---
title: Setting up a trusted email domain
description: "Configure PingOne to send emails on your organization's behalf."
component: pingone
page_id: pingone:settings:p1_set_up_trusted_email_domain
canonical_url: https://docs.pingidentity.com/pingone/settings/p1_set_up_trusted_email_domain.html
revdate: February 14, 2025
section_ids:
  before-you-begin: Before you begin
  p1-add-trusted-email-domain: Adding the trusted email domain
  steps: Steps
  result: Result:
  p1-add-records-to-dns-config: Adding the TXT records to your DNS configuration
  steps-2: Steps
  result-2: Result:
  p1-verify-trusted-email-domain: Verifying the trusted email domain
  steps-3: Steps
  result-3: Result:
  result-4: Result
  p1-set-up-dkim: Setting up DKIM
  steps-4: Steps
  result-5: Result:
  result-6: Result
  p1-define-mail-from-subdomain: Setting up SPF and a custom MAIL FROM domain
  steps-5: Steps
  result-7: Result:
  result-8: Result:
---

# Setting up a trusted email domain

You can configure PingOne to send emails on your organization's behalf from a trusted domain. Use PingOne to get the email domain trust records and add them to your DNS configuration. You can also set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).

## Before you begin

You'll need:

* An existing domain

* Access to your DNS manager

**Note:**

* You can configure up to 50 trusted email domains per environment. Learn more in [PingOne standard platform limits](../getting_started_with_pingone/p1_platform_limits.html).

* Learn more about configuring trusted email addresses for a trusted email domain in [Configure trusted email addresses](p1_configure_trusted_email.html).

* The `_pingoneemail` text record on the **Email Domain Verification** modal is optional, but it's best to add this record to your DNS. If it isn't added, each sender email address you add must be verified separately through a verification email.

## Adding the trusted email domain

You'll add the trusted email domain to your environment and then configure your DNS manager.

### Steps

1. In the PingOne admin console, go to **Settings > Domains**.

   ### Result:

   The **Custom Domain and Email Trust** page opens.

2. Next to **Email Trust**, click the **+** (plus) icon.

3. In the **Add Email Trust** panel, enter the trusted **Email Domain** name, such as `auth.example.com`, and click **Save**.

   PingOne validates the domain name to ensure that it isn't already in use.

## Adding the TXT records to your DNS configuration

After you add the trusted email domain, copy the email domain trust records and add them to your DNS configuration. Ensure that you add the records as TXT records, not CNAME records.

### Steps

1. In the PingOne admin console, go to **Settings > Domains**.

   ### Result:

   The **Custom Domain and Email Trust** page opens.

2. Click the appropriate email domain name entry.

3. On the **Overview** tab, copy the **TXT Records** to a secure location.

4. Go to your DNS manager and update it with the email domain entries you copied. You can leave the PingOne window open, or close it and return later.

   **Note:** The specifics of DNS configuration depend on your DNS manager. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.

## Verifying the trusted email domain

Ensure that you have added the trust records to your DNS configuration before starting this task. You can't verify a trusted email domain until you update the DNS manager to add the trust records.

### Steps

1. In the PingOne admin console, go to **Settings > Domains**.

   ### Result:

   The **Custom Domain and Email Trust** page opens.

2. Click the appropriate email domain name entry.

3. On the **Overview** tab, click **Verify**.

   * A green checkmark indicates that the verification check has completed successfully.

   * A red exclamation point indicates that the verification check failed. You should wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.

### Result

The email domain name should show a green checkmark to confirm that it has been verified. If the verification failed, a red exclamation point appears. Ensure that the TXT records are added correctly and try again later.

## Setting up DKIM

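After you've verified the trusted email domain, you can set up DKIM. DKIM adds a cryptographic signature to outgoing email messages so that receiving mail servers can verify that they were sent on behalf of your domain, which helps prevent forged sender addresses.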

### Steps

1. In the PingOne admin console, go to **Settings > Domains**.

   ### Result:

   The **Custom Domain and Email Trust** page opens.

2. Click the appropriate email domain name entry.

3. On the **DKIM** tab, copy the CNAME records.

   **Note:** If you see multiple AWS regions listed, such as EU-WEST-1, US-EAST-1, US-WEST-1, you should copy the CNAME records for all regions. This is required for Simple Email Service (SES) to sign messages, and can also allow messages to be sent from another AWS region if there's a fault in the primary AWS region.

4. Go to your DNS manager and update it with the CNAME records you copied. Ensure that you add the records as CNAME records, not TXT records.

5. In the PingOne admin console on the **DKIM** tab, click **Verify**.

### Result

* A green checkmark indicates that the verification check completed successfully.

* A red exclamation point indicates that the verification check failed. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.

## Setting up SPF and a custom MAIL FROM domain

Setting up SPF adds protection against spam, spoofing, and phishing. By adding an SPF record to your DNS, you can specify a list of senders approved to send email from your domain.

By setting up a custom MAIL FROM domain, you significantly reduce the likelihood of a PingOne email notification being flagged as spam. Specifying a MAIL FROM domain results in SPF alignment with the FROM header, reducing the chances that the DMARC check will fail.
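The alignment rule behind the paragraph above, as an added example (not PingOne code): DMARC compares the MAIL FROM domain with the From header domain, in relaxed mode by organizational domain and in strict mode by exact match. All addresses and the small public-suffix set are constructed assumptions.

```python
# Added example: DMARC-style SPF alignment check. Alignment is only half
# of the DMARC SPF test; the SPF lookup for the MAIL FROM domain must
# also pass. All domain names below are constructed.

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# sample domains. Real evaluators use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def normalize(domain):
    return domain.strip().rstrip(".").lower()


def organizational_domain(domain):
    """Return the longest known public suffix plus one label to its left."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: last two labels


def spf_aligned(header_from, mail_from, mode="r"):
    """mode 'r' is relaxed (the DMARC default); 's' is strict (aspf=s)."""
    h = normalize(header_from.rsplit("@", 1)[-1])
    m = normalize(mail_from.rsplit("@", 1)[-1])
    if mode == "s":
        return h == m
    return organizational_domain(h) == organizational_domain(m)


def report(header_from, mail_from):
    return {"relaxed": spf_aligned(header_from, mail_from, "r"),
            "strict": spf_aligned(header_from, mail_from, "s")}


# Constructed sample values
HEADER_FROM = "noreply@auth.example.com"
# Hypothetical default bounce address on the mail provider's own domain
DEFAULT_MAIL_FROM = "bounce-0001@mailer.provider-example.net"
# Custom MAIL FROM on a subdomain of the trusted email domain
CUSTOM_MAIL_FROM = "bounce-0001@bounce.auth.example.com"

if __name__ == "__main__":
    print("default MAIL FROM:", report(HEADER_FROM, DEFAULT_MAIL_FROM))
    print("custom MAIL FROM: ", report(HEADER_FROM, CUSTOM_MAIL_FROM))
```

Because the custom MAIL FROM domain is a subdomain, it aligns only in relaxed mode; a DMARC policy published with `aspf=s` would not treat it as aligned.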

### Steps

1. In the PingOne admin console, go to **Settings > Domains**.

   ### Result:

   The **Custom Domain and Email Trust** page opens.

2. Click the appropriate email domain name entry.

3. Go to the **SPF** tab.

4. In the **Custom MAIL FROM domain** field, enter a subdomain name to use.

   **Note:**

   * If the field is grayed out, go to the **Overview** tab and check that all the TXT records appear as verified (green check mark).

   * Do not use a subdomain that you use to send email from.

   * Do not use a subdomain that you use to receive email.

5. Click **Save**.

   ### Result:

   An MX record is displayed, and a TXT record for SPF is displayed.

6. Add the MX record to your DNS.

7. Add the TXT record for SPF to your DNS.

8. After adding the MX record and the TXT record, you can return to the **SPF** tab and click **Verify** to verify the records you added. Keep in mind that propagation might take some time.
