Adding DMARC, SPF, and DKIM records in Bluehost

Bluehost moved DNS into its Portal, so you no longer need cPanel. The editor uses a Refers to dropdown instead of a plain host field, and it ships a default SPF record you have to delete before adding your own. Here is the current flow.

Before you start: confirm Bluehost answers your DNS

Bluehost's default nameservers are ns1.bluehost.com and ns2.bluehost.com (VPS and Dedicated plans can run custom ones). Confirm your domain is on them:

dig +short NS yourdomain.com

If the answers end in bluehost.com, the Portal DNS tab is the right place.

Step 1: Open the DNS tab

  1. Log in to the Bluehost Portal.
  2. Open Domains and select your domain.
  3. Open the DNS tab and find the Manage Advanced DNS Records section.
  4. Select + Add Record, then Single record.

The older cPanel Zone Editor still exists if your account surfaces it, but the Portal DNS tab is the current, recommended path.

Step 2: Add the record

Bluehost's form is a little different from most. Set Record Type to TXT, then use the Refers to dropdown to choose where the record sits: pick @ for the root domain, or Other Host and type the prefix into the Host Name field that appears. The record string goes in TXT Value.

DMARC

Record Type: TXT
Refers to:   Other Host
Host Name:   _dmarc
TXT Value:   v=DMARC1; p=none; rua=mailto:you@yourdomain.com
TTL:         4 Hours

Start at p=none, then move to a stricter policy once your reports are clean.

SPF

Record Type: TXT
Refers to:   @
TXT Value:   v=spf1 include:_spf.yourprovider.com ~all
TTL:         4 Hours

Delete Bluehost's default SPF record first. Bluehost adds one SPF record to every domain automatically, and you cannot have two. Remove the existing one before adding yours, and keep a single v=spf1 record.

DKIM

Record Type: TXT
Refers to:   Other Host
Host Name:   selector._domainkey
TXT Value:   v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (your full public key)
TTL:         4 Hours

Paste the whole key as one value. If the editor rejects an unusually long key, the underlying zone may need it split into 255-character quoted strings, but most 2048-bit keys go in as one value.

MTA-STS pointer

Record Type: TXT
Refers to:   Other Host
Host Name:   _mta-sts
TXT Value:   v=STSv1; id=20260623000000
TTL:         4 Hours

Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) is the same shape.

Bluehost quirks that bite

  • The default SPF record. Bluehost ships one on every domain. Delete it before adding your own, or you end up with two SPF records and authentication fails.
  • The Refers to dropdown. It is not a free-text host field. Choose @ for the apex, or Other Host to type a prefix.
  • Portal vs cPanel. Use the Portal DNS tab. Editing the same zone in both places is how people end up with duplicate or conflicting records.
  • External nameservers. If your domain points its nameservers away from Bluehost, the Portal DNS tab is not authoritative. Edit at the provider your NS records point to.

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google with type TXT. The record is live the moment the lookup returns it; other resolvers catch up as the old TTL expires.
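
The dig commands above print whatever TXT records exist, but they do not flag the duplicate-SPF case described under the Bluehost quirks. The script below is an added example, not Bluehost's or trustyourinbox's tooling; the helper names and the sample answers are constructed for illustration, and the "default" SPF value is a stand-in, not Bluehost's actual record.

```sh
#!/bin/sh
# Added example. Helper names are this example's own, not dig's or Bluehost's.

# dig prints long TXT values as quoted chunks ("abc" "def"); rejoin them.
join_txt() { sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'; }

# stdin: apex TXT answers. Exactly one v=spf1 record is valid.
spf_status() {
  n=$(join_txt | grep -ciE '^v=spf1( |$)' || true)
  case "$n" in
    0) echo "missing" ;;
    1) echo "ok" ;;
    *) echo "duplicate:$n" ;;
  esac
}

# stdin: _dmarc TXT answers. Reports the published policy.
dmarc_status() {
  recs=$(join_txt | grep -iE '^v=DMARC1[[:space:]]*(;|$)' || true)
  n=$(printf '%s' "$recs" | grep -c . || true)
  case "$n" in
    0) echo "missing" ;;
    1) pol=$(printf '%s\n' "$recs" | sed -nE 's/^[^;]*;[[:space:]]*p=([a-z]+).*/\1/p')
       echo "policy:${pol:-unreadable}" ;;
    *) echo "duplicate:$n" ;;
  esac
}

# Constructed sample answers (not real lookups): a leftover default SPF
# record (stand-in value) sitting beside the new one, plus an unrelated TXT.
SAMPLE_APEX='"v=spf1 include:default.example ~all"
"v=spf1 include:_spf.yourprovider.com ~all"
"site-verification=constructed"'
SAMPLE_DMARC='"v=DMARC1; p=none; rua=mailto:you@yourdomain.com"'

printf 'SPF:   %s\n' "$(printf '%s\n' "$SAMPLE_APEX" | spf_status)"
printf 'DMARC: %s\n' "$(printf '%s\n' "$SAMPLE_DMARC" | dmarc_status)"

# Live use, once the records are published:
#   dig +short TXT yourdomain.com | spf_status
#   dig +short TXT _dmarc.yourdomain.com | dmarc_status
```

A result of duplicate:2 on the apex means the default SPF record is still published next to yours and needs to be deleted.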

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once the change resolves and we re-run the lookup and refresh the dashboard.

Last verified 2026-06-23 against the official Bluehost documentation.
