In order to take advantage of Authenticate's automated, self-serve DMARC configuration and management capabilities, you'll have to make a few one-time updates in your DNS for three records: DMARC, SPF and DKIM. 

Please follow these steps to create and delegate your DMARC, SPF, and DKIM records.


If your DNS registrar won't allow you to add NS records, you may not be able to leverage the full functionality of Authenticate. The product requires that you delegate the _domainkey record so that Authenticate can manage your DKIM keys and serve them to receiving servers that request them via DNS.


Specific articles for DNS setup for some providers:

  • Cloudflare DNS setup
  • Network Solutions DNS setup
  • Amazon Route 53 DNS setup
  • DNS Made Easy setup
  • GoDaddy setup (standard)
  • GoDaddy setup (quick setup using DomainConnect)


DMARC

You will need to add a NameServer (NS) record to your DNS zone to manage your domain’s DMARC policy within the Valimail system.

To enable DMARC for a domain, please add the following NS record for the “_dmarc” domain to your DNS:

  • Record Name: _dmarc.yourdomain.com.
  • Record Type: NS
  • Record Value: ns.vali.email.

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce the load on your DNS server. Please note that because of existing DNS TTLs it may take some time for Valimail to detect that you've updated your DNS with the correct settings.


You can check your current record at any time using Valimail's domain checker. 


If your DNS Host does not support custom NS records:

In this case, you will need to point your DMARC record to Valimail by adding the following CNAME record for the “_dmarc” subdomain to your DNS:

  • Record Name: _dmarc.yourdomain.com.
  • Record Type: CNAME
  • Record Value: yourdomain.com._dmarca.vali.email.

When using this method, only the DMARC record and not the reporting domains are managed by Valimail. For more information about setting up external reporting domains when using a CNAME _dmarc record, click here.


If the above CNAME workaround does not work, you can update your DMARC with a TXT record, but this will require you to manually update your record once you are ready to move to enforcement instead of using the Authenticate platform.
 

Best Practice:

Delete the “_dmarc” TXT record from your DNS zones after you’ve added the NS record (or CNAME record).




SPF

You will need to add a text (TXT) record to your DNS zone to manage your domain’s Instant SPF® responses from the Valimail system.

To add an SPF record for your domain, please add the following TXT record to your DNS:

"v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce load on your DNS server.


Please note that because of existing DNS TTLs it may take some time (up to an hour) for Valimail to detect that you've configured the DNS record correctly. 


NOTE: If you already have an SPF record, you will be replacing your existing record with our record. This is so that you can leverage the patented Instant SPF technology with your enabled senders list in Authenticate.

For more information on SPF see the links at the bottom of this article.


If you absolutely need to include anything beyond the Valimail macro, add an additional include before the ~all. For example:

v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.protection.outlook.com ~all



DKIM

To enable DKIM for your domain, please add the following NS record for the “_domainkey” record to your DNS:

  • Record Name: _domainkey.yourdomain.com.
  • Record Type: NS
  • Record Value: ns.vali.email.

We recommend a TTL of 300 seconds, although using a longer TTL (up to 3600 seconds) should be fine if you'd like to reduce the load on your DNS server. Please note that because of existing DNS TTLs it may take some time for Valimail to detect that you've updated your DNS with the correct settings.

This is done to allow our platform to respond with the keys you have enabled for your senders in your account for your particular domains. It also allows you to add or remove keys in our platform without needing to make further changes in your DNS related to DKIM.
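
One way to check a zone export against the three changes above, as an added example that is not Valimail's code: the check_zone function, the tuple layout and the sample records are constructed for illustration. It flags a leftover _dmarc TXT record, a second SPF record left beside the Valimail one, and a missing delegation.

```python
VALIMAIL_NS = "ns.vali.email."
SPF_INCLUDE = "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"

def check_zone(domain, records):
    """records: (name, type, value) tuples with fully qualified names.
    Returns findings; an empty list means the zone matches the steps above."""
    domain, findings = domain.lower().rstrip("."), []

    def lookup(name, rtype):
        return [val.strip('"') for n, t, val in records
                if n.lower() == name and t.upper() == rtype]

    def delegated(name):
        return VALIMAIL_NS in (v.lower() for v in lookup(name, "NS"))

    dmarc = f"_dmarc.{domain}."
    via_ns = delegated(dmarc)
    via_cname = f"{domain}._dmarca.vali.email." in (
        v.lower() for v in lookup(dmarc, "CNAME"))
    if not via_ns:
        findings.append("_dmarc: CNAME fallback, reporting domains not managed"
                        if via_cname else "_dmarc: not pointed at Valimail")
    if (via_ns or via_cname) and lookup(dmarc, "TXT"):
        findings.append("_dmarc: leftover TXT record should be deleted")

    # Apex TXT records whose first term is the SPF version tag
    spf = [v for v in lookup(f"{domain}.", "TXT")
           if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].split()
        if SPF_INCLUDE not in terms:
            findings.append("SPF: Valimail macro include missing")
        if terms[-1] != "~all":
            findings.append("SPF: record does not end with ~all")

    if not delegated(f"_domainkey.{domain}."):
        findings.append("_domainkey: not delegated to ns.vali.email.")
    return findings

# Constructed sample: a zone export taken mid-migration
SAMPLE = [
    ("_dmarc.yourdomain.com.", "NS", "ns.vali.email."),
    ("_dmarc.yourdomain.com.", "TXT", '"v=DMARC1; p=none"'),
    ("yourdomain.com.", "TXT", f'"v=spf1 {SPF_INCLUDE} ~all"'),
    ("yourdomain.com.", "TXT", '"v=spf1 include:spf.protection.outlook.com ~all"'),
    ("_domainkey.yourdomain.com.", "CNAME", "dkim.other-provider.example."),
]
if __name__ == "__main__":
    print("\n".join(check_zone("yourdomain.com", SAMPLE)))
```
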

If your DNS registrar won't allow you to add NS record