Adding DMARC, SPF, and DKIM records in DigitalOcean
DigitalOcean is infrastructure DNS, so nothing about email is pre-configured: you bring your own sender and add every record yourself. Here is the control-panel path, the long-DKIM split to watch for, and the doctl and Terraform shortcuts for the developer crowd.
Before you start: add the domain and delegate it
DigitalOcean DNS only works once two things are true: the domain is added under Networking, Domains, and your registrar's nameservers point to DigitalOcean's three: ns1.digitalocean.com, ns2.digitalocean.com, and ns3.digitalocean.com. Confirm the delegation:
dig +short NS yourdomain.com
If the answers are the three digitalocean.com nameservers, you are set. If not, records you add here will not resolve until the delegation is in place.
Step 1: Open the domain
- In the DigitalOcean control panel, go to Networking, then Domains.
- Select your domain (or add it first).
- Choose Create a record and select the TXT type.
Step 2: Create the record
A TXT record has a Hostname, a TXT Value, and a TTL. Use @ in Hostname for the root domain, or a prefix for everything else.
DMARC
Hostname: _dmarc
TXT Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com
TTL: 1800
Start at p=none, then move past p=none once your reports are clean. DigitalOcean's default TTL is 1800 seconds; the minimum is 30.
SPF
Hostname: @
TXT Value: v=spf1 include:_spf.yourprovider.com ~all
TTL: 1800
Keep a single v=spf1 record. Since DigitalOcean adds nothing for email, you are starting clean, so just do not create a second one later.
DKIM (mind the length)
A single DNS string maxes out at 255 characters, and DigitalOcean does not split a long DKIM key for you. Break the key into chunks of 255 or fewer, wrap each in double quotes, and put them together in the one TXT Value field:
Hostname: selector._domainkey
TXT Value: "v=DKIM1; k=rsa; p=MIIBIjANBgkq...first255" "...rest of the key"
TTL: 1800
Keep it as one record, not two. The strings concatenate back together at lookup time. Our DKIM verifier confirms the result parses.
MTA-STS pointer
Hostname: _mta-sts
TXT Value: v=STSv1; id=20260623000000
TTL: 1800
Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) is the same shape.
Doing it from doctl or Terraform
DigitalOcean DNS is just as often managed in code. With doctl or the API you give the full record name (for example _dmarc.yourdomain.com), while Terraform's digitalocean_record takes the relative name (_dmarc, or @ for the apex). Whichever you use, the same one-SPF-record and DKIM-length rules apply.
Step 3: Verify it published
dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com
Or paste the hostname into dns.google with type TXT. A split DKIM key shows up as one continuous value once the resolver stitches the strings back together.
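The DKIM split and the one-SPF-record rule can also be checked offline before and after publishing. The following is an added example, not code from this page or from trustyourinbox; the function names and the sample key (constructed placeholder bytes, not a real key) are assumptions. It builds the quoted form for the TXT Value field, then reassembles dig +short TXT answer lines and validates them:

```python
import base64
import re

LIMIT = 255  # maximum length of one string inside a TXT record

def split_txt(value):
    """Quote a long TXT value as consecutive strings of at most LIMIT characters."""
    chunks = [value[i:i + LIMIT] for i in range(0, len(value), LIMIT)]
    return " ".join(f'"{chunk}"' for chunk in chunks)

def join_txt(answer):
    """Rebuild the value from one `dig +short TXT` answer line such as "a" "b"."""
    strings = re.findall(r'"([^"]*)"', answer)
    if not strings or any(len(s) > LIMIT for s in strings):
        raise ValueError("expected quoted strings of at most 255 characters")
    return "".join(strings)

def dkim_key_bytes(answer):
    """Return the decoded public-key length in bytes; raise ValueError if malformed."""
    value = join_txt(answer)
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM record")
    # validate=True rejects non-base64 characters and broken padding
    return len(base64.b64decode(tags["p"], validate=True))

def spf_count(answers):
    """Count SPF records among the apex TXT answers; the only correct result is 1."""
    return sum(join_txt(a).lower().startswith("v=spf1") for a in answers)

# Constructed sample: 294 placeholder bytes (the size of a 2048-bit RSA public
# key in DER form), not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY

if __name__ == "__main__":
    published = split_txt(SAMPLE_RECORD)  # the form to paste into TXT Value
    print(published)
    print(dkim_key_bytes(published), "key bytes after reassembly")
    print(spf_count(['"v=spf1 include:_spf.yourprovider.com ~all"']), "SPF record")
```

Feeding each half of a key that was published as two separate records into dkim_key_bytes raises ValueError, which is the failure the "one record, not two" rule prevents.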
Tell trustyourinbox to recheck
Each per-domain protocol tab has a Recheck button next to the current record. Click it once the change resolves and we re-run the lookup and refresh the dashboard.
Last verified 2026-06-23 against the official DigitalOcean documentation.