Skip to main content
All CollectionsValimail SuiteGeneral Settings
Setup your DNS records to use Valimail
Setup your DNS records to use Valimail

Setup your DNS records to use Valimail

Updated over 3 months ago

The instructions below apply only to Valimail Align and Valimail Enforce accounts. If you signed up for a Monitor account, refer to this article.

Full Functionality (Control)

In order to take advantage of Valimail's automated, self-serve DMARC configuration and management capabilities, you'll have to make a few one-time updates in your DNS for three records: DMARC, SPF, and DKIM.

Please follow these steps to create and delegate your DMARC, SPF, and DKIM records.

DMARC

You will need to add a NameServer (NS) record to your DNS zone to manage your domain’s DMARC policy within the Valimail system.

To enable DMARC for a domain, please add the following NS record for the “_dmarc” domain to your DNS:

  • Record Name: _dmarc.yourdomain.com.

  • Record Type: NS

  • Record Value: ns.vali.email.

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce the load on your DNS server. Please note that because of existing DNS TTLs it may take some time for Valimail to detect that you've updated your DNS with the correct settings.

You can check your current record at any time using Valimail's domain checker.


If your DNS Host does not support custom NS records:

In this case, you will need to point your DMARC record to Valimail, by adding the following CNAME record for the “_dmarc” subdomain to your DNS:

  • Record Name: _dmarc.yourdomain.com.

  • Record Type: CNAME

  • Record Value: yourdomain.com._dmarca.vali.email.

When using this method, only the DMARC record and not the reporting domains are managed by Valimail. For more information about setting up external reporting domains when using a CNAME _dmarc record, click here.

If the above CNAME workaround does not work, you can update your DMARC with a TXT record, but this will require you to manually update your record once you are ready to move to enforcement instead of using the Valimail platform.

Best Practice:

Delete the “_dmarc” TXT record from your DNS zones after you’ve added the NS record (or CNAME record).


SPF

Make sure you back up your existing SPF record before making this change

You will need to add a TEXT record (TXT) to your DNS zone to manage your domain’s Instant SPF® responses from the Valimail system.

To add an SPF record for your domain, please add the following TXT record to your DNS:

"v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce load on your DNS server.

Please note that because of existing DNS TTLs it may take some time (up to an hour) for Valimail to detect that you've configured the DNS record correctly.

NOTE: If you already have an SPF record, you will be replacing your existing record with our record. Make sure you back up your existing SPF record in the event that you need to revert your change. This is in order to leverage the patented instant SPF technology from your enabled senders list in Valimail.

If you absolutely need to include anything beyond the Valimail macro, add an additional include before the ~all. For example,

v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.protection.outlook.com ~all


DKIM

Make sure you add any existing DKIM keys in your DNS to the Valimail platform before making this change

To enable DKIM for your domain, please add the following NS record for the “_domainkey” record to your DNS:

  • Record Name: _domainkey.yourdomain.com.

  • Record Type: NS

  • Record Value: ns.vali.email.

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce the load on your DNS server. Please note that because of existing DNS TTLs it may take some time for Valimail to detect that you've updated your DNS with the correct settings.

This is done to allow our platform to respond with the keys you have enabled for your senders in your account for your particular domains. It also allows you to add or remove keys in our platform without needing to make further changes in your DNS related to DKIM.


Did this answer your question?