For the Max Classic/Ultimate editions of Keap, please refer to this article: Email Authentication (DKIM, DMARC, and SPF)
Table of contents
- Why Domain Authentication is Required
- What are DKIM and DMARC?
- Step-by-Step Process for Authenticating Your Domain in Keap
- Additional help/FAQs
Why Domain Authentication is Required
Major mailbox providers including Google, Yahoo, and Microsoft now require authenticated sending domains to strengthen ecosystem security and reduce spam, phishing, and spoofing. These requirements ensure that only verified senders can deliver mail at scale and that users are protected from impersonation attacks.
Keap aligns with these industry standards to maximize your deliverability and safeguard your sending reputation. To comply, you must send from a custom domain that is fully authenticated with DKIM and aligned with DMARC. These protocols verify that your messages are legitimate, improve inbox placement, and prevent bad actors from sending mail that appears to come from your domain.
Following the steps below (or watching the setup video) will ensure your domain meets current provider requirements and is eligible for reliable delivery.
If you'd like to see Greg Jenkins from our partner Monkeypod walk you through the process, simply click the link below.
What are DKIM and DMARC?
- DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails, verifying they were sent from your domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Specifies how email providers should handle unauthorized emails.
Step-by-Step Process for Authenticating Your Domain in Keap
- Access Email Authentication Settings
- Pro/Max Edition: Click on your profile picture in the bottom left corner, select Settings, and navigate to the Domains page.
- Ultimate/Classic Edition: Click on the hamburger menu dropdown, select Marketing > Settings, and click on Email Authentication.
- Add Your Domain
Add Your Domain
- Click on the + Connect Email Domain button
- Enter your domain
- Select your domain host from the dropdown list. If unsure of your domain host, use this tool.
- Verify Your DMARC Record
- Before creating a new DMARC record, it’s important to check if one already exists for your domain—you should only have one DMARC record.
- If you already have a DMARC record, leave the “Create or Update DMARC Record” checkbox unchecked.
- Not sure if you have a DMARC record? Use the free tool from Dmarcian: Just enter your domain and click “Inspect the Domain” to see if a DMARC record is already in place.
- You can also check directly by logging into your DNS provider and reviewing your DNS records for an existing DMARC entry
- Create Your DMARC Record:
- If you do not have a DMARC record, or you want Keap to generate one for you:
- Check the “Create or Update DMARC Record” box.
- Keap recommends the following settings:
- Policy: Quarantine
- Quarantine Percentage: 5%
- Enter an email address you have access to. This address will receive DMARC aggregate reports from providers to help you monitor for unauthorized use of your domain.
- Generate and Add DKIM & DMARC Records:
- For your DKIM records Keap will generate 3 CNAME records that will look like:
- Click on the record to copy it (do not highlight manually to avoid copying extra text).
- In your domain’s DNS settings, add these as CNAME records:
- Depending on your DNS provider, the fields for entering these keys may be labeled as "Host" and "Points to" or "Name" and "Value." Enter the keys in the provided order, from left to right, regardless of the labeling.
- For adding your DMARC record
- In your domain's DNS settings, add a TXT record for DMARC:
- Host: _dmarc.yourdomain.com
- Value: v=DMARC1; p=quarantine; pct=5; rua=mailto:your-email@yourdomain.com
- Domain Verification:
- Add all of the keys provided to your DNS provider
- Once all records are added to your DNS provider, click Finish in Keap.
- You’ll return to the Domains or Email Authentication page, where your domain status will show as Pending or Connected.
- It may take 24-48 hours for your domain to connect. If it remains pending for longer, verify your DNS entries using the DIG tool mentioned earlier.
- Start Sending From Your Authenticated Domain
- Once the domain you want to send email from shows as “Connected”:
- For Pro/Max, navigate to the profile settings page by clicking the profile icon in the lower left corner, then click the top selection to open profile settings.
- Once you’ve updated the email address to use a connected domain, click Update.
- For Classic, to update the email associated with your profile, click the profile icon → Edit my profile.
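The single-record rule and the recommended DMARC values from the steps above can be checked in code once you have the TXT answers for `_dmarc.yourdomain.com`. This is an added example, not Keap's own tooling: the function names and the sample records are constructed for illustration, and fetching the TXT answers from DNS is left to your resolver or DNS console.

```python
# Added example: sanity-check the TXT answers returned for _dmarc.<domain>.
# All sample records are constructed; this is not Keap's own tooling.

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return (tags, findings); an empty findings list means no problems."""
    dmarc = [t for t in map(parse_dmarc, txt_records) if t.get("v") == "DMARC1"]
    if not dmarc:
        return {}, ["no DMARC record found"]
    if len(dmarc) > 1:
        # RFC 7489: with multiple records, receivers apply no DMARC policy.
        return {}, [f"{len(dmarc)} DMARC records found; only one is allowed"]
    tags, findings = dmarc[0], []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not (pct.isdecimal() and 0 <= int(pct) <= 100):
        findings.append(f"pct={pct} is not an integer from 0 to 100")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua= address; aggregate reports will not be sent")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        findings.append("rua= contains an entry that is not a mailto: URI")
    return tags, findings

RECOMMENDED = "v=DMARC1; p=quarantine; pct=5; rua=mailto:your-email@yourdomain.com"
SAMPLES = {  # constructed TXT answers
    "recommended": [RECOMMENDED],
    "duplicate": [RECOMMENDED, "v=DMARC1; p=none"],
    "no dmarc": ["some-unrelated-verification-token"],
    "bad pct": ["v=DMARC1; p=quarantine; pct=5%"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        tags, findings = check_dmarc(records)
        print(f"{name}: p={tags.get('p')} pct={tags.get('pct')} -> {findings or 'OK'}")
```
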
Additional help/FAQs
DNS Guides: You'll need to create CNAME and TXT entries in your DNS records. If you're unsure how, contact your DNS provider for assistance, as steps may vary. Here are links to help articles for common DNS providers:
- GoDaddy
- Cloudflare
- BlueHost
- Host Gator
- DreamHost
- Liquid Web
- In-Motion
- Amazon CloudFront
- Google Cloud
Handling Domain Conflicts:
- If the CNAME keys are already in use, click on the "Conflict with your domain?" dropdown to enter a custom subdomain prefix.
- If your domain authentication is stuck in "Pending": If you previously had your domain authenticated within Keap and it has been stuck in the Pending status for more than 48 hours, click the edit button (pictured below) and go through the steps above. If you have already copied over the appropriate records, just click Confirm when you get to the records page. If your records have been verified, the domain will move to Connected; if it is still verifying, it will remain in the Pending status until verification is completed.