How to authenticate your domain for your newsletter

Google and Yahoo are rolling out new email rules in February 2024 in an effort to prevent spam in people’s inboxes. Starting on February 1, Gmail and Yahoo will block incoming emails from senders that don’t meet their new requirements.

That means you will have to make some changes in January to make sure readers will keep receiving your newsletters.

Many authors haven’t heard of those new requirements yet or they have no idea how to meet them. It does seem quite overwhelming and confusing, especially if you’re not very tech-savvy, but don’t despair. It’s doable, and I put together this guide to help you.

Overview of the new requirements for newsletters

  • Your newsletter needs to maintain a low average spam rate. It needs to stay below 0.1%, which means fewer than 1 spam report per 1,000 emails sent, and must never exceed 0.3%. I’ll blog about how to keep your spam rate low in the near future.
  • You need to send your newsletter from your own domain email, not a third-party email you don’t own such as @gmail.com or @yahoo.com. For example, if your author website is janesmith.com, your domain email might be: jane@janesmith.com. If you have been sending from a third-party email so far, check out my instructions below on how to change that.
  • You need to offer subscribers the option to unsubscribe with one click. I don’t just mean that you need an unsubscribe link at the bottom of your newsletter. The unsubscribe option needs to be in the header of your emails. I’ll tell you how to do that in the instructions below.
  • You need to verify and authenticate your domain so Google & Co will know it’s indeed you sending the newsletter and not someone impersonating you, a scam, or a phishing attempt. This process differs slightly depending on which newsletter service and which domain provider you’re using, but I’ll give you as many pointers as possible below.
  • If you’re using Mailerlite, you also have to align your domain. The process is similar to authenticating your domain. I’ll provide instructions below. Initially, Google said only bulk senders who send more than 5,000 emails on a single day need to do this step, but now it seems everyone will have to align their domain.
  • You need to set up a DMARC record in your domain. Google initially indicated only people who send more than 5,000 emails on a single day need to complete this step, but now it seems everyone will have to have a DMARC record if they are sending newsletters.

Enable one-click unsubscribe

As I said above, this is more than just having an unsubscribe link at the bottom of your newsletter. You need to have an unsubscribe option in the header of your newsletter. When you open a newsletter that has the one-click unsubscribe, the top of the email looks like this:

One-click unsubscribe

Every newsletter service differs in how you can add the one-click unsubscribe option to the header of your email. Here’s how to add it in the three most-used newsletter providers:

 

Mailchimp

Apparently, Mailchimp automatically adds the one-click unsubscribe button to your emails, so if you are sending out your newsletter with Mailchimp, you don’t have to do anything to add it.

 

New Mailerlite

  • Log in to your Mailerlite account and click “account settings” in the left-hand menu.
  • Click “unsubscribe settings.”
  • Click the “edit content” button.
  • Check the “unsubscribe immediately” option.
  • Save the changes.

 

Mailerlite Classic

  • Log in to your Mailerlite account and click on your profile picture in the top right corner.
  • Click “unsubscribe settings.”
  • If you just see a blank/gray field, click “migrate.” Don’t worry; it won’t migrate your entire account to the New Mailerlite. It will just renew the unsubscribe page so you can make the required changes.
  • Click the “edit” button.
  • If you want, you can edit your unsubscribe page—change the color of the button, etc.
  • Check the “unsubscribe immediately” option.
  • Save the changes.

Start sending your newsletter from a domain email

Starting on February 1, you need to send your newsletter from a domain email, e.g., jane@janesmith.com. You should no longer send any newsletters from a third-party email such as @gmail.com, @yahoo.com, or @hotmail.com.

If you have been sending your newsletter from a Gmail or other non-domain email so far, you have to add your website domain to your newsletter service.

To do that in New Mailerlite, go to “account settings,” then click “domains,” then click the green “add domain” button and enter your domain email.

Here’s a video tutorial that shows you every step.

Mailerlite then sends you an email to that email address. Open the email and click the confirmation link to verify that email.

If you are using Mailchimp, here are instructions on how to verify your domain email in Mailchimp.

Authenticate your domain

If you have already added a domain to your newsletter service, here’s how to authenticate it:

Domain authentication in the New Mailerlite

Mailerlite has a video tutorial on how to authenticate your domain. You might want to start by watching it.

  • Log in to your Mailerlite account, and go to “account settings” in the left-hand menu.
  • Click on “domains.”
  • Click on the gray “authenticate” button.
  • A window pops up, showing you the name and value for the DKIM and SPF record.
  • Now log in to your domain account. Locate the DNS page. Depending on your domain provider, it could be named DNS zone, DNS settings, or something that says “manage DNS” or similar. There should be a button or link where you can create a new DNS record. Mailerlite provides tutorials for some of the more popular domain hosters: Bluehost, Squarespace, Godaddy, Siteground, Name.com, Ionos, Wix, and Cloudflare.
  • Once you have located the DNS settings in your domain account, you have to create a new TXT record for the DKIM (or sometimes a CNAME record—check the Mailerlite window that tells you which one). If you have a drop-down menu named “type” or something similar that lets you select the type of record, choose TXT here. Copy the name of the DKIM (usually something such as ml._domainkey) from Mailerlite. Paste it into a field that says “name” or “host” or “host name” or “prefix.” Then go back to Mailerlite and copy the value. Go back to your domain account and paste it into a field that says “value” (or, depending on your domain provider, “answer” or “target” or “content” or “points to” or “alias to”). Then click something like “add.”
  • Create another new DNS record in your domain account. This one needs to be a TXT record. You usually leave the field for the host/name empty and just paste the value from Mailerlite into the value field. Then click something like “add.”
  • Head back to Mailerlite. Click “Check DNS record.”
  • Usually, it only takes a few minutes to get a green light, but it can take up to 24 hours for the domain to authenticate, so don’t worry if you get error messages at first.
  • If you still get error messages after 24 hours, go back to your domain account and check if you entered everything correctly. Common error sources: You might have to change the host field. Depending on your provider, you have to add or leave out the domain (ml._domainkey OR ml._domainkey.yourdomain). For SPF, you can only have one SPF record in your DNS zone. If you have an SPF record already, edit it instead of adding one. If it says there are multiple records, remove the old ones (but take screenshots or copy them first so you can undo the changes if you do something wrong). Click “Check DNS records” again. Here are some Mailerlite troubleshooting tips. You can also contact your domain provider to see if they can help you.

 

Domain authentication in Mailerlite Classic

Important:

If you are using a free Mailerlite Classic account, I would recommend migrating to the New Mailerlite before you authenticate your domain. Starting in February 2024, there will no longer be a free Mailerlite Classic, so you will either have to switch to a paid Mailerlite Classic account or migrate to a free New Mailerlite account. If you migrate to New Mailerlite, you will have to redo the domain authentication. Here’s my blog post with step-by-step instructions on how to safely migrate from Mailerlite Classic to New Mailerlite.

If you are using a paid Mailerlite Classic account now, you don’t have to migrate right now. But once you do, you will have to redo your domain authentication.

The first thing you might want to do is to watch this Mailerlite Classic tutorial that shows you how to authenticate your domain.

Here are the step-by-step instructions:

  • Log in to your Mailerlite Classic account and click on your profile picture in the top right corner.
  • Click on “domains.”
  • Click on the gray “authenticate” button.
  • A window pops up, showing you the name and value for the DKIM and SPF record.
  • Now log in to your domain account. Locate the DNS page. Depending on your domain provider, it could be named DNS zone, DNS settings, or something that says “manage DNS” or similar. There should be a button or link where you can create a new DNS record. Mailerlite provides tutorials for some of the more popular domain hosters: Bluehost, Squarespace, Godaddy, Siteground, Name.com, Ionos, Wix, and Cloudflare.
  • Once you have located the DNS settings in your domain account, you have to create a new TXT record for the DKIM (or sometimes a CNAME record—check the Mailerlite window that tells you which one). If you have a drop-down menu named “type” or something similar that lets you select the type of record, choose TXT here. Copy the name of the DKIM (usually something such as ml._domainkey) from Mailerlite. Paste it into a field that says “name” or “host” or “host name” or “prefix.” Then go back to Mailerlite and copy the value. Go back to your domain account and paste it into a field that says “value” (or, depending on your domain provider, “answer” or “target” or “content” or “points to” or “alias to”). Then click something like “add.”
  • Create another new DNS record in your domain account. This one needs to be a TXT record. You usually leave the field for the host/name empty and just paste the value from Mailerlite into the value field. Then click something like “add.”
  • Head back to Mailerlite. Click “Check DNS record.”
  • Usually, it only takes a few minutes to get a green light, but it can take up to 24 hours for the domain to authenticate, so don’t worry if you get error messages at first.
  • If you still get error messages after 24 hours, go back to your domain account and check if you entered everything correctly. Common error sources: You might have to change the host field. Depending on your provider, you have to add or leave out the domain (ml._domainkey OR ml._domainkey.yourdomain). For SPF, you can only have one SPF record in your DNS zone. If you have an SPF record already, edit it instead of adding one. If it says there are multiple records, remove the old ones (but take screenshots or copy them first so you can undo the changes if you do something wrong). Click “Check DNS records” again. Here are some Mailerlite troubleshooting tips. You can also contact your domain provider to see if they can help you.
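
Editing an existing SPF record instead of adding a second one, as both Mailerlite instruction lists above require, comes down to merging two values into a single line. The following is an added example, not code from Mailerlite or any domain provider: the record values and the ZONE table are constructed sample data on example domains, and merge_spf and count_lookups are hypothetical helper names. It also counts the DNS-querying terms in the merged record, because an SPF check allows at most 10 of them (RFC 7208).

```python
"""Merge two SPF TXT values into one record and count its DNS lookups."""

# Terms that each cost one DNS lookup during an SPF check (RFC 7208, 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
ALL_STRENGTH = {"+": 0, "?": 1, "~": 2, "-": 3}   # weakest to strictest

# Constructed sample values on example domains, not real provider records.
EXISTING = "v=spf1 mx include:_spf.mailhost.example ~all"
FROM_NEWSLETTER = "v=spf1 a mx include:_spf.newsletter.example ?all"
ZONE = {  # stands in for live DNS: name -> SPF value published there
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.newsletter.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def split_spf(record):
    """Return (terms, all_term) for one SPF value; reject anything else."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms, all_term = [], None
    for term in parts[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_term = term.lower() if term[0] in ALL_STRENGTH else "+all"
        else:
            terms.append(term)
    return terms, all_term


def merge_spf(existing, addition):
    """Combine two SPF values into the single record a domain may publish."""
    terms_a, all_a = split_spf(existing)
    terms_b, all_b = split_spf(addition)
    merged, seen = [], set()
    for term in terms_a + terms_b:
        if term.lower() not in seen:             # drop duplicate mechanisms
            seen.add(term.lower())
            merged.append(term)
    # Design choice of this example: keep the stricter "all"; default ~all.
    endings = [t for t in (all_a, all_b) if t]
    final = max(endings, key=lambda t: ALL_STRENGTH[t[0]]) if endings else "~all"
    return " ".join(["v=spf1", *merged, final])


def term_name(term):
    """Name of a term without its qualifier, argument or CIDR suffix."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def count_lookups(record, zone, depth=0):
    """Count DNS-querying terms, following include/redirect through `zone`."""
    if depth > 10:
        raise ValueError("include loop or excessive nesting")
    total = 0
    for term in split_spf(record)[0]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1].lower()
            if target in zone:                   # unknown targets count once
                total += count_lookups(zone[target], zone, depth + 1)
    return total


if __name__ == "__main__":
    merged = merge_spf(EXISTING, FROM_NEWSLETTER)
    print(merged)
    print("DNS lookups:", count_lookups(merged, ZONE), "of 10 allowed")
```

The merged value replaces the old SPF record in the DNS settings; the old record is edited, never kept alongside it.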

 

Domain authentication in Mailchimp

Note: Since I use Mailerlite, I haven’t personally authenticated my domain for Mailchimp, but I watched a few tutorials so I could add instructions for any author who uses Mailchimp.

  • Log in to your Mailchimp account and click on your profile picture.
  • Click “account & billing.”
  • Click “domains.”
  • Click “start authentication.”
  • Choose your domain provider from the drop-down or choose “other” if it isn’t in the list.
  • Log in to your domain provider account.
  • Create the two DNS records Mailchimp asks for. Check out my Mailerlite instructions for more details.
  • Back in Mailchimp, click “next.”
  • Mailchimp will email you once your domain is authenticated.

Align your domain

Once you have authenticated your domain, you also need to align it if you are using Mailerlite. Don’t worry; if you have successfully authenticated it, this is a similar process.

Domain alignment in the New Mailerlite

Here’s a Mailerlite tutorial that shows the process.

  • Log into your Mailerlite account, and go to “account settings” in the left-hand menu.
  • Click on “domains.”
  • Click the gray “add custom domain” button.
  • Where it says “subdomain prefix,” enter a name for the subdomain. My suggestion would be to go with something such as “newsletter.”
  • Click “add.”
  • Click “check DNS record.”
  • A window pops up, showing you the names and values for the A-record, MX-record, and TXT-record.
  • Log into your domain provider account and navigate to the DNS settings, as you did with the authentication (see instructions above).
  • Now here’s something that differs from domain provider to domain provider: For some, you have to create a subdomain, while in others, it works without it. Here’s what I personally did: I created a subdomain named “newsletter” (e.g., newsletter.janesmith.com), but other authors report managing to align their domain without creating a subdomain in their domain account. If you do create a subdomain, the name needs to match the subdomain prefix you entered into Mailerlite.
  • Create an A-record. If there’s a drop-down menu where you can choose the type of record, it needs to be “A.” Into the name field, copy the name of your subdomain, e.g., newsletter.yourdomain.com. Copy the value from Mailerlite and paste it into the field called “IP address.”
  • Create an MX-record. If there’s a drop-down menu where you can choose the type of record, it needs to be “MX.” Copy the name from Mailerlite and paste it into the “name” or “host” field in your domain account. Copy the value from Mailerlite and paste it into the “value” field.
  • Create a TXT-record. If there’s a drop-down menu where you can choose the type of record, it needs to be “TXT.” Copy the name from Mailerlite and paste it into the “name” or “host” field in your domain account. Copy the value from Mailerlite and paste it into the “value” field.
  • Go back into Mailerlite and click “check DNS records.”
  • If it worked, you get an on/off switch beneath “domain alignment” that you then toggle to “on.”

 

Domain alignment in Mailerlite Classic

Here’s a helpful tutorial from Mailerlite on domain alignment.

  • Log into your Mailerlite Classic account and click on your profile picture in the top right corner.
  • Click on “domains.”
  • Click the gray “add custom domain” button for the domain alignment.
  • Where it says “subdomain prefix,” enter a name for the subdomain. My suggestion would be to go with something such as “newsletter.”
  • Click “add.”
  • Click “check DNS record.”
  • A window pops up, showing you the names and values for the A-record, MX-record, and TXT-record.
  • Log into your domain provider account and navigate to the DNS settings, as you did with the authentication (see instructions above).
  • Now here’s something that differs from domain provider to domain provider: For some, you have to create a subdomain, while in others, it works without it. Here’s what I personally did: I created a subdomain named “newsletter” (e.g., newsletter.janesmith.com), but other authors report managing to align their domain without creating a subdomain in their domain account. If you do create a subdomain, the name needs to match the subdomain prefix you entered into Mailerlite.
  • Create an A-record (Type: A). Into the name field, copy the name of your subdomain, e.g., newsletter.yourdomain.com. Copy the value from Mailerlite and paste it into the field called “IP address.”
  • Create an MX-record (Type: MX). Copy the name from Mailerlite and paste it into the “name” or “host” field in your domain account. Copy the value from Mailerlite and paste it into the “value” field.
  • Create a TXT-record (Type TXT). Copy the name from Mailerlite and paste it into the “name” or “host” field in your domain account. Copy the value from Mailerlite and paste it into the “value” field.
  • Go back into Mailerlite and click “check DNS records.”
  • If it worked, you get an on/off switch beneath “domain alignment” that you then have to switch on (click on it so it appears green).

Set up a DMARC record

Mailerlite doesn’t tell you this, but there’s still one step left to do after aligning your domain: you have to add a DMARC record to your domain account.

  • Log in to your domain account and go to the DNS page/settings, as you did when you authenticated your domain.
  • Add a new TXT record.
  • In the name field, enter the following: _dmarc (without a period at the end).
  • In the value field, copy in: v=DMARC1; p=none; rua=mailto:XXX; (replace the “XXX” with your email address and make sure to copy the semicolon at the end). You will get a report sent to that email address any time there’s a problem with the deliverability of your newsletter.

Note: The p= is the DMARC policy tag. Here, you decide what should happen to emails that fail the DMARC verification check. There are basically three options: p=none means nothing will happen; the email will still end up in the recipient’s inbox. That’s a good setting to start with. It allows you to monitor the reports you get for a while and make sure everything runs smoothly. After a while, you can switch to a stricter policy to prevent phishing. For example, you could change p=none to p=quarantine, which means an email that fails verification will end up in the spam folder, or p=reject, which means an email that fails verification won’t be delivered at all.
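
A quick way to catch a mistyped DMARC value before pasting it into the DNS settings, as an added example that is not part of the original guide. The function names are hypothetical, FILLED uses the guide's own sample address, and the address check is deliberately simple (it only looks for a mailto: URI with something@domain.tld).

```python
"""Validate a DMARC TXT value before pasting it into the DNS settings."""

# What each policy does to mail that fails the DMARC check.
POLICIES = {
    "none": "failing mail is still delivered",
    "quarantine": "failing mail goes to the spam folder",
    "reject": "failing mail is not delivered",
}

# The guide's template with the placeholder left in, and a filled-in version.
TEMPLATE = "v=DMARC1; p=none; rua=mailto:XXX;"
FILLED = "v=DMARC1; p=none; rua=mailto:jane@janesmith.com;"


def parse_dmarc(value):
    """Split a DMARC value into an ordered list of (tag, value) pairs."""
    pairs = []
    for chunk in value.strip().strip('"').split(";"):
        chunk = chunk.strip()
        if not chunk:                      # a trailing semicolon is allowed
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag: {chunk!r}")
        tag, val = chunk.split("=", 1)
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs


def check_dmarc(value):
    """Return a list of problems found; an empty list means none were found."""
    try:
        pairs = parse_dmarc(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    tags = dict(pairs)
    # The version tag must come first and is case-sensitive.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        problems.append(f"p= must be one of {sorted(POLICIES)}, got {policy!r}")
    # rua may list several report addresses separated by commas.
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        address = uri[len("mailto:"):] if uri.lower().startswith("mailto:") else ""
        local, _, domain = address.partition("@")
        if not (local and "." in domain):
            problems.append(f"rua= needs mailto:you@yourdomain, got {uri!r}")
    if policy == "none" and "rua" not in tags:
        problems.append("p=none without rua= sends no reports to monitor")
    return problems


def effect_on_failing_mail(value):
    """Describe what the record's policy does to mail that fails DMARC."""
    return POLICIES[dict(parse_dmarc(value))["p"].lower()]


if __name__ == "__main__":
    for record in (TEMPLATE, FILLED):
        print(record, "->", check_dmarc(record) or "ok")
```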

Once you’ve set up a DMARC record, complete the steps below to double-check if everything works as it should.

Check to make sure everything is working

Once you have authenticated and aligned your domain and added a DMARC record, here are a few steps to take to make sure everything is working as it should:

  • Check to see if your regular domain email is working by sending a test email to that account and from that account.
  • Send a test newsletter to your own Gmail account. To do that, create a group in Mailerlite (or a tag in Mailchimp) that you call “test” or something like that and add just your own Gmail account to that group. If you don’t have a Gmail account, ask a friend who has one if you can use theirs. Then create a test newsletter and send it to that test group consisting just of you. Once you’ve sent out the test newsletter, log in to your Gmail account and look for the newsletter. Open it. In the header, click on the three dots on the very right. In the menu that appears, click “show original.” Here, it needs to say SPF: PASS. DKIM: PASS with domain xxx (where xxx is your domain URL). DMARC: PASS.
  • In the test email I described above, you can also see if you set up the one-click unsubscribe correctly. Click on the three dots and then “show original.” In the code beneath the header, look for the line that says “list-unsubscribe.” It should say something such as: List-Unsubscribe=One-Click.
  • Use a free SPF checker to make sure you added the SPF record correctly. All you have to do is to enter your website URL (without a https:// or a www.) and then click “check SPF record.”
  • Use a free DKIM checker to make sure you added the DKIM record correctly. All you have to do is to enter your website URL (without a https:// or a www.) and your selector. Here are instructions on how to find your selector. Then click “check DKIM record.”
  • Use a free DMARC checker to make sure you added the DMARC record correctly. All you have to do is to enter your website URL (without a https:// or a www.) and then click “check DMARC record.”
  • If you receive an emailed report from Google, check it to see if there are any problems, but don’t panic if anything says “fail.” It might be your regular email, not your newsletter. As long as you pass all the tests described above, especially that test newsletter sent to a Gmail account, you should be good to go for February 1!
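
The “show original” checks from the list above can also be run on the saved message text, as an added example that is not part of the original guide. SAMPLE is a constructed message, the function names are hypothetical, and the domain comparison is a simplification (the signing domain must equal your domain or be a subdomain of it).

```python
"""Check a saved "show original" message for the results the checklist expects."""
import re
from email import message_from_string

# Constructed sample of the headers Gmail's "show original" view contains.
SAMPLE = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@janesmith.com header.s=ml header.b=AbCdEfGh;\n"
    "       spf=pass (google.com: domain of bounce@newsletter.janesmith.com"
    " designates 192.0.2.25 as permitted sender)"
    " smtp.mailfrom=bounce@newsletter.janesmith.com;\n"
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=janesmith.com\n"
    "From: Jane Smith <jane@janesmith.com>\n"
    "List-Unsubscribe: <https://unsub.example/u/abc123>,"
    " <mailto:unsubscribe@newsletter.janesmith.com>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "Subject: Test newsletter\n"
    "\n"
    "Hello from the test group.\n"
)


def auth_results(msg):
    """Map each method (spf, dkim, dmarc) to (result, properties dict)."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", " ", header)       # drop (comments)
        for clause in text.split(";")[1:]:             # first part names the server
            match = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
            if not match:
                continue
            method, result, rest = match.groups()
            method, result = method.lower(), result.lower()
            # Keep a pass if the same method is reported more than once.
            if found.get(method, ("",))[0] != "pass":
                found[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return found


def same_or_sub(name, domain):
    """True if `name` is `domain` itself or one of its subdomains."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return bool(name) and (name == domain or name.endswith("." + domain))


def check_newsletter(raw, my_domain):
    """Return {check name: bool} for the items the checklist looks for."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    dkim_result, dkim_props = results.get("dkim", ("missing", {}))
    signer = dkim_props.get("header.d") or dkim_props.get("header.i", "").rpartition("@")[2]
    post = (msg.get("List-Unsubscribe-Post") or "").strip().lower()
    unsub = (msg.get("List-Unsubscribe") or "").lower()
    return {
        "spf": results.get("spf", ("missing",))[0] == "pass",
        "dkim": dkim_result == "pass",
        "dkim_domain_is_mine": same_or_sub(signer, my_domain),
        "dmarc": results.get("dmarc", ("missing",))[0] == "pass",
        # One-click needs the Post header plus an https link (RFC 8058).
        "one_click_unsubscribe": post == "list-unsubscribe=one-click"
        and "<https://" in unsub,
    }


if __name__ == "__main__":
    for name, ok in check_newsletter(SAMPLE, "janesmith.com").items():
        print(f"{name}: {'PASS' if ok else 'CHECK THIS'}")
```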

Comment below and let us know how your authentication is going

Have you already authenticated your domain? How is it going? Please comment below if you run into any problems. Or if you managed to do everything successfully, provide helpful tips in the comments for people who might be using the same domain provider. Did you have to set up a subdomain in your domain account? Please provide details to help out your fellow authors!

30 Responses

  1. Only the DKIM shows “PASS” in the header of my test email, but everything passed in the checker sites. So I looked in the code, and it does say spf=pass and dmarc=pass in the code, just not in the header. So if anyone else runs into that issue, maybe check the code for those.

    1. Update: I sent a test email to a different gmail address and all the passes showed in the header.

      Thanks SO much for this! This has been the best explanation I’ve seen!

  2. Sandra, this was so easy to follow!!! thanks so much, I’m all done and authenticated and checked and tested and everything!

    1. Yay! Congratulations! I’m glad my instructions helped! Did you end up creating a subdomain in your domain provider?

  3. This was really stressful trying to work out everything, but with your comprehensive directions I’m pretty sure I’ve got it all up and running smoothly now.
    Thank you so much Jae.

  4. Oof, I had no idea this was coming/how it affected us. Thanks for the heads up and very detailed instructions! I’m waiting for things to process, but that should be the last step. It’s been a hot minute since I had to mess around in cPanel and I forgot how much I don’t like it haha.

  5. Thank you so much for this, Jae. I especially appreciated the “Check to make sure everything is working” section. I haven’t seen that in other instructions. After I went through all the steps it was a wonderful reward to do the checks and get all the right PASS responses and see the Unsubscribe=one click 🙂 Otherwise, I would have second guessed whether I did everything right. I use Bluehost.

    1. Yeah, I hate “flying blind” and just trusting that everything is working, so I think it’s best to check instead of assuming.

  6. This has been super helpful, Jae. It’s taken me over a week, but most things look good.

    Did anyone else run into issues with the SPF Record Checker? Mine says “Warning, we have found some isseus. The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability.” I’d really like to avoid paying to use a service to fix it, as the site is suggesting.

    1. I think it helps to understand what SPF even is. In simple terms, it’s like a list of approved email services that are allowed to send emails for your domain. Every time you send out an email/newsletter, that list is checked to make sure the email is coming from a legitimate source.

      So if your SPF record includes a too-long list of services that can send emails on your domain’s behalf, it will result in too many DNS lookups.

      I would suggest taking a close look at your SPF record.

      For example, if yours is something like this:
      v=spf1 include:_spf.example.com include:spf.messaging-service.com include:spf.email-provider.net include:spf.another-service.com include:_spf.another-provider.com include:_spf.third-party.com mx ~all

      Each of the “includes” triggers a DNS lookup whenever you send out a newsletter.

      The solution is consolidating the SPF, but that’s above my paygrade. I would suggest contacting your domain provider to see if they can help.

  7. Thanks for this guide, Jae. I’ve followed all the instructions but I’m not getting very far. My domain provider is IONOS and I also have my email with them. They’ve told me I can’t change the SPF record. I added the DKIM record and Mailerlite says it’s okay but when I run my domain through a checker the record isn’t showing. I’ve spent half the day on it. Will have to try again tomorrow.

    1. Your DKIM actually looks good. The record just needed some time to propagate; that’s all.

      However, you do need to add the values Mailerlite gave you to your existing SPF record. You can only have ONE SPF record per domain, so you can’t add a second, but you can change the existing one to include both the information ML gave you plus the values that were already there, so your regular email keeps working. You’ll have to merge those two values. Feel free to email me and I can help.

  8. I appreciate how thorough this is! Unfortunately, it doesn’t appear possible to actually do any of this with free versions of anything. Are there any work arounds at all? I definitely can’t afford the $100s it would cost in account upgrades to actually do this.

    1. Completely free? Probably not. You need your own domain to get authenticated, so you need to pay for that. But that’s relatively affordable. If you have only a small number of subscribers, there are newsletter services that allow you to authenticate without upgrading to a paid version.

  9. Thank you, Jae! After weeks of rereading your blog and “fixing” things, I finally passed everything on the list. You are a gem. Thanks for all you do for the writing community!
