Build your reputation as a trusted, legitimate sender
Over 300 billion emails are sent and received every day. As you can imagine, many of those messages are sent from bad actors impersonating businesses, or even just careless senders who don’t pay attention to communication consent status. Email inbox providers (like Gmail and Yahoo) have a responsibility to protect their users by setting standards around how they vet senders. This process is known as email authentication. In order to pass authentication checks, your messages must be sent from a sending domain that can be traced back to your business.
This guide will walk you through the steps of setting up a branded sending domain. In order to do this successfully, you will need access to your DNS (Domain Name System) hosting provider in order to update your DNS records. You might need to consult your IT team to gain access to your specific DNS hosting platform.
Set up a branded sending domain
The first and most critical step in becoming a trusted email sender is to set up a branded sending domain that aligns with your website domain.
Key terms to know:
- Sending domain: the domain that is used to indicate who an email is from
- Branded sending domain: a sending domain where the root domain matches the domain of your website
- Domain name system (DNS): a database that locates and translates domain names into IP addresses
- DNS record: a rule listed in the DNS that maps a domain name to something else, or that verifies the ownership of a domain
- DNS hosting provider: the service that maintains accessibility to your DNS records (like GoDaddy, Cloudflare, AWS, Squarespace, Google Domains, etc.)
Note: Only certain user roles in Klaviyo are allowed to make changes to sending domain settings. Those roles are Owner, Admin, Manager, and Campaign Coordinator.
Understand DNS record types
If this is your first time editing your DNS records, you may not be very familiar with what DNS records are and what they do.
A DNS record is a rule listed in your DNS that associates a domain name with another item, like another domain name, or an IP address. There are many different types of DNS records, but let's dive into the 4 record types you may come across during your sending domain configuration process.
A record
An A record maps a domain name to the IP address of the computer that is hosting the website.
This helps people find you online by going to an easy-to-remember address (like klaviyo.com), as opposed to typing in an IP address (like 185.27.134.201).
TXT record
These records are simply strings of text that are stored in your DNS. You can store specific syntax as a TXT record that other systems can look for as a reference for verification.
When you set up your branded sending domain, you will place a TXT record in your DNS that contains your Klaviyo account ID. This will ensure that only your Klaviyo account is able to use your sending domain for sending emails.
NS record
An NS record allows for different DNS providers to be used as the authoritative servers.
NS records are only necessary for sending domain setup if you choose to use the Dynamic method.
CNAME record
A CNAME maps a domain to another domain. This allows you to make use of multiple domains for activities like sending emails.
CNAME records are only necessary for sending domain setup if you choose to use the Static method.
Understand the 3 main email authentication methods
Your branded sending domain sets the foundation for passing key authentication checks. If you’ve set up your branded sending domain correctly, then SPF, DKIM, and DMARC will be taken care of. There are also additional steps you can take to be visually recognized through BIMI.
SPF
Sender Policy Framework
What it is: This method detects forged sender addresses during the delivery of an email by checking to see if the IP address the message was sent from matches what is listed in the DNS records.
How it works: During the branded sending domain setup process, Klaviyo generated a set of DNS records for you, and prompted you to add those records into your DNS hosting provider. The CNAME or NS record that you added to your DNS is the record that SPF looks at in order to validate the IP.
Action item: If you have set up your branded sending domain successfully, and you are using a from-address that matches your domain name, your emails should pass SPF checks.
DKIM
DomainKeys Identified Mail
What it is: This method checks for an invisible “digital signature” in the header of each message to make sure that it matches the name of the sending domain. This header remains in the email even when it is forwarded to someone else.
How it works: The DNS records that you generated and added into your DNS provider also allow for DKIM signatures to be placed into your messages.
Action item: If you have set up your branded sending domain successfully, and you are using a from-address that matches your domain name, your emails should pass DKIM checks.
DMARC
Domain-based Message Authentication, Reporting, and Conformance
What it is: DMARC is a policy (or a rule) placed into your DNS as a TXT record that protects your domain from unauthorized use. Essentially, it allows you to specify how inbox providers should handle your emails if they fail SPF or DKIM authentication checks.
How it works: The DMARC policy record will contain a tag called “p” that tells inbox providers how to handle messages that don’t pass authentication checks. When setting up a branded sending domain, Klaviyo will add a DMARC record with p=none. This indicates you are in a state of monitoring your sending domain, and nothing will happen to your emails if they do not pass authentication checks.
Starting with p=none when you first establish DMARC gives you a chance to monitor mail streams and ensure that the DMARC policy and branded sending domain are functioning properly. After monitoring and validating the activity, you can change the “p” tag to p=quarantine, meaning messages that fail DMARC will be moved to the spam folder, or p=reject, meaning messages that fail DMARC will be blocked or bounced and not accepted at all.
Action item: When setting up your branded sending domain, toggle on the option to add a DMARC record. If you are configuring your domain automatically, this setting will automatically add the DMARC record to your DNS. If you are configuring your domain manually, this setting will generate a TXT record that you will need to add to your DNS provider along with your other DNS records.
BONUS: BIMI*
Brand Indicators for Message Identification
What it is: This is an optional additional visual authentication method that helps build trust with recipients. BIMI displays your brand logo in Gmail, Yahoo, and certain versions of Apple Mail. Gmail will also append a blue check icon on your messages if you set up BIMI.
How it works: Once you’ve met all of the prerequisites, you can add a TXT record to your DNS that contains your brand logo, plus the required trademark verification. This logo will then populate next to your messages for participating inbox providers.
Action item: In order to set up BIMI, you must have already implemented DMARC, and the “p” tag must be set to enforcement (either quarantine or reject). Therefore, you cannot set up BIMI until you decide to change your “p” tag value from none to reject or quarantine. If you need help configuring your DMARC record, you can use a free tool like DMARC Record Wizard.
For more information on how to implement BIMI, check out this step-by-step guide by Validity.
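To check the DMARC “p” tag described above, and whether it satisfies the BIMI prerequisite, the TXT values published at `_dmarc.<your domain>` can be parsed as in the following added example (not Klaviyo's code). The function names, the sample record and example.com are assumptions made for illustration.

```python
# Added example: sample records are constructed; example.com is a placeholder.
POLICY_HANDLING = {
    "none": "monitoring only: failing mail is delivered as usual",
    "quarantine": "failing mail is moved to the spam folder",
    "reject": "failing mail is blocked or bounced",
}


class DmarcError(ValueError):
    """Raised when a TXT value is not a usable DMARC record."""


def parse_dmarc(txt):
    """Split one DMARC TXT value into a dict of tags, validating v= and p=."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise DmarcError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    # The version tag must come first and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise DmarcError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_HANDLING:
        raise DmarcError(f"missing or unknown p tag: {policy!r}")
    tags["p"] = policy
    return tags


def find_dmarc(txt_values):
    """Pick the DMARC record out of the TXT values published at _dmarc.<domain>."""
    found = [v for v in txt_values if v.strip().strip('"').startswith("v=DMARC1")]
    if len(found) != 1:
        # Zero or several records means receivers apply no DMARC policy.
        raise DmarcError(f"expected exactly one DMARC record, found {len(found)}")
    return parse_dmarc(found[0])


def bimi_prerequisite_met(tags):
    """BIMI needs the p tag at enforcement: quarantine or reject."""
    return tags["p"] in ("quarantine", "reject")


if __name__ == "__main__":
    monitoring = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]
    tags = find_dmarc(monitoring)
    print(tags["p"], "->", POLICY_HANDLING[tags["p"]])
    print("BIMI prerequisite met:", bimi_prerequisite_met(tags))
```

Publishing a second DMARC record by mistake, for example when a DNS provider already holds one and the manual setup adds another, makes `find_dmarc` raise rather than silently pick one of them.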