SPF for ActiveCampaign: Setup and Configuration Guide

Set up SPF for ActiveCampaign with the correct include statement. Covers adding to existing SPF records, CNAME auth, and verification.

Last updated: 2026-05-20

ActiveCampaign is a popular email marketing and automation platform used by thousands of small businesses. When you send emails through ActiveCampaign using your own domain, you need to set up email authentication—including SPF—so those emails are recognized as legitimate by receiving mail servers.

Without proper authentication, your marketing emails and automated sequences are more likely to land in spam folders. For a comprehensive overview of SPF, see our complete SPF guide. This guide walks you through the entire setup process.

How ActiveCampaign Sends Email

When you send a campaign or automation email through ActiveCampaign, the email goes out from ActiveCampaign's mail servers—not from your own server. The email might show your domain in the "From" field, but it's physically sent from ActiveCampaign's infrastructure.

This means receiving mail servers need a way to confirm that ActiveCampaign is authorized to send on your behalf. That's what SPF does: it tells the world which servers are allowed to send email for your domain.

The ActiveCampaign SPF Include

To authorize ActiveCampaign's sending servers, add this include statement to your SPF record (ActiveCampaign Help):

include:emsd1.com

The domain emsd1.com is ActiveCampaign's SPF domain. It contains the IP addresses of all the servers ActiveCampaign uses to send email. By including it in your SPF record, you're saying "ActiveCampaign's servers are authorized to send email for my domain."

Why emsd1.com?

ActiveCampaign uses emsd1.com as their dedicated SPF domain rather than activecampaign.com. This is common practice—email providers often maintain a separate domain specifically for SPF records. Always use the include domain that the provider specifies in their documentation, not their main website domain.

Setting Up SPF for ActiveCampaign

If you don't have an existing SPF record

If your domain doesn't have an SPF record yet, create a new TXT record with this value:

v=spf1 include:emsd1.com ~all

If you already have an SPF record

Most businesses already have an SPF record for their regular email provider (like Google Workspace or Microsoft 365). In that case, you need to add ActiveCampaign's include to your existing record—not create a second one.

Example: Adding ActiveCampaign to a Google Workspace SPF record

If your current record is:

v=spf1 include:_spf.google.com ~all

Update it to:

v=spf1 include:_spf.google.com include:emsd1.com ~all

Example: Adding ActiveCampaign alongside multiple services

v=spf1 include:_spf.google.com include:emsd1.com include:sendgrid.net ~all

The order of include statements doesn't matter. Just keep v=spf1 at the beginning and ~all (or -all) at the end.
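The merge rules above as an added example (not ActiveCampaign's code or part of the original guide). It assumes you pass in the unquoted TXT values currently published for your domain; the sample record sets and the function names are constructed for illustration.

```python
import re

AC_INCLUDE = "include:emsd1.com"   # the include named in this guide
END_TERM = re.compile(r"[+\-~?]?all|redirect=.*", re.IGNORECASE)

def is_spf(txt):
    """True if a TXT value is an SPF record (starts with the v=spf1 tag)."""
    return re.match(r"v=spf1( |$)", txt.strip(), re.IGNORECASE) is not None

def add_include(txt_records, include=AC_INCLUDE):
    """Return the single SPF value to publish for the domain.

    txt_records: every TXT value currently published for the domain.
    Raises ValueError when more than one SPF record exists, since that
    state has to be merged by hand before anything else is added.
    """
    spf = [t.strip() for t in txt_records if is_spf(t)]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; merge them into one")
    if not spf:
        return f"v=spf1 {include} ~all"        # no record yet: create one
    terms = spf[0].split()
    if include.lower() in (t.lower() for t in terms):
        return spf[0]                           # already present: no change
    # Insert ahead of the closing all mechanism (or a redirect= modifier)
    # so the record still ends the way it did before.
    for i, term in enumerate(terms):
        if END_TERM.fullmatch(term):
            return " ".join(terms[:i] + [include] + terms[i:])
    return " ".join(terms + [include])          # no closing term: append

# Constructed sample TXT sets (not live DNS data).
GOOGLE_ONLY = ["site-verification=constructed-token",
               "v=spf1 include:_spf.google.com ~all"]
DUPLICATED = ["v=spf1 include:_spf.google.com ~all",
              "v=spf1 include:emsd1.com ~all"]

if __name__ == "__main__":
    print(add_include([]))
    print(add_include(GOOGLE_ONLY))
    try:
        add_include(DUPLICATED)
    except ValueError as err:
        print("refused:", err)
```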

Setting Up Authentication in ActiveCampaign

ActiveCampaign has a built-in sender authentication process that guides you through setting up both SPF and DKIM. Here's how to access it:

1. Open ActiveCampaign Settings

   Log in to your ActiveCampaign account. Click on Settings in the left sidebar menu.

2. Navigate to Advanced Settings

   Select Advanced from the settings menu. This is where email authentication options live.

3. Set Up Sender Authentication

   Look for the Sender Authentication or Email Authentication section. ActiveCampaign will show you the DNS records you need to add, including SPF and DKIM records.

4. Add the DNS Records

   Go to your DNS provider — see our guides for Cloudflare, GoDaddy, or Namecheap. Add the records that ActiveCampaign specifies.

5. Verify in ActiveCampaign

   Return to ActiveCampaign and click the verification button. ActiveCampaign will check that your DNS records are published correctly. Note that DNS propagation can take 1 to 4 hours, so you may need to wait before verification succeeds.

ActiveCampaign's CNAME-Based Authentication

In addition to SPF, ActiveCampaign offers a CNAME-based authentication method. This involves adding CNAME records to your DNS that point specific subdomains to ActiveCampaign's servers. These CNAME records handle DKIM signing and can help with deliverability.

ActiveCampaign typically asks you to add two or three CNAME records during the sender authentication process. Besides DKIM signing, they can customize the return-path domain for better SPF alignment.

Add both SPF and CNAME records

The CNAME records ActiveCampaign provides are primarily for DKIM, not SPF. You still need the include:emsd1.com in your SPF record. Don't skip one thinking the other covers everything—they serve different purposes.

Common Mistakes

Creating a second SPF record

The most frequent mistake is adding a new SPF record instead of editing the existing one. Your domain can only have one SPF record. Two records cause a PermError, which means every SPF check fails.

If you're not sure whether you already have an SPF record, use the checker tool above to find out before making changes.

Using the wrong include domain

Make sure you use emsd1.com—not activecampaign.com or any other variation. The include domain is specific and using the wrong one means ActiveCampaign's servers won't be authorized.

Forgetting to update SPF when adding ActiveCampaign to an existing setup

If you've been using email for a while and then add ActiveCampaign, it's easy to forget the SPF step. ActiveCampaign's setup wizard will remind you, but if you skip through it or handle DNS separately, make sure the SPF record gets updated.

Exceeding the DNS lookup limit

Each include in your SPF record costs at least one DNS lookup, and you're limited to 10 total. If you use Google Workspace (3-4 lookups), ActiveCampaign (1-2 lookups), and a couple of other services, you can approach the limit quickly.

Check your total lookup count with the tool above. If you're close to 10, read our guide on the SPF 10 DNS lookup limit for strategies to optimize, or explore SPF flattening to reduce lookup counts.
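How the lookup total adds up across nested includes, as an added example that is not part of the original guide. The `ZONE` map stands in for DNS and its contents are constructed: the nested names and IP ranges are placeholders, not the providers' real records.

```python
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count lookup-consuming terms reachable from a domain's SPF record.

    zone maps a domain name to SPF record text and stands in for live DNS.
    include and redirect targets are followed, because their own lookups
    count against the same limit.
    """
    if domain in path:                      # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:     # skip the v=spf1 tag
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]           # "a/24" or "mx/24" -> "a", "mx"
        if name not in LOOKUP_MECHANISMS:
            continue                        # ip4, ip6 and all cost nothing
        total += 1
        if name == "include":
            total += count_lookups(arg, zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """True while the record stays at or under the 10-lookup limit."""
    return count_lookups(domain, zone) <= LIMIT

# Constructed stand-in data, NOT the providers' real records.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:emsd1.com "
                   "include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:n1.spf.example include:n2.spf.example "
                       "include:n3.spf.example ~all",
    "emsd1.com": "v=spf1 include:n4.spf.example ~all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "n1.spf.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "n2.spf.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "n3.spf.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "n4.spf.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

if __name__ == "__main__":
    print(count_lookups("example.com", ZONE), within_limit("example.com", ZONE))
```

With this sample data the three includes cost 4 + 2 + 1 lookups, so four more lookup-consuming terms would push the record over the limit.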

Verifying Your Setup

After adding the SPF record and completing ActiveCampaign's sender authentication:

Check your DNS. Use the lookup tool above to confirm your SPF record includes emsd1.com and that the record has valid syntax.

Send a test campaign. Create a small test campaign in ActiveCampaign and send it to your own email address. Check the email headers for the SPF result:

spf=pass

If you see spf=pass, ActiveCampaign is properly authorized.

Review authentication status in ActiveCampaign. Go back to Settings, Advanced, and check that the authentication status shows as verified. ActiveCampaign displays a green checkmark or "Verified" status when everything is configured correctly.
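The header check from the test-campaign step, as an added example that is not part of the original guide. It reads the SPF result from the first Authentication-Results header and also reports whether the return-path domain matches the From domain. Both messages are constructed, and the alignment test is a simplified assumption (same domain or a subdomain of it).

```python
import re
from email import message_from_string
from email.utils import parseaddr

def spf_verdict(raw_message):
    """Return (spf_result, mailfrom_domain, aligned) for a received message.

    Only the topmost Authentication-Results header carrying an spf= result
    is used; that is the one added last, normally by your own mail provider.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for header in msg.get_all("Authentication-Results", []):
        flat = " ".join(header.split())            # unfold continuation lines
        result = re.search(r"\bspf=(\w+)", flat)
        if not result:
            continue
        mf = re.search(r"smtp\.mailfrom=(\S+?)(?:;|\s|$)", flat)
        mailfrom = mf.group(1).rpartition("@")[2].lower() if mf else ""
        aligned = bool(mailfrom) and (
            mailfrom == from_domain or mailfrom.endswith("." + from_domain))
        return result.group(1).lower(), mailfrom, aligned
    return "none", "", False

# Constructed test messages (all hostnames and addresses are placeholders).
CUSTOM_RETURN_PATH = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@em.example.com;
 dkim=pass header.d=example.com
From: Newsletter <news@example.com>
To: me@receiver.example
Subject: Test campaign

Hello
"""
SHARED_RETURN_PATH = CUSTOM_RETURN_PATH.replace(
    "bounce@em.example.com", "bounce@bounces.esp.example")

if __name__ == "__main__":
    print(spf_verdict(CUSTOM_RETURN_PATH))
    print(spf_verdict(SHARED_RETURN_PATH))
```

The second message still shows spf=pass, but the pass belongs to a return-path domain that is not yours, which is the gap the custom return-path CNAME closes.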

Complete Your Email Authentication

SPF is one piece of the puzzle. For the best email deliverability from ActiveCampaign, make sure all three authentication protocols are in place:

  • SPF — Authorizes ActiveCampaign's servers (the include:emsd1.com you just set up)
  • DKIM — Adds a cryptographic signature to your emails (configured through ActiveCampaign's CNAME records)
  • DMARC — Tells receiving servers how to handle emails that fail SPF or DKIM checks

You can verify your DKIM setup with a DKIM test and check your DMARC policy with a DMARC checker. For a complete view of your domain's email authentication health, use the Email Deliverability Suite.
