Adding DMARC, SPF, and DKIM records at any provider

When trustyourinbox does not have a one-click integration with your DNS host, you can still apply every fix yourself. The mechanics are nearly identical everywhere once you know the three field names and the one rule that changes per provider. Here is the universal version.

Step 1: Find who actually hosts your DNS

This is the step everyone skips, and it is the number one reason a record edit appears to do nothing. Where you bought the domain is not always where its DNS is answered. You might have registered at GoDaddy but moved DNS to Cloudflare, or bought through a reseller whose records live with the web host. The only reliable source of truth is the domain's NS records:

dig +short NS yourdomain.com

No terminal? Use dns.google with type NS, or any “DNS lookup” site. Then match the suffix of the answer (ignore the ns1 / ns01 prefix, which varies) to its owner:

Each provider above has its own step-by-step guide. If yours is not listed, the steps are the same everywhere: the editor, the four record shapes, and the verify step below.

Step 2: Add the record

Every DNS editor, whatever it calls things, gives you the same handful of fields:

  • Type is always TXT for DMARC, SPF, DKIM, and the MTA-STS pointer. (Some DKIM setups use a CNAME instead, but your provider tells you which.)
  • Name (sometimes Host or Hostname) is the prefix. Enter only the part before your domain; the panel appends the domain for you.
  • Value (sometimes Data or Content) holds the record string.
  • TTL controls how long resolvers cache the answer. A short value (300 to 3600 seconds) is fine while you set up.

The one thing that genuinely differs by provider is how you write the apex (your root domain, for the SPF record). Most panels (GoDaddy, Namecheap, Cloudflare, and the like) use @. A few cloud providers (AWS Route 53 and Google Cloud DNS) want the name field left blank instead, and reject @. When in doubt, check the provider guide.

DMARC

Type:  TXT
Name:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com

Start at p=none to watch the reports, then move on to a stricter policy. The DMARCbis update (RFC 9989, published 2026) keeps the v=DMARC1 string and the _dmarc name unchanged, so existing records keep working.

SPF

Type:  TXT
Name:  @  (or blank on Route 53 / Cloud DNS)
Value: v=spf1 include:_spf.yourprovider.com ~all

Exactly one v=spf1 record per domain. A second one is a failure that makes all your authorized senders look unauthorized, so edit the existing record rather than adding another. Keep it under ten DNS lookups; our SPF builder handles that.

DKIM

Type:  TXT
Name:  selector._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (your full public key)

Your sending provider supplies the selector and key. A 2048-bit key is longer than the 255-character limit for a single DNS string, so it has to be split into multiple quoted pieces. Providers differ on how: some split it for you (Azure, GoDaddy), some need you to split it by hand (Route 53, Google Cloud DNS). One subtlety: the leading v=DKIM1 tag is recommended rather than strictly required, but if it is present it must come first. And an empty p= value does not mean “no key”; it signals a revoked key, so never publish one by accident.

MTA-STS pointer

Type:  TXT
Name:  _mta-sts
Value: v=STSv1; id=20260623000000

This TXT record is only a pointer. The policy itself is a file served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host for you. TLS-RPT (_smtp._tls) is the same TXT shape.

The traps that catch everyone

  • Editing DNS at the registrar when it lives elsewhere. Step 1 exists for exactly this. Confirm the NS records first.
  • Typing the full domain in the Name field. Almost every panel appends your domain, so _dmarc.yourdomain.com becomes _dmarc.yourdomain.com.yourdomain.com. Type only the prefix.
  • Two SPF records. Merge into one v=spf1 record.
  • Smart quotes. Copying from a document can turn straight quotes into curly ones, which many panels reject. Paste from a plain-text editor.
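
The traps above, together with the DKIM rules from Step 2, can be checked before you paste anything into a panel. This is an added example, not trustyourinbox code; the function names, flag strings, and sample values are constructed for illustration.

```python
# Added example: lint Name/Value pairs before pasting them into a DNS panel.
# Flag names and sample values are constructed for illustration.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

def split_txt(value, limit=255):
    """Split a long TXT value into quoted strings of at most `limit` characters."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def parse_tags(value):
    """Parse 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if part.strip():
            tag, _, val = part.partition("=")  # split once: base64 padding uses '='
            pairs.append((tag.strip(), val.strip()))
    return pairs

def lint_record(name, value, domain):
    """Return flags for one Name/Value pair as typed into the panel."""
    flags = []
    host, domain = name.rstrip(".").lower(), domain.lower()
    if host == domain or host.endswith("." + domain):
        flags.append("name-includes-domain")   # panel would append it again
    if any(q in value for q in CURLY_QUOTES):
        flags.append("curly-quotes")
    if "_domainkey" in host:
        tags = parse_tags(value)
        names = [t for t, _ in tags]
        if "v" in names and names[0] != "v":
            flags.append("dkim-v-not-first")
        if dict(tags).get("p") == "":
            flags.append("dkim-empty-p-means-revoked")
        if len(value) > 255:
            flags.append("dkim-over-255-chars")  # split unless the provider does it
    return flags

def lint_spf(apex_txt_values):
    """Flag more than one v=spf1 record among the apex TXT values."""
    spf = [v for v in apex_txt_values if v.lower().split()[:1] == ["v=spf1"]]
    return ["multiple-spf-records"] if len(spf) > 1 else []

if __name__ == "__main__":
    key = "v=DKIM1; k=rsa; p=" + "A" * 392  # constructed placeholder, not a real key
    print(lint_record("selector._domainkey", key, "yourdomain.com"))
    print(split_txt(key))
    print(lint_record("_dmarc.yourdomain.com", "v=DMARC1; p=none", "yourdomain.com"))
    print(lint_spf(["v=spf1 include:_spf.yourprovider.com ~all", "v=spf1 ~all"]))
```

Feed lint_spf the TXT values that already exist at the apex plus the one you intend to add, so a duplicate is caught before it is published.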

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google (type TXT), or use whatsmydns.net to watch it propagate across the world. The record is correct the moment your own lookup returns the new value. Other resolvers may serve the old answer until the previous TTL expires, which is normal, not a mistake.

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once your edit resolves and we re-run the lookup against Cloudflare and Google in parallel, then refresh the dashboard.

Last verified 2026-06-23 against the DMARC standard (RFC 7489).
