Knowledge Base Home Delivery How to Set Up Email Domain Authentication
To authenticate your email domain, you’ll need to add two Benchmark CNAME records to your DNS settings. These CNAME records are unique to your account and can be generated on the Email Domain Authentication page. The CNAMEs are what create your DKIM signature.
The Email Domain Authentication feature is only available in our Lite, Pro, and Enterprise plans, as well as any legacy plans.
Using email domain authentication prevents email phishing, and it can also prevent your email from being filtered as spam. The main benefit of using email domain authentication is it gives you the sender sole responsibility for your domain’s sending reputation. Once your email domain is authenticated, you can follow up by adding a DMARC signature.
To generate and use your Benchmark CNAME records, you’ll need a private domain, access to your domain’s DNS settings, and a verified email address in Benchmark.
When you authenticate your email domain with Benchmark, you add a unique DKIM Signature to your domain, this signature is visible in your email headers. The DKIM signature is composed using the two CNAME records provided in your Benchmark account.
DKIM is short for DomainKeys Identified Mail; it is used to prevent email messages from being forged by adding a digital signature to all emails sent from your domain. DKIM verifies the domain through cryptographic authentication. When DKIM is signed, receiving ISPs, such as Yahoo, Gmail, AOL, and others, can confirm that emails from your domain are legitimate.
Here is an example of email headers with and without the two CNAME records.
Your email headers will display your domain instead of Benchmark’s, making you look more professional and helping your emails land in the inbox instead of junk.
CNAME RECORDS PUBLISHED
DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=1234567; c=relaxed/relaxed; firstname.lastname@example.org; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=Csm6hrngAjg7GebKP4UBybWGC8i1SS8z/tkW9CUqDG9f1QtHFPe+6i2SSD2/dgTYL3xitdEMYuCtRwTQZRreH6xLOjKy7A5vWbx5HgKei4+3jUuWhXboTZGK20PSF+tXjRI1OcBGHLDITaMvZyk4n4ue4pFbPfLT+YHjdBynoV4=
WITHOUT CNAME RECORDS PUBLISHED
DKIM-Signature:v=1; a=rsa-sha256; d=yourdomain.com; s=bmdeda; c=relaxed/relaxed; t=1598860888; h=subject:from:reply-to:to:date:message-id:list-unsubscribe: content-type: mime-version; bh=VJiLnp1piFKGczzrsciR1Mxy1LTL+aPflXht5kNI5w=; b=IhpgMyO1JEy4FhullJon/dkAldaguMqU6ppYvg6ZUjMT49MczetfzHTTg3tlQnmiQPg2COSAersBfaxPdSxVQuhkg2qUDDgdOE5cNJWwgPgScYiNod6cf3HLgZLHI34QXqvqbrj0mhMk+gZmeTIrYn9A/oO1HFImH06S4Qbyeo= From: user1 <email@example.com>
Additionally, DKIM removes the message that shows in the inbox next to your email address as “via” or “on behalf of bmsend.com.” This text is used to indicate the sending server. For some email clients removing this text is not an option.
Before generating your Benchmark CNAME records, ensure that you have a verified email address in your Benchmark account.
If you’ve previously verified a private email address, chances are you already have a private domain in your account ready for authentication. Please note that only private domains can have email authentication.
To learn how to verify an email address, please click here.
To see a list of previously verified email addresses, visit your Email Verification page. If there are no private verified email addresses, please add the email associated with the domain you’d like to authenticate.
If you cannot verify your private domain, please contact our support team at firstname.lastname@example.org.
Once you have a verified email domain, you can move on to the next step, the CNAME Records. We recommend using two browser windows to move from one page to another quickly—one for Benchmark Email and another for your Domain DNS settings.
CNAME is short for Canonical Name, and it is used to alias a domain to another domain. With the following CNAME records, you’ll be removing Benchmark Email from your email headers.
To generate your CNAME Records, follow the steps below.
Back on the Domain authentication page, you’ll see the authentication status of the records. If your records are ready to be added to your DNS, the DNS Record column will read View instead of Start.
Additionally, the domain’s status will change to In Progress; no further action is needed from you. The authentication period can take up to 24 hours. You should not send any emails from your domain during this time as the domain is not yet authenticated.
When your domain is ready to send emails, the status will change to Authenticated.
If you did not add your records correctly, you would see an error message and an X next to the records that need updating.
If you receive an error message, review the records you added to your DNS settings. If the error is not visible to you, delete both of the records previously added and add them again.
If you continue to see an error message, please contact our support team at email@example.com.
The CNAME records have not been created.
The records were created and added to your DNS settings but waiting for confirmation. During this stage, no action is needed.
The records were created, but they were not added to your DNS settings, or the records do not match. If you see this, check the message within the records. You’ll see a red X on the error that needs to be corrected. Back in your DNS settings, check if the records were added exactly as Benchmark provided. If you are not sure, delete the previous CNAME records, and proceed to add them again. If you still see an error, please contact our support team.
Indicates the records were added successfully, and no further action is needed.
DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is the third method for email domain authentication. ISPs like Yahoo, Gmail, AOL, and others, check to see if SPF and DKIM align with the DMARC signature. To take full advantage of the SPF and DKIM records, we recommend adding a DMARC signature to your domain.
If you already have a DMARC signature, skip this step as you can only have one DMARC signature per domain.
The DMARC signature is added as a TXT record in your DNS settings. You’ll need to add your Benchmark client ID and your email address.
DMARC Signature Example
You can change the TTL or leave it as is.
Your client ID can be found within your CNAME records, or on your Partner page.
To get your Client ID, follow the steps below.
From your CNAME record:
From the Partner page:
While the DMARC signature is not required, adding it to your DNS will maximize the benefits of your domain authentication. The DMARC signature tells email providers where they can send their DMARC Reports, a type of report created by email providers to share domain and IP addresses that send emails on your behalf.
The process of adding the records will vary depending on your domain host. If you do not have access to your DNS settings, contact your IT team or contact your domain hosting service.
Please allow 24 hours before sending any emails from your domain to accommodate the 24 hours. Any email sent during this time may not reflect the changes.
If you prefer a video tutorial, watch this video.
Below we have added some popular domain hosting services; for steps on adding your CNAME Records or your DMARC signature, click on the CNAME Records link or the DMARC link for your domain hosting service.
Please let our support team know if you do not see your domain service listed.
If you have any questions, please contact our support team.