trustyourinbox

SMTP2GO SPF and DKIM setup

The three CNAMEs SMTP2GO asks you to publish, why there is no SPF include to add, and why sending from an unverified domain is now blocked outright.

What you are setting up

SMTP2GO is an SMTP relay for your application and transactional mail. You verify your sender domain by publishing three CNAME records, and SMTP2GO handles the rest behind them. There is no SPF record or DKIM key to paste, it is entirely CNAME-based, and the three CNAMEs cover SPF (via a return-path), DKIM, and link tracking. Since 2025, verifying your domain is not optional: SMTP2GO blocks mail sent from an unverified domain.

Add the sender domain and publish the CNAMEs

In SMTP2GO, go to Sending > Verified Senders > Sender domains and click Add sender domain. SMTP2GO generates three CNAME records, all pointing at smtp2go.net hosts:

Type:  CNAME   (return-path / SPF; host starts with em...)
Host:  (copy the exact host SMTP2GO shows you)
Value: (copy the exact target SMTP2GO shows you)

Type:  CNAME   (DKIM)
Host:  (copy the exact host SMTP2GO shows you)
Value: (copy the exact target SMTP2GO shows you)

Type:  CNAME   (open / click / unsubscribe tracking)
Host:  (copy the exact host SMTP2GO shows you)
Value: (copy the exact target SMTP2GO shows you)

Copy all three exactly from the console, they are specific to your account. The first CNAME sets a return-path on a subdomain of yours (so SPF aligns), the second delegates DKIM (so SMTP2GO signs as d=yourdomain.com), and the third serves tracked links over your domain. Together they align both SPF and DKIM, so DMARC passes. SMTP2GO can also add the records for you automatically through Entri.

Do you need an SPF include? No.

SMTP2GO moved to CNAME-only authentication years ago, so the old advice to add include:...smtp2go.com to your SPF record is out of date. The return-path CNAME handles SPF for you, do not add a manual SPF include.

Add DMARC

SMTP2GO does not publish DMARC for you; add your own standard _dmarc TXT. Start in monitor-only mode and ramp up:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Build it with our DMARC builder and progress past p=none once your reports are clean.

The SMTP2GO gotcha

The big one now: sending from a domain you have not verified is blocked. Since April 2025, mail whose from domain is not a verified sender is rejected (it shows as “Rejected” on your Activity page), and those rejected attempts still count against your monthly quota. The fix is always to verify the exact domain in your from address. As general DNS advice, also make sure your host has not appended your domain to the CNAME (doubling it), and that the records are not proxied (set them to DNS-only on Cloudflare).

Confirm it worked

  • Verify in SMTP2GO. The sender domain should show as verified once the three CNAMEs resolve.
  • Send a test and read the headers. Send through SMTP2GO, open the message, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass (and no “via smtp2go” notice). Our header analyzer reads it back plainly.
  • Watch the reports. SMTP2GO should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
Let trustyourinbox publish SMTP2GO for you

Connect your DNS once and we publish the SMTP2GO records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment SMTP2GO mail starts failing, so a typo in a record never quietly costs you the inbox.

Run a free auditOr start free

Keep reading

Last verified 2026-06-23 against the official SMTP2GO documentation.

Stop guessing. Start monitoring.

Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.

Start freeOr run the free audit first