Overview

Authenticating your domain is required to allow Userpilot to send emails on your behalf and provides the following benefits:
  • Protects against email spoofing.
  • Meets email clients’ sender requirements.
  • Enables reliable open / click tracking.

Prerequisites

  • A valid registered domain that you own. Email messages will be sent using this domain.
  • Access to your domain’s DNS provider (GoDaddy, Cloudflare, Route 53, etc.).

Authenticate DKIM + MAIL FROM (required)

1

Add your domain in Userpilot

  1. Open Settings → Email → Domains in the Userpilot dashboard.
  2. Click Add domain, enter yourdomain.com, then click Create.

Domain just added – pending authentication

2

Create the DNS records

Add the generated DNS records in your DNS provider.

Record Description

  • DKIM: DKIM adds a tamper-proof signature to every email your app sends. Receiving mail providers check that signature against public keys in your DNS to confirm the message really came from you and wasn’t altered in transit.
  • SPF: SPF is an allow-list that Internet Service Providers use to check email authorization.
    • TXT Record → Authorizes our mail server to send emails on your behalf.
    • MX Record → A return-path which mail clients use to route bounces. Blocks spoofing and keeps your main email (e.g., Gmail/Office 365) untouched.
  • DMARC: DMARC helps protect your domain from email spoofing by working alongside SPF and DKIM. It lets you define how email providers should handle messages that fail authentication checks and provides reports so you can monitor and improve your domain’s email security.
Note: You don’t need to add or adjust your DMARC TXT record if you already have one. Simply review it to ensure it meets your needs.
If you use Cloudflare, set all records to DNS Only. Proxying breaks verification.
3

Verify

DNS may take a few minutes (rarely up to 48 h).
Status switches to Authenticated when DKIM and SPF records are valid. You are now ready to send emails.

Authenticated status

If DNS records are not found after 72 hours, the status changes to Failed. Click Retry Verification to restart the lookup process.

Userpilot wraps all of your email links with its own domain to track clicks. It also injects a hidden image by default to track email opens. Using your own custom tracking subdomain for this tracking mechanism instead keeps your brand aligned and significantly improves deliverability. Many email clients will flag your emails as suspicious if link domains aren’t under the sender’s domain.

Option A – Userpilot-Managed (Easiest)

1

Request a tracking subdomain

Email support@userpilot.co with the tracking subdomain you want to use (e.g. tracking.yourdomain.com). Make sure the subdomain is not used for other purposes.
Userpilot will then provision the following resources:
  • SSL certificate.
  • CDN Distribution.
  • CNAME Record.
2

Verify the CNAME records

We will reach out to you once the resources are provisioned and ready to use. We will provide you with a set of CNAME records to add in your DNS provider.
3

Confirm the setup

Confirm to the support team that you have added the CNAME records. We will then configure the custom tracking domain for your emails.

Option B – Bring your Own CDN (Advanced)

If your security policy requires using your own CDN/certificate, you can manage the tracking subdomain yourself.
Origin: r.us-west-2.awstrack.me
  1. Create a CDN/edge distribution (e.g. CloudFront) for the tracking subdomain (e.g. tracking.yourdomain.com) pointing to the origin value above.
     Make sure your CDN is configured to:
       • Force HTTPS protocol.
       • Forward original Host headers to the origin.
       • Disable caching.
  2. Attach an SSL certificate for the subdomain to your CDN distribution.
  3. Add a CNAME record for your subdomain to point to your CDN distribution.
    <tracking.yourdomain.com> CNAME  <your-cdn-domain.example.net>
    
  4. Reach out to support@userpilot.co when you have verified the setup. We will then configure the custom tracking domain for your emails and confirm it with you.
You can find your Userpilot hosting region in the Environment page. If your HTTP endpoint is https://analytex-eu.userpilot.io/, you’re in the EU region.

    curl -I https://tracking.yourdomain.com/favicon.ico
A 200 response with headers like the ones below confirms the setup:
    x-amz-ses-region: us-west-2 # or eu-west-3
    x-amz-ses-request-protocol: https
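
The header check above can be scripted so it fails loudly instead of relying on a visual scan. The following is an added example, not Userpilot's own code: a POSIX shell function that reads curl -I output on stdin and succeeds only when the status is 200 and both headers carry the expected values. The function name, the optional region argument and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Userpilot code): check `curl -I` output for a custom
# tracking subdomain against the two headers the page lists.
# Usage: curl -sI https://tracking.yourdomain.com/favicon.ico | check_tracking_headers [region]
# Returns 0 only when every check passes; prints one line per finding.
check_tracking_headers() {
    tr -d '\r' | awk -v want="${1:-}" '
        # A new status line starts a new response block (e.g. curl -IL): reset.
        /^HTTP\// { status = $2; region = ""; proto = ""; next }
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "x-amz-ses-region") region = value
            if (name == "x-amz-ses-request-protocol") proto = tolower(value)
        }
        END {
            ok = 1
            if (status != "200") { print "FAIL: status \"" status "\", expected 200"; ok = 0 }
            if (region == "") { print "FAIL: x-amz-ses-region missing"; ok = 0 }
            else if (want != "" && region != want) {
                print "FAIL: region " region ", expected " want; ok = 0
            }
            if (proto != "https") {
                print "FAIL: x-amz-ses-request-protocol \"" proto "\", expected https"; ok = 0
            }
            if (ok) print "OK: region " region ", protocol " proto
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample responses (not captured from a real host).
SAMPLE_OK='HTTP/2 200
x-amz-ses-region: us-west-2
x-amz-ses-request-protocol: https'
# A 200 that lacks both headers, so nothing confirms the setup.
SAMPLE_NOT_ORIGIN='HTTP/1.1 200 OK
Content-Type: image/x-icon
Server: ExampleCDN'

printf '%s\n' "$SAMPLE_OK" | check_tracking_headers us-west-2
```

A 200 without the two headers is reported as a failure, since the status code alone does not confirm the setup.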

Troubleshooting