Updated: Oct 15, 2025
Setting up DMARC for a custom domain: How to create a record and authenticate
SPF, DKIM, and DMARC are essential email authentication protocols that help protect your domain from email spoofing and phishing attacks. Setting them up correctly improves deliverability and helps build a positive domain reputation.
Over the course of a custom domain setup, beehiiv handles the SPF and DKIM records by creating CNAME records for users to add to the DNS settings of their domain.
This article explains how to set up DMARC authentication for accounts using a custom domain (since beehiiv’s automatic DMARC only applies to beehiiv subdomains).
How SPF, DKIM, and DMARC work together
SPF (Sender Policy Framework): Specifies which servers are allowed to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails so receiving servers can verify authenticity.
DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM by telling receiving servers how to handle emails that fail authentication. It also provides reports for email authentication results.
What to know about email authentication in beehiiv
- DMARC is required for custom domains: As of February 2024, all beehiiv accounts using a custom domain must have a valid DMARC record configured. This adds an extra layer of protection against spoofing and improves domain reputation.
- You’ll need access to your DNS settings: Setting up SPF, DKIM, or DMARC involves adding records to your domain’s DNS. This typically requires domain ownership or admin access.
- Use our DMARC wizard: DMARC records can be sensitive to misconfiguration. To help, we’ve created a simple DMARC wizard that generates the correct record for your domain. Follow the prompts to create your custom record, then continue with the steps in the How to set up DMARC authentication section below.
- Additional help is available: If you’d like expert support, we recommend services like Dmarcian or Agari, or working with a dedicated email deliverability consultant.
Use our DMARC wizard to create your DMARC record
Start by entering your custom domain below, then follow the prompts to produce a unique DMARC record. After you have your DMARC record, please follow the steps below for How to set up DMARC authentication.
How to set up DMARC authentication
- Log into your DNS provider. This is usually the service where your domain was originally registered (e.g., GoDaddy, Namecheap, Cloudflare).
- Access your domain’s DNS settings. Find the section where you manage DNS records. This is where you’ll add your new DMARC TXT record.
- Create a new TXT record. Use the DMARC record generated by the wizard above.
  Type: TXT
  Host/Name: _dmarc
  Value (example): v=DMARC1; p=none; rua=mailto:[email protected];
- Review and save your changes: Double-check the type, host, and value fields. Once confirmed, save the record in your DNS settings.
- Wait for DNS propagation: Your DMARC record will publish immediately, but full propagation may take time depending on your provider; this can be anywhere from a few seconds to 72 hours.
What a DMARC policy does
DMARC policies specify how the receiving server should treat emails that fail SPF and/or DKIM authentication.
DMARC policy options include:
- 'none': Take no action, just collect and send reports.
- 'quarantine': Send unauthenticated and failed emails to spam or junk.
- 'reject': Block unauthenticated and failed messages from being delivered.
Applying policy percentages
A DMARC policy can also include a percentage (the pct= tag), which determines the portion of your domain's email traffic to which the policy should be applied and enforced.
- A ‘none’ policy’s percentage should be left blank. This will default to 100%.
- For ‘quarantine’ or ‘reject’ policies, we suggest starting with a low percentage (10% for example), then gradually increasing it as you monitor the reports and gain confidence in your email authentication setup.
DMARC policy examples:
Collect reports only (none policy)
If you choose a ‘none’ policy and only wish to collect aggregate reports, your DMARC record would look like this:
v=DMARC1; p=none; rua=mailto:[email protected];
Reject 50% of failing mail and collect reports
If you choose ‘reject’ as the policy with a 50% application rate and report emails as "[email protected]", your DMARC record would look like this:
v=DMARC1; p=reject; pct=50; rua=mailto:[email protected]; ruf=mailto:[email protected];
Both of these examples provide valid records. The first example just gathers data. The second blocks half of failed messages and sends both aggregate (rua) and forensic (ruf) reports to your chosen email address.
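As an added example (not beehiiv's code and not the wizard's logic), this Python linter checks a DMARC record value against the tags described in this article (v, p, pct, rua, ruf, and the sp tag covered in the FAQ) before you paste it into DNS. The function names and the address dmarc-reports@example.com are constructed for illustration, and accepting only mailto: report addresses is an assumption.

```python
# Added example: lint a DMARC TXT value before publishing it at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Split 'tag=value; tag=value;' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs

def lint_dmarc(value):
    """Return (effective, problems): effective settings plus a list of findings."""
    pairs = parse_dmarc(value)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    sp = tags.get("sp", p).lower()  # subdomains inherit p unless sp= is set
    if "sp" in tags and sp not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = 100  # default when pct= is omitted
    if "pct" in tags:
        if tags["pct"].isdecimal() and 0 <= int(tags["pct"]) <= 100:
            pct = int(tags["pct"])
        else:
            problems.append("pct must be an integer from 0 to 100")
        if p == "none":
            problems.append("leave pct out with p=none (it defaults to 100)")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} entry is not a mailto: address: {uri}")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return {"p": p, "sp": sp, "pct": pct}, problems

# Constructed sample record (the address is a placeholder, not from the article).
SAMPLE = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc-reports@example.com;"
if __name__ == "__main__":
    print(lint_dmarc(SAMPLE))
```

An empty problems list means the record is well-formed for the tags checked here; it does not confirm that SPF or DKIM pass for your mail.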
Frequently asked questions about DMARC
How will I know that my DMARC record is live?
You can use a DMARC lookup tool to check if your record is published. Alternatively, you can use your Terminal to run a dig/nslookup for your domain using:
nslookup -type=txt _dmarc.yourdomain.com
dig _dmarc.yourdomain.com txt
My record is published, but my DKIM shows as Not Found, what does that mean?
Should I include a percentage (pct=) in a ‘none’ policy?
What does ‘enforcement’ mean in DMARC?
Do I need to add an SPF or DKIM record when setting up a custom domain?
What’s the difference between Relaxed and Strict alignment?
Do I need to make two DMARC records if I send from a subdomain [mail.yoursite.com] instead of from my root domain [yoursite.com]?
No, you don't. DMARC is typically set up at the root domain level. Unlike SPF and DKIM, DMARC employs a ‘rolling up’ mechanism. This means that any subdomain you create under yoursite.com will be covered by your chosen policy. If you wish to apply a different policy to your subdomains, you can include the 'sp=' tag in your record and specify a different policy.
This would look like:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
This example would reject failed mail from your root domain but apply no enforcement to subdomains.
Do I need DMARC if I don’t have a custom domain?
Why am I getting so many emails from my DMARC policy?
DMARC generates a lot of report emails, especially from large providers like Gmail, Microsoft, and Yahoo. These reports help you monitor authentication and spot issues.
To reduce inbox clutter you can:
- Use a dedicated email address for DMARC reports, like [email protected].
- Set up filters or forwarding rules in your inbox.
- Consider routing reports to a third-party tool like Dmarcian or Postmark's DMARC Digests.
- Adjust the frequency or granularity of reporting (the percentage) in your DMARC record to better suit your needs.
Why is setting up DMARC important?
It also:
- Protects your domain from spoofing.
- Reduces phishing risks for your subscribers.
- Helps consolidate your email-sending infrastructure.
- Gives you control over how mail failures are handled.