How to set up DMARC on Zoho Mail (step by step)
Zoho Mail sends your mail, but SPF, DKIM, and DMARC are DNS records you have to publish yourself. Here is the full setup in four steps — in plain English.
Check what your domain has today — free, no signupStep 1: verify your SPF record
One TXT record on your root domain authorizing Zoho's servers:
Type: TXT
Host: @ (yourdomain.com)
Value: v=spf1 include:zohomail.com ~all
Accounts hosted in other Zoho regions use that region's include (for example zohomail.eu) — copy the exact value from your Admin Console rather than trusting a blog post. If other services also send as your domain, add their include: to the same record — you may have only one v=spf1 record, and it must stay under 10 DNS lookups.
Step 2: generate DKIM in the Admin Console
- In the Zoho Mail Admin Console, open Domains, select your domain, and go to Email Configuration > DKIM.
- Add a selector (any short name — many admins use
zmail) and Zoho generates the key pair. - Publish the TXT record it shows you on the host
yourselector._domainkey.yourdomain.com. Not sure what a selector is? See what is a DKIM selector. - Wait for DNS to propagate, come back, click Verify, and make sure the selector is enabled so outgoing mail is actually signed.
Until the selector is verified and enabled, your mail goes out unsigned by your domain — and unsigned mail can never pass DKIM alignment for DMARC.
Step 3: publish the DMARC record
A TXT record at the _dmarc host:
Type: TXT
Host: _dmarc (_dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
p=none changes nothing about delivery yet — it switches on the daily aggregate reports that show which sources pass and fail. Point rua at a mailbox you'll actually process, or at a monitoring service. You can assemble the record with our free DMARC generator.
Step 4: verify, monitor, then tighten
Confirm all three records exist:
dig +short TXT yourdomain.com
dig +short TXT yourselector._domainkey.yourdomain.com
dig +short TXT _dmarc.yourdomain.com
Send a test message to a Gmail address you control and open Show original: you want spf=pass, dkim=pass with header.d=yourdomain.com, and dmarc=pass. If DMARC fails anyway, it's an alignment issue — see why DMARC fails and how to fix it. If no reports show up within 48 hours, see not receiving DMARC reports.
Then watch your reports for a few weeks. When every legitimate source passes aligned, move to p=quarantine, and finish at p=reject — the only setting that actually stops spoofing. The trade-offs at each level are covered in p=none vs quarantine vs reject.
Common Zoho-specific mistakes
- Publishing the DKIM record but never clicking Verify / enabling the selector. The key sits in DNS while Zoho keeps sending unsigned mail.
- Using the wrong region's SPF include. An account on zoho.eu authorized with the .com include (or vice versa) can fail SPF from some sending IPs — copy the value your own Admin Console shows.
- Forgetting non-Zoho senders. Zoho being clean doesn't cover your newsletter or invoicing tools — each needs its own DKIM alignment, which your aggregate reports will surface.
On a different provider? The same walkthrough exists for Google Workspace, Microsoft 365, Amazon SES, and Mailgun.
Step 3 asks where to send reports — send them somewhere useful. Point rua at PlainDMARC and get a plain-English weekly verdict instead of zipped XML: which sources pass, which fail, and when you're ready to tighten the policy.