SPF(supported) (dedicated subdomain)

This article covers the SPF and DKIM authentication processes for DocuSign and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.


Configuring DKIM authentication for your DocuSign emails

Before you begin:

  • Log in as a DocuSign Administrator.
  • Claim and verify a top-level domain - Domains
  • Have access to edit DNS records in your organization's domain registrar. This is done through a 3rd party site and may require IT assistance from within your organization.
  • After claiming a domain, create a subdomain and update your DNS records to verify and configure for CED.

Note: This process does not use an existing subdomain. A new subdomain is created through the verification process. Subdomains already used for SSO cannot be used for custom email addresses.

1. In DocuSign Admin, select Features.

2. Scroll down to Custom Email Domain, and select Manage.

3. Select Actions -> Enable.

The Custom Email Domain menu item is added to DocuSign Admin.

4. In DocuSign Admin, select Custom Email Domain.

5. Select ADD DOMAIN.

6. Enter a name for the new subdomain.

Note: The subdomain name appears in front of the verified top-level domain. For example, if the top-level domain is ‘example.com’ and the subdomain is ‘docusign’, your DocuSign custom email addresses will be [username]@docusign.example.com.

7. Select an available verified top-level domain, then select NEXT.

8. Using the DocuSign-provided values, create two CNAME/DKIM records, one TXT/SPF record, and one MX record in your DNS.

Important: If you manage DKIM in Valimail for your domain, you will need to add the 2 CNAME DKIM keys on your domain's Configuration page in Valimail Enforce and add the TXT and MX records in your DNS.


Note: It may take up to 24 hours for changes to your DNS to be published by your domain registrar. If you are unable to verify the domain shortly after updating the DNS records, select SAVE DOMAIN AND VERIFY DNS LATER.

You can also find the instructions on how to set up DKIM and SPF for DocuSign, here.

Add a DocuSign DKIM key in Enforce

1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.

    a. Scroll down and add the two DKIM keys in your configuration, by clicking on Add a DKIM key

    b. Enter the selector name, CNAME target value, associate the key/s with DocuSign and then click Add.

You can find more detailed information on how to add a DKIM key in Valimail Enforce here. 

Configuring SPF authentication for your DocuSign emails

Once you establish that DocuSign is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.

1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:

3. Choose DocuSign from the list of configurable senders and then click Enable:

We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

As always, if you have any questions, please don't hesitate to submit a ticket.