Kualo / docs
On this page

Authenticate your sending domain

Authenticate your domain with SPF, DKIM and DMARC so your MailMachine emails reach the inbox.

4 min read Updated 10 Jun 2026

Gone are the days of sending email without worrying whether it'll be delivered. Spam has existed for as long as email itself, and inbox providers have got strict about who they trust. Authentication is how you prove that MailMachine has your permission to send on your behalf - it's the single most important thing you can do for deliverability, and it stops spammers from spoofing your domain.

Providers like Gmail and Yahoo now require authentication to accept mail from a domain. Sending from an unauthenticated domain is known to cause significant delivery problems with all major providers - many recipients simply won't get your emails.

If your domain isn't authenticated, Gmail and other providers may warn your recipients that the message might not really be from you, or send it straight to spam:

A Gmail "be careful with this message" warning shown on an unauthenticated email

Before you start

You'll need access to your domain's DNS records at your hosting or domain provider. If you're not sure who that is, it's whoever manages your website or email address - ask that person or team. If your domain is hosted with Kualo, you can add these records in cPanel.

Authenticate your domain

  1. In MailMachine, click your company name / email address in the top-right corner to open the dropdown menu, then click Senders.
  2. Make sure your sender domain has been entered. An unauthenticated domain shows in a yellow bar - if you haven't added a sender yet, choose and enter it now.
  3. Click Authenticate domain.
  4. The instructions appear on the page. You can copy and paste them to share with whoever manages your DNS.
  5. You (or your DNS administrator) add the records to the relevant fields at your domain host. This is a delicate step - make sure each record is exactly what's shown.
  6. Wait for the change to propagate. This usually takes a few hours, but can take up to 24.
  7. Come back to Senders and verify. Once it's working the bar turns blue. If it's still yellow after 24 hours, open a support ticket with a screenshot of the records you entered.

The records must match exactly. A single extra space, a stray full stop, or any small change will stop authentication from working.

What SPF, DKIM and DMARC actually do

MailMachine sets up three complementary standards for you. Together they tell receiving servers that your mail is genuine.

SPF (Sender Policy Framework)

SPF has been around since 2003. It publishes a list of the servers authorised to send on behalf of your domain, so a receiving server can check that a message claiming to be from you actually came from one of those servers.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your mail. It proves two things: that the message content wasn't altered in transit, and that it genuinely came from the domain it claims to be from.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC's big advantage is that you control what happens to mail that fails the checks, not the receiver. You can tell receivers to block mail you didn't send, and you get reports of anyone using your domain without permission. It's the gold standard in use today.

Troubleshooting

SPF validation fails

  • Only one SPF record is allowed per domain - check for duplicates.
  • It should start with v=spf1 and end with -all or ~all.
  • Watch for syntax errors and extra spaces, and don't exceed the 10 DNS-lookup limit.

DKIM doesn't verify

  • Make sure the record is published on the correct subdomain and the selector matches the one MailMachine gave you.
  • Copy the key without introducing line breaks or spaces, and allow 24-48 hours to propagate.

DMARC isn't recognised

  • The record belongs at _dmarc.yourdomain.com.
  • Start with p=none before moving to quarantine or reject, and make sure the syntax is right (e.g. v=DMARC1; p=none; rua=mailto:...).

Authentication passes but mail still goes to spam

  • Authentication is only one factor - content and sending reputation matter too. Review your sending practices and list hygiene, and check whether your domain or IP appears on any blocklists.

DNS changes don't seem to take effect

  • Allow up to 48 hours for full propagation, and use a DNS-lookup tool (or a different DNS server) to confirm the records are visible.

You send from more than one domain

  • Each sending domain needs its own authentication setup, and subdomains may need separate configuration.
Was this helpful?
Your feedback helps us find gaps in the docs.
Related articles
Senders & deliverability
Add and manage senders
Add and verify the "from" address your campaigns send from, and the deliverability rules t...
Senders & deliverability
Use your suppression list
How the suppression list keeps you from emailing people who complained or opted out, and h...
Senders & deliverability
Email deliverability basics
What deliverability is, why permission and reputation drive it, and the factors that get y...
Senders & deliverability
Protect your sender reputation
Why sending from your own authenticated domain - not a free address - protects trust and d...
Still need a hand?
Real people, around the clock - start a chat or open a ticket and we'll help you put it right.
Contact us Start a chat