Customer.io is a comprehensive customer engagement platform. It allows businesses of all sizes and industries to create personalized customer journeys across multiple channels. These channels may include SMS, email, in-app messaging, and push notifications.
While using Customer.io is fairly simple, it recommends domain authentication. This is also a straightforward process if you use the right tools and resources. Let’s find out how you can set up SPF, DKIM, and DMARC for Customer.io with a few quick and easy steps.
You can refer to Customer.io’s authentication document for more information.
The Need for Domain Authentication
You may spend a fortune crafting the perfect copy, but your emails might still not reach the intended recipient. Not only does authentication boost deliverability, but it also enables you to control the appearance of your tracked links in Customer.io. Customer.io confirms that users always need to authenticate their sending domain before they can start using a new sender, except when using a custom SMTP server.
Note: Customer.io leaves your root domain untouched
When it comes to authenticating your domain for sending in Customer.io, the root domain is not necessary. You simply need to include Customer.io’s DNS records in your account-specific subdomain.
Customer.io’s authentication records are stored in a subdomain. This means these records won’t clash with other settings in your DNS host. Please note that you shouldn’t delete records from your domain when adding Customer.io DNS records, as it may affect deliverability.
Note: When it comes to your hosting provider, only include _dmarc as a subdomain on your root domain. Do not add it to your subdomains. It should look like this: _dmarc.root-domain.com.
Adding a Sending Domain in Customer.io
To add a new sending domain in Customer.io, follow these steps:
- Go to Settings > Workspace Settings > Email
- Click “Add Sending Domain”
- Be sure to input the Domain, Display Name, and Email Address that you will use to send messages. Then click “Add Domain.” (Note that you can follow these same steps if you simply want to add new sending domains.)
You will need a “from” address to complete the domain authentication. Even though you’re not required to do it in this step, you will eventually have to do it to finish the setup.
Adding Customer.io DNS Records to Your Hosting Provider
When you are done adding a sending domain and including the From address, you should click Verify domain. This will help you locate the DNS records that Customer.io suggests you to configure.
According to their authentication document, you are required to add four DNS records to your DNS hosting provider for each domain from which you will be sending emails.
Adding Customer.io MX Record
You need to set up a single MX (Mail Exchange) record that includes two hostnames to enable email delivery from your domain. In this context, MX records serve a specific function. They establish a custom return path using your subdomain. This setup is essential for receiving bounce notifications and spam feedback. Implementing this enhances your email deliverability. It also ensures that emails sent through Customer.io comply with DMARC alignment requirements.
Adding Customer.io SPF Record
SPF is an email authentication protocol that helps authorize your senders.
The SPF record for Customer.io is a single TXT record that authorizes Customer.io to send emails on your domain’s behalf. SPF (Sender Policy Framework) records help specify which IP addresses are permitted to send emails on behalf of your domain.
To add Customer.io’s SPF record to your DNS:
- Log in to your DNS management console
- Navigate to your DNS zone editor and add a new SPF record
- Paste the record value and save changes.
Adding Customer.io DKIM Record
DKIM is an email authentication protocol that enables sending servers to append a digital signature to outgoing emails, preventing the chances of message alterations in transit.
By adding the DKIM TXT record to your domain, you allow Customer.io to attach an encrypted DKIM signature to your outgoing emails. This signature helps email providers confirm that the message was sent by you and hasn’t been tampered with along the way.
To add Customer.io’s DKIM record to your DNS:
- Log in to your DNS management console
- Navigate to your DNS zone editor and add a new DKIM record
- Paste the record value and save changes.
Adding Customer.io DMARC Record
- Customer.io checks if your DMARC policy meets Google, Yahoo, and Microsoft’s email sending requirements.
- The DMARC record enables you to determine how you want to deal with emails that do not pass SPF and DKIM checks. Here is the minimum requirement: v=DMARC1; p=none.
- If you already have a different DMARC policy in place with your hosting provider, Customer.io will reflect that record instead.
- Customer.io advises to only add _dmarc as a subdomain on your root domain. Never add it to your subdomains. It should look like this: _dmarc.root-domain.com.
- Finally, click “Verify domain”. It might take up to 72 hours to finish the verification process.
What Is the Use of DMARC Policies?
DMARC is an email authentication protocol that helps email domain owners protect their domains. It helps safeguard domains from spoofing, phishing, and other forms of unauthorized use. DMARC authentication lets domain owners specify their own authentication procedure. When the recipient’s email server receives an email, it checks the authenticity of the message. This is done by checking the alignment of an email against published DMARC policies.
Additionally, DMARC offers comprehensive reporting. It provides domain owners with insights into email authentication results. This, in turn, helps monitor the security of email communications and detect gaps. As a result, domain owners can make informed and smarter decisions to address the issues on time.
Configure Relaxed ASPF and ADKIM Tags
If your domain has a DMARC policy and you’re planning to send emails using Customer.io’s built-in delivery servers, it’s important to make sure the `aspf` and `adkim` tags in your policy are set to **`r` (relaxed alignment)**. This setting ensures your messages pass DMARC checks even if there’s a slight mismatch in domains used for SPF and DKIM.
If your policy doesn’t explicitly mention `aspf` or `adkim`, don’t worry—DMARC defaults both to relaxed. In that case, you don’t need to make any changes.
Domain Verification in Customer.io
Ensure you’ve added the required DNS records and allowed time for them to propagate. Then, return to your domain’s Authentication tab and click “Verify domain” again. If all three records display green checkmarks, your domain is successfully verified. It means the domain is ready to send emails. Repeat this process for any additional domains you wish to use.
Your domain will remain unverified until all three records have correct values. Verification can take a few seconds or even several hours; this depends on DNS propagation. Before retrying, double-check your DNS entries for any typos or extra spaces.
Speaking of verification, you can always use online tools to verify your Customer.io records.
Below is a list of tools that can help you ensure your Customer.io records work effectively at authenticating your emails:
Final Thoughts
When you enable email authentication with DMARC, SPF, and DKIM, you can enjoy a high level of protection against brand impersonation. But if you configure these protocols the wrong way, you might suffer not only from incorrect authentication but also lower email deliverability. PowerDMARC helps automate the setup of these protocols. It generates DNS records from scratch, offers simplified reporting capabilities, and helps adjust to changes in real-time.
With PowerDMARC, you can ensure the highest compliance with industry standards. You will also enjoy safer email communications and benefit from a positive brand reputation. Contact us today to start enjoying the benefits!
- How to Set Up SPF, DKIM, and DMARC for Customer.io - April 22, 2025
- What is QR Phishing? How to Detect and Prevent QR Code Scams - April 15, 2025
- How to Check SPF Records Using nslookup, dig or PowerShell? - April 3, 2025