Email Domain Authentication

This article explains how to authenticate your email sending domain in Reteno using SPF and DKIM DNS records. Domain authentication helps mailbox providers verify that Reteno is allowed to send emails on behalf of your domain and reduces the risk of sender forgery.

You will learn how to choose one of the available configuration methods — Full, Full +, or Subdomain — add the required DNS records, configure forwarding when needed, and verify the domain status in Reteno.

Before You Start

Make sure you have:

  • Access to the DNS settings of the domain or subdomain you want to authenticate.
  • A domain or subdomain that will be used in the sender address.
  • Access to mailbox or forwarding settings if you use the Full method and need to configure forwarding for bounce+* addresses.
  • Enough time for DNS changes to propagate. Some DNS servers may need up to 48 hours to apply changes.

How Email Domain Authentication Works

Reteno uses two main mechanisms to authenticate your sending domain:

  • DKIM (DomainKeys Identified Mail) allows Reteno to sign emails with a private key. Recipient mail servers verify the signature using a public key stored in your domain's DNS records.
  • SPF (Sender Policy Framework) checks whether an email was sent from a server authorized in the domain's DNS records.

Together, these mechanisms increase mailbox providers' trust in your messages and reduce the likelihood that legitimate emails are identified as spam.

Set Up a Configuration Method

Reteno supports three domain configuration methods.

| Method | Use when | What it covers |
|---|---|---|
| Full | You want to authenticate emails sent from the main domain, for example @yourdomain.com. | Emails sent from mailboxes on the main domain. Requires forwarding for bounce+* addresses. |
| Full + | You want the most complete setup for the main domain and subdomains. | Emails sent from the main domain and selected subdomains. Recommended when available. |
| Subdomain | You want to send campaigns from a dedicated subdomain or separate marketing email reputation from other email streams. | Emails sent from a specific subdomain, for example @promo.yourdomain.com. Reteno handles spam complaints and errors automatically for the selected subdomain. |

We recommend using Full + when possible. If this method is not available because of DNS, mailbox, or infrastructure restrictions, use Subdomain.

Method 1: Full

Use the Full method to authenticate emails sent from mailboxes on the main domain, for example @yourdomain.com.

  1. Go to Settings → Domain verification and click New domain.
  2. Click Complex server configuration.

The Full configuration method is selected by default.

  3. Click Next.
  4. Enter your domain and click Start verification.

Note

Use your domain name instead of yourdomain.com.

Reteno checks your domain's DNS records and shows which records need to be created or updated.

  5. Copy each value from the Name and Data fields and add it to the corresponding DNS record type for your domain.
  6. Set up automatic forwarding for all emails sent to bounce+* addresses on your domain to [email protected].

In bounce+*, the asterisk means that any number of valid characters can appear after bounce+.

If your domain mail is hosted on Google servers, the setup is usually simpler because Google ignores the suffix after the plus sign in the email address. In this case, create a bounce mailbox and configure forwarding of all incoming emails to [email protected].

If your mail service does not support plus addressing, set up a mailbox that receives messages sent to non-existent addresses. In this mailbox, create a filter:

  • If an email is sent to an address starting with bounce+, forward it to [email protected].
  • If an email is sent to any other non-existent mailbox, delete it.

Reteno checks whether forwarding works during domain verification.

Note

We also recommend forwarding copies of emails sent to the abuse address on your domain to [email protected]. This helps us respond to complaints promptly.

  7. Return to Reteno and click Verify domain.

After successful verification, the domain status changes to Domain verified.

Note

Some DNS servers need up to 48 hours to apply all changes.

Example of email headers in Gmail after domain verification:

[Image: Gmail email headers showing DKIM signatures after Full domain verification]

The email is signed using DKIM for both the Reteno domain and your domain.

Method 2: Full +

Use the Full + method to authenticate emails sent from the main domain and subdomains. This method provides the highest level of protection and is recommended when available.

  1. Go to Settings → Domain verification and click New domain.
  2. Enter the domain name.
  3. Enter an unused name for the technical domain. For example, use email, promo, support, or another name. In the example below, sub is used.
  4. Click Start verification.

Reteno checks your domain's DNS records and shows which records need to be created or updated.

  5. Copy each value from the Name and Data fields and add it to the corresponding DNS record type for your domain.
  6. Return to Reteno and click Verify domain.

After successful verification, the domain status changes to Domain verified.

Example of email headers in Gmail after domain verification:

[Image: Gmail email headers showing DKIM signatures after Full plus domain verification]

The email is signed using DKIM for both the Reteno domain and your domain.

Method 3: Subdomain

Use the Subdomain method to authenticate emails sent from a dedicated subdomain, for example @promo.yourdomain.com.

This method is useful when you want to separate the reputation of marketing campaigns from transactional or other email streams. With this method, spam complaints and errors are handled automatically for the selected subdomain.

  1. Go to Settings → Domain verification and click New domain.
  2. Click Complex server configuration.
  3. Select Subdomain and click Next.
  4. Enter the subdomain and click Start configuration.

Reteno checks your subdomain's DNS records and shows which records need to be created or updated.

  5. Copy each value from the Name and Data fields and add it to the corresponding DNS record type for your subdomain.
  6. Return to Reteno and click Verify domain.

After successful verification, the domain status changes to Domain verified.

Example of email headers in Gmail after domain verification:

[Image: Gmail email headers showing DKIM signatures after Subdomain verification]

The email is signed using DKIM for the Reteno domain and your subdomain.
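The same check can be made from a message's raw headers instead of the Gmail view. The following is an added example, not Reteno code: it lists the signing domains in the DKIM-Signature headers and compares them with the dkim=pass verdicts in Authentication-Results. The message is constructed, and esp.example, the selectors and the bh=/b= values are placeholders because the page does not give the provider's signing domain.

```python
import re
from email import message_from_string

# Constructed message: esp.example stands in for the provider's signing
# domain; selectors and bh=/b= values are placeholders, not real signatures.
RAW = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourdomain.com header.s=sel1;
 dkim=pass header.i=@esp.example header.s=sel2;
 spf=pass smtp.mailfrom=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;
 s=sel2; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Shop <news@yourdomain.com>
To: user@example.org
Subject: constructed sample

body
"""

def dkim_signatures(raw):
    """Return (d=, s=) for every DKIM-Signature header in the message."""
    out = []
    for value in message_from_string(raw).get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            key, sep, val = part.partition("=")
            if sep:  # strip folding whitespace from inside tag values
                tags[key.strip().lower()] = re.sub(r"\s+", "", val)
        out.append((tags.get("d", "").lower(), tags.get("s", "")))
    return out

def dkim_pass_domains(raw):
    """Domains the receiving server reported as dkim=pass."""
    found = set()
    pattern = r"dkim=(\w+)[^;]*?header\.[id]=(?:[^\s;@]*@)?([\w.-]+)"
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        for verdict, domain in re.findall(pattern, value):
            if verdict.lower() == "pass":
                found.add(domain.lower())
    return found

def unsigned_domains(raw, expected):
    """Expected signing domains that lack a signature or a pass verdict."""
    signed = {d for d, _ in dkim_signatures(raw)}
    passed = dkim_pass_domains(raw)
    return sorted(e for e in expected if e not in signed or e not in passed)
```

Only an Authentication-Results header added by your own receiving server is trustworthy; a sender can insert a forged one further down the header block.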

Note

  • With the Subdomain method, all mail for the selected subdomain arrives at Reteno mail servers and is forwarded to the address specified in the reply field.
  • The reply address must be valid. Review this mailbox regularly and respond to incoming emails.
  • Recipients can reply to your emails or request to unsubscribe from campaigns. Such requests must be processed promptly.

You can also follow the dedicated guide to set up email domain authentication on Cloudflare.

Verify Domain Settings

After you add or update the required DNS records, return to Settings → Domain verification in Reteno and click Verify domain.

If the setup is correct, the domain status changes to Domain verified.

If Reteno detects issues with the DNS records, a warning appears next to the verification status.

Click the warning to view the recommended changes.

Make the recommended changes in your DNS provider, and then click Refresh in Reteno.

You can also use external DNS tools to check whether your records are available to mail servers:

Additional DNS Settings

If necessary, you can grant Reteno access to Google Postmaster Tools analytics. To do this, add the TXT or CNAME record provided by Reteno to your DNS settings.

Read Google's documentation to learn more about Google Postmaster Tools DNS verification.

Troubleshooting

Domain Verification Fails

Check that each DNS record was added with the exact Name and Data values shown in Reteno. Also make sure the record type is correct.

If you added the records recently, wait until DNS propagation is complete. Some DNS servers may need up to 48 hours to apply changes.

SPF Record Is Invalid

Use an SPF validation tool to check whether the SPF record is generated correctly and does not exceed standard SPF limitations.
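Two of the limits such a tool checks are that a domain publishes exactly one SPF record and that evaluating it needs no more than 10 DNS lookups (RFC 7208). The following added example, which is not Reteno code, applies both checks offline; the ZONE dictionary is constructed data standing in for live DNS, and every name in it is a placeholder.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check

# Constructed TXT data standing in for live DNS; every name is a placeholder.
ZONE = {
    "yourdomain.com": ["v=spf1 mx include:_spf.esp.example include:_spf.mail.example ~all",
                       "site-verification=constructed"],
    "_spf.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.mail.example": ["v=spf1 include:a.mail.example include:b.mail.example -all"],
    "a.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.mail.example": ["v=spf1 a mx ip6:2001:db8::/32 -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.esp.example -all"],
    "heavy.example": ["v=spf1 a mx ptr include:_spf.mail.example "
                      "include:_spf.mail.example include:b.mail.example -all"],
}

def spf_records(domain, zone):
    """TXT strings at `domain` whose first token is exactly v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count terms that trigger DNS queries, following include/redirect."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # loop, or nothing valid to follow
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name == "include" and ":" in term:
            total += 1 + count_lookups(term.split(":", 1)[1], zone, path + (domain,))
        elif term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
    return total

def check_spf(domain, zone):
    """Return a list of problems; an empty list means both limits are met."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published; receivers return permerror"]
    used = count_lookups(domain, zone)
    if used > LOOKUP_LIMIT:
        return [f"{used} DNS lookups needed; limit is {LOOKUP_LIMIT}"]
    return []
```

Lookups inside included records count toward the same limit, which is why adding one more provider's include can push a previously valid record over it.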

Forwarding for bounce+* Does Not Work

For the Full method, make sure all emails sent to bounce+* addresses in your domain are forwarded to [email protected].

  • If your mail provider supports plus addressing, create a bounce mailbox and forward all incoming emails from this mailbox to [email protected].
  • If your mail provider does not support plus addressing, create a mailbox that receives messages sent to non-existent addresses in your domain. In this mailbox, set up a filter: if an email is sent to an address that starts with bounce+, forward it to [email protected]; otherwise, delete it.

The forwarding mechanism is checked during domain verification.

Subdomain Replies Are Not Handled Correctly

For the Subdomain method, make sure the reply address is valid and regularly monitored. Recipients can reply to your campaigns or request to unsubscribe, and such requests must be processed promptly.

Reteno Reports Issues After the Domain Was Verified

Reteno regularly checks domain settings. If the settings become invalid, Reteno notifies you by email, and key signing for your domain may be suspended until the issue is fixed.

How Reteno Monitors Domain Settings

Reteno regularly checks whether your DNS settings remain valid.

If the settings break, we will notify you by email. Until the issue is resolved, key signing for your domain will be suspended.

Carefully read automated emails generated by Reteno. If you receive a message about a problem, contact our support team for help.

Deleting a Domain

To delete a domain, click the trash can icon in the right column and confirm the action.