DMARC Setup for Zoho Mail: SPF, DKIM, and Compliance

Step-by-step guide to configuring SPF, DKIM, and DMARC for Zoho Mail and verifying everything aligns correctly.

Zoho Mail is a great low-cost alternative to Google Workspace and Microsoft 365, and it handles SPF, DKIM, and DMARC about as well as the bigger providers — once you've actually configured them. The catch is that none of it is enabled by default, and Zoho's admin console buries the DKIM settings in a non-obvious place.

This guide walks through the full Zoho Mail authentication setup from scratch and shows you how to verify everything is working before you switch DMARC into enforcement mode.

What You Need Before Starting

  • Admin access to your Zoho Mail account
  • DNS access for your domain (the place where you manage TXT records)
  • A test email account on a different provider (Gmail works) for verifying delivery

If you're new to all of this, the SPF, DKIM, and DMARC overview explains how the three protocols work together.

Step 1: Configure SPF for Zoho

Zoho's official SPF include is straightforward. Add this TXT record at the root of your domain:

v=spf1 include:zoho.com ~all

If you already have an SPF record (for example, you also send through a CRM), merge the includes — you can only have one SPF record per domain:

v=spf1 include:zoho.com include:_spf.othercrm.com ~all

The trailing ~all is a soft fail. Once you're confident everything legitimate is included, change it to -all (hard fail) for stronger protection.

Step 2: Enable DKIM in Zoho Mail Admin

This is the step most people miss. Zoho doesn't sign with DKIM unless you explicitly enable it.

  1. Go to Zoho Mail Admin Console -> Domains -> click your domain.
  2. Open the Email Configuration tab and find DKIM.
  3. Click Add and create a selector (Zoho suggests zoho or zmail).
  4. Zoho generates a TXT record. Copy it and publish it in your DNS at <selector>._domainkey.yourdomain.com.
  5. Wait for DNS propagation (usually a few minutes), then click Verify in the Zoho console.
  6. Once verified, toggle the selector to Enabled.

That last step matters — Zoho will let the selector sit verified-but-disabled, and then you'll wonder why your messages aren't being signed.

Verify by sending a test email to a Gmail account and checking the original message headers for dkim=pass with d=yourdomain.com.

Step 3: Publish a DMARC Record

Start in monitoring mode so you can spot any other sending sources before enforcement:

v=DMARC1; p=none; rua=mailto:[email protected];

You can generate a tailored DMARC record and then check it published correctly with the free DMARC record checker.

Verifying Alignment

DMARC requires SPF or DKIM to align with your From address domain — not just pass. Send a test message and check the headers for an Authentication-Results line. You're looking for:

spf=pass smtp.mailfrom=yourdomain.com
dkim=pass header.d=yourdomain.com
dmarc=pass

If SPF passes but shows smtp.mailfrom=zoho.com, your SPF won't align — fall back on DKIM, which should be aligned because Zoho signs with your domain's selector.

Common Zoho Setup Issues

SymptomCauseFix
DKIM not signing despite verified recordSelector verified but not enabled in Zoho adminToggle the selector to Enabled in the DKIM panel
Multiple SPF records in DNSOld SPF wasn't replaced when adding ZohoMerge into a single TXT record with multiple includes
DMARC fails for forwarded mailForwarder rewrites SPF and breaks DKIMNormal — accept some forwarded failures or use ARC
DKIM TXT record won't validateDNS provider split the record across lines or added quotesRepublish as a single quoted string
Aliases failing alignmentSending from an alias on a different domainAdd and verify each alias domain separately in Zoho

The DKIM split-record issue is especially common with DNS providers like Cloudflare and GoDaddy. The published key is long and many providers wrap it incorrectly. If verification fails, look at the raw TXT and remove any internal quote marks or line breaks.

Multi-Domain Zoho Setups

If you host multiple domains in one Zoho account (Zoho lets you add several), each needs its own SPF, DKIM, and DMARC records. There's no shortcut — repeat the process for every domain. Use the DMARC record checker on each domain after setup to confirm.

Moving to Enforcement

Wait two to four weeks in p=none and review aggregate reports for unexpected sources. Common surprises for Zoho users include:

  • A Zoho CRM or Zoho Campaigns account sending under the same domain — these may need separate authentication
  • Old marketing tools still configured against the domain
  • Calendar invitations being relayed through external services

Once everything legitimate is aligned, move to p=quarantine and then p=reject. Full sequence in the DMARC enforcement guide.

Troubleshooting

If your Zoho mail is failing DMARC after setup:

  1. Confirm the DMARC record is parsing correctly via the record checker.
  2. Send to a Gmail account and read the Authentication-Results header.
  3. Check that the DKIM selector is enabled (not just verified) in Zoho admin.
  4. Make sure you don't have two SPF records — only the first is evaluated.
  5. Review aggregate reports for the failing sources.

Deeper diagnostics in our DMARC fail guide.

Don't Set It and Forget It

Zoho's admin panel gives you a snapshot of your current authentication status, but it won't tell you when something changes. Continuous monitoring catches DNS edits, expired DKIM keys, and new third-party services sending from your domain — the things that quietly break compliance between manual checks.

Keep your Zoho domain authenticated, automatically

Continuous DMARC monitoring with alerts on DKIM changes, SPF drift, and new sending sources — so your Zoho setup stays compliant.

Start Monitoring