Skip to main content

Documentation Index

Fetch the complete documentation index at: https://documentation.onesignal.com/llms.txt

Use this file to discover all available pages before exploring further.

How your domain is configured has a direct impact on whether your emails reach the inbox. These steps are the foundation of a sender identity that email providers trust, recipients recognize, and bad actors can’t impersonate. Getting this right protects your brand, improves your deliverability, and signals to the broader email ecosystem that you’re a legitimate sender worth delivering for.
If your OneSignal email account was denied during verification, work through the self-check below. Most denials trace back to one or more of these areas. After making changes, allow DNS to propagate (up to 24–48 hours), then return to Settings > Set up Email and click Verify Account again. You can retry one week after your initial denial.

Self-check

Work through each item. Click any link to jump to the relevant section. If everything in this checklist passes, see the FAQ for additional considerations before retrying verification.

Email authentication (SPF, DKIM, and DMARC)

Authentication records are very important for your domain’s sending reputation. They tell receiving mail servers that your emails are genuinely coming from you and give them clear instructions for what to do when they’re not. All three records (SPF, DKIM, and DMARC) need to be present and consistent with each other. A gap in any one of them weakens your overall authentication posture and reduces inbox providers’ confidence in your mail.

Email DNS configuration

Set up SPF, DKIM, and DMARC records for your sending domain.
A policy of p=none with no reporting address is a starting point, not a finished configuration. To get the full benefit of DMARC:
  • Set your policy to quarantine or reject to actively protect your domain rather than just observing it.
  • Include an active aggregate reporting address (rua tag) so you can monitor authentication results and catch problems early.
Industry organizations including M3AAWG recommend moving from monitoring to enforcement as quickly as your sending configuration allows. See the M3AAWG Email Authentication Recommended Best Practices.

Alignment matters

The domain in your From: address should align with your DKIM signing domain or your SPF return-path. Misalignment (where these don’t match) causes authentication failures even when all three records are correctly configured, which directly hurts deliverability. For example, if your From: address is team@onesignal.com but your DKIM signature is configured for mail.example.com, inbox providers will see that mismatch and treat the authentication as failed. Even though both records may be valid on their own, the domains need to match for authentication to pass.

DNS configuration and health

A healthy DNS setup is the infrastructure your authentication records depend on. Issues here can undermine everything else. For step-by-step DNS record setup, see the Email DNS configuration guide. Beyond your authentication records, there are a few things worth checking:
  • A and AAAA records connect your domain to a web server. Domains that don’t resolve to anything have no web presence, which affects how inbox providers and spam filters evaluate them.
  • Nameservers need to be active and responding. If DNS lookups against your domain are failing, your authentication records can’t be verified, and unverifiable authentication is treated the same as no authentication.
Free tools like MXToolbox and DNSChecker let you inspect all of your DNS records quickly and spot configuration gaps before they affect your sending.

Check your blocklist status

Your domain — and any IP addresses associated with it — may appear on one or more public reputation blocklists for reasons that have nothing to do with you. Common causes include previous owners of the domain, shared hosting or IP history, or a single past spam complaint. Inbox providers and verification systems treat listed domains as higher risk, which means a blocklist entry can be the deciding factor in a denial even when every other part of your configuration is correct. Check your domain and IPs against the major lists: If you’re listed, each blocklist publishes its own delisting process. Delisting is free and usually completes within a few days. Re-check the lists before retrying verification.

SSL/TLS and site security

A valid SSL/TLS certificate is a basic signal of legitimacy that inbox providers, spam filters, and recipients all look for. An expired, missing, or misconfigured certificate undermines confidence in your domain even before a single email is evaluated. Your site should load over HTTPS without a browser security warning. Your certificate should be current, correctly configured, and issued for the right domain. Free certificates from providers like Let’s Encrypt are completely fine as long as they’re valid and properly in place.
Audit your SSL configuration using SSL Labs.

Domain and web presence

Your technical configuration tells inbox providers how your domain is set up. Your web presence tells them, and your recipients, who’s behind it. A domain with a real, accessible website that clearly represents your organization is a stronger sender than one with placeholder content, a default hosting page, or no reachable site. A consistent web presence also makes it harder for bad actors to impersonate your brand, since there’s an established reference point for what legitimate communication from you looks like. Domains that were registered very recently or that show signs of having lapsed and been re-registered carry less inherent trust with inbox providers. If your domain is new, allow time for that trust to build before ramping up sending volume.

Email warm up

Use OneSignal’s Auto Warm Up feature to gradually increase sending volume from a new domain.

Building a stronger trust profile

Beyond the baseline, a few additional steps meaningfully strengthen your domain’s reputation as a sender.

Make your domain registration public

Public registration, with business information that’s consistent across your registration record, your website, and any public business profiles, signals organizational legitimacy. Consistency across those sources matters more than any single one in isolation, and it makes your domain significantly harder to spoof convincingly.

Cover your organizational domain

If you send from a subdomain (for example, mail.yourdomain.com), make sure your organizational domain also has valid SPF, DKIM, and DMARC records in place. A sending subdomain backed by a bare parent domain with no authentication records is an incomplete setup that leaves your brand exposed.

Move DMARC from monitoring to enforcement

If your DMARC policy is currently p=none, you’re collecting data but not acting on it. Moving to p=quarantine or p=reject with an active reporting address protects your recipients from spoofed mail, protects your brand reputation, and signals to inbox providers that you take your domain seriously. This is considered best practice by M3AAWG and major inbox providers alike.

Ongoing maintenance

Domain configuration is not a one-time task. Maintain it as your infrastructure changes:
  • Rotate DKIM keys periodically to limit exposure if a key is compromised.
  • Review DMARC reports regularly to catch unauthorized use of your domain early.
  • Update DNS records whenever you change mail providers, hosting, or subdomains.
  • Renew SSL certificates before expiration; configure auto-renewal where possible.
  • Re-verify after major changes to your sending infrastructure to confirm nothing regressed.

FAQ

Why was my account denied?

OneSignal uses a third-party domain reputation provider to keep verification tamper-resistant and consistent across all customers. To preserve the integrity of that signal, we don’t share the underlying scores or the specific factors evaluated for an individual account. What we can tell you: verification draws on publicly observable signals about your domain — authentication records, DNS health, blocklist status, SSL configuration, web presence, and registration history. The self-check above lets you inspect every one of these signals using the same free tools that downstream inbox providers use. Most denials trace back to one or two items in that checklist.

I worked through the self-check and was denied again. What now?

Contact support@onesignal.com with a summary of:
  • Which items in the self-check you verified, and which tools you used (e.g., “MXToolbox shows all DNS records passing, Spamhaus shows my domain is not listed”).
  • Any changes you made between attempts.
  • Your sending domain.
Support can review your account against general verification categories and give you direction on what to focus on, even though we can’t share the underlying reputation data.

How long do DNS changes take to apply?

DNS changes typically propagate within a few hours but can take up to 24–48 hours to apply globally. Use MXToolbox or DNSChecker to confirm your records are visible before retrying verification.

When can I retry verification?

You can request re-verification one week after an initial denial. Make the changes identified in your self-check first — retrying without changes typically produces the same result.

Do I need a paid SSL certificate?

No. Free certificates from providers like Let’s Encrypt are fully accepted as long as they’re valid, current, and issued for the correct domain.

Can I use a brand-new domain?

Yes, but newly registered domains carry less inherent trust with inbox providers. If your domain is new, complete the configuration steps in this guide and consider using Email warm up to build sending reputation gradually before scaling volume.

Email DNS configuration

Set up SPF, DKIM, and DMARC records for your sending domain.

Email deliverability

Understand key concepts like reputation, bounces, spam traps, and inbox placement.

Email reputation best practices

Actionable steps to build and maintain a healthy sending reputation.

Email warm up

Gradually increase sending volume to build trust with inbox providers.