Adding DMARC, SPF, and DKIM records in Squarespace

Before you start: the Google Domains nameserver surprise

Squarespace bought Google Domains and migrated those domains onto its own DNS. The thing that confuses people: a migrated domain can still show nameservers ending in googledomains.com while Squarespace correctly reports it is “using Squarespace nameservers.” That is normal, and you still edit DNS inside Squarespace. Squarespace default nameservers may end in any of squarespacedns.com, googledomains.com, nsone.net, or systemdns.com:

dig +short NS yourdomain.com

If you see one of those suffixes, or your domain is registered with or connected to Squarespace, follow the steps below. If your nameservers point fully to another provider, edit your records there instead.

Step 1: Open DNS Settings

1. Go to account.squarespace.com/domains and click the domain name.
2. Click DNS, then DNS Settings, and scroll to the Custom Records section.
3. Select Add record. Squarespace asks you to re-enter your password or pass a two-factor check before it will save DNS changes, so keep that handy.

Step 2: Add the Custom Record

Set Type to TXT, put the host in the Name field (@ for the root, or a prefix), and paste the value into the field labeled Text. That label is the one trap here: for a TXT record the value box is called Text, not Data.

DMARC

Type: TXT
Name: _dmarc
Text: v=DMARC1; p=none; rua=mailto:you@yourdomain.com

Start at p=none, then move past p=none once your reports are clean.

SPF

Type: TXT
Name: @
Text: v=spf1 include:_spf.yourprovider.com ~all

Keep a single v=spf1 record. Squarespace will try to merge multiple SPF entries, but the right practice is one combined record.

DKIM

Type: TXT
Name: selector._domainkey
Text: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (your full public key)

Paste the whole key as one value. Squarespace supports DKIM keys up to 2048 bits in a single record, so there is no need to split it.

MTA-STS pointer

Type: TXT
Name: _mta-sts
Text: v=STSv1; id=20260623000000

Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) is the same shape.

Squarespace quirks that bite

• The Text label. The value goes in the field called Text. If you put it in the wrong box the record will not work.
• Email presets add MX, not your auth records. Setting up Google Workspace through Squarespace adds the MX records for you, but you still add SPF, DKIM, and DMARC yourself. Check Custom Records for any preset entries before adding more.
• DNS Connect vs Nameserver Connect. If your domain is only DNS-Connected to Squarespace (a few records pointed here, the rest of DNS at another provider), add your email records at that other provider instead.

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google with type TXT. The record is live the moment the lookup returns it.

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once the change resolves and we re-run the lookup and refresh the dashboard.