Adding DMARC, SPF, and DKIM records in GoDaddy

Before you start: confirm GoDaddy hosts your DNS

Where you bought a domain and where its DNS is answered are not always the same place, and editing records in the wrong panel is the single most common reason a change “does nothing.” GoDaddy's default nameservers look like nsNN.domaincontrol.com (commonly ns01 and ns02, but the numbers vary by domain). Confirm yours first:

dig +short NS yourdomain.com

If the answer ends in domaincontrol.com, you are in the right place. If it points somewhere else (Cloudflare, Route 53, your web host), edit there instead. Our any-provider guide maps the common nameservers to their owners.

Step 1: Open the DNS editor

1. Sign in to your GoDaddy Domain Portfolio.
2. Select the domain name from the list. This opens its Domain Settings page.
3. Select DNS to see the full table of records for the domain.
4. Select Add New Record, then pick TXT from the Type menu.

If you still see an older “My Products,” “Manage DNS,” layout, GoDaddy is mid-migrating your account to the Domain Portfolio. The field labels are the same once you reach the records table.

Step 2: Add the record

Every record below is a TXT type. GoDaddy's editor has four fields: Type, Name, Value, and TTL. The one rule to burn in: in the Name field, enter only the prefix, never the full domain. GoDaddy appends your domain for you (see the gotchas below).

DMARC

Type:  TXT
Name:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com
TTL:   1 hour

Paste the value exactly as trustyourinbox suggests it. Start at p=none to watch first, then move past p=none to quarantine and reject once your reports are clean. Build the record with our DMARC builder if you are starting from scratch.

SPF

Type:  TXT
Name:  @
Value: v=spf1 include:_spf.yourprovider.com ~all
TTL:   1 hour

Publish only one SPF record. A domain may have exactly one v=spf1 record at the apex; a second one is itself a failure that makes every authorized sender look unauthorized. If GoDaddy already shows a TXT row at @ starting with v=spf1, edit that row rather than adding a new one. Keep an eye on the lookup count too, since SPF allows at most ten DNS lookups: our SPF builder merges senders safely.

DKIM

Type:  TXT
Name:  selector._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (your full public key)
TTL:   1 hour

Your sending provider gives you the selector (for example google, s1, or k1) and the public key. Paste the whole value as one string. GoDaddy splits long keys into the 255-character chunks DNS requires for you, so do not add your own "part1" "part2" quotes. One ceiling to know: GoDaddy caps a TXT value at 1024 characters, which fits a normal RSA-2048 key comfortably but can be tight for an unusually long RSA-4096 key.

MTA-STS pointer

Type:  TXT
Name:  _mta-sts
Value: v=STSv1; id=20260623000000
TTL:   1 hour

This TXT record is only the pointer. The actual MTA-STS policy is a separate file served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host for you. The companion TLS-RPT record (_smtp._tls) follows the same TXT shape.

GoDaddy quirks that bite

• Putting the full domain in the Name field. GoDaddy auto-appends your domain, so typing _dmarc.yourdomain.com creates a record at _dmarc.yourdomain.com.yourdomain.com, which never resolves. Type only _dmarc (or @, or selector._domainkey).
• Non-ASCII characters in the value.GoDaddy accepts ASCII only. Curly “smart” quotes, em-dashes, and non-breaking spaces, which word processors insert silently, get rejected. Paste from a plain-text editor.
• A verification prompt on save. If your domain has Domain Protection turned on, GoDaddy asks for a one-time code (SMS, authenticator, or email) before it saves the change. Expected, not an error.
• Two SPF records. Worth repeating: edit the existing v=spf1 row, never add a second.

Step 3: Verify it published

From a terminal, look the record up directly:

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

No terminal handy? Paste the hostname into dns.google with type TXT. The record is published the moment the lookup returns the new value. Other resolvers may keep serving the old answer until the previous TTL expires, which is normal propagation, not a mistake.

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it after the GoDaddy edit publishes and we run a fresh lookup against Cloudflare and Google in parallel, then update the dashboard. If dig shows the new value but we have not picked it up yet, give it a minute for resolver caches between us to catch up.