Adding SPF & DKIM Records To Help Emails Get To Recipients

Problem: Receipts Sent to SPAM/Junk Folder

This page is for merchants whose customer receipts are being blocked as spam. The most common cause is a change to the Email From address that the gateway uses when sending emails. By default, receipts are sent with a from address of “noreply@usaepay.com”. Since usaepay.com designates its own servers as being allowed to send “@usaepay.com” email, these messages are not blocked. Once the merchant changes the from address on the settings screen in the console, the receipts are sent with the merchant's email, for example: john@adams.com. When the customer's mail server receives the email, it checks that “adams.com” allows usaepay.com to send email on behalf of john@adams.com. If it does not, the message may be tagged as spam. Whether the message is blocked depends on whether adams.com has configured an “SPF” DNS record and whether that record lists USAePay.

What is SPF?

Sender Policy Framework (SPF) is an open standard that allows mail servers to verify that an email was sent by a source that has been permitted by the owner of the domain. Configuring SPF for your domain is a matter of adding a TXT record to your DNS. If you are not sure how to modify the DNS for your domain, consult your domain provider.

Adding an SPF Record

If a merchant is going to list their own email in the Email From setting, they will need to add USAePay to their SPF record. If the merchant does not control their domain and the domain owner is not willing to make the change, the merchant should either use a different email address or leave the from address blank.

The easiest way to list the USAePay mail servers is to add include:spf.usaepay.com somewhere before the ~all or -all. For example, if your SPF record is currently:

acme.org  TXT  "v=spf1 a mx ~all"

you would change it to:

acme.org  TXT  "v=spf1 a mx include:spf.usaepay.com ~all"

If you prefer not to use our include, you can also list the mail server IPs directly. This approach is not recommended as your record will be out of date when our network expands/changes.

acme.org  TXT  "v=spf1 a mx ip4:209.239.233.124 ip4:209.239.233.125 ip4:64.0.146.124 ip4:64.0.146.125 ip4:209.220.191.124 ~all"
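
A local pre-check for the edit described above, as an added example that is not USAePay code: it lints the TXT strings of a domain for the include, its position relative to the all mechanism, and duplicate SPF records. The function name and the sample records are assumptions constructed for illustration, modelled on the acme.org records shown above.

```python
# Added example, not USAePay code: lint a domain's TXT strings for the SPF edit above.
USAEPAY_INCLUDE = "include:spf.usaepay.com"  # mechanism named on this page

def check_spf(txt_records):
    """Return a list of problems; an empty list means the SPF record looks right."""
    cleaned = [r.strip().strip('"').lower() for r in txt_records]
    spf = [r for r in cleaned if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: several v=spf1 records make receivers return permerror
        return ["multiple SPF records; merge them into one"]
    terms = spf[0].split()[1:]
    bare = [t.lstrip("+-~?") for t in terms]  # drop qualifiers for matching
    problems = []
    all_pos = bare.index("all") if "all" in bare else None
    if USAEPAY_INCLUDE not in bare:
        problems.append("missing " + USAEPAY_INCLUDE)
    elif all_pos is not None and bare.index(USAEPAY_INCLUDE) > all_pos:
        # mechanisms listed after "all" are never evaluated
        problems.append(USAEPAY_INCLUDE + " is listed after the all mechanism")
    if all_pos is not None and terms[all_pos] in ("all", "+all"):
        problems.append("+all authorizes every sender")
    # each of these top-level mechanisms costs a DNS lookup; SPF allows 10 in total
    lookups = [t for t in bare
               if t.split(":")[0].split("/")[0] in ("include", "a", "mx", "ptr", "exists")]
    if len(lookups) > 10:
        problems.append("more than 10 DNS-lookup mechanisms")
    return problems

# Constructed inputs modelled on the acme.org records shown above
SAMPLES = {
    "before edit": ['"v=spf1 a mx ~all"'],
    "after edit": ['"v=spf1 a mx include:spf.usaepay.com ~all"'],
    "include misplaced": ['"v=spf1 a mx ~all include:spf.usaepay.com"'],
    "two records": ['"v=spf1 a mx ~all"', '"v=spf1 include:spf.usaepay.com ~all"'],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", check_spf(records) or "OK")
```

The lookup count covers only the mechanisms written in the record itself; lookups made inside an included record also count toward the limit of 10.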

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method that allows recipients to verify an email's legitimacy. DKIM works by attaching a digital signature to outgoing emails, which recipients' mail servers can verify using a public key published in the DNS (Domain Name Service).

A DKIM record is a DNS TXT record containing this public key. When an email is sent, the sending server signs it with a private key. The recipient's server uses the public key from the DKIM record to verify the signature. If the signature matches, it confirms the email is authentic and untampered, improving the chances of your messages reaching your customers' inboxes.

Adding a DKIM Record

To allow us to sign e-mails on your behalf, please work with your IT department or DNS provider to create the following CNAME records in all sending domains you or your merchants have configured to be used by our system. Please ensure example.com in the table below is updated to reference your specific sending domain.

Type   Host                         Value
CNAME  gps1._domainkey.example.com  gps1._default.dkim.safewebservices.com
CNAME  gps2._domainkey.example.com  gps2._default.dkim.safewebservices.com
CNAME  gps3._domainkey.example.com  gps3._default.dkim.safewebservices.com

How to Test

Our portal will provide some information about the status of your SPF and DKIM records. You can learn about that validation here:

Validating an SPF Record

Once you have your rules set up correctly in DNS, there are a variety of web-based tools that you can use to verify them. For example, to test with the Kitterman SPF Validation test tool, enter 209.239.233.124 in the Sending IP Address field, the Email From address you are using in the console should go in the Sender Email Address field, and andmx-ca4-01.usaepay.com should go in the Senders Computer Name field. If all is configured correctly, you should see a Pass and Sender Permitted.

Validating a DKIM Record

  1. Go to DKIM Check - DomainKeys Identified Mail (DKIM) Record Lookup - MxToolBox.
  2. Enter your domain name, enter gps1 in the selector field, and click DKIM Lookup.
  3. The CNAME you entered should be traversed and verified from NMI’s servers.
  4. Repeat this process using your domain name along with gps2 and gps3 in the selector field.

Note: USAePAY has left the gps2 and gps3 keys empty to allow us to rotate keys in the future. Any DKIM correctness validators you execute against our records for these selectors will fail, due to intentionally having left the public keys blank. You should proceed to add CNAME records to your domains anyway so that rotations in the future will require no action by your staff.
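
The same checks as an offline audit, as an added example that is not USAePay code: it builds the three expected CNAMEs for a sending domain and compares them with lookup results, treating a missing public key on gps2 and gps3 as expected, per the note above. The lookup data is constructed, and representing a blank key as an empty p= tag is an assumption.

```python
# Added example, not USAePay code: audit the DKIM CNAMEs from the table above.
SELECTORS = ("gps1", "gps2", "gps3")                  # selectors from the table
TARGET_SUFFIX = "._default.dkim.safewebservices.com"  # CNAME value suffix from the table
RESERVED = ("gps2", "gps3")                           # keys left blank, per the note

def expected_cnames(domain):
    """Host -> CNAME value that the table calls for, for one sending domain."""
    return {f"{s}._domainkey.{domain}": s + TARGET_SUFFIX for s in SELECTORS}

def has_public_key(txt):
    """True when a DKIM TXT record carries a non-empty p= tag."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): v.strip() for k, v in pairs}
    return bool(tags.get("p"))

def audit(domain, cnames, txts):
    """cnames and txts hold lookup results (name -> value); returns host -> status."""
    report = {}
    for host, target in expected_cnames(domain).items():
        got = cnames.get(host, "").rstrip(".").lower()
        selector = host.split(".", 1)[0]
        if not got:
            report[host] = "CNAME missing"
        elif got != target:
            report[host] = "CNAME points to " + got
        elif has_public_key(txts.get(target, "")):
            report[host] = "ok"
        elif selector in RESERVED:
            # validators fail here by design; the CNAME itself is correct
            report[host] = "ok (reserved for rotation, no key yet)"
        else:
            report[host] = "no public key at target"
    return report

# Constructed lookup results for example.com (assumed data, not real DNS answers)
CNAMES = {
    "gps1._domainkey.example.com": "gps1._default.dkim.safewebservices.com.",
    "gps2._domainkey.example.com": "gps2._default.dkim.safewebservices.com",
    "gps3._domainkey.example.com": "gps3._default.dkim.safewebservice.com",  # typo
}
TXTS = {
    "gps1._default.dkim.safewebservices.com": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ=",
    "gps2._default.dkim.safewebservices.com": "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for host, status in audit("example.com", CNAMES, TXTS).items():
        print(f"{host}: {status}")
```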

Using a Webmail Based Email Address

USAePay does not recommend using a public webmail-based address (@google.com, @hotmail.com, etc.) in the Email From setting. There is no way to correctly configure these email addresses to be sent from the USAePay gateway, and merchants will experience a number of customers who are not able to receive receipts. The merchant should either leave the "From" setting blank or get their own domain for email.


Frequently Asked Questions

What if we do not implement these changes?

If these changes are not implemented, USAePay will fall back to using @safewebservices.com as the sending domain for mail on your behalf. These changes are only required to retain custom branded sending domains.

What should I do if I need help with these settings?

If you need assistance, contact your IT department or DNS provider. They can help you add the necessary SPF and DKIM records to your domain. If they require any assistance, you can always reach us at support@usaepay.com, or using an option from our Contact Us page.

Where can I learn about major email providers' requirements for SPF and DKIM?

Google and Yahoo have recently updated their email security policies to require DKIM and SPF for improved email authentication. These changes are aimed at reducing email spoofing and ensuring that emails are sent from verified sources. While these changes only currently apply to Bulk Senders, we are now requiring this configuration for all custom sending domains.

Where can I find more information on setting up SPF for common providers?

The following table includes links to documentation for common providers.

Provider    SPF                                            DKIM
Google      Ensure mail delivery & prevent spoofing (SPF)  Turn on DKIM for Your Domain
Outlook     Set up SPF to help prevent spoofing            Set up DKIM to help prevent spoofing
Yandex      SPF record                                     Configure DNS Settings
Yahoo       How to Set Up SPF for Yahoo Mail               How to Set Up DKIM for Yahoo Mail
GoDaddy     Add an SPF record                              Turn on DKIM for Your Domain
Bluehost    How To Setup a DNS SPF Record                  What is a DKIM Record?
Amazon SES  Authenticating Email with SPF in Amazon SES    Authenticating Email with DKIM in Amazon SES

These are external links and may be broken if the provider makes an update. Please let us know about any broken links by sending an email to support@usaepay.com.