Setting up a trusted email domain
You can configure PingOne to send emails on your organization’s behalf from a trusted domain. Use PingOne to get the email domain trust records and add them to your DNS configuration. You can also set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).
Before you begin
You’ll need:
- An existing domain
- Access to your DNS manager
Adding the trusted email domain
You’ll add the trusted email domain to your environment and then configure your DNS manager.
Steps
- In the PingOne admin console, go to Settings > Domains.
  Result: The Custom Domain and Email Trust page opens.
- Next to Email Trust, click the icon.
- In the Add Email Trust panel, enter the trusted Email Domain name, such as auth.example.com, and click Save.
  PingOne validates the domain name to ensure that it isn’t already in use.
Adding the TXT records to your DNS configuration
After you add the trusted email domain, copy the email domain trust records and add them to your DNS configuration. Ensure that you add the records as TXT records, not CNAME records.
Steps
- In the PingOne admin console, go to Settings > Domains.
  Result: The Custom Domain and Email Trust page opens.
- Click the appropriate email domain name entry.
- On the Overview tab, copy the TXT Records to a secure location.
- Go to your DNS manager and update it with the email domain entries you copied. You can leave the PingOne window open, or close it and return later.
The specifics of DNS configuration depend on your DNS manager. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.
Verifying the trusted email domain
Ensure that you have added the trust records to your DNS configuration before starting this task. You can’t verify a trusted email domain until you update the DNS manager to add the trust records.
Steps
- In the PingOne admin console, go to Settings > Domains.
  Result: The Custom Domain and Email Trust page opens.
- Click the appropriate email domain name entry.
- On the Overview tab, click Verify.
  - A green checkmark indicates that the verification check has completed successfully.
  - A red exclamation point indicates that the verification check failed. You should wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.
Result
The email domain name should show a green checkmark to confirm that it has been verified. If the verification failed, a red exclamation point appears. Ensure that the TXT records are added correctly and try again later.
Setting up DKIM
After you’ve verified the trusted email domain, you can set up DKIM. DKIM authenticates email messages and prevents forged sender addresses.
Steps
- In the PingOne admin console, go to Settings > Domains.
  Result: The Custom Domain and Email Trust page opens.
- Click the appropriate email domain name entry.
- On the DKIM tab, copy the CNAME records.
  If you see multiple regions listed, such as EU-WEST-1, US-EAST-1, US-WEST-1, you should copy the CNAME records for all regions. This is required for Simple Email Service (SES) to sign messages, and can also allow messages to be sent from another region if there’s a fault in the primary region.
- Go to your DNS manager and update it with the CNAME records you copied. Ensure that you add the records as CNAME records, not TXT records.
- In the PingOne admin console on the DKIM tab, click Verify.
Result
- A green checkmark indicates that the verification check completed successfully.
- A red exclamation point indicates that the verification check failed. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.
Setting up SPF and a custom MAIL FROM domain
Setting up SPF adds protection against spam, spoofing, and phishing. By adding an SPF record to your DNS, you can specify a list of senders approved to send email from your domain.
By setting up a custom MAIL FROM domain, you significantly reduce the likelihood of a PingOne email notification being flagged as spam. Specifying a MAIL FROM domain results in SPF alignment with the FROM header, reducing the chances that the DMARC check will fail.
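The alignment rule behind this, as an added example that is not PingOne code: DMARC accepts an SPF pass only when the MAIL FROM domain aligns with the From header domain. The domains are constructed placeholders, the provider bounce domain is an assumed stand-in, and the two-label organizational-domain rule is a simplification of the Public Suffix List lookup.

```python
# Added example: DMARC identifier alignment (RFC 7489) for SPF and DKIM.
# Every domain below is a constructed placeholder.

def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real evaluators use the Public Suffix List (e.g. for .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def domain_of(address: str) -> str:
    """Domain part of an address, or the value itself if it is a bare domain."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(header_from: str, authenticated: str, mode: str = "r") -> bool:
    """mode 's' (strict) needs an exact match; 'r' (relaxed) needs the same
    organizational domain."""
    a, b = domain_of(header_from), domain_of(authenticated)
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(header_from, mail_from, spf_pass,
               dkim_d=None, dkim_pass=False, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes and aligns with From."""
    spf_ok = spf_pass and aligned(header_from, mail_from, aspf)
    dkim_ok = dkim_pass and dkim_d is not None and aligned(header_from, dkim_d, adkim)
    return bool(spf_ok or dkim_ok)

FROM = "noreply@auth.example.com"
# Constructed stand-in for a sending service's own bounce domain.
DEFAULT_MAIL_FROM = "bounce@mailer.provider.example"
# Constructed custom MAIL FROM subdomain of the trusted domain.
CUSTOM_MAIL_FROM = "bounce@mail.auth.example.com"

if __name__ == "__main__":
    for mf in (DEFAULT_MAIL_FROM, CUSTOM_MAIL_FROM):
        print(mf, "-> DMARC via SPF:", dmarc_pass(FROM, mf, spf_pass=True))
```

Under a strict `aspf=s` policy the custom subdomain no longer aligns with `auth.example.com`, so DMARC then depends on the DKIM signature aligning instead.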
Steps
- In the PingOne admin console, go to Settings > Domains.
  Result: The Custom Domain and Email Trust page opens.
- Click the appropriate email domain name entry.
- Go to the SPF tab.
- In the Custom MAIL FROM domain field, enter a subdomain name to use.
  - If the field is grayed out, go to the Overview tab and check that all the TXT records appear as verified (green check mark).
  - Do not use a subdomain that you use to send email from.
  - Do not use a subdomain that you use to receive email.
- Click Save.
  Result: An MX record is displayed, and a TXT record for SPF is displayed.
- Add the MX record to your DNS.
- Add the TXT record for SPF to your DNS.
- After adding the MX record and the TXT record, you can return to the SPF tab and click Verify to verify the records you added. Keep in mind that propagation might take some time.
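A pre-check you can run before clicking Verify in any of the procedures above (email trust TXT, DKIM CNAME, MAIL FROM MX and SPF TXT), as an added example that is not PingOne code. It reads text in `dig +noall +answer` format; every record name and value shown is a constructed placeholder, not a record issued by PingOne.

```python
# Added example: pre-check DNS answers before clicking Verify.
# Input is text in `dig +noall +answer` format; all names and values below
# are constructed placeholders, not records issued by PingOne.

def parse_answers(text):
    """Map owner name -> list of (TYPE, rdata) from dig answer lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if line.startswith(";") or len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts
        key = name.lower().rstrip(".")
        records.setdefault(key, []).append((rtype.upper(), rdata.strip().strip('"')))
    return records

def find_problems(records, expected):
    """expected: (name, TYPE, rdata_prefix or None) per record to publish."""
    problems = []
    for name, want, prefix in expected:
        found = records.get(name, [])
        matches = [r for t, r in found if t == want]
        if not found:
            problems.append(f"{name}: no answer (not added, or not propagated yet)")
        elif not matches:
            got = ",".join(sorted({t for t, _ in found}))
            problems.append(f"{name}: no {want} record (found only {got})")
        elif prefix and not any(r.startswith(prefix) for r in matches):
            problems.append(f"{name}: {want} present but does not start with {prefix}")
    return problems

SAMPLE = """\
trust-placeholder.auth.example.com. 300 IN CNAME token.placeholder.example.net.
key1._domainkey.auth.example.com. 300 IN CNAME key1.dkim.placeholder.example.net.
mail.auth.example.com. 300 IN MX 10 feedback.placeholder.example.net.
"""

EXPECTED = [
    ("trust-placeholder.auth.example.com", "TXT", None),    # email trust record
    ("key1._domainkey.auth.example.com", "CNAME", None),    # DKIM record
    ("mail.auth.example.com", "MX", None),                  # custom MAIL FROM
    ("mail.auth.example.com", "TXT", "v=spf1"),             # SPF for MAIL FROM
]

if __name__ == "__main__":
    for p in find_problems(parse_answers(SAMPLE), EXPECTED):
        print("FIX:", p)
```

The constructed sample reproduces two mistakes: the trust record published as a CNAME instead of a TXT record, and the SPF TXT record missing from the MAIL FROM subdomain.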