Compliance Guide
How to Set Up a Dedicated Sending Domain with SPF, DKIM, and DMARC in GoHighLevel
By Marnix Geerkens. Published 2026-05-28. Updated 2026-05-28.
In short
SPF, DKIM, and DMARC are three DNS records that prove your email is really from your domain and not forged. Without them, Gmail and Outlook move your messages to spam or block them outright. GoHighLevel lets you add a dedicated sending domain in Settings under Email Services (LC Email). Once you verify it and publish the three DNS records, your emails come from your own domain and hit the inbox far more reliably.
- SPF tells receivers which mail servers can send on your behalf.
- DKIM adds a cryptographic signature that receivers verify before delivering.
- DMARC tells receivers what to do with messages that fail SPF or DKIM, and sends you reports.
Before you start
- A GoHighLevel account with LC Email enabled (Settings > Email Services).
- A domain you own and can add DNS records to (not a free subdomain).
- Access to your domain registrar or DNS host (Cloudflare, GoDaddy, Namecheap, Route 53, etc.).
- Basic comfort with adding DNS records (TXT and CNAME entries).
Step by step
Step 1. Add your dedicated sending domain in GoHighLevel
In your GoHighLevel agency account, go to Settings, then Email Services (LC Email). Look for the Sending Domains section and click Add Domain.
Enter the domain you want to use as your sending domain. This is typically a subdomain of your main domain, for example mail.yourdomain.com or send.yourdomain.com. Using a subdomain keeps your root domain reputation separate from your sending reputation, which protects your main website email.
Click Add or Verify. GoHighLevel will generate a set of DNS records you need to publish. Keep this page open.
Step 2. Publish the SPF record
SPF (Sender Policy Framework) is a TXT record at your sending subdomain that lists the mail servers allowed to send email from it. GoHighLevel will show you the exact TXT record value to add.
Log in to your DNS host and navigate to your domain's DNS management panel. Add a new TXT record. Set the host or name field to the subdomain you entered (for example: mail or send, depending on your setup). Paste the SPF value from GoHighLevel into the content or value field.
If you already have an SPF record on this subdomain, do not add a second one. Merge the includes. An SPF record starting with v=spf1 can only appear once per host. A domain with two SPF records fails SPF checks.
Save the record. SPF propagates quickly, usually within a few minutes, but full global propagation can take up to 48 hours.
Step 3. Publish the DKIM records
DKIM (DomainKeys Identified Mail) uses a public/private key pair. GoHighLevel holds the private key and signs your outgoing messages. You publish the public key in DNS so receiving servers can verify the signature.
GoHighLevel will show you one or more CNAME records to add. Each has a specific host name (like s1._domainkey.mail.yourdomain.com) and a value pointing to GoHighLevel's key server. Add each CNAME record exactly as shown. Case and punctuation matter.
Do not change the CNAME values or wrap them. Copy and paste directly from the GoHighLevel UI.
Step 4. Publish a DMARC record
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do if an email fails SPF or DKIM. It also sends you reports of who is sending email using your domain.
Add a TXT record at _dmarc.mail.yourdomain.com (replace with your actual subdomain). A good starting value is: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The p=none policy means "monitor but do not block." This is the safest starting point. Once you confirm your legitimate email is passing authentication, you can move to p=quarantine (spam folder for failures) and eventually p=reject (block failures). Most deliverability guides recommend staying at p=none for at least 30 days while reviewing reports.
The rua tag is your reporting address. Replace dmarc@yourdomain.com with a real email you monitor. You will receive aggregate XML reports from major mail providers showing pass and fail counts.
Step 5. Verify the domain inside GoHighLevel
Return to Settings > Email Services > Sending Domains in GoHighLevel. Click Verify or Check Records next to your domain. GoHighLevel will query DNS and confirm each record is present and correct.
If verification fails, check that you added records to the right subdomain (not the root domain, unless that is what you entered). Wait a few more minutes if DNS has not propagated yet.
Once all records show a green check, your sending domain is active. GoHighLevel will now use this domain for all outbound emails from this account.
Step 6. Update your From address to match the sending domain
The From address in your emails should match the authenticated domain. If your sending domain is mail.yourdomain.com, your From address should be something@yourdomain.com. Gmail and Outlook check that the From domain aligns with the DKIM signing domain.
In GoHighLevel, go to your email workflow actions or campaign settings and update the From name and From email to use an address on your verified domain. Using a Gmail or Outlook address as the From while sending through GoHighLevel breaks DMARC alignment.
How to verify SPF, DKIM, and DMARC are working
Send a test email from GoHighLevel to a Gmail address you control. In Gmail, open the email and click the three-dot menu, then "Show original." Look for the Authentication-Results header. It should show spf=pass, dkim=pass, and dmarc=pass.
You can also use a free tool like mail-tester.com or MXToolbox (mxtoolbox.com/EmailHeaders.aspx) to check your authentication results. Send a test email to the address mail-tester.com gives you, then view your score and the pass/fail results for each record.
Check the GoHighLevel email stats after your next send. Bounce rates should drop and open rates should improve once authentication is in place. Give it one full campaign cycle to see the difference.
Common problems and fixes
DKIM CNAME not resolving: Make sure you added the CNAME without any trailing dot or extra space. Some DNS editors auto-append the root domain; if GoHighLevel gives you s1._domainkey.mail.yourdomain.com but your DNS editor appends .yourdomain.com again, the record will be wrong. Use MXToolbox to check what is actually in DNS.
SPF record too long or with too many lookups: The SPF spec allows a maximum of 10 DNS lookups. If you send through multiple services, you may hit this limit. Use an SPF flattening tool to combine lookups.
DMARC reports arriving but showing failures: This usually means some emails are going through a path that is not authenticated (for example, a team member forwarding through Gmail). Identify the source in the report and either add it to SPF or route it through GoHighLevel.
GoHighLevel still showing "Unverified" after 48 hours: Open a support ticket with your domain name and the DNS records you added. Include a screenshot of the MXToolbox lookup for your domain. The GoHighLevel support team can check from their side.
Emails going to spam even after authentication: Authentication is one factor, but sender reputation, list quality, and engagement rates also affect deliverability. See the email warm-up guide for next steps.
Frequently asked questions
What is a dedicated sending domain and why does it matter?
A dedicated sending domain is a domain or subdomain you own that GoHighLevel uses as the envelope sender for your outgoing emails. Without it, GoHighLevel sends on behalf of a shared domain. Shared domains accumulate reputation from thousands of senders. Your own domain starts with a clean slate and builds its own sending reputation based on your campaigns.
Can I use my main domain (yourdomain.com) as the sending domain?
Technically yes, but using a subdomain like mail.yourdomain.com is safer. A bad sending reputation on a subdomain does not hurt deliverability for your root domain (and vice versa). Most deliverability professionals recommend separating transactional, marketing, and cold outreach onto different subdomains.
Do I need DMARC to get good deliverability?
Google and Yahoo both published requirements in 2024 that bulk senders must have a DMARC record in place. Without DMARC, you are more likely to land in spam with those providers. DMARC also protects your domain from being spoofed by phishers.
How long does SPF/DKIM/DMARC take to work?
DNS records propagate globally within a few minutes to 48 hours depending on TTL settings and your DNS provider. Most changes are visible within 15 to 60 minutes. You can use dig or MXToolbox to check propagation without waiting.
Does setting up a dedicated sending domain guarantee inbox placement?
No. Authentication (SPF, DKIM, DMARC) is necessary but not sufficient. Inbox placement also depends on your sender reputation, your list quality, engagement rates, and content. Authentication proves the email is from you; your reputation determines whether receivers trust you.
What is LC Email and do I need it?
LC Email is GoHighLevel's built-in email sending infrastructure, which replaced the older Mailgun-required setup. It is available on all current GoHighLevel plans. If your account still shows Mailgun as the provider, contact GoHighLevel support to confirm your migration path.