records. We recommend using two browser windows to move from one page to another quickly—one for Benchmark Email and another for your Domain DNS settings.

CNAME is short for Canonical Name, and it is used to alias a domain to another domain. With the following CNAME records, you’ll be removing Benchmark Email from your email headers.

To generate your CNAME Records, follow the steps below.

Click on your account name and select Account Settings.

Then, select Domain Authentication. Here you will see the domains available to authenticate.
If your domain is available to authenticate, click on the Start option.

Confirm your choice by clicking Start Authentication. After confirming, we will begin generating your records. These can typically take up to 30 minutes to generate. Exit this page by clicking on the X on the top right of the page.

Back on the Domain authentication page, you’ll see the authentication status of the records. If your records are ready to be added to your DNS, the DNS Record column will read View instead of Start.

Click on the View option to see your CNAME records.

In another browser window, go to your domain’s DNS settings. If you are not sure how to add the records to your DNS settings, check out some of the services listed here for instructions.
Copy and paste each CNAME record separately in your DNS settings.

Once you are done, go back to Benchmark and click on the Check Configuration option.

You will see a success message and green checkmarks next to each record if you added them correctly. Record configuration can take up to 48 hours, depending on your domain hosting service.

Additionally, the domain’s status will change to In Progress; no further action is needed from you. The authentication period can take up to 24 hours. You should not send any emails from your domain during this time as the domain is not yet authenticated.

When your domain is ready to send emails, the status will change to Authenticated.

If you did not add your records correctly, you would see an error message and an X next to the records that need updating.

If you receive an error message, review the records you added to your DNS settings. If the error is not visible to you, delete both of the records previously added and add them again.

If you continue to see an error message, please contact our support team at support@benchmarkemail.com.

Back to the top ↑

Domain Status Descriptions

Not Authenticated

The CNAME records have not been created.

In Progress

The records were created and added to your DNS settings but waiting for confirmation. During this stage, no action is needed.

Action Required

The records were created, but they were not added to your DNS settings, or the records do not match. If you see this, check the message within the records. You’ll see a red X on the error that needs to be corrected. Back in your DNS settings, check if the records were added exactly as Benchmark provided. If you are not sure, delete the previous CNAME records, and proceed to add them again. If you still see an error, please contact our support team.

Authenticated

Indicates the records were added successfully, and no further action is needed.

Back to the top ↑

DMARC Signature

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is the third method for email domain authentication. ISPs like Yahoo, Gmail, AOL, and others, check to see if SPF and DKIM align with the DMARC signature. To take full advantage of the SPF and DKIM records, we recommend adding a DMARC signature to your domain.

If you already have a DMARC signature, skip this step as you can only have one DMARC signature per domain.

The DMARC signature is added as a TXT record in your DNS settings. You’ll need to add your Benchmark client ID and your email address.

DMARC Signature Example

v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;rua=mailto:rCLIENTID@dc.bmesrv.com,mailto:YOUREMAILADDRESS;ruf=mailto:rCLIENTID@dc.bmesrv.com,mailto:YOUREMAILADDRESS;rf=afrf;ri=86400;fo=0

Name:

 _dmarc

Value:

v=DMARC1;p=none;sp=none;pct=100;adkim=r;aspf=r;rua=mailto:rCLIENTID@dc.bmesrv.com,mailto:YOUREMAILADDRESS;ruf=mailto:rCLIENTID@dc.bmesrv.com,mailto:YOUREMAILADDRESS;rf=afrf;ri=86400;fo=0

You can change the TTL or leave it as is.

Your client ID can be found within your CNAME records, or on your Partner page.

To get your Client ID, follow the steps below.

From your CNAME record:

Log in to your Benchmark account, and click on your account name.
Select Domain Authentication, and then click on the View option.
Copy ONLY the number ID within one of the CNAME records.

From the Partner page:

Log in to your Benchmark account, and click on your account name.
Click on the Partner Program option.

Copy the Partner ID (this is the same as your ClientID).

While the DMARC signature is not required, adding it to your DNS will maximize the benefits of your domain authentication. The DMARC signature tells email providers where they can send their DMARC Reports, a type of report created by email providers to share domain and IP addresses that send emails on your behalf.

Back to the top ↑

How to add your CNAME Records to your DNS provider

The process of adding the records will vary depending on your domain host. If you do not have access to your DNS settings, contact your IT team or contact your domain hosting service.

IMPORTANT

Please allow 24 hours before sending any emails from your domain to accommodate the 24 hours. Any email sent during this time may not reflect the changes.

If you prefer a video tutorial, watch this video.

Below we have added some popular domain hosting services; for steps on adding your CNAME Records or your DMARC signature, click on the CNAME Records link or the DMARC link for your domain hosting service.

Please let our support team know if you do not see your domain service listed.

GoDaddy