SenderReady

ActiveCampaign SPF, DKIM, and DMARC setup review

ActiveCampaign sender authentication depends on a verified sending domain, DKIM, a Mailserver Domain for SPF alignment, DMARC policy, and the other senders sharing the same From domain. Use this review before changing DNS for campaigns or automations.

Scan the ActiveCampaign sending domain first

Check public DMARC, SPF, DKIM, MX, BIMI, MTA-STS, and TLS-RPT signals before editing ActiveCampaign sending-domain records.

01$0Free scan

Check the public sender-auth records mailbox providers expect.

02$0Shareable action plan

Keep one URL with evidence, owner steps, and decisions.

03$49$49 fix plan

Add human review, provider context, and verification steps.

Optional. Most first scans can run with just the domain.
Checks Gmail, Yahoo, and Microsoft sender requirementsPublic DNS onlyNo mailbox login needed
Example result72/100Needs attention

Review DMARC policy strength before a high-volume send.

Public DNS evidence
DMARC/SPF/DKIM status and caveats are visible before you pay.
Owner-ready next step
The audit adds provider context and a verification checklist.
Get the exact fix plan for your domain.$49 readiness audit: prioritized owner actions, DNS evidence, and verification checks.
Get my $49 fix planView sample
Sender readiness cockpitExample action plan

Public DNS workspace

Overall sender readiness

72/100

Needs attention

Sample output: one warning and one fail mean this domain is not campaign-ready yet.

DMARCPass
SPFPass
DKIMPass
MXPass
BIMIWarning
MTA-STSFail

Fix workspace preview

The scan becomes a focused work surface: evidence, owner action, verification, and the paid context a public lookup cannot infer.

HighDMARC

Review DMARC policy strength before a high-volume send.

Evidence
Evidence: a monitoring-only policy can satisfy visibility needs, but enforcement requires aligned legitimate senders.
Verify after change
Re-scan _dmarc after DNS propagation and confirm aligned SPF or DKIM senders before enforcement.
Paid audit adds
Policy sequence, starter record review, alignment questions, and enforcement caveats.
Get my fix plan

Why ActiveCampaign setup needs alignment context

ActiveCampaign can verify and authenticate a sending domain, but DMARC evaluates aligned SPF or DKIM for the visible From domain. That makes the Mailserver Domain, DKIM status, and message headers more important than a simple provider checklist.

The same business domain may also send through Microsoft 365, Google Workspace, Shopify, Zendesk, Intercom, Salesforce, billing tools, or support tools. Tighten DMARC only after those senders are mapped and authenticated.

Setup areas to review

  • Use an established sending domain: ActiveCampaign recommends using a sending domain you own, with a real website behind it, rather than a brand-new or blank domain. Verify the domain and any subdomains before sending campaigns.
  • Choose Configure Domain or manual setup intentionally: ActiveCampaign can configure supported DNS providers, or show manual DNS records for organizations that manage DNS themselves. In either case, the account-generated records are the source of truth.
  • Publish DKIM for the From domain: ActiveCampaign says DKIM is set up through the sending-domain flow. Strict DMARC policies can cause ActiveCampaign mail to fail unless DKIM is configured for the sending domain.
  • Understand the Mailserver Domain SPF path: ActiveCampaign covers SPF through a Mailserver Domain that points a domain to ActiveCampaign with a CNAME record. The docs say you usually do not need to create or modify the From-domain SPF record when this is set up.
  • Keep tracking CNAMEs separate from authentication: ActiveCampaign custom link tracking can also use a CNAME, but it is separate from the Mailserver Domain and is not the DMARC alignment path. Do not confuse account, tracking, and mailserver hostnames.
  • Stage DMARC before enforcement: ActiveCampaign can help create a basic DMARC record, but moving to quarantine or reject requires DKIM and sender alignment to be correct for every legitimate sender on the domain.

DNS record examples and caveats

These examples show record shapes only. ActiveCampaign account settings and current official docs are the authority for generated hostnames, targets, selectors, and whether a supported DNS-provider integration can configure records automatically.

  • ActiveCampaign Mailserver Domain CNAME shape: provider-generated mailserver host -> provider-generated ActiveCampaign target. Use the Mailserver Domain host and target shown in ActiveCampaign. This handles SPF alignment for the ActiveCampaign path.
  • ActiveCampaign DKIM shape: provider-generated acdkim selector._domainkey host -> provider-generated CNAME target. Copy DKIM CNAME values from the sending-domain setup flow. Do not reuse selectors from another account.
  • Optional manual SPF merge shape: v=spf1 include:existing-provider.example include:emsd1.com -all. ActiveCampaign normally handles SPF through the Mailserver Domain. If manual SPF is needed, merge into the single existing SPF TXT record.
  • DMARC TXT monitoring shape: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com. Use a monitored reporting address and review all sender streams before moving to quarantine or reject.

Safe verification sequence

  1. List campaign, automation, one-to-one, notification, and support senders.
  2. Verify the domain and any sending subdomains used in From and Reply-to addresses.
  3. Copy DKIM and Mailserver Domain records from ActiveCampaign, not a generic guide.
  4. Check public DNS after propagation and recheck authentication in ActiveCampaign.
  5. Inspect a sent message header for DKIM, Mail-From, SPF, and DMARC alignment.
  6. Review DMARC reports before moving from monitoring to quarantine or reject.

ActiveCampaign authentication FAQ

Do I need to add ActiveCampaign to my root SPF record?

ActiveCampaign says the sending-domain process includes a Mailserver Domain where a CNAME points to ActiveCampaign, allowing ActiveCampaign to serve the needed SPF record. If you manually edit SPF for other reasons, merge ActiveCampaign into the one existing SPF TXT record instead of adding a second record.

Is an ActiveCampaign tracking CNAME the same as authentication?

No. ActiveCampaign link tracking can use a separate custom-domain CNAME, but the Mailserver Domain is the Return-Path/SPF alignment path used for authentication review.

Can I use a Gmail or Yahoo address as my ActiveCampaign From address?

ActiveCampaign recommends using a domain you own instead of freemail From addresses such as Gmail, Yahoo, or Outlook because freemail DMARC policies can block or rewrite third-party sending.

What does ActiveCampaign mean by full domain alignment?

ActiveCampaign describes alignment between the visible From domain, the DKIM signing domain, and the Mail-From or bounce domain used for SPF. Their sending-domain flow sets up DKIM and the Mailserver Domain for stronger alignment.

Can I use DMARC p=reject with ActiveCampaign?

Only after DKIM and sender alignment are verified for ActiveCampaign and every other sender using the domain. ActiveCampaign warns that strict DMARC can send mail to spam or block it when DKIM is not set up correctly.

Can a scanner fully verify ActiveCampaign setup?

A scanner can inspect public DNS and common provider signals, but a complete ActiveCampaign review needs the account sending-domain status and a signed test-message header.

Turn the scan into an ActiveCampaign fix list

SenderReady readiness audits organize public DNS findings, ActiveCampaign-specific review steps, and cautious next actions for the domain owner or DNS admin. The report is a diagnostic aid, not a deliverability guarantee.

View audit options