How to Authenticate Your Domain in Keap to Protect Email Deliverability – Keap Max Classic

Why Domain Authentication Is Required to Send Email

Major inbox providers — including Google, Yahoo, and Microsoft — now require all senders to authenticate their sending domain with DKIM and align it with DMARC before email can be delivered at scale. These requirements exist to reduce spam, phishing, and spoofing, and to ensure that only verified senders can reach the inbox. Keap aligns with these industry standards to protect your deliverability and sender reputation.

Authenticating your domain produces three concrete business benefits:

Higher inbox placement — Authenticated domains are recognized as trustworthy by inbox providers, which significantly reduces the chance of your emails, invoices, and quotes being routed to spam.
Protected brand reputation — Authentication prevents bad actors from spoofing your email address and sending fraudulent messages that appear to come from your business.
Uninterrupted email delivery — Staying compliant with the latest requirements from Google and Yahoo keeps your marketing sequences, automations, and transactional emails running without interruption.

The video above walks through the full domain authentication setup process in Keap. The written steps below cover the same process in detail.

What DKIM and DMARC Are

DKIM (DomainKeys Identified Mail) is a technical standard that attaches a hidden digital signature to every email you send. When an inbox provider like Gmail or Outlook receives your message, it checks the signature against your domain's DNS settings to verify the email came from you and was not modified in transit. DKIM tells inbox providers that your business is the verified sender of the message, which prevents your emails from being flagged as suspicious or spoofed.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy you publish in your domain's DNS records that tells inbox providers how to handle any email that claims to come from your domain but fails the DKIM verification check. A DMARC policy can instruct providers to deliver the email anyway, route it to spam, or reject it entirely. DMARC also sends aggregate reports to an email address you designate so you can monitor for unauthorized use of your domain.

How to Authenticate Your Domain in Keap

Step 1: Access Email Authentication Settings

The location of the authentication settings depends on your Keap edition.

Pro and Max editions:

Click your profile icon in the bottom-left corner of the app, select Settings, and navigate to the Domains page.

The Keap app showing the profile icon in the bottom-left corner of the navigation bar with a menu open. The Settings option is highlighted in the menu.

The Settings page in Keap showing the Domains option in the left-hand navigation of the settings panel. The Domains page displays a list of connected domains and a Connect Email Domain button.

For full step-by-step guidance on connecting your domain from the Pro/Max Domains page, see Authenticate Your Domain in Keap to Protect Email Deliverability.

Ultimate and Classic editions:

Click the hamburger menu in the top-left corner, select Marketing, then click Settings, and click Email Authentication.

The Keap Classic navigation showing the hamburger menu open with the Marketing option highlighted.

The Marketing Settings page in Keap Classic showing the Email Authentication option highlighted in the settings menu.

Step 2: Add Your Domain

Click the + Connect Email Domain button. Enter your domain name in the field provided and select your domain host from the drop-down list.

The Connect Email Domain button on the Domains page.

The domain setup form showing a text field for entering the domain name and a drop-down for selecting the domain host provider.

If you are not sure who your domain host is, use the Google Dig DNS lookup tool to look up the name servers for your domain. The name server provider is typically your domain host.

Step 3: Verify or Create Your DMARC Record

Before creating a new DMARC record, check whether your domain already has one — each domain should have only one DMARC record. To check, use the free Dmarcian DMARC Inspector tool: enter your domain and click Inspect the Domain. You can also log in to your DNS provider and check your DNS records directly for an existing DMARC TXT record.

If your domain already has a DMARC record, leave the Create or Update DMARC Record checkbox unchecked in Keap. Your existing record will be used.

If your domain does not have a DMARC record, check the Create or Update DMARC Record checkbox. Keap recommends the following settings for new DMARC records:

Policy: Quarantine
Quarantine Percentage: 5%
Reporting email address: Enter an email address you have access to. This address will receive DMARC aggregate reports from inbox providers so you can monitor for unauthorized use of your domain.

The DMARC configuration section of the domain setup form showing the Create or Update DMARC Record checkbox checked. Below it are fields for the DMARC policy set to Quarantine, the quarantine percentage set to 5%, and an email address field for aggregate reports.

Step 4: Add the DKIM and DMARC Records to Your DNS Provider

Keap will generate three CNAME records for DKIM authentication. The records will follow this format, using your actual domain name:

appname.yourdomain.com
appname1._domainkey.yourdomain.com
appname2._domainkey.yourdomain.com

Click each record in Keap to copy it to your clipboard — do not highlight and copy manually, as this may copy extra whitespace that will cause the record to fail verification. Log in to your DNS provider and add each of the three records as CNAME records. Depending on your DNS provider, the fields may be labeled "Host" and "Points to" or "Name" and "Value" — enter the key values in the order provided, left to right, regardless of the field labels used by your provider.

If Keap is creating your DMARC record, also add a TXT record in your DNS provider with the following values:

Host: _dmarc.yourdomain.com
Value: v=DMARC1; p=quarantine; pct=5; rua=mailto:your-email@yourdomain.com

A DNS provider records table showing a TXT record added for _dmarc.yourdomain.com with the DMARC policy value in the record content field.

If the CNAME keys conflict with existing records in your DNS provider, click the Conflict with your domain? dropdown in Keap and enter a custom subdomain prefix to resolve the conflict.

Step 5: Complete Verification in Keap

After all records have been added to your DNS provider, return to Keap and click Finish. You will be returned to the Domains or Email Authentication page, where your domain status will display as either Pending or Connected.

DNS changes typically take 24–48 hours to propagate across the internet. During this time your domain status will show as Pending — this is expected. If the status remains Pending for more than 48 hours, log in to your DNS provider and verify that each record matches exactly the keys provided in Keap.

If your domain was previously authenticated in Keap and is stuck in Pending for more than 48 hours, click the edit button next to the domain and go through the setup steps again. If the records are already in place at your DNS provider, click Confirm when you reach the records page — Keap will recheck the records and update the status.

The Domains page showing a domain entry in the list with a Pending status and an edit button to the right of the domain name.

Step 6: Update Your Sending Email Address to Your Authenticated Domain

Once your domain shows a Connected status, update your profile email address to an address on that authenticated domain so your emails are sent from the verified domain.

Pro and Max editions:

Click the profile icon in the bottom-left corner and click the top option to open your profile settings.

The profile menu open in Keap Pro showing the profile settings option highlighted at the top of the menu.

The profile settings page showing the email address field with a domain address entered.

Update the email address field to an address on your connected domain and click Update to save the change.

The profile settings page showing the Update button highlighted after the email address field has been updated to the authenticated domain address.

Classic edition:

Click the profile icon in the top-right corner and select Edit My Profile to open your profile settings. Update the email address to an address on your connected domain and save.

The Classic edition profile menu showing the Edit My Profile option highlighted.

DNS Provider Help Guides

Adding CNAME and TXT records requires logging in to your domain's DNS provider. Steps vary by provider — if you are unsure how to add DNS records, contact your DNS provider's support team. Here are direct links to DNS record management guides for common providers:

Frequently Asked Questions

When did Keap begin requiring DKIM authentication?

Keap implemented the DKIM authentication requirement in 2024, in response to Google and Yahoo enforcing stricter authentication standards for bulk senders. The requirement was rolled out in phases to existing accounts and applied immediately to all new accounts created after the rollout.

How long does it take for my domain to show as Connected?

After you add the DNS records and click Finish in Keap, it typically takes 24–48 hours for the changes to propagate across the internet. During this time your domain status will show as Pending. If the status remains Pending for more than 48 hours, log in to your DNS provider and verify that every record exactly matches the keys provided in your Keap account.

Can I authenticate more than one domain?

Yes. If your business uses multiple domains to send email — for example, a main domain and a subdomain — complete the authentication process for each domain separately. Every domain used in a From address should be authenticated to ensure all your emails are recognized as legitimate by your customers' inbox providers.