# Senders Authorization

The **Senders Authorization** tab is the central hub for authenticating sending domains and addresses. Correct configuration of this area is an absolute requirement before running your first bulk campaign. This process unambiguously confirms sender identity to mail service providers (such as Gmail, Outlook, and Yahoo) and actively protects your brand against impersonation attempts (phishing).

{% hint style="info" %}
This configuration applies to all email sends carried out via MessageFlow, regardless of the channel used (e-mail campaigns or API/SMTP integration).

If you are just getting started with the platform, however, the system allows you to carry out your first sends in a production environment using an automatically generated domain. Learn more: [Sandbox Domain](/email/sender-security/senders-authorization/sandbox-domain.md)
{% endhint %}

<details>

<summary><strong>Authorization mechanisms (SPF, DKIM, DMARC)</strong></summary>

To ensure the highest level of security and deliverability for your emails, MessageFlow supports and recommends using standard authorization mechanisms:

* **SPF (Sender Policy Framework):** This is a DNS record that precisely specifies which servers (IP addresses) are authorised to send emails on behalf of your domain. It allows the recipient's mail server to verify if an email it has received actually originated from a trusted and authorised source.
* **DKIM (DomainKeys Identified Mail):** This method involves digitally "signing" the emails you send. This signature, unique to each message, is verified by the recipient's server using a public key that you publish in your domain's DNS records. DKIM ensures that the message content has not been altered during transit and confirms that the message originated from your domain.
* **DMARC (Domain-based Message Authentication, Reporting, and Conformance):** This mechanism builds upon the results of SPF and DKIM verification. DMARC is a policy you publish in a special DNS record. It informs recipients' mail servers what to do with messages that claim to be from your domain but fail SPF and/or DKIM checks (e.g., reject them, move them to the spam folder, or deliver them unchanged – depending on the policy you define). Furthermore, DMARC enables you to receive detailed reports on attempts to impersonate your domain (phishing, spoofing) and on the verification status of your legitimate emails.

In MessageFlow, the process of generating the appropriate values for the records needed for DKIM and DMARC configuration is automated to make their implementation as easy as possible for you.

</details>

#### Two Pillars of Sender Configuration

In the MessageFlow system, the authorization process is divided into two distinct stages, each serving a different purpose:

* **Domain authorization**: Securing your sending domain by implementing the appropriate DNS records (including DKIM). This is a foundational step that improves deliverability and the technical credibility of your sends.
* **Email address authorization**: A process that confirms ownership of a specific mailbox (for example, <contact@yourcompany.com>). These addresses then become available for selection in the "From" field when you design campaigns in the panel. This step requires prior and correct authorization of the domain under which the address operates.

#### Step-by-step domain authorization process

1\. **Adding a domain**

Go to the **E-mail -> Sender Security -> Senders Authorization** tab and click the **+ Add Domain** button. Enter the full domain name. To keep the reputation of your marketing sends separate from your corporate communications, we recommend using a dedicated subdomain (for example, newsletter.yourcompany.com).

2\. **Advanced configuration and DMARC policy (Optional)**

{% hint style="info" %}
Before you generate your DNS records, you can fine-tune your infrastructure parameters. Expand the Advanced Settings section to configure the following options:

* **Use a dedicated Return Path**: Define your own subdomain to use as the return address for your messages. Simply enter a suggested phrase (for example, "mailing") and the system will automatically create the full address (for example, mailing.yourcompany.com). A dedicated Return Path actively helps build a consistent and positive reputation for your sending domain.
* **Use a dedicated subdomain link (for tracking)**: This feature allows you to use your own subdomain in links that track clicks and email opens instead of the default MessageFlow domain. Enter a short phrase (for example, "click") and the system will generate an address in the format click.yourcompany.com. This improves visual brand consistency and positively influences how spam filters evaluate your links.
* **Use a dedicated DKIM selector**: A selector is a special label used to look up the appropriate DKIM key in DNS records. You can define your own string here (between 3 and 7 characters required).
* **Define custom DMARC settings**: Configure an advanced security policy directly in the panel. The system will provide a ready-to-use CNAME record to add to your DNS settings. The configuration covers three key elements:
  * **DMARC policy**: Defines how receiving servers should handle messages claiming to originate from your domain that fail SPF or DKIM verification. Options include none (monitor and deliver with a report), quarantine (treat the message as suspicious and move it to the spam folder), or reject (have the server block the message entirely).
  * **RUA (Reporting URI for Aggregate Data)**: Specify the email address to which you want to receive aggregate DMARC reports. These provide valuable insight into message volume and authorization status.
  * **PCT (Percentage)**: Set the percentage of messages (1 to 100) subject to the selected DMARC policy (quarantine or reject). This setting does not apply when you select the "none" option. The recommended practice is to gradually increase this value over time.
{% endhint %}

<figure><img src="/files/AXH134I3BOmLGUPwncke" alt=""><figcaption></figcaption></figure>
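To check what receiving servers will actually read once the DMARC record is live, the following Python script audits a DMARC policy string for the three settings described above (policy, RUA and PCT). It is an added example, not MessageFlow code: the sample records, the `yourcompany.example` domain and the function names are constructed for illustration.

```python
import re

POLICIES = ("none", "quarantine", "reject")
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+\.[^@\s,]+", re.I)

# Constructed sample policies (placeholder domain), as a receiver would read
# them from the TXT data at _dmarc.<domain> after following the CNAME.
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example",
    "staged": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourcompany.example",
    "broken": "v=DMARC1; p=block; pct=150",
}

def parse_dmarc(txt):
    """Split a DMARC policy string into ordered (tag, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return (tags, findings); findings are 'error: ...' or 'warn: ...' strings."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return {}, [f"error: {exc}"]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return {}, ["error: record must start with v=DMARC1"]
    tags, findings = dict(pairs), []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"error: p={policy!r} is not one of {', '.join(POLICIES)}")
    elif policy == "none":
        findings.append("warn: p=none only monitors; failing mail is still delivered")
    pct = tags.get("pct", "100")  # receivers assume 100 when pct is absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:  # RFC 7489: 0-100
        findings.append(f"error: pct={pct!r} is not an integer from 0 to 100")
    elif policy in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"warn: {policy} is applied to only {pct}% of failing mail")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("warn: no rua address, so no aggregate reports are sent")
    findings += [f"error: rua entry {u!r} is not a mailto: URI" for u in rua if not MAILTO.fullmatch(u)]
    return tags, findings

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record)[1])
```

A record that returns no findings enforces its policy on all failing mail and has a reporting address, which is the end state of the gradual PCT increase recommended above.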

3\. **Generating DNS records**

After confirming your settings by clicking **Next**, the system will generate a set of CNAME records. Each record consists of a Host, Record Type, and Value. You must copy and implement these in the admin panel of your domain hosting provider. The method for adding records varies depending on the technical specifications of your DNS provider. Learn more: [Authorizing domains with web hosts](/email/e-mail-campaigns/campaigns/authorization-of-domain-and-senders/authorizing-domains-with-web-hosts.md)

4\. **Verifying propagation**

DNS changes require time to propagate globally (typically between 15 minutes and 24 hours). Once this time has passed, return to the MessageFlow panel, locate the domain in the list, click **Preview**, and then click **Verify**. A successful verification changes the domain status to **Verified** and unlocks the ability to carry out sends.

{% hint style="success" %}
From this point on, you will be able to send emails using any email address configured under this authorized domain (for example, <contact@mydomain.com>, <offers@mydomain.com>).
{% endhint %}

#### Access management (Optional)

The system allows you to precisely restrict authorization to selected SMTP accounts only. In the details view of a verified domain (under the Status section), you will find a list of available SMTP sub-accounts. Use the checkboxes to grant or revoke permission to use the given domain for individual accounts within your organization's structure.

