Updated: Oct 15, 2025

Setting up DMARC for a custom domain: How to create a record and authenticate

SPF, DKIM, and DMARC are essential email authentication protocols that help protect your domain from email spoofing and phishing attacks. Setting them up correctly improves deliverability and helps build a positive domain reputation.

Over the course of a custom domain setup, beehiiv handles the SPF and DKIM records by creating CNAME records for users to add to the DNS settings of their domain.

This article explains how to set up DMARC authentication for accounts using a custom domain (since beehiiv’s automatic DMARC only applies to beehiiv subdomains).


How SPF, DKIM, and DMARC work together  

SPF (Sender Policy Framework): Specifies which servers are allowed to send email on behalf of your domain. 

DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails so receiving servers can verify authenticity. 

DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM by telling receiving servers how to handle emails that fail authentication. It also provides reports for email authentication results.


What to know about email authentication in beehiiv 

  • DMARC is required for custom domains: As of February 2024, all beehiiv accounts using a custom domain must have a valid DMARC record configured. This adds an extra layer of protection against spoofing and improves domain reputation.
  • You’ll need access to your DNS settings: Setting up SPF, DKIM, or DMARC involves adding records to your domain’s DNS. This typically requires domain ownership or admin access.
  • Use our DMARC wizard: DMARC records can be sensitive to misconfiguration. To help, we’ve created a simple DMARC wizard that generates the correct record for your domain. Follow the prompts to create your custom record, then continue with the steps in the How to set up DMARC authentication section below.
  • Additional help is available: If you’d like expert support, we recommend services like Dmarcian or Agari, or working with a dedicated email deliverability consultant.

DMARC Reporting Email Visibility Notice: When creating your DMARC record, you’ll need to include an email address for reporting. This address will be publicly visible in your DNS. Since DMARC can generate a high volume of reports, we recommend using a dedicated email address (e.g., [email protected]) instead of a personal inbox.

Use our DMARC wizard to create your DMARC record

Start by entering your custom domain below, then follow the prompts to produce a unique DMARC record. After you have your DMARC record, please follow the steps below for How to set up DMARC authentication.

Reminder: Sending emails from your beehiiv subdomain? If so, there’s no need to worry about adding a DMARC record! As a result, beehiiv domains will not be accepted by this wizard.

How to set up DMARC authentication

  1. Log into your DNS provider. This is usually the service where your domain was originally registered (e.g., GoDaddy, Namecheap, Cloudflare).
     
  2. Access your domain’s DNS settings. Find the section where you manage DNS records. This is where you’ll add your new DMARC TXT record.
     
  3. Create a new TXT record. Use the DMARC record generated by the wizard above.
    Type: TXT
    Host/Name: _dmarc
    Value Ex: v=DMARC1; p=none; rua=mailto:[email protected];
    Note: The value here is just an example using the p=none policy. Your record will differ based on the options you selected in the wizard.

  4. Review and save your changes: Double-check the type, host, and value fields. Once confirmed, save the record in your DNS settings.

  5. Wait for DNS propagation: Your DMARC record will publish immediately, but full propagation may take time depending on your provider; this can be anywhere from a few seconds to 72 hours.

What a DMARC policy does

DMARC policies specify how the receiving server should treat emails that fail SPF and/or DKIM authentication. 

DMARC policy options include:

  • 'none': Take no action, just collect and send reports.
  • 'quarantine': Send unauthenticated and failed emails to spam or junk.
  • 'reject': Block unauthenticated and failed messages from being delivered.

Pro Tip: Most users should start with none, monitor reports, and then gradually move to quarantine or reject over time.

Applying policy percentages

A DMARC policy can also include a percentage (the pct= tag), which determines the portion of your domain's email traffic to which the policy is applied.

  • A ‘none’ policy’s percentage should be left blank. This will default to 100%. 
  • For ‘quarantine’ or ‘reject’ policies, we suggest starting with a low percentage (10% for example), then gradually increasing it as you monitor the reports and gain confidence in your email authentication setup.

DMARC policy examples:

Collect reports only (none policy)

If you chose a ‘none’ policy and only wish to collect aggregate reports, your DMARC record would look like this:

v=DMARC1; p=none; rua=mailto:[email protected];

Reject 50% of failing mail and collect reports

If you choose ‘reject’ as the policy with a 50% application rate and report emails as "[email protected]", your DMARC record would look like this:

v=DMARC1; p=reject; pct=50; rua=mailto:[email protected]; ruf=mailto:[email protected];

Both of these examples provide valid records. The first example just gathers data. The second blocks half of failed messages and sends both aggregate (rua) and forensic (ruf) reports to your chosen email address.

Pro Tip: After setting up DMARC, be sure to monitor the reports you receive and adjust your policy and percentage as needed. This will help to optimize your email deliverability and further protect your domain from spoofing and phishing attacks.

Frequently asked questions about DMARC 

    How will I know that my DMARC record is live?

    You can use a DMARC lookup tool to check if your record is published. Alternatively, you can use your Terminal to run a dig/nslookup for your domain using:

    nslookup _dmarc.yourdomain.com txt
    dig _dmarc.yourdomain.com txt

    My record is published, but my DKIM shows as Not Found, what does that mean?
    SPF and DMARC records are static and easy to check. DKIM, however, is tied to actual mail traffic. To verify it, you’ll need to send a few emails from your domain so the receiving mail server can observe and evaluate the signature in order for your DKIM to show as Found.

    Should I include a percentage (pct=) in a ‘none’ policy?
    No. When using a ‘none’ policy, you should keep the percentage blank, especially if you are using our wizard to create your record. If you are entering the record by hand, you should leave the pct= field off of your record, and use the percentage field for enforcement policies.

    What does ‘enforcement’ mean in DMARC?
    Enforcement refers to the use of ‘quarantine’ or ‘reject’ as your policy. These tell receiving servers what to do with messages that fail DMARC checks; either move them to spam or block them entirely.

    Do I need to add an SPF or DKIM record when setting up a custom domain?
    Yes, when connecting a custom domain to beehiiv, you’ll add three CNAME records, one for SPF and two for DKIM. Once your domain is verified, beehiiv handles SPF and DKIM automatically moving forward.

    What’s the difference between Relaxed and Strict alignment?
    Choose Relaxed. There’s currently no practical benefit to using Strict alignment for SPF or DKIM in most cases.

    Do I need to make two DMARC records if I send from a subdomain [mail.yoursite.com] instead of from my root domain [yoursite.com]?

    No, you don't. DMARC is typically set up at the root domain level. Unlike SPF and DKIM, DMARC employs a ‘rolling up’ mechanism. This means that any subdomain you create under yoursite.com will be covered by your chosen policy. If you wish to apply a different policy to your subdomains, you can include the 'sp=' tag in your record and specify a different policy.

    This would look like:

    v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
    Note: Do not copy and paste examples in this article, always replace details with your own.

    This example would reject failed mail from your root domain but apply no enforcement to subdomains.

    Do I need DMARC if I don’t have a custom domain?
    Technically yes, but you don’t need to do anything. We’ve taken care of it all. This is because beehiiv automatically manages SPF, DKIM, and DMARC for anyone sending from a beehiiv-provided subdomain.

    Why am I getting so many emails from my DMARC policy?

    DMARC generates a lot of report emails, especially from large providers like Gmail, Microsoft, and Yahoo. These reports help you monitor authentication and spot issues.

    To reduce inbox clutter you can:

    • Use a dedicated email address for DMARC reports, like [email protected].
    • Set up filters or forwarding rules in your inbox.
    • Consider routing reports to a third-party tool like Dmarcian or Postmark's DMARC Digests.
    • Adjust the frequency or granularity of reporting (the percentage) in your DMARC record to better suit your needs.

    Why is setting up DMARC important?
    DMARC has become essential for ensuring email delivery with major providers like Gmail and Yahoo, among others. 
    It also:
    • Protects your domain from spoofing.
    • Reduces phishing risks for your subscribers.
    • Helps consolidate your email-sending infrastructure.
    • Gives you control over how mail failures are handled.
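
The record rules covered in this article (v=DMARC1 first, the three policy values, pct= only on enforcement policies, mailto: report addresses, and the sp= fallback for subdomains) can be checked before a record is pasted into DNS. The following is an added example, not beehiiv's wizard code; the function names and the example.com address are assumptions made for illustration, and the pct-on-none finding reflects this article's guidance rather than a protocol rule.

```python
# Added example: lint a DMARC TXT value; function names are illustrative.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Return (name of first tag, {tag: value}) for 'tag=value; tag=value;'."""
    pairs = [part.strip() for part in value.split(";") if part.strip()]
    tags = {}
    for pair in pairs:
        name, sep, val = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[name.strip().lower()] = val.strip()
    first = pairs[0].partition("=")[0].strip().lower() if pairs else ""
    return first, tags

def lint_dmarc(value):
    """Return a list of findings; an empty list means nothing to fix."""
    try:
        first, tags = parse_dmarc(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if first != "v" or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        findings.append("sp must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None:
        if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
            findings.append("pct must be a whole number from 0 to 100")
        if policy == "none":  # this article's guidance, not a protocol rule
            findings.append("leave pct off a p=none record")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if uri and not (uri.lower().startswith("mailto:") and "@" in uri):
                findings.append(f"{tag} is not a mailto: address: {uri}")
    if not tags.get("rua"):
        findings.append("no rua address, so no aggregate reports")
    return findings

def subdomain_policy(value):
    """Policy applied to subdomains: sp= if present, otherwise p=."""
    _, tags = parse_dmarc(value)
    return tags.get("sp", tags.get("p", "")).lower()

if __name__ == "__main__":  # constructed sample record, placeholder address
    print(lint_dmarc("v=DMARC1; p=none; pct=50; rua=mailto:dmarc-reports@example.com"))
```

An empty list from lint_dmarc means the record matches the rules above; it does not confirm that the record is published, which still needs the dig or nslookup check.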
