Intercom SPF and DKIM setup
The two CNAMEs that align both SPF and DKIM for Intercom, the DMARC record to add, and why verifying an address is not the same as authenticating your domain.
What you are setting up
Intercom sends customer messages from your domain, so it has to sign that mail as you. Intercom is one of the cleaner setups for DMARC because it aligns both legs: one CNAME sets up DKIM signed with your domain, and a second CNAME sets a custom return-path so SPF aligns too. You will not add an SPF include at all. The one thing to know going in: verifying an email address and authenticating the domain are two different steps, and only the second one publishes DKIM.
Verify an address, then authenticate the domain
In Intercom, go to Settings > Channels > Email > Domains & addresses. First add and verify an email address on your domain (click the link in the verification email). That proves you own the mailbox; it does not set up DKIM. Then click Authenticate your domain, and Intercom shows you the records:
Type: CNAME (DKIM)
Host: intercom._domainkey.yourdomain.com
Value: (copy the exact target Intercom shows)

Type: CNAME (custom return-path, for SPF alignment)
Host: (copy the exact host Intercom shows)
Value: (copy the exact target Intercom shows)

Type: TXT (DMARC)
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The DKIM selector is intercom, so the record lives at intercom._domainkey.yourdomain.com; the targets are specific to your workspace, so copy them from the console. DKIM is a CNAME (not a TXT) so Intercom can rotate the signing key without you editing DNS again. The return-path CNAME is what makes SPF align to your domain, which is why there is no SPF include to add.
About the DMARC record
Intercom includes a _dmarc record in the flow and flags domains as unauthenticated in your workspace if DMARC is missing. Start in monitor-only mode (v=DMARC1; p=none), then build it out with our DMARC builder and progress past p=none to quarantine and reject as your reports come back clean.
The Intercom gotcha
Verifying an address is not authenticating the domain. People add their address, see it turn green, and stop, leaving DKIM unpublished and their mail unauthenticated. The “Authenticate your domain” step with the two CNAMEs is separate, and it is the one that matters for DMARC. One more Intercom-specific quirk: you still have to click “Verify authentication” in Intercom even after the DKIM record is live in DNS, or Intercom will not start signing. And the usual DNS trap applies: if your host appends your domain automatically, do not type it into the record name (or you get intercom._domainkey.yourdomain.com.yourdomain.com); on Cloudflare, leave the CNAMEs unproxied (grey cloud).
Confirm it worked
- Click Verify authentication. In Intercom, the domain should move to authenticated once it confirms the records.
- Send a test and read the headers. Send a message from your Intercom address, open the original, and confirm the DKIM signature shows d=yourdomain.com and dmarc=pass. Our header analyzer reads it back in plain English.
- Watch the reports. Intercom should appear as an aligned, passing source in your DMARC aggregate reports, labeled as a known sender in trustyourinbox.
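The header check in the second step can be scripted. This is an added example, not code from Intercom or from this page: it reads a saved test message and reports whether DKIM and the return-path align with the From domain, and it also flags the doubled-domain record name described in the gotcha above. The sample message, example.com, outbound.example.com and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not real Intercom output. example.com stands in for your
# domain; outbound.example.com for the custom return-path host.
SAMPLE = """\
Return-Path: <bounce-123@outbound.example.com>
Authentication-Results: mx.receiver.test;
 dkim=pass header.d=example.com header.s=intercom;
 spf=pass smtp.mailfrom=bounce-123@outbound.example.com;
 dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=intercom;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Support <help@example.com>
Subject: test

body
"""

def aligned(domain, from_domain):
    # Simplified relaxed alignment: equal to, or a subdomain of, the From
    # domain. Real DMARC compares organizational domains (Public Suffix List).
    d, f = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return bool(d and f) and (d == f or d.endswith("." + f))

def dkim_tags(value):
    # Split a DKIM-Signature tag list (k=v; k=v) and drop folding whitespace.
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    sigs = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    # Only trust Authentication-Results added by your own receiving server.
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return {
        "dkim_aligned": any(aligned(s.get("d", ""), from_dom) for s in sigs),
        "intercom_selector": any(s.get("s") == "intercom" for s in sigs),
        "spf_aligned": aligned(rp_dom, from_dom),
        "dmarc_pass": re.search(r"\bdmarc=pass\b", ar) is not None,
    }

def doubled_zone(record_name, zone):
    # DNS-host trap from the text: the zone got appended a second time.
    return record_name.lower().rstrip(".").endswith(f".{zone}.{zone}".lower())

if __name__ == "__main__":
    print(check(SAMPLE))
```

A message sent after only verifying the address would show `dkim_aligned` and `spf_aligned` as false here, because neither the signing domain nor the return-path would sit under your From domain.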
Connect your DNS once and we publish the Intercom records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Intercom mail starts failing, so a typo in a record never quietly costs you the inbox.
Last verified 2026-06-22.