DNS Authentication

Learn why DNS authentication is paramount when it comes to deliverability and security.

As part of setting up a custom sending domain, you will have to authenticate that you own the domain through your DNS provider.

Email authentication provides verifiable information about the origin of your emails. In order for internet service providers (ISPs) to deliver your email immediately, proper authentication is crucial. Your outreach is considered fraudulent if it lacks authentication.

DNS authentication methods

Sender Policy Framework (SPF)

By using this method, you can verify that the IP address associated with your OneSignal email-sending account is authorized to send mail on your behalf. In the DNS settings, you publish SPF text records that serve as your basic authentication. DNS records will be checked by the receiving server for authenticity. This method is used to validate the sender of an email.

Your SPF record will be set up once OneSignal configures your IPs and domains. No further action is required beyond adding the DNS records we provide to you.

Domain Keys Identified Mail (DKIM)

The DKIM record confirms that your OneSignal email-sending domain is authorized to send mail on your behalf. This is designed to validate the sender’s authenticity and ensure the integrity of the message is preserved.

The DKIM uses an encrypted signature to inform the ISPs that the mail its delivering is the same as the mail that was sent by you. The ISPs will verify the signature against your public key, which is stored in your custom DNS record.

Mail Exchange Records (MX)

These are your receiving records. MX records are recommended for all domains, even if you are only sending messages. Unless you already have MX records for your domain pointing to another email server (e.g. Gmail), you should update the following records for optimal deliverability.

Without these MX records in place, you may see an increase in "Sender Domain Verification" errors, which are errors that the recipient server returns whenever your domain lacks MX records. By configuring your domain with MX records the "Sender Domain Verification" error gets a solution and is prevented from occurring in future cases.

Canonical Name (CNAME)

A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www or mail to the domain hosting that subdomain's content.

The CNAME record is necessary for tracking opens, clicks, and unsubscribes.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC authentication protocols add an additional layer of security to your domain.
This allows you to dictate how the ISPs should handle mail that has failed your DNS authentication checks.

Failures could suggest that others are trying to forge your domain or your emails. You can tell the ISPs to reject or quarantine the mail as well as inform you of this by sending you information about the false mail.

Learn more about DMARC & Sender Email Address.

How do I configure my domain for sending email through OneSignal?

To configure your domain for email, you will need to modify your domain's DNS records with your domain provider according to the directions provided by your ESP. Different email service providers have different requirements for which records need modifying, which likely include MX, CNAME, and TXT record types.


See our example on how to create a subdomain or add DNS records to a DNS provider on our Email Sending Domain Setup guide.

Below are links to how-to guides for some of the most popular domain providers. Please note that these guides are written by the domain providers and are not maintained by OneSignal.

Domain ProviderDocumentation Links
NamecheapDNS Questions
Network SolutionsHow do I manage DNS and advanced DNS records?
RackspaceMX, CNAME
HostGatorMX, CNAME
CloudflareManage DNS Records
DreamhostAdding custom DNS records
Dyn (Oracle DNS)Set up DNS
HoverManaging DNS records
Amazon Route 53Working with records

Can I use the same domain for multiple Email Service Providers?

You can use the same domain for sending emails from multiple ESPs but you can only use one email server to receive messages for a domain name.

If you want to use multiple ESPs for the same domain, then the MX records should be removed from one of your ESPs.
However, without these MX records in place, you might see an increase in "Sender Domain Verification" errors, which are errors that the recipient server returns whenever your domain lacks MX records.

You should configure your domain with MX records (either with OneSignal or an alternate incoming server) so the "Sender Domain Verification" error gets a solution, and is prevented from occurring in future cases.

To merge multiple SPF records, an example would be:

v=spf1 include:spf.mandrillapp.com include:mailgun.org -all