GoHighLevel doesn't handle email authentication — your SMTP provider does. Configure SPF, DKIM, and DMARC on your sending domain through your SMTP provider (Mailgun, SendGrid, or AWS SES), not through GHL. For Mailgun: add include:mailgun.org to SPF, configure DKIM via Mailgun dashboard, publish DMARC record. For SendGrid: add include:sendgrid.net to SPF, verify domain in SendGrid. For AWS SES: add include:amazonses.com to SPF, verify domain in SES console.
GoHighLevel Email Authentication: SPF, DKIM, DMARC Setup
Authentication Is Not Optional
Since 2024, Gmail and Yahoo require SPF, DKIM, and DMARC for bulk senders. Since May 2025, Microsoft enforces the same. Without authentication, your GHL emails go to spam or get rejected entirely.
GHL doesn't configure this for you. Your SMTP provider doesn't configure your DNS for you. You must add the DNS records yourself. For a deep dive on authentication, see our email authentication guide and DNS configuration guide.
By SMTP Provider
Mailgun Authentication
SPF: Add to your domain's existing SPF record:
v=spf1 include:mailgun.org [other includes] -all
DKIM: In Mailgun dashboard → Sending → Domain Settings → DNS Records. Mailgun provides DKIM TXT or CNAME records. Add them to your DNS exactly as shown.
Tracking Domain: Add the CNAME record Mailgun provides for click/open tracking.
Verify: Mailgun dashboard → Domain → Verify DNS Settings. All should show green.
Full walkthrough: GoHighLevel + Mailgun Setup
SendGrid Authentication
SPF: SendGrid's domain authentication handles SPF automatically via CNAME records.
DKIM: In SendGrid → Settings → Sender Authentication → Authenticate Your Domain. Add the 3 CNAME records SendGrid provides.
Verify: SendGrid dashboard → Sender Authentication → check all records verified.
Full walkthrough: GoHighLevel + SendGrid Setup
AWS SES Authentication
SPF: Add to SPF record:
v=spf1 include:amazonses.com [other includes] -all
DKIM: SES provides 3 CNAME records for DKIM when you verify a domain. Add all three.
Verify: SES Console → Verified Identities → your domain → check all records verified.
Full walkthrough: GoHighLevel + AWS SES Setup
DMARC (Required for All Providers)
Regardless of which SMTP provider you use, publish a DMARC record:
_dmarc.yourdomain.com TXT v=DMARC1; p=none; rua=mailto:[email protected]
Start at p=none (monitor). Advance to p=quarantine then p=reject over 6-12 weeks. See our DMARC setup guide.
Verification Checklist
After configuring all records:
- SPF includes your SMTP provider
- DKIM records published and verified in provider dashboard
- DMARC record published on
_dmarc.yourdomain.com - Custom tracking domain configured (optional but recommended)
- Test email sent from GHL shows
spf=pass,dkim=pass,dmarc=passin headers - Google Postmaster Tools set up for monitoring
Per-Client Authentication for Agencies
If you manage multiple GHL sub-accounts for clients:
- Each client gets their own sending domain
- Each domain gets its own SPF, DKIM, DMARC
- Each sub-account uses its own SMTP credentials pointing to its domain
- Monitor each domain's reputation independently
Never share SMTP credentials or sending domains across clients. One client's bad list poisons everyone's reputation.
Practitioner note: The most common authentication failure I see in GHL setups: the agency configures SMTP credentials correctly but forgets to add the DKIM DNS records. SMTP connects fine (emails send), but DKIM silently fails. The emails "work" but authentication is broken, leading to gradual reputation damage over weeks.
Practitioner note: Always verify authentication by sending a test email and checking the raw headers. Don't assume it's working because emails are sending. "Sending" and "authenticated" are different things. Unauthenticated emails still send — they just go to spam.
If you need authentication configured correctly across your GHL agency's client domains, schedule a consultation — I handle multi-domain authentication for agencies daily.
Sources
- Google: Email Authentication Requirements
- Mailgun: Domain Verification
- SendGrid: Domain Authentication
v1.0 · March 2026
Frequently Asked Questions
Does GoHighLevel set up email authentication automatically?
No. GHL is a campaign platform, not an email infrastructure tool. Authentication (SPF, DKIM, DMARC) is configured through your DNS and SMTP provider. GHL sends through your SMTP — it doesn't manage your domain's authentication.
Do I need authentication for LC Email?
LC Email uses Mailgun's shared infrastructure which has basic authentication. But you get shared reputation, not your own. For custom SMTP, authentication is mandatory — without it, your emails fail authentication checks and go to spam.
Which DNS records do I need for GHL email?
Depends on your SMTP provider: SPF include for your provider, DKIM records from your provider, DMARC TXT record on _dmarc.yourdomain.com, and optionally a custom tracking domain CNAME. See the provider-specific sections below.
Can I use authentication with multiple GHL sub-accounts?
Yes. Each sub-account should have its own sending domain with its own authentication. Don't share one domain across multiple client sub-accounts — isolate domains per client for reputation protection.
How do I verify authentication is working?
Send a test email from GHL to a personal Gmail. Open the email → three dots → Show Original. Check for spf=pass, dkim=pass, dmarc=pass in the Authentication-Results header.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.