How to set up DKIM, DMARC, and SPF for GoHighLevel email the right way

You write the email. You hit send. It goes to spam.

And the frustrating part is that GoHighLevel shows it as delivered. As far as the platform is concerned, the message left. What happened after that is between your DNS records and the receiving mail server.

DKIM, DMARC, and SPF are the 3 authentication records that tell email providers like Gmail and Outlook that your messages are legitimate. Without them, or with them set up wrong, your emails get filtered before a human ever sees them.

This isn't complicated once you understand what each record does. But it does require touching your domain's DNS settings, and the order matters. Get this right once and you won't have to touch it again.

If you'd rather have someone handle it for you, a GoHighLevel developer can configure all 3 records correctly in about an hour. But if you want to do it yourself, here's the full process.

What these records actually do

Before touching anything, it helps to understand what you're setting up and why it matters.

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. If an email claiming to be from yourdomain.com comes from an IP that isn't on your SPF list, it gets flagged as suspicious.

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. The receiving server checks that signature against a public key stored in your DNS. If the signature matches, the email is verified as coming from you and hasn't been tampered with in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells mail servers what to do if either check fails. It also gives you a reporting address where you can receive data about authentication failures.

All 3 work together. Having SPF without DKIM is better than nothing, but you need all 3 to pass Google and Outlook's deliverability requirements properly. Since Google tightened its requirements for bulk senders in 2024, this isn't optional if you're sending more than a few hundred emails a month.

Step 1: connect your sending domain in GoHighLevel

Before you can add authentication records, you need a dedicated sending domain connected to your GoHighLevel account. Don't use your main business domain for sending email if you can avoid it. Use a subdomain like mail.yourdomain.com or send.yourdomain.com.

The reason is simple: if something goes wrong with your sending reputation (which can happen to anyone running campaigns), your main domain stays clean. The subdomain takes the hit.

To set up your sending domain:

• Go to Settings in your GoHighLevel sub-account
• Click Email Services
• Select Dedicated Sending Domain
• Enter the subdomain you want to use (e.g. mail.yourdomain.com)
• GoHighLevel will generate the DNS records you need to add

Keep that screen open. You'll be copying values from it into your DNS settings in the next steps. For a broader walkthrough of the full email setup process inside GoHighLevel, this guide on GoHighLevel email setup covers the surrounding context.

Step 2: add your SPF record

Log into wherever your domain's DNS is managed. That's usually the registrar where you bought the domain (GoDaddy, Namecheap, Cloudflare, Google Domains) or a separate DNS host if you've moved it.

SPF is a TXT record. You're adding it to either your root domain or your subdomain depending on how GoHighLevel generates it. The record looks something like this:

v=spf1 include:sendgrid.net include:_spf.google.com ~all

The exact value GoHighLevel gives you may differ, but the structure is the same. The include: statements tell receiving servers to also trust the IP ranges of the services listed. The ~all at the end means "soft fail" for anything not on the list, which is the standard setting for most business senders.

One thing to be careful about: you can only have 1 SPF record per domain or subdomain. If you already have an SPF record from a previous email tool, don't add a new one. Merge the new include: statement into your existing record. Two SPF records on the same domain breaks SPF and causes failures.

Step 3: add your DKIM records

GoHighLevel generates 2 DKIM records when you set up a dedicated sending domain. Both need to be added to your DNS. They're also TXT records, and they'll look something like this:

Name: s1._domainkey.mail.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

The value is a long string of characters. Copy it exactly from GoHighLevel. A single wrong character breaks the signature and the verification fails silently, meaning your emails still send but the DKIM check doesn't pass.

After you've added both DKIM records, give DNS propagation 15 to 30 minutes (sometimes longer depending on your provider) before trying to verify them inside GoHighLevel.

Step 4: add your DMARC record

DMARC is also a TXT record, but it goes on a specific subdomain of your root domain. The name is always _dmarc.yourdomain.com.

A basic DMARC record that works for most businesses starting out:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

The p=none means "monitor only." Emails that fail DMARC still deliver, but you receive reports showing what's failing and where. This is the right starting point because jumping straight to p=quarantine or p=reject without knowing your sending setup can accidentally block legitimate email.

The rua= address is where DMARC reports get sent. These are XML files and not particularly readable, but tools like Google Postmaster Tools or a free service like MXToolbox DMARC Analyzer can parse them into something useful. After 2 to 4 weeks of monitoring, move to p=quarantine, then eventually to p=reject as you confirm your authentication is clean.

Step 5: verify everything inside GoHighLevel

Once you've added all the DNS records, go back to your GoHighLevel email settings and click the verify button for your sending domain.

GoHighLevel checks whether the records are live and correct. If all pass, your sending domain shows as verified and you're good to go.

If any fail, the most common causes are:

• DNS propagation hasn't finished yet. Wait another 30 minutes and try again
• A typo in one of the values. Go back to your DNS provider and compare the record character by character against what GoHighLevel shows
• You added a duplicate SPF record instead of merging. Check that only 1 SPF TXT record exists on the sending subdomain
• Your DNS provider added extra quotes or spaces when you pasted the value. Some providers do this automatically and it breaks the record

You can also verify your records independently using MXToolbox (mxtoolbox.com). Run an SPF lookup, DKIM lookup, and DMARC lookup for your domain and it'll show exactly what's live and whether each record is valid.

What happens to your deliverability after setup

You won't see an overnight transformation the day you add these records. Sender reputation builds over time, and these records are the foundation, not the complete picture.

But you will notice a difference, usually within 2 to 3 weeks of clean sending. Fewer emails landing in Promotions or Spam. Higher open rates. Less bouncing around at the inbox provider level.

The other piece that matters is your sending behavior. Authentication tells mail servers you are who you say you are. What you do with that trust (engagement rates, unsubscribe handling, bounce management) builds or erodes your reputation from there. Authentication buys you the right to be judged on merit. The emails still have to be worth opening.

If your open rates are still low after getting authentication right, the issues to look at next are list quality, subject lines, and sending frequency. The detailed breakdown of why GoHighLevel emails go to spam and how to fix each cause is covered in this guide on GoHighLevel email deliverability fixes.

How this connects to your campaigns and automations

Authentication affects every email GoHighLevel sends on your behalf: broadcast campaigns, workflow automations, drip sequences, appointment confirmations, follow-up emails. All of it goes through your sending domain.

So getting this right first matters more than it might seem. If you're building a drip sequence and the authentication isn't clean, the first email in the sequence might deliver fine, but by email 4 or 5, inbox providers have started filtering you based on low engagement with the earlier sends. The whole sequence underperforms because the foundation was shaky.

If you're building out email drip campaigns in GoHighLevel, this guide on how to create an email drip campaign in GoHighLevel walks through the campaign setup side once your authentication is sorted.

And if you're connecting GoHighLevel to external tools or managing data flows between systems, understanding how data moves through the platform matters for more than just email. The comparison of webhooks vs API v2 in GoHighLevel covers how to think about data architecture when your setup gets more complex.

Do this once, do it right

DKIM, DMARC, and SPF aren't something you revisit constantly. Set them up correctly and they run in the background, doing their job on every send without you thinking about them.

The time investment is maybe 45 minutes if you've never touched DNS before. If you're comfortable with it, closer to 20. Either way, it's one of the highest-return technical tasks in your entire GoHighLevel setup. Every email you send after this works harder than it did before.

If DNS isn't your thing and you'd rather just have it done, reach out to a GoHighLevel developer who's configured these records dozens of times and can get it verified in a single session.

Author Bio