# Authenticate your sending domain > Authenticate your domain with SPF, DKIM and DMARC so your MailMachine emails reach the inbox. Source: https://www.kualo.com/knowledgebase/senders-deliverability/authenticating-my-domain-with-spf-dkim-and-dmarc-protocols Updated: 2026-06-10 --- Gone are the days of sending email without worrying whether it'll be delivered. Spam has existed for as long as email itself, and inbox providers have got strict about who they trust. Authentication is how you prove that **MailMachine has your permission to send on your behalf** - it's the single most important thing you can do for deliverability, and it stops spammers from spoofing your domain. :::warning Providers like Gmail and Yahoo now **require** authentication to accept mail from a domain. Sending from an unauthenticated domain is known to cause significant delivery problems with all major providers - many recipients simply won't get your emails. ::: If your domain isn't authenticated, Gmail and other providers may warn your recipients that the message might not really be from you, or send it straight to spam: ![A Gmail "be careful with this message" warning shown on an unauthenticated email](https://kb-cdn.kualo.com/11/41/1141a139fa19ce09f9e0595c1a700cd6c53e080c.png) ## Before you start You'll need access to your domain's **DNS records** at your hosting or domain provider. If you're not sure who that is, it's whoever manages your website or email address - ask that person or team. If your domain is hosted with Kualo, you can add these records in cPanel. ## Authenticate your domain 1. In MailMachine, click your **company name / email address** in the top-right corner to open the dropdown menu, then click **Senders**. 2. Make sure your sender domain has been entered. An unauthenticated domain shows in a **yellow** bar - if you haven't added a sender yet, choose and enter it now. 3. Click **Authenticate domain**. 4. The instructions appear on the page. You can copy and paste them to share with whoever manages your DNS. 5. You (or your DNS administrator) add the records to the relevant fields at your domain host. This is a delicate step - make sure each record is **exactly** what's shown. 6. Wait for the change to propagate. This usually takes a few hours, but can take up to 24. 7. Come back to **Senders** and verify. Once it's working the bar turns **blue**. If it's still yellow after 24 hours, [open a support ticket](/knowledgebase/getting-started/how-to-create-a-support-ticket-in-mykualo) with a screenshot of the records you entered. :::danger The records must match **exactly**. A single extra space, a stray full stop, or any small change will stop authentication from working. ::: ## What SPF, DKIM and DMARC actually do MailMachine sets up three complementary standards for you. Together they tell receiving servers that your mail is genuine. ### SPF (Sender Policy Framework) SPF has been around since 2003. It publishes a list of the servers authorised to send on behalf of your domain, so a receiving server can check that a message claiming to be from you actually came from one of those servers. ### DKIM (DomainKeys Identified Mail) DKIM adds a cryptographic signature to your mail. It proves two things: that the message content wasn't altered in transit, and that it genuinely came from the domain it claims to be from. ### DMARC (Domain-based Message Authentication, Reporting & Conformance) DMARC's big advantage is that **you** control what happens to mail that fails the checks, not the receiver. You can tell receivers to block mail you didn't send, and you get reports of anyone using your domain without permission. It's the gold standard in use today. ## Troubleshooting **SPF validation fails** - Only one SPF record is allowed per domain - check for duplicates. - It should start with `v=spf1` and end with `-all` or `~all`. - Watch for syntax errors and extra spaces, and don't exceed the 10 DNS-lookup limit. **DKIM doesn't verify** - Make sure the record is published on the correct subdomain and the selector matches the one MailMachine gave you. - Copy the key without introducing line breaks or spaces, and allow 24-48 hours to propagate. **DMARC isn't recognised** - The record belongs at `_dmarc.yourdomain.com`. - Start with `p=none` before moving to `quarantine` or `reject`, and make sure the syntax is right (e.g. `v=DMARC1; p=none; rua=mailto:...`). **Authentication passes but mail still goes to spam** - Authentication is only one factor - content and sending reputation matter too. Review your sending practices and list hygiene, and check whether your domain or IP appears on any blocklists. **DNS changes don't seem to take effect** - Allow up to 48 hours for full propagation, and use a DNS-lookup tool (or a different DNS server) to confirm the records are visible. **You send from more than one domain** - Each sending domain needs its own authentication setup, and subdomains may need separate configuration. --- _Source: Kualo Knowledgebase — https://www.kualo.com/knowledgebase/senders-deliverability/authenticating-my-domain-with-spf-dkim-and-dmarc-protocols · © Kualo Ltd._