PingOne

Setting up a trusted email domain

You can configure PingOne to send emails on your organization’s behalf from a trusted domain. Use PingOne to get the email domain trust records and add them to your DNS configuration. You can also set up DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF).

Before you begin

You’ll need:

  • An existing domain

  • Access to your DNS manager

Notes:

  • You can configure up to 50 trusted email domains per environment. Learn more in PingOne standard platform limits.

  • Learn more about configuring trusted email addresses for a trusted email domain in Configure trusted email addresses.

  • The _pingoneemail text record on the Email Domain Verification modal is optional, but it’s best to add this record to your DNS. If it isn’t added, each sender email address you add must be verified separately through a verification email.

Adding the trusted email domain

You’ll add the trusted email domain to your environment and then configure your DNS manager.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Next to Email Trust, click the icon.

  3. In the Add Email Trust panel, enter the trusted Email Domain name, such as auth.example.com, and click Save.

    PingOne validates the domain name to ensure that it isn’t already in use.

Adding the TXT records to your DNS configuration

After you add the trusted email domain, copy the email domain trust records and add them to your DNS configuration. Ensure that you add the records as TXT records, not CNAME records.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the appropriate email domain name entry.

  3. On the Overview tab, copy the TXT Records to a secure location.

  4. Go to your DNS manager and update it with the email domain entries you copied. You can leave the PingOne window open, or close it and return later.

    The specifics of DNS configuration depend on your DNS manager. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.

Verifying the trusted email domain

Ensure that you have added the trust records to your DNS configuration before starting this task. You can’t verify a trusted email domain until you update the DNS manager to add the trust records.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the appropriate email domain name entry.

  3. On the Overview tab, click Verify.

    • A green checkmark indicates that the verification check has completed successfully.

    • A red exclamation point indicates that the verification check failed. You should wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.

Result

The email domain name should show a green checkmark to confirm that it has been verified. If the verification failed, a red exclamation point appears. Ensure that the TXT records are added correctly and try again later.

Setting up DKIM

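After you’ve verified the trusted email domain, you can set up DKIM. DKIM adds a cryptographic signature to outgoing email messages so that receiving mail servers can verify that they came from your domain, which helps prevent forged sender addresses.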

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the appropriate email domain name entry.

  3. On the DKIM tab, copy the CNAME records.

    If you see multiple regions listed, such as EU-WEST-1, US-EAST-1, US-WEST-1, you should copy the CNAME records for all regions. This is required for Simple Email Service (SES) to sign messages, and can also allow messages to be sent from another region if there’s a fault in the primary region.

  4. Go to your DNS manager and update it with the CNAME records you copied. Ensure that you add the records as CNAME records, not TXT records.

  5. In the PingOne admin console on the DKIM tab, click Verify.

Result

  • A green checkmark indicates that the verification check completed successfully.

  • A red exclamation point indicates that the verification check failed. You should wait at least 1 hour for the DNS changes to propagate through the internet, although it can take up to 24 hours.

Setting up SPF

You can set up SPF, which helps protect senders and recipients from spam, spoofing, and phishing. By adding an SPF record to your DNS, you can specify a list of senders approved to send email from your domain.

Steps

  1. In the PingOne admin console, go to Settings > Domains.

    Result:

    The Custom Domain and Email Trust page opens.

  2. Click the appropriate email domain name entry.

  3. On the SPF tab, copy the SPF records.

  4. Copy the email trust records.

  5. Go to your DNS manager and update it with the SPF records you copied.

  6. In the PingOne admin console on the SPF tab, click Verify.

Result

  • A green checkmark indicates that the verification check has completed successfully.

  • A red exclamation point indicates that the verification check failed. You should wait 1 hour and try again. Complete DNS propagation can take up to 24 hours.
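Before clicking Verify for the trust, DKIM, and SPF records described above, you can compare the records copied from the console with what your DNS actually serves. The following is an added example, not part of the PingOne documentation or product. Every record name and value in it, including the selector, the targets, and the placement of the `_pingoneemail` and SPF records, is a constructed placeholder, and the sample `dig +noall +answer` output is constructed as well.

```python
import re
# Constructed placeholders: substitute the names and values your PingOne console shows.
EXPECTED = [
    ("_pingoneemail.auth.example.com", "TXT", "placeholder-trust-token"),
    ("selector1._domainkey.auth.example.com", "CNAME", "selector1.dkim.example.net"),
    ("auth.example.com", "TXT", "v=spf1 include:spf.example.net ~all"),
]
# Constructed dig output: DKIM record added as TXT, plus a stale second SPF record.
SAMPLE_DIG = """\
_pingoneemail.auth.example.com. 300 IN TXT "placeholder-trust-token"
selector1._domainkey.auth.example.com. 300 IN TXT "selector1.dkim.example.net"
auth.example.com. 300 IN TXT "v=spf1 include:spf.example.net ~all"
auth.example.com. 300 IN TXT "v=spf1 include:old.example.org -all"
"""

def parse_dig_answers(text):
    """Turn dig answer lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)  # name, ttl, class, type, rdata
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, rtype, rdata = parts[0].rstrip(".").lower(), parts[3], parts[4]
        if rtype == "TXT":  # join the quoted character-strings of one record
            value = "".join(re.findall(r'"([^"]*)"', rdata))
        else:
            value = rdata.rstrip(".").lower()
        records.append((name, rtype, value))
    return records

def check_records(expected, served):
    """Map each expected (name, type) to ok/value_mismatch/wrong_type/missing."""
    report = {}
    for name, rtype, value in expected:
        at_name = [r for r in served if r[0] == name.lower()]
        same_type = [r for r in at_name if r[1] == rtype]
        status = "wrong_type" if at_name else "missing"
        if same_type:
            status = "ok" if any(r[2] == value for r in same_type) else "value_mismatch"
        report[(name, rtype)] = status
    return report

def spf_record_count(served, domain):
    """Count SPF TXT records at a name; more than one is an SPF permerror (RFC 7208)."""
    return sum(1 for n, t, v in served
               if n == domain and t == "TXT" and v.lower().split(" ")[0] == "v=spf1")

if __name__ == "__main__":
    print(check_records(EXPECTED, parse_dig_answers(SAMPLE_DIG)))
```

A `wrong_type` result is the TXT/CNAME mix-up the steps above warn about, and an SPF count above 1 means an older SPF record should be merged with the new one rather than kept beside it.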