Authenticate your domain with Brevo (Brevo code, DKIM record, DMARC record)

In compliance with Gmail and Yahoo's new requirements, domain authentication is now mandatory for all email senders. In this article, we'll explain how to authenticate your domain, either automatically or manually.

Before you start

Step 1. Add your domain to Brevo

To authenticate your domain, you first need to add your domain to Brevo:

  1. In Brevo, click the account dropdown and go to Senders, Domains, and Dedicated IPs > Domains.
  2. Click Add a domain. If your domain already appears on the page, click Authenticate below it instead.
  3. In the Enter your email domain field, enter the domain you want to use to sign your emails. Typically, this is the domain associated with your website.
  4. Click Save this email domain.

Step 2. Authenticate your domain (Brevo code, DKIM record, DMARC record)

If your domain host is supported, you can automatically authenticate your domain in less than two minutes by logging into your domain host directly from Brevo. If not, you will need to manually authenticate your domain.

Use the tabs below to view instructions on how to automatically or manually authenticate your domain ⬇️.

Automatically authenticate Manually authenticate

If automatic domain authentication is available, we'll simply ask you to log into your domain host from Brevo. You can watch a short video below to see how it works:

  1. Click Authenticate automatically.
  2. A pop-up window will appear. Click Continue.
  3. Enter your domain host credentials.
  4. Click Continue. The DNS records needed to authenticate your domain will be automatically added to your domain host.
  5. Optional: If you already have a DMARC record on your domain, you'll be asked if you want to replace it with Brevo's DMARC record. Click Okay, continue to replace it.
    💡 Good to know
    If you don't want to replace your DMARC record, you'll need to cancel the action and manually authenticate your domain instead.
  6. From the confirmation page, click Go to Domains page.
  7. Your domain will appear as Authenticated. You're done!

FAQs - Domain authentication

I've authenticated my domain but it still appears as "Unauthenticated" or I get the message " Value mismastched" in Brevo. What should I do?

When you authenticate your domain, it can take up to 48 hours for the changes to be fully applied. Note that Brevo has no control over this process and cannot speed it up.

If it's been less than 48 hours since you authenticated your domain:

  1. In Brevo, click the account dropdown and go to Senders, Domains, and Dedicated IPs > Domains.
  2. Click Check configuration under your domain.
  3. Click Authenticate this email domain at the bottom of the page.
    verify_domain_authentication (1).jpg
  4. You can repeat this process a few times for the next 48 hours.

If your domain is still not authenticated after 48 hours, check our troubleshooting article Troubleshooting - Domain authentication for solutions to common issues or contact our support team for help.

Which domain should I authenticate?

You should authenticate the domain or subdomain that you use for sending emails through Brevo. For example, if you use the email address "" to send your emails, you should authenticate the domain "". If you use multiple domains or subdomains to send emails, you should authenticate each of them.

It says my DMARC record is missing a rua tag. What should I do?

If you already have a DMARC record in place but it is missing a rua tag, you can update your existing DMARC record and add Brevo's rua tag at the end. Your DMARC record should then have the following value:

v=DMARC1; p=none;

Do I need to add an SPF or MX record to authenticate my domain?

The SPF and MX records are not required to authenticate a domain. We only provide these records when setting up a dedicated IP.

Can I use a 2048-bit DKIM key (sib2k)?

The default DKIM key generated when adding your domain is a standard 1024-bit DKIM key. If you want to use a 2048-bit DKIM key to enhance your email security, contact our support team to activate it for your account. Your 2048-bit DKIM key will then appear in your generated DNS records for email authentication with a host name starting with sib2k:


💡 Good to know
The 2048-bit DKIM key is only available with a paid plan.
How to verify if my emails have been signed with DKIM?

Webmail services allow you to check if your email has been signed with your domain by reviewing your email headers and looking for the reference dkim=pass. If you need help finding your email headers, check our dedicated article How do I find email headers?.


In the above example from a Gmail email header, the reference dkim=pass confirms that the email is signed with the domain

Can I modify or delete the DNS records from my domain host once it is authenticated?

To ensure your emails are correctly sent, keep these two DNS records as they are in your domain host as long as you are using Brevo to send emails. Modifying or deleting these DNS records may lead to email delivery problems or your emails being marked as spam.

⏭️ What's next?

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo expert partner.

💬 Was this article helpful?

755 out of 1232 found this helpful