Troubleshooting issues with domain authentication (Brevo code, DKIM record, DMARC record)

As of February 1, 2024, Gmail and Yahoo require your domain to be authenticated. This reassures recipients that your emails are genuinely from you or your organization, reducing the risk of spam, phishing, and other malicious activities.

In this article, we'll provide explanations for common issues that you may encounter when authenticating your domain with Brevo.

Here's the list of common issues we'll help you with:

Domain/sender not complying or email address replaced when sending an email

❌  One or several of your senders are not compliant with Google and Yahoo's new requirements for senders. For each sender, check their DKIM signature and DMARC status and take the recommended action to be able to use it for email sending.
❌  You have one or more domains not complying with Google and Yahoo’s new sender requirements. We’re here to guide you through the changes. Review your senders and take the necessary actions for compliance.
❌  As your domain is not authenticated, we'll auto-replace your domain with [@brevosend.com]. We're taking this proactive step to maximize your email deliverability to Gmail and Yahoo recipients due to their new sender requirements.

Ideally, your domain should have been authenticated since February 1, 2024, to prevent your emails from being marked as spam or facing delivery issues. 

If you haven’t authenticated your domain yet, Brevo will temporarily help maintain your deliverability by replacing the domain part of your email address with @brevosend.com. This means your email address will appear with a format similar to mycompany@5000001.brevosend.com in your recipients' inboxes.

We strongly recommend authenticating your domain as soon as possible.

➡️ To learn how to authenticate your domain to prevent your sender domain from being automatically replaced, check our dedicated article Authenticate your domain with Brevo.

Domain is invalid

❌  This domain is invalid. Add another domain.
  Invalid domain. The domain name should not include “http”, “https”, “www”, “\” or special characters (except -, . , /).

Expand the accordions below to discover possible reasons why your domain might be invalid:

You are trying to authenticate a free domain

You can only authenticate a domain that you or your business owns and manages. If your email address is from a public email provider (such as gmail.com, yahoo.com, or orange.fr), this is considered a free domain, which cannot be authenticated. To authenticate, you’ll need to purchase a domain that you own and manage through a service such as GoDaddy or OVH.

➡️ To learn more about why you should avoid using a free email address, check our dedicated article Why you need to replace your free email address with a professional one.

You included special characters in your domain name

When entering your domain name in Brevo, use a format like domain.com or sub.domain.com and do not include special characters, except for -, . , and /.

DNS records mismatch or are not detected

❌  The Brevo code values in Brevo and in your domain provider account mismatch. Add this Brevo code value to your domain provider account to authenticate this domain.
❌  The DKIM record values in Brevo and in your domain provider account mismatch. Add this DKIM record value to your domain provider account to authenticate this domain.
❌  We could not detect a DMARC policy in your domain. Add this DMARC record in your domain.

Expand the accordions below to discover possible reasons why your DNS records mismatch or are not detected:

The DNS records have not been added to your domain yet

To authenticate your domain, you need to add the following DNS records to your domain host account:

  • Brevo code
  • DKIM record
  • DMARC record

Brevo will provide the required values for each record. Note that if any of these records are missing, your domain authentication won't be complete.

➡️ To learn how to add these DNS records to your domain host, check our dedicated article Authenticate your domain with Brevo.

It's been less than 48 hours since you added the DNS records

Once you've added the DNS records to your domain host account, it can take up to 48 hours for the changes to take effect and for your domain to be authenticated. This timing is managed by your domain host, and Brevo cannot control or speed up the process.

If it’s been less than 48 hours, you can manually check your domain's authentication status directly in your Brevo account:

  1. In Brevo, click the account dropdown and go to Senders, Domains, and Dedicated IPs > Domains.
  2. Click Authenticate next to the domain you authenticated.
    authenticate_troubleshooting_authenticate-button_en-us.png
  3. Select Authenticate the domain yourself.
  4. Click Continue.
  5. Click Authenticate this email domain at the bottom of the page.
    authenticate_new_verify_faq_en-us.png

You can repeat this process a few times in the next 48 hours. If your domain still does not appear as authenticated after 48 hours, contact our support team for help.

The DNS records added to your domain host are incorrect

Brevo automatically identifies the most popular domain hosts. If your domain host is recognized, we will provide the exact values needed to create the required DNS records. To avoid any typos or formatting errors, we recommend copying and pasting these values directly from Brevo into your domain host.

DNS_records_horiz_EN-US.png

If we can’t identify your domain host, Brevo will provide generic values that might not fully match your host’s specific requirements. Some hosts have unique formatting rules for DNS records that may differ the values provided by Brevo.

Expand the accordions below to discover solutions that might resolve these formatting issues:

Your domain host doesn't support the "@" symbol

When authenticating a domain, some domain hosts may not accept the "@" symbol in the hostname field.

➡️ To fix this, try using your domain name or leaving the field empty.

Your domain host requires a dot (.) at the end of the value

Some domain hosts may require a dot at the end of the value. Without this dot, they consider the entire value as a subdomain and automatically add the root domain at the end.

For example, if you enter mail._domainkey.domain without a dot, it might turn it into mail._domainkey.domain.com.domain.com, instead of just mail._domainkey.domain.com.

➡️ To fix this, add a dot at the end of the hostname, like mail._domainkey.domain..

Your domain host only expects the subdomain prefix in the hostname

When authenticating a subdomain, some domain hosts may expect only your subdomain prefix in the hostname field and automatically append the root domain.

For example, if you enter send.domain.com, it might turn into send.domain.com.domain.com.

➡️ To fix this, only include your subdomain prefix in the hostname field, like send.

Your domain host doesn't support the ":" symbol

When authenticating a domain, some domain hosts, such as Alfahosting, may not accept the ":" symbol in the value fields.

➡️ To fix this, contact your domain host's support team and request their assistance in adding the necessary DNS records on your behalf.

Your DNS host doesn't support values longer than 255 characters

Most domain hosts set a maximum limit of 255 characters for their TXT record field. This isn’t a problem when you use the default 1024-bit DKIM key since it can fit within the allowed character limit easily. However, if you use a 2048-bit DKIM key, it can be a problem as it is longer than 255 characters.

To check if you’re using the default 1024-bit DKIM key or the 2048-bit key, look at the value in the second field of your DKIM record in Brevo:

1024-bit DKIM key (default) 2048-bit DKIM key
authenticate_troubleshooting_1024_en-us.png authenticate_troubleshooting_2048_en-us.png

➡️ To fix this, split your DKIM value into multiple chunks of 255 characters. To make this easy, you can use a DNS record splitter tool:

  1. Go to DNS record splitter.
  2. Insert your DKIM value into the textbox. It will then split your record into two lines.
    authenticate_split_dkim-value_en-us.jpg
  3. Copy and paste the results into a document.
  4. Enclose the two text strings in double quotes.
    authenticate_enclose_dkim-value_en-us.jpg
  5. Copy the enclosed text strings to your domain host as a TXT record.
You haven't verified if your domain is authenticated
After you're done adding the DNS records to your domain host, make sure to click Authenticate this email domain at the bottom of the page. This will allow Brevo to verify if your domain is authenticated.  authenticate_troubleshooting_verify_en-us.png
You modified or deleted the DNS records after your domain was authenticated

If your domain was authenticated successfully but its status later changes to "Not authenticated" after a day or a few days, it's possible that the DNS records you added were modified or deleted.

Once you add the DNS records for domain authentication to your domain host, you need to keep them unchanged for as long as you are using Brevo to send emails. Modifying or deleting these records can result in email delivery issues or cause your emails to be delivered to the spam folder.

➡️ To re-authenticate your domain, check our dedicated article Authenticate your domain with Brevo.

Existing DKIM record with same value

If a DKIM record with the same value as the one provided by Brevo already exists on your domain host, you have two options:

  • Replace your existing DKIM record with the value provided by Brevo. This is only recommended if you're no longer using the other service that required the previous DKIM record.
  • Contact our support team to request an update to your DKIM record with a new value. If you have multiple domains in your Brevo account, you’ll need to update the DKIM records for all of them with the new value.

2048-bit DKIM key instead of 1024-bit

By default, DKIM records of TXT type use a 1024-bit DKIM key. If you want to use a 2048-bit DKIM key to enhance your email security, contact our support team to activate it for your account. Your 2048-bit DKIM key will then appear in your DNS records with a value starting with sib2k.

1024-bit DKIM key (default) 2048-bit DKIM key
authenticate_troubleshooting_1024_en-us.png authenticate_troubleshooting_2048_en-us.png
❗️ Important

If you previously used the 1024-bit DKIM key to authenticate your domain, update your DKIM record in your domain host with the new value.

Multiple DMARC records

❌  We have detected multiple DMARC records in your domain. For optimal deliverability, keep only one DMARC.

To comply with Gmail and Yahoo's requirements for email senders, your domain should have a single DMARC record with a rua tag. Having more than one DMARC record can interfere with domain authentication.

Expand the accordions below to explore the three options for resolving this issue:

Keep only one valid DMARC record and delete any others on your domain

To keep only one valid DMARC record and delete any others on your domain:

  1. Open a new tab in your web browser and log in to your domain host account.
  2. Navigate to the section where you can manage the DNS records for the domain you want to authenticate.
  3. Locate your existing DMARC records.
  4. Choose which DMARC records you want to keep and delete all others. We recommend you keep Brevo's DMARC record, which looks like this: v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com.
Create different subdomains for each DMARC record

If you need multiple DMARC records because you use several email providers and cannot delete the other records, you'll need to create different subdomains for each provider. This will allow you to configure separate DMARC records.

Merge your DMARC records to use a single record and receive reports at multiple email addresses

If you want to receive DMARC reports at multiple email addresses, you can merge the email addresses of your rua tags into a single DMARC record, like:

v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com, mailto:dmarcreports@mydomain.com.

Missing rua tag for DMARC record

❌  Please note that your sender domain's DMARC record lacks a rua tag. To improve your deliverability, we recommend you set up a rua tag for your DMARC record.

To comply with Gmail and Yahoo's requirements for email senders, your domain should have a single DMARC record with a rua tag. If your domain already has a DMARC record but lacks a rua tag, you’ll need to update the record by adding Brevo's rua tag at the end.

  1. Open a new tab in your web browser and log in to your domain host account.
  2. Navigate to the section where you can manage the DNS records for the domain you want to authenticate.
  3. Locate and edit your existing DMARC record.
  4. In the DMARC record’s value field, add Brevo's rua tag at the end:
    ; rua=mailto:rua@dmarc.brevo.com.
  5. Save your DMARC record.

Your DMARC record should now look like this:

v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com

DMARC policy requires authentication

❌  Your DMARC policy requires for your domain to be authenticated. Learn more about how to authenticate your domain. If you have authenticated your domain and still have issues, contact our support team.

If your sender domain has a DMARC policy of p=quarantine or p=reject, you need to authenticate your domain before creating a sender. Authenticate your domain and try creating the sender again.

➡️ To learn more, check our dedicated article Authenticate your domain with Brevo.

Domain host doesn't accept the new DNS records

Expand the accordions below to discover possible reasons why your domain host doesn't accept the new DNS records:

Domain host doesn’t allow duplicate records of the same type and name

Some domain hosts do not allow adding a record with the same type and name twice. This means that if you already have a TXT record on your domain, your domain host may not allow you to add the records provided by Brevo.

➡️ To fix this, add the extra TXT records on your domain below the first one. Expand the accordions below to discover examples of how to do it in Amazon Route 53 and Google Domains:

Amazon Route 53

Enter the value of the extra record on a separate line below the first TXT record.

account_authenticate_aws_extra_record_en-us.jpg

Google Domains
  1. Click + Add more to this record below the first TXT record.
  2. Paste the data of the extra record in the new field.

authenticate_google_add_more_en-us.jpg

Your domain host doesn't allow you to create or modify your DNS records

Some domain hosts, such as Jimdo, do not allow you to add certain DNS records yourself. If you encounter this issue, we recommend contacting your domain host's support team and requesting their assistance in adding the necessary DNS records on your behalf. You can use a message like the following:

"I am looking to authenticate my domain domain.com hosted with you in Brevo, and I need your assistance in setting up the following DNS records:

  • Brevo code
  • DKIM record
  • DMARC record"

Make sure to replace domain.com with your actual domain name and include the required DNS records and their corresponding values. You can find these values by following our dedicated article Authenticate your domain with Brevo and selecting the option to authenticate the domain yourself.

Emails still end up in spam after authenticating

If you've authenticated your domain but your emails still end up in the spam folder, keep in mind that spam filters consider multiple factors when deciding if an email should reach the inbox. While domain authentication improves your sending reputation, it’s not a complete solution or a guaranteed fix.

➡️ To learn more, check our dedicated article Why are emails being delivered to the spam folder?.

⏭️ What's next?

If you've followed our troubleshooting tips and are still having issues authenticating your domain, contact our support team and include a screenshot of the DNS records you have added to your domain host.

For domain host-specific requirements, we recommend you reach out to your domain host's support team.

🤔 Have a question?

If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.

If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo expert partner.

💬 Was this article helpful?

29 out of 161 found this helpful