Configure DKIM, SPF, and DMARC for Your Domain
Before using your own mail server with Mojo Helpdesk, configure DKIM, SPF, and DMARC records for your domain. These DNS-based settings authenticate outgoing email, which helps keep it from being flagged as spam and makes it harder for others to spoof your domain.
Set up DKIM
DKIM adds a digital signature to outgoing emails so receiving servers can verify they were sent from your domain.
Log in to Your DNS Provider's Management Console:
This is where DNS settings for your domain are managed (e.g., AWS Route 53, GoDaddy, Cloudflare).
Gmail
- Sign in to the Google Admin Console.
- Go to Apps > Google Workspace > Gmail > Authenticate email.
- Select your domain if you manage multiple domains.
- Click Generate new record. Google provides a DKIM key in this format:
  - Name: google._domainkey
  - Type: TXT
  - Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY
- Add this TXT record in your DNS provider's management console.
- Return to the Admin Console and click Start authentication to enable DKIM signing.
Microsoft 365
- Sign in to the Microsoft 365 Defender portal.
- Go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings.
- Select the DKIM tab and choose your domain.
- Click Enable. Microsoft generates and publishes the DKIM keys automatically.
- If prompted, add the CNAME records shown to your DNS provider and wait for propagation before enabling.
DNS changes can take up to 48 hours to propagate before DKIM signing becomes active.
Enable DKIM Signing:
- After saving the record in your DNS and waiting for propagation, return to the Admin Console.
- Click Start Authentication or Turn On to enable DKIM signing for your domain.
Check SPF
Gmail
Verify Your SPF Record:
- SPF lets receiving servers check that a message came from a server authorized to send email on behalf of your domain.
- Check your existing DNS records for an SPF TXT record. It might look like:
  v=spf1 include:_spf.google.com ~all
Update the SPF Record if Missing or Incorrect:
If no SPF record exists, create a new TXT record with the following:
- Name: @ (or leave it blank, depending on your DNS provider).
- Type: TXT
- Value: v=spf1 include:_spf.google.com ~all
If an SPF record exists but doesn't include Google's servers, update the value to ensure it contains include:_spf.google.com.
Microsoft 365
In your DNS provider, check for an existing SPF TXT record at the root domain (@).
If a record exists, confirm it includes include:spf.protection.outlook.com. If not, add it.
If no SPF record exists, create a new TXT record:
- Name: @ (or leave it blank, depending on your DNS provider).
- Type: TXT
- Value: v=spf1 include:spf.protection.outlook.com ~all
Verify Propagation:
- Use a tool like dig or MXToolbox SPF Checker to confirm the SPF record is correctly configured.
SPF specifies which servers are authorized to send email on behalf of your domain. Only one SPF record is allowed per domain. If a record already exists, update it rather than creating a second one.
Configure DMARC
DMARC tells receiving servers how to handle emails that fail DKIM or SPF checks. The setup is the same regardless of mail provider.
Add a DMARC Record:
- DMARC ensures that SPF and DKIM align and specifies how to handle unauthorized emails.
- Add a TXT record with the following:
  - Name: _dmarc (or _dmarc.metadot.com if your provider requires the full domain).
  - Type: TXT
  - Value: v=DMARC1; p=quarantine; rua=mailto:postmaster@metadot.com
Customize Policy and Reporting:
- Replace postmaster@metadot.com with your desired email address for DMARC reports.
- You can adjust the p= policy:
  - none: Monitor emails without enforcement.
  - quarantine: Flag unauthorized emails as spam.
  - reject: Block unauthorized emails.
Test the DMARC Record:
- Use a tool like DMARC Analyzer to confirm correct setup.
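The following Python is an added example, not part of Mojo Helpdesk's documentation or tooling. It checks TXT values you have already looked up (for example with dig) against the rules described above: a single SPF record containing your provider's include, a DKIM record with a real key in p=, and a DMARC record with a valid p= policy and a report address. The function names and sample records are constructed for illustration, and each TXT value is assumed to be passed in as one already-joined string.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT value (DKIM and DMARC syntax)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt_records, required_include):
    """txt_records: every TXT value published at the root domain (@)."""
    spf = [r.lower().split() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    problems = []
    if len(spf) > 1:
        problems.append("%d SPF records; only one is allowed" % len(spf))
    terms = [term for rec in spf for term in rec]
    if "include:" + required_include.lower() not in terms:
        problems.append("missing include:" + required_include)
    return problems

def check_dkim(record):
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    # An empty p= or a leftover placeholder is not a usable public key.
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", tags.get("p", "")):
        problems.append("p= is not a base64 key (placeholder left in?)")
    return problems

def check_dmarc(record):
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address for reports")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real zone.
    root_txt = ["v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:spf.protection.outlool.com ~all"]
    print(check_spf(root_txt, "spf.protection.outlook.com"))
    print(check_dkim("v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"))
```

An empty list means the record passed every check; the first sample is flagged both for the duplicate SPF record and for the mistyped include hostname.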
Verify the configuration
Use the following tools to confirm DKIM, SPF, and DMARC are configured correctly:
For mail server configuration options, see Bring Your Own Mail Server to Mojo Helpdesk.