Domain authentication
Domain authentication enables recipient email servers to confirm that the from-address shown on each of your email messages belongs to your organization. A method called DomainKeys Identified Mail (DKIM) helps make email authentication possible.
Domain authentication is important for many reasons:
For marketing email messages, domain authentication enables recipient email servers to confirm that the from-address shown on each of your messages actually belongs to your organization. Authentication also confirms that your organization has approved Dynamics 365 Customer Insights - Journeys to send messages on its behalf. Messages that fail this test are increasingly likely to get filtered away as spam, which can dramatically impact your deliverability.
For externally hosted forms, domain authentication confirms that you own the domain and establishing an enhanced trust relationship with your domain. The enhanced trust relationship enables embedded marketing forms to be prefilled with data for known contacts.
Domain authentication will also enable DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) protection for your emails and ensure your From and Return-Path addresses align, improving your brand representation in the email.
The primary purpose of email-domain authentication is to protect both the send and the recipient from any potentially fraudulent activities using email like spam, phishing, or scams by enabling SPF and SKIM.
DomainKeys Identified Mail (DKIM) is a method that helps to protect email content and headers. It's based on public/private key encryption and signatures verified using published DNS records for sender domain. This type of encryption provides valuable feedback to the recipient, that the email is sent from a verified sender. And its content hasn't been modified during the transfer phase.
SPF is another type of protection and authentication that ensures that an email was sent from a trusted source (IP address) set up by a sender domain owner.
When you error check or go live with a marketing email message, the verification system makes sure the message uses a from-address that specifies an authenticated domain registered and confirmed for your organization. You get a warning if you try to send a message that has a from-address that has an unregistered domain.
For more information, see Authenticate your domains.
The default authenticated domain
By default, all new Dynamics 365 Customer Insights - Journeys installations come with a preauthenticated sending domain ending in -dyn365mktg.com. This preauthenticated domain means you can begin sending authenticated emails right away. This domain is designed only for initial feature testing or demo purposes as it doesn’t have an email reputation and isn't connected to your organization. It's required that you authenticate your own actual sending domains right away so your authenticated messages show a from address that recipients will recognize as coming from your organization. Authenticating your own domain allows you to manage your sending reputation and will improve brand recognition and deliverability results.
When a user creates a new email, the From address is automatically set to the email address registered for that user's Dynamics 365 user account. If that email address uses a domain, however, that is not yet authenticated using DKIM, then the initial From address will be modified to use an authenticated domain (email addresses use the form account-name@domain-name). The resulting From address will still show the account-name of the user creating the message. But it will now show a DKIM-authenticated domain-name that's registered for your Customer Insights - Journeys instance (for example, MyName@contoso.s01.dyn365mktg.com), which will provide the deliverability benefit, but probably isn't a valid return address.
Which domains to authenticate
Set up as many authenticated domains as you need to cover all the from-addresses you use in your marketing emails, plus all domains and subdomains where you want to support embedded forms with prefill enabled.
When you're authenticating a domain for email, use the full domain name as it appears in your email return addresses. Email addresses take the form
<MailAccount>@<domain>, so if your email address is lamar.ferrari@contoso.com, then the domain you need to authenticate is contoso.com (not www.contoso.com or any other subdomain).When you're authenticating a domain to support prefilled forms, you must authenticate each subdomain individually. So if you have forms on contoso.com, www.contoso.com, and events.contoso.com, then you must set up a separate domain-authentication record for each of them and specify the full subdomain each time.
Note
All new instances and trials automatically authenticate their instance domain with DKIM and set that domain as the default sending domain for your instance. Therefore, you'll usually see at least one authenticated domain already set up for all new instances. It shouldn't be used for production email sending purposes, as it is designed only for initial testing purposes. Make sure to authenticate your own domain before you go live.
Authenticate a domain
Dynamics 365 Customer Insights - Journeys includes a guided domain authentication wizard, allowing you to authenticate domains for use with real-time journeys.
To learn more, see Authenticate a domain.
Prevent sending emails from unauthorized domains
To benefit from domain authentication, the from-address for each message you send must show a domain that you've authenticated. Microsoft is dedicated to helping customers achieve maximum email deliverability, so we've added a few features to help make sure you don't overlook or inadvertently work around your setup:
The error check for email messages will show an error if you try to go live with an email message that has a from-address not associated with any of your domains.
Microsoft recommends that you set a default sending domain that is authenticated for DKIM. When this is set, then the from-address for all email messages will automatically be adjusted to show your selected default domain (if it initially uses a non-authenticated domain) each time you create a new email message or change the user shown in the From field. For more information, see Set sender and receiver options.
All new instances and trials automatically authenticate the instance domain with DKIM and set that domain as the default sending domain for your instance.