GetResponse SPF and DKIM setup

The DKIM record GetResponse asks you to publish, why SPF is optional, and the sending-domain status that quietly means your mail still goes out via GetResponse.

What you are setting up

GetResponse sends your newsletters and automations. Authenticating your domain publishes a DKIM key so GetResponse signs as you and your mail aligns. Two things set GetResponse apart from the CNAME-based tools: DKIM here is a TXT record (a public key you publish, not a CNAME pointing back to GetResponse), and SPF is recommended but not required, because DKIM is what carries DMARC.

Set up DKIM

In GetResponse, go to Profile > Emails and Domains, open the Email addresses tab, click the Actions menu (the three dots) next to your domain, and choose Authenticate your domain with DKIM. GetResponse generates a key and shows you a DKIM identifier and value to publish as a TXT record:

Type:  TXT
Host:  <identifier>._domainkey       (the identifier GetResponse shows you)
Value: (the long DKIM key GetResponse shows you)

Copy the identifier and key exactly from the pop-up. The identifier is a short hash unique to your account, so do not hardcode it, and a one-character typo in the selector will silently fail validation. There is a slider to generate a 2048-bit key for stronger protection; if you use it, publish the new value (it replaces the old key). GetResponse can also authenticate the domain for you automatically across many common DNS hosts.

What about SPF?

SPF is recommended but not required, because DKIM alignment is what makes GetResponse mail pass DMARC. If you want to add it, the record is:

Type:  TXT
Host:  @
Value: v=spf1 include:_spf.getresponse.com ~all

Merge that include into your existing SPF record rather than publishing a second one. Note that the branded (tracking) domain CNAME GetResponse also offers is a separate feature for link tracking; it is not part of authentication and does nothing for DMARC.

Add DMARC

Standard _dmarc TXT record. GetResponse's advice is to set up DKIM first, then DMARC, starting in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Build it with our DMARC builder and progress past p=none once your reports are clean.

The GetResponse gotcha

The status to watch is “No DKIM authentication.” GetResponse does not stop you from sending without DKIM; it just sends your mail with a via GetResponse-mail or “on behalf of” note, which means it is not signing as you and your DMARC will not pass on your domain. People add their from-address, see it accepted, and assume they are authenticated, but the address and the DKIM record are different things. The other usual issue is the DNS host appending your domain to the selector, turning abc123._domainkey into abc123._domainkey.yourdomain.com.yourdomain.com; enter only the selector portion. And remember that a free from-address (gmail.com, yahoo.com) can never be authenticated; use a domain you control.
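
One way to automate the header check for this gotcha, as an added example (not GetResponse's or trustyourinbox's code): it reads the From domain, the DKIM-Signature d= tags and the receiver's dmarc= result from a raw test message. The two sample messages, the esp.example signing domain and the function names are constructed for illustration, and alignment is approximated without a Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message: signed only by the sending service. "esp.example"
# is a placeholder, not GetResponse's real signing domain.
UNALIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp.example; spf=pass smtp.mailfrom=bounce.esp.example;
 dmarc=fail header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=abc123;
 h=from:to:subject; bh=AAAA; b=BBBB
From: News <news@yourdomain.com>
Subject: test

body
"""
# Constructed counterpart: the same message once the domain is authenticated.
ALIGNED = UNALIGNED.replace("esp.example", "yourdomain.com").replace(
    "dmarc=fail", "dmarc=pass")

def unfold(value):
    return " ".join(value.split())  # collapse folded header whitespace

def dkim_domain(sig):
    """Return the d= tag of one DKIM-Signature header, lowercased."""
    m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", unfold(sig))
    return m.group(1).lower() if m else None

def aligned(d, from_domain):
    # Assumption: approximates relaxed alignment without a Public Suffix List
    # by accepting an exact match or a parent/child relationship.
    return (d == from_domain or d.endswith("." + from_domain)
            or from_domain.endswith("." + d))

def check(raw):
    """Summarise what a receiver recorded about one message's authentication."""
    msg = message_from_string(raw)
    from_domain = parseaddr(unfold(msg["From"]))[1].rpartition("@")[2].lower()
    domains = [dkim_domain(v) for v in msg.get_all("DKIM-Signature", [])]
    # Only trust Authentication-Results added by your own receiving server.
    results = unfold(" ".join(msg.get_all("Authentication-Results", [])))
    dmarc = re.search(r"\bdmarc=(\w+)", results)
    return {
        "from_domain": from_domain,
        "dkim_domains": domains,
        "dkim_aligned": any(d and aligned(d, from_domain) for d in domains),
        "dmarc": dmarc.group(1).lower() if dmarc else None,
    }
```

A message that reports a DKIM signature but `dkim_aligned` false is the "signed, but not as you" case: the mail was authenticated for the sending service's domain, not yours.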

Confirm it worked

  • Check the DKIM record. Our DKIM checker confirms the TXT record resolves and a key is published.
  • Send a test and read the headers. Send yourself a message, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass (and no “via GetResponse” note). Our header analyzer reads it back plainly.
  • Watch the reports. GetResponse should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.

Let trustyourinbox publish GetResponse for you

Connect your DNS once and we publish the GetResponse records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment GetResponse mail starts failing, so a typo in a record never quietly costs you the inbox.

Last verified 2026-06-22.