Editing your DNS manually for any provider

Step 1 — Confirm which provider hosts your DNS

On the per-domain page in trustyourinbox, scroll to the Current DMARC recordsection. Just above it (or in your domain's DNS detail panel), you'll see the list of nameservers we detected. The hostname pattern usually tells you the provider:

• *.ns.cloudflare.com — Cloudflare
• ns<n>.domaincontrol.com — GoDaddy
• (p)dns<n>.registrar-servers.com — Namecheap
• ns-<n>.awsdns-<n>.<tld> — AWS Route 53
• ns-cloud-*.googledomains.com — Google Cloud DNS
• ns<n>-<n>.azure-dns.<tld> — Azure DNS
• dns<n>.name-services.com — eNom (Tucows)

Don't recognize the pattern? Run dig +short NS yourdomain.com from a terminal, or paste the domain into a public lookup like https://dnschecker.org. The provider is whoever owns the nameserver hostnames. If you registered the domain through one company but later pointed nameservers at another (this happens with Cloudflare-as-DNS-but-not-registrar), the DNS provider is whoever runs the nameservers, not the registrar.

Step 2 — Open your provider's DNS panel

Every provider has a DNS-records page. Where to find it:

• GoDaddy — My Products → DNS → Manage DNS. Look for the "Records" table.
• Namecheap — Domain List → Manage → Advanced DNS tab.
• AWS Route 53 — Hosted zones → click your domain → Records.
• Google Cloud DNS — Cloud DNS → Zones → click your zone.
• Azure DNS — DNS zones → click your zone → Recordsets.
• eNom / Tucows — My Domains → click domain → Host Records.
• Custom / self-hosted (BIND, PowerDNS, etc.) — edit the zone file or use whatever admin tool ships with your DNS server. The TXT-record syntax in zone files is name IN TXT "value" — same value, different chrome.

Step 3 — Publish the TXT record

Every fix trustyourinbox suggests is a TXT record at a specific hostname. The hostname is usually a sub-record of your apex (e.g., _dmarc.yourdomain.com rather than yourdomain.com itself). Most DNS panels accept either the full hostname (_dmarc.yourdomain.com) or the relative name (_dmarc) — they're equivalent and the panel auto-completes the apex.

DMARC

Hostname: _dmarc (relative) or _dmarc.yourdomain.com (absolute).
Type: TXT.
Value: paste the record exactly as we suggest (e.g., v=DMARC1; p=quarantine; pct=100; rua=mailto:<your-rua>@rua.trustyourinbox.com). Keep the quotes if your panel asks for them; some panels add quotes automatically. Don't edit anything else — every tag is required for the record to parse.

SPF

Hostname: @ or your apex (yourdomain.com).
Type: TXT.
Value: v=spf1 …mechanisms… ~all. Critical: a domain MUST have only ONE v=spf1TXT record at the apex. If you already have one, edit the existing one — don't add a second. (RFC 7208 §3.2 — multiple SPF records is a permerror, treats every authorized sender as unauthorized.)

DKIM

Hostname: <selector>._domainkey (where <selector> is your sender's pinned selector — e.g., google._domainkey, k1._domainkey, mail._domainkey).
Type: TXT.
Value: the public-key string, including v=DKIM1; k=rsa; p=…. RSA-2048 keys are ~390 chars — most DNS panels handle that automatically by splitting into multi-string TXT segments. If your panel rejects long strings, paste in 255-char chunks separated by quote-space-quote: "part1" "part2".

MTA-STS DNS pointer

Hostname: _mta-sts.
Type: TXT.
Value: v=STSv1; id=<numeric-id>. Note: this TXT record is the pointer; the actual MTA-STS policy is a .well-known/mta-sts.txt file served over HTTPS at mta-sts.yourdomain.com — that's a separate web-side step. trustyourinbox can host the policy for you (separate setup); the TXT pointer at _mta-sts is how receivers find it.

Step 4 — Save the change

Most providers apply DNS edits within seconds, but caches at receivers update on the record's TTL (300s = 5min, 3600s = 1h, etc.). If your provider lets you set a low TTL (60s) for the new record, do it — easier rollback if something goes wrong. The trustyourinbox-managed flow defaults to 60s on every record we publish on your behalf.

Step 5 — Verify the record published

From a terminal, run the matching dig:

• DMARC — dig +short TXT _dmarc.yourdomain.com
• SPF — dig +short TXT yourdomain.com | grep spf1
• DKIM — dig +short TXT <selector>._domainkey.yourdomain.com
• MTA-STS pointer — dig +short TXT _mta-sts.yourdomain.com

Or paste the hostname into https://dns.google/query?type=TXT&name=<hostname>for a browser-based check. If the value matches what trustyourinbox suggested, you're done — the dashboard will catch up on its next scan (usually within an hour) and the relevant tab will flip to OK.

Step 6 — Tell trustyourinbox to recheck

Want immediate feedback instead of waiting for the daily scan? Each per-domain protocol tab has a Recheck button at the top of the "Current record" section. It triggers a fresh DoH lookup against Cloudflare 1.1.1.1 and Google 8.8.8.8 in parallel and updates the dashboard in real time. If the record looks correct via digbut trustyourinbox doesn't see it, give it a few minutes — DoH caches between you and the resolver can lag.

If you get stuck

The two most common manual-edit failure modes:

1. Wrong hostname. Pasting the value at yourdomain.com instead of _dmarc.yourdomain.com means receivers will never find it. Always check the hostname column of your DNS panel.
2. Two records where there should be one. Particularly for SPF (v=spf1 at apex). Adding a new SPF record next to an existing one creates a permerror. Edit the existing one, don't add a second.

Once you've published, come back to the per-domain tab in trustyourinbox and click Recheck. If the dashboard still shows the issue, paste the dig output and we can help narrow down what's different from what we expected.