
DKIM & DMARC: what they are, and what you need to do

DKIM is automatic with HostBible; DMARC is your policy. Add a _dmarc TXT record (v=DMARC1) with rua reports, then move from none → quarantine → reject.

Written by Christopher Handscomb
Updated over 3 months ago

TL;DR

  • DKIM adds a cryptographic signature to your outgoing emails.
    At HostBible, we handle DKIM automatically for our Web Hosting customers — we sign your mail and publish/rotate the public keys. No action needed on your side for DKIM when you use our standard setup.

  • DMARC is a policy you (the domain owner) publish in DNS to tell receivers how to handle mail that fails SPF/DKIM alignment and where to send reports.
    DMARC policy is your responsibility. We don’t set it by default because enforcement depends on your business needs and all the services that send on your behalf.

  • To start, add a DNS TXT record at _dmarc.yourdomain.com with a monitoring policy, then move to enforcement as you gain confidence (examples below).


What is DKIM?

DomainKeys Identified Mail (DKIM) attaches a digital signature to each message. Receivers verify the signature using a public key published in your DNS. If the signature checks out, the receiver knows the signed parts of the message were not altered in transit and that the signing domain took responsibility for sending it.

How HostBible handles DKIM

  • For HostBible Web Hosting customers using our standard mail routing, we automatically sign outgoing mail and publish/rotate the required DKIM DNS records for your domain.

  • If your DNS is hosted elsewhere or you’ve made custom changes, contact Support and we’ll confirm DKIM is active for your domain (and provide any record details if needed).

  • If you add other email platforms (e.g., Microsoft 365, Google Workspace, a marketing tool), enable DKIM in those platforms as well so their messages pass DMARC through DKIM alignment.


What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) lets you publish a policy telling receivers:

  1. How to treat mail that fails SPF or DKIM alignment with your From: domain (p=none | quarantine | reject).

  2. Where to send reports so you can see who is sending using your domain (rua= for aggregate, optional ruf= for forensic).

Alignment means the domain SPF checked (the envelope sender, i.e. the Return-Path domain) or the DKIM signing domain (the d= tag in the signature) matches (or is within) the domain shown to users in the From: header. A message passes DMARC if either aligned SPF or aligned DKIM passes (both is even better).
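The alignment rule above, worked through as an added example (not HostBible's code). It evaluates the DMARC pass/fail decision for a From: domain given the SPF and DKIM outcomes, under relaxed (r) or strict (s) alignment; the domains are constructed, and org_domain is a two-label simplification of the organizational-domain lookup real receivers do with the Public Suffix List.

```python
"""DMARC alignment and pass/fail evaluation in the terms the article uses.
Added example, not HostBible's code; all domains below are constructed."""


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels (example.com).
    Real receivers consult the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(from_domain, spf_pass=False, spf_domain=None,
                 dkim_pass=False, dkim_domain=None, adkim="r", aspf="r"):
    """'pass' if aligned SPF or aligned DKIM passes, otherwise 'fail'.
    spf_domain is the Return-Path (MAIL FROM) domain SPF was evaluated on;
    dkim_domain is the d= of a signature that verified."""
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    # Constructed scenarios for a From: address at example.com.
    cases = {
        "direct send, SPF aligned":      dict(spf_pass=True, spf_domain="example.com"),
        "forwarded: SPF broke, DKIM ok": dict(spf_pass=False, spf_domain="forwarder.example",
                                              dkim_pass=True, dkim_domain="example.com"),
        "newsletter subdomain, relaxed": dict(dkim_pass=True, dkim_domain="news.example.com"),
        "newsletter subdomain, strict":  dict(dkim_pass=True, dkim_domain="news.example.com",
                                              adkim="s"),
        "SPF pass on unrelated domain":  dict(spf_pass=True, spf_domain="other.example"),
    }
    for name, kw in cases.items():
        print(f"{name:32} -> {dmarc_result('example.com', **kw)}")
```

The forwarded case shows why the article prefers DKIM: SPF fails once a forwarder re-sends the mail, but an intact aligned DKIM signature still carries the message through DMARC.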


How to create your DMARC record (you own this)

Record type: TXT
Name/Host: _dmarc (this makes _dmarc.yourdomain.com)
TTL: ~1 hour (3600) is a good default
Value: one of the examples below

Step 1 — Start in monitor mode (collect data)

Create a TXT record on _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:[email protected]
  • p=none asks receivers to deliver normally but send aggregate reports to rua.

  • Use a monitored mailbox (or a DMARC report service). Reports are XML and can be large.

Step 2 — Move to partial enforcement

After 2–4 weeks of clean reports (all legitimate sources passing alignment):

v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]; adkim=s; aspf=s
  • p=quarantine asks receivers to spam-folder mail that fails DMARC.

  • pct=50 applies enforcement to 50% of failing mail (ease in).

  • adkim=s and aspf=s set strict alignment (exact-domain match). You can keep defaults (relaxed) if needed.

Step 3 — Full enforcement

When you’re confident everything legitimate passes alignment:

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s
  • p=reject asks receivers to reject mail that fails DMARC.

  • Keep rua so you continue to see attempts and any misconfigurations.

Optional tags you might use

  • ruf=mailto:[email protected] – request forensic (failure) samples. Not all receivers send these; they may contain message excerpts, so use with care.

  • fo=1 – request a failure report when either SPF or DKIM fails to produce an aligned pass (the default, fo=0, reports only when both fail). Only meaningful together with ruf=.

  • sp= – apply a different policy to subdomains (e.g., sp=quarantine).

  • pct= – enforce policy on a percentage of mail (good for gradual rollout).

Exactly one DMARC record per domain. If you already have one, edit/merge rather than creating a second.
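A small checker for the record syntax described in this section, as an added example (not HostBible's code): it parses the tag=value list, verifies v=DMARC1 comes first, that p= is present and valid, that pct=, adkim=, aspf= and sp= hold allowed values, that rua=/ruf= entries are mailto: URIs, and that the _dmarc name holds exactly one DMARC record. The record strings and the dmarc-reports@example.com address are constructed.

```python
"""Sanity-check DMARC TXT records the way a receiver reads them.
Added example, not HostBible's own code; sample records are constructed."""
import re

POLICIES = {"none", "quarantine", "reject"}
ALIGN = {"r", "s"}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    """Return a list of problems; an empty list means the record looks usable."""
    problems = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    # v=DMARC1 must be the first tag; otherwise receivers ignore the record.
    if not re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGN:
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):  # comma-separated list of mailto: URIs
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag}= entry {uri!r} is not a mailto: address")
    return problems


def check_dmarc_txt_set(records: list) -> list:
    """Check all TXT records found at _dmarc.<domain>: exactly one may be DMARC."""
    dmarc = [r for r in records if re.match(r"^\s*v\s*=\s*DMARC1", r)]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    return check_dmarc(dmarc[0])
```

Feed check_dmarc_txt_set the strings returned by the dig or nslookup queries from the pitfalls section to catch a duplicate or malformed record before it reaches receivers.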


Choosing a DMARC rollout plan

  1. Inventory senders: HostBible (handled), plus any others (M365, Google Workspace, CRM, marketing, ticketing, etc.).

  2. Enable DKIM (and SPF) on each sender so it can pass DMARC.

  3. Start with p=none and review reports for 2–4 weeks.

  4. Enforce gradually: p=quarantine with pct=25→50→100, then move to p=reject.

  5. Keep monitoring even after full enforcement.


Examples for common scenarios

HostBible only

v=DMARC1; p=none; rua=mailto:[email protected]

Move to p=reject once you verify your mail flow.

HostBible + Microsoft 365

  • Ensure DKIM is enabled in Microsoft 365 for your domain.

  • Then use:

v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]; adkim=s; aspf=s

Apply a different policy to subdomains

If you send from subdomains (e.g., news.yourdomain.com) and want a softer policy there:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]; adkim=s; aspf=s

Automatic management (what we do vs. what you do)

  • DKIM (HostBible: we do it)
    For Web Hosting customers using our standard setup, we automatically sign outbound mail and publish/rotate the public keys. No additional action is required on your side for DKIM.

  • DMARC (you do it)
    Because DMARC is a policy decision for your domain, you must create and manage the _dmarc TXT record. We’re happy to advise on values and review your rollout plan.

If your DNS is hosted outside HostBible or you use additional outbound services, we can help you confirm alignment and consolidate everything into a safe, enforceable DMARC policy.


Best practices & pitfalls

  • One DMARC TXT per domain — duplicates cause failures.

  • Use a working rua mailbox (or a DMARC reporting service).

  • Don’t rush to p=reject until all legitimate senders pass alignment.

  • Forwarding can break SPF; DKIM is more resilient. Prefer DKIM where possible.

  • Keep it simple: only add tags you need.

  • Test changes with DNS lookups:

    • nslookup -type=txt _dmarc.yourdomain.com

    • dig txt _dmarc.yourdomain.com +short


FAQ

Do I need a DMARC record if HostBible manages DKIM?
Yes. DKIM proves your mail is authorized; DMARC tells receivers what to do with mail that isn’t. DMARC also gives you visibility via reports.

Will HostBible create my DMARC record for me?
We don’t publish DMARC by default because it’s a policy for your domain. We can provide recommended values and help you implement it with your DNS host.

Should I set adkim=s and aspf=s?
Strict alignment is safest but can surface misconfigurations. Many start with relaxed alignment (defaults) and tighten later.

What email address should I use for rua?
Create a dedicated mailbox or use a DMARC report service. You can list multiple addresses separated by commas:


Need help?

Not sure which policy to choose, or seeing failures in your DMARC reports? Contact HostBible Support. We’ll review your sender inventory, confirm DKIM/SPF alignment, and propose a safe path to enforcement.
