This document aims to answer some of the most common questions you might have regarding the results of the domain validation of your existing sending, bounce and link domains once service is enabled for them.
General questions
If you add a completely new sending or link domain, you still need to create a support ticket to enable sending - you can provide a screenshot of the successful validation from the Email Domain Onboarding tool in your support ticket to speed up the process.
The Domain Validation tool lists my domain as validation failed - does that mean I can no longer send out campaigns? What do I do?
If the tool fails your domain, you will still be able to send campaigns using this domain. However, we do recommend to update your domain to based on the tool’s recommendations as soon as you can to achieve the highest security standard employed by Emarsys and the ISPs. Once you updated your domain, you can either revalidate the domain or add the new domain to the service and upon successful validation delete your old domain. Please note that if you add a completely new sending or link domain, you still need to create a support ticket to enable sending. You can provide a screenshot of the successful validation from the Email Domain Onboarding tool in your support ticket to speed up the process.
The Domain Validation tool lists my domain as a warning - does that mean I can no longer send out campaigns? What do I do?
If the tool gives you warning for your domain, you will still be able to send campaigns using this domain. We do recommend to update your domain to based on the tool’s recommendations as soon as you can to achieve the highest security standard employed by Emarsys and the ISPs. Once you updated your domain, you can either revalidate the domain or add the new domain to the service and upon successful validation delete your old domain. Please note that if you add a completely new sending or link domain, you still need to create a support ticket to enable sending. You can provide a screenshot of the successful validation from the Email Domain Onboarding tool in your support ticket to speed up the process.
Sender Policy Framework (SPF)
Error message: "SPF no emarsys record"
Reason:
An SPF record on your domain entry was found, however the default recommended entries where not found. This error indicates that either the default recommended settings where either not or badly implemented.
Solution:
A valid SPF record on your domain adds a security layer to your email communications and email delivery.
Error message: "SPF invalid token"
Reason:
An SPF record was found, however it is invalid. It appears that the SPF record has a typo error.
Solution:
Please update the SPF record with the recommended values.
Error message: "SPF record not found"
Reason:
Your domain does not have a SPF record, which leaves it vulnerable to email spoofing and phishing attacks.
Solution:
A SPF record helps to verify the authenticity of emails sent from your domain and protect your recipients from phishing scams. It is strongly recommended to implement a SPF record for your domain as soon as possible. A valid SPF record on your domain adds a security layer to your email communications and email delivery.
Error message: "SPF multiple records"
Reason:
Your domain has multiple SPF records which either need to be merge or deleted. One single SPF record helps to verify the authenticity of emails sent from your domain and protect your recipients from phishing scams.
Solution:
It is strongly recommended to merge or remove SPF records according to your sending sources. A valid SPF record on your domain adds a security layer to your email communications and email delivery.
Error message: "SPF invalid leading space"
Reason:
Your SPF record has a leading space, which can cause incorrect parsing and result in the SPF policy not being enforced. This could potentially leave your domain vulnerable to email spoofing and phishing attacks.
Solution:
Please remove the leading space. A valid SPF record on your domain adds a security layer to your email communications and email delivery.
Error message: "SPF DNS lookup limit"
Reason:
The Information stored in your SPF records causes more than 10 further DNS lookups.
Solution:
Please consolidate your records to remove unnecessary lookups through your SPF records. A valid SPF record on your domain adds a security layer to your email communications and email delivery.
DomainKeys Identified Mail (DKIM)
Error message: "DKIM Legacy Value"
Reason:
On July 2022 we have updated our guidelines to improve existing security standards and to make the onboarding process easier. DKIM records with “DKIM Legacy Value” token indicate that you are using a DKIM record that does not fit the current standard.
Solution:
Your current DKIM record still works fine, but moving forward we recommend to update them with the recommended key5/key6 values. Once you updated your domain, you can either revalidate the domain or add the new domain to the service and upon successful validation delete your old domain. Please note that if you add a completely new sending or link domain, you still need to create a support ticket to enable sending. You can provide a screenshot of the successful validation from the Email Domain Onboarding tool in your support ticket to speed up the process.
Error message: "DKIM Invalid Legacy Value"
Reason:
Our tool was looking for DKIM records with key5 and key6 selectors or any legacy selector, but was not able to find a single valid DKIM record. This may lead to increased email deliverability risks due to failed domain authentication checks. However, this error could also be shown for custom DKIM records that have been agreed for your sending domains in the past.
Solution:
If you are not aware of any custom DKIM records being discussed for your sending domains in the past, we recommend adding key5 and key6 values to your sending domain based on the guidelines provided by the tool as soon as possible.
Error message: "DKIM missing value"
Reason:
On July 2022 we have updated our guidelines to improve existing security standards and to make the onboarding process easier. Including both DKIM records (for key5/key6) enables us to rotate DKIM records for our clients seamlessly, which disables bad actors to use existing public DKIM keys to game mail filters. This error means that at least one entry was not found.
Solution:
We recommend adding key5 and key6 values to your sending domain based on the guidelines provided by the tool as soon as possible. Once you updated your record with your provider, you can re-run the validation and the domain should pass if the settings match the given recommendations.
Canonical Name (CNAME) record
Error message: "CNAME record does not match"
Reason:
Emarsys recently updated its domain setting recommendations to create a global standard across our platform for all domains and further improve security for our customers. Your domain might either include .emarsys.net
or it does not match the setting the tool recommends for this domain.
Solution:
Please update your domain to the recommended setting and add the new domain to the tool. Until you've added the recommended setting to the tool, you will still be able to use your existing domain for the time being. Once you updated your domain, you can either revalidate the domain or add the new domain to the service and upon successful validation delete your old domain.
Mail Exchanger (MX) record
Error message: "MX no value"
Reason:
Emarsys recently updated its domain setting recommendations to create a global standard across our platform for all domains and further improve security for our customers.
Solution:
We recommend adding an MX record for your domain based on the recommendations given by the tool. Once you updated your record with your provider, you can re-run the validation and the domain should pass if the settings match the given recommendations.
If you would like to host the email replies on your mail server, you can add your own MX records and ensure that you have opened the reply management mailboxes and are able to receive incoming emails or requests.
Error message: "MX legacy other entry"
Reason:
This means that you currently have mixed MX records in your domain, which can cause confusion with domain providers.
Solution:
We recommend updating your MX record for your domain based on the recommendations given by the tool. Please note:
- If you are using the Emarsys reply management tool, then you need to use the Emarsys MX record and remove any custom ones.
- If you are using a custom reply management tool (e.g. you receive email replies on your server), then you need to remove the Emarsys MX record and use only the custom record.
Once you updated your record with your DNS provider, you can re-run the validation. Please also ensure that you have opened the reply management mailboxes and are able to receive incoming emails or requests.
Error message: "MX other entry"
Reason:
Emarsys recently updated its domain setting recommendations to create a global standard across our platform for all domains and further improve security for our customers.
Solution:
We recommend updating your MX record for your domain based on the recommendations given by the tool.
- If you are using the Emarsys reply management tool, then we recommend using the Emarsys MX record and removing any custom MX records.
- If you are using a custom reply management tool, then we recommend removing the Emarsys MX record and only using the custom record.
Once you updated your record with your provider, you can re-run the validation and the domain should pass if the settings match the given recommendations. Please also ensure that you have opened the reply management mailboxes and are able to receive incoming emails or requests.
Error message: "MX legacy other entry"
Reason:
This means that your current MX record contains errors or duplications, which result in failed validation and can cause confusion with domain providers.
Solution:
We recommend updating your MX record for your domain based on the recommendations given by the tool.
- If you are using the Emarsys reply management tool, then you need to use the Emarsys MX record and remove any custom ones.
- If you are using a custom reply management tool (e.g. you receive email replies on your server), then you need to remove the Emarsys MX record and use only the custom record.
Once you updated your record with your DNS provider, you can re-run the validation. Please also ensure that you have opened the reply management mailboxes and are able to receive incoming emails or requests.
Error message: "MX legacy PMTA"
Reason:
Emarsys recently updated its domain setting recommendations to create a global standard across our platform for all domains and further improve security for our customers. You are using a very old setup in your MX records which is not supported anymore.
Solution:
We recommend adding the MX records for your domain based on the recommendations given by the tool. Once you updated your record with your provider, you can re-run the validation and the domain should pass if the settings match the given recommendations.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Error message: "DMARC missing value"
Reason:
Your domain does not have a DMARC record, which leaves it vulnerable to email spoofing and phishing attacks. A DMARC record helps to verify the authenticity of emails sent from your domain and protect your recipients from phishing scams.
Solution:
It is strongly recommended to implement a DMARC record for your domain as soon as possible to enhance the security of your email communications.
Error message: "DMARC nonstandard policy"
Reason:
Your DMARC record's policy is either set to quarantine
or none
, which is not the recommended policy for maximum security. The recommended policy for maximum security against email spoofing and phishing attacks is reject
, which blocks non-authorized email sources that fail DMARC evaluation. Having a DMARC policy set to quarantine
or none
may leave your domain vulnerable to these types of attacks.
Solution:
To enhance the security of your email communications, it is strongly recommended to set the DMARC policy to reject
in your DMARC record.
Error message: "DMARC invalid record"
Reason:
Your DMARC record is invalid and will not be enforced. The DMARC record helps to verify the authenticity of emails sent from your domain and protect your recipients from phishing scams. An invalid DMARC record can result in the failure of DMARC evaluation and leave your domain vulnerable to email spoofing and phishing attacks.
Solution:
Please review and correct the syntax and format of your DMARC record to ensure it is properly implemented and that it can effectively enhance the security of your email communications.
Error message: "DMARC multiple records"
Reason:
Having multiple DMARC records is not possible as only one record is permitted.
Solution:
We recommend updating your DMARC record based on the recommendations given by the tool as soon as possible. Once you updated your record with your provider, you can re-run the validation and the domain should pass if the settings match the given recommendations.
Error message: "DMARC invalid leading space"
Reason:
Your DMARC record contains a leading space, which can cause incorrect parsing and result in the DMARC policy not being enforced. This could potentially leave your domain vulnerable to email spoofing and phishing attacks.
Solution:
Please remove the leading space and verify the DMARC record is correctly formatted to ensure the authenticity and security of your email communications.
Error message: "DMARC ADKIM INVALID"
Reason:
Your DMARC record's adkim
tag is not set to s
(strict mode), which can result in more relaxed DMARC evaluation and increase the risk of email spoofing. The adkim
tag determines how the alignment mode for DMARC evaluation is handled. Setting the adkim
tag to s
ensures that the domain name in the DKIM signature must exactly match the domain being protected.
Solution:
To enhance the security of your email communications, it is recommended to set the adkim
tag to s
in your DMARC record.
Bounce Domain
What is the BOUNCE domain?
The BOUNCE domain refers to the domain name that is added to the return-path header of an email message. This domain is used when the message is undeliverable and needs to be sent back to the sender.
The return-path address is a special email address that tells the system where the bounced messages should be sent. To make sure that bounce management works automatically in the Emarsys platform, you need to ensure that the BOUNCE domain points to Emarsys using a CNAME record.
Why is the error "The DNS value associated with the bounce domain is invalid" shown?
The error message "The DNS value associated with the bounce domain is invalid" is displayed during the validation step when Emarsys is checking your BOUNCE domain and has detected a CNAME record that is pointing to a location that is different from the one that is required. This can happen if the value for the domain CNAME record is not set up correctly or if a wildcard CNAME record has been set up for your domain that directs any non-existent domain to a specific location. To resolve this issue, you need to correct the CNAME record so that it points to the required location before proceeding with the validation process.
Correct: bounces.email.example.com CNAME bounces.emarsys.net.
Wrong: bounces.email.example.com CNAME Example Domain
If your sender domain was configured before July 2022 and does not fit the new SAP Emarsys DNS settings, please see the Domain Validation Service - Mail Exchanger-related errors.
Why is the error "No return path found" shown?
The error "No return path found" is displayed during the validation step when Emarsys is checking your BOUNCE domain and cannot detect a CNAME record that is pointing to the required location. To resolve the issue, you need to add the required CNAME record.
If your sender domain was configured before July 2022 and does not fit the new SAP Emarsys DNS settings, please see Domain Validation Service - Mail Exchanger-related errors.