How to set up DMARC for ControlShift in Valimail

Updated over a week ago

This article covers the SPF and DKIM authentication processes for ControlShift and how they are managed in Valimail. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.

Configuring DKIM authentication for your ControlShift emails

Setting the Contact Email

First you'll need to set your organization's Contact Email. The Contact Email is the email address that platform emails are sent from, both to supporters who to take action and to admins subscribed to notifications. To set your organization's Contact Email, go to the admin homepage -> Settings -> Contact and enter the appropriate email address. Then click to Save. Please note that this email address should be tied to your organization's domain.

Deliverability Settings

Once you've entered the appropriate Contact Email, you can continue configuring your organization's deliverability settings by going to [your-platform-url] /org/settings/deliverability and clicking to Configure.


The Domain listed on this page is based on your organization's Contact Email. If the domain here is not correct, you should update your organization's Contact Email instead of editing the domain from this page. In the Email field, enter an email address for your organization's technical contact. Then click to Save.

Please note: if you're already using a Sendgrid product, you may need to expand the Advanced Settings section and choose a custom selector.

Configuring DNS

After saving, the Deliverability page will update to include information about your organization's new Sendgrid subuser account. Included on this page will be a list of three CNAME records that your organization will need to configure in their DNS manager.


For each of these records, the URL on the left should (through the CNAME record) point to the URL on the right. (If you need help setting up a CNAME records, please see the DNS article in our help center or your DNS manager's help documentation.)

If you're using Cloudflare's proxy service, please make sure that these email deliverability records are not proxied. You can turn the proxy service off by clicking the orange cloud (which will then update to gray).

Once you've created the relevant CNAME records, return to the deliverability settings page and click to Verify. If your DNS records are configured correctly, you'll see two success messages. (Please note: it may take a few minutes for these new records to propagate.)


Custom DKIM Selectors

If you're already using Sendgrid as your email provider (or if another tool you're using uses Sendgrid), you may already have s1._domainkey and s2._domainkey records in your DNS manager. If you do, you can specify a custom DKIM selector instead. If you've already progressed to the step that shows CNAME records, click to Remove and start over. On the first page, click the Advanced link to expand the section.


In this section, check the Use custom DKIM selector box and then enter your DKIM Selector. This selector can be any combination of up to 3 characters. When you've entered your chosen selector, click to Save and the CNAME records will reflect your choice.


Please note: if you removed your previous configuration and started again, the first record will likely have changed too. Please verify that the first record is correct in your DNS manager.

You can also find the instructions on how to set up DKIM and SPF for ControlShift, here.

Add a ControlShift DKIM key in Valimail

You can find more detailed information on how to add a DKIM key in Valimail, here:

Configuring SPF authentication for your ControlShift emails

Once you establish that ControlShift is an authorized sender for your domain, you will need to add the service in your Enabled Senders.

You will find more detailed information on how to add a service for your domain in Valimail, here:

Note: We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

Did this answer your question?