PingOne

Setting up a trusted email domain

You can configure PingOne to send emails on your organization’s behalf from a trusted domain. Use PingOne to get the email domain trust records and add them to your DNS configuration. You can also set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).

Before you begin

You’ll need:

  • An existing domain

  • Access to your DNS manager

About this task

  • You can configure up to 50 trusted email domains per environment.

  • Learn more about configuring trusted email addresses for a trusted email domain in Configure trusted email addresses.

  • The _pingoneemail text record on the Email Domain Verification modal is optional, but it is a best practice to add this record to your DNS. If it isn’t added, each sender email address you add must be verified separately through a verification email.

Adding the trusted email domain

You’ll add the trusted email domain to your environment and then configure your DNS manager.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

  2. Click Add Email Domain.

  3. Enter the trusted email domain name, such as auth.example.com, and click Save. PingOne validates the domain name to ensure that it is not already in use.

Adding the records to your DNS configuration

After you add the trusted email domain, copy the email domain trust records and add them to your DNS configuration. Ensure that you add the records as TXT records, not CNAME records.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

  2. Locate the appropriate email domain name entry and click Verify.

  3. In the Email Domain Verification modal, copy the email domain trust records to a secure location.

  4. Go to your DNS manager and update it with the email domain entries you copied. You can leave the PingOne window open, or close it and return later.

    The specifics of DNS configuration depend on your DNS manager. We recommend that you wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.

Verifying the trusted email domain

Ensure that you have added the trust records to your DNS configuration before starting this task. You cannot verify a trusted email domain until you update the DNS manager to add the trust records.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

  2. Locate the appropriate email domain name entry and click Verify.

    • A green checkmark indicates that the verification check succeeded.

    • A yellow exclamation point indicates that the verification check did not succeed. We recommend that you wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.

  3. Click Close.

The email domain name should show a green checkmark to confirm that it has been verified, and the DKIM Setup and SPF Setup buttons should be visible. If there is a yellow exclamation point next to the email domain name, click Verify to retry the verification process.

Setting up DKIM

After you’ve verified the trusted email domain, you can set up DKIM. DKIM signs outgoing email messages so that receiving mail servers can verify that they came from your domain, which helps prevent forged sender addresses.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

  2. Locate the appropriate email domain name entry and click DKIM Setup.

  3. Copy the email trust records.

    If you see multiple regions listed, such as EU-WEST-1, US-EAST-1, and US-WEST-1, copy the CNAME records for all regions. This is required for Simple Email Service (SES) to sign messages, and can also allow messages to be sent from another region if there’s a fault in the primary region.

  4. Go to your DNS manager and update it with the DKIM entries you copied. Ensure that you add the records as CNAME records, not TXT records.

  5. Return to the DKIM Setup modal and click Verify.

    • A green checkmark indicates that the verification check completed successfully.

    • A yellow exclamation point indicates that the verification check did not succeed. We recommend that you wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.

  6. Click Close.

Setting up SPF

You can set up SPF, which helps protect senders and recipients from spam, spoofing, and phishing. By adding an SPF record to your DNS, you can specify a list of senders approved to send email from your domain.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

  2. Locate the appropriate email domain name entry and click SPF Setup.

  3. Copy the email trust records.

  4. Go to your DNS manager and update it with the SPF entries you copied.

  5. Return to the SPF Setup modal and click Verify.

    • A green checkmark indicates that the verification check has completed successfully.

    • A yellow exclamation point indicates that the verification check has not succeeded. We recommend that you wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.

  6. Click Close.
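
A pre-check you can run before clicking Verify, given here as an added example (not PingOne code): it parses `dig +noall +answer` output and reports the two mistakes the steps above warn about, a record published with the wrong type (trust records must be TXT, DKIM records must be CNAME) and a record that is missing or has not propagated. All record names and values are constructed placeholders, and the `_pingoneemail.<domain>` name form is an assumption; use the exact entries shown in your console.

```python
import re

def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into (name, type, value) tuples."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)  # name, TTL, class, type, rdata
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts
        if rtype == "TXT":
            # A TXT value may be split into several quoted strings; join them.
            value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        else:
            value = rdata.strip().rstrip(".").lower()
        records.append((name.rstrip(".").lower(), rtype, value))
    return records

def check(expected, observed):
    """Compare records copied from the console with what DNS returns."""
    findings = []
    for name, rtype, value in expected:
        name = name.rstrip(".").lower()
        if rtype == "CNAME":
            value = value.rstrip(".").lower()
        at_name = [(t, v) for n, t, v in observed if n == name]
        if (rtype, value) in at_name:
            continue
        types = {t for t, _ in at_name}
        if not at_name:
            msg = "no record found (not added or not propagated)"
        elif rtype not in types:
            msg = f"published as {'/'.join(sorted(types))}, expected {rtype}"
        else:
            msg = f"{rtype} value differs from the console"
        findings.append(f"{name}: {msg}")
    return findings

# Constructed placeholders standing in for the entries copied from the console.
EXPECTED = [
    ("_pingoneemail.auth.example.com", "TXT", "trust-value-placeholder"),
    ("dkim1-placeholder.auth.example.com", "CNAME", "dkim1-target.example.net"),
    ("dkim2-placeholder.auth.example.com", "CNAME", "dkim2-target.example.net"),
]
# Constructed dig output: trust record added as CNAME; second DKIM record absent.
SAMPLE_DIG = """
_pingoneemail.auth.example.com. 300 IN CNAME trust-value-placeholder.
dkim1-placeholder.auth.example.com. 300 IN CNAME dkim1-target.example.net.
"""
print("\n".join(check(EXPECTED, parse_dig_answer(SAMPLE_DIG))))
```

To use it against live DNS, replace `SAMPLE_DIG` with the combined output of `dig +noall +answer <name> <type>` for each expected record; an empty result means every record matches what the console gave you.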