DMARC Setup for Zoho Mail: SPF, DKIM, and Compliance
Step-by-step guide to configuring SPF, DKIM, and DMARC for Zoho Mail and verifying everything aligns correctly.
Zoho Mail is a great low-cost alternative to Google Workspace and Microsoft 365, and it handles SPF, DKIM, and DMARC about as well as the bigger providers — once you've actually configured them. The catch is that none of it is enabled by default, and Zoho's admin console buries the DKIM settings in a non-obvious place.
This guide walks through the full Zoho Mail authentication setup from scratch and shows you how to verify everything is working before you switch DMARC into enforcement mode.
What You Need Before Starting
- Admin access to your Zoho Mail account
- DNS access for your domain (the place where you manage TXT records)
- A test email account on a different provider (Gmail works) for verifying delivery
If you're new to all of this, the SPF, DKIM, and DMARC overview explains how the three protocols work together.
Step 1: Configure SPF for Zoho
Zoho's official SPF include is straightforward. Add this TXT record at the root of your domain:
v=spf1 include:zoho.com ~all
If you already have an SPF record (for example, you also send through a CRM), merge the includes — you can only have one SPF record per domain:
v=spf1 include:zoho.com include:_spf.othercrm.com ~all
The trailing ~all is a soft fail. Once you're confident everything legitimate is included, change it to -all (hard fail) for stronger protection.
Step 2: Enable DKIM in Zoho Mail Admin
This is the step most people miss. Zoho doesn't sign with DKIM unless you explicitly enable it.
- Go to Zoho Mail Admin Console -> Domains -> click your domain.
- Open the Email Configuration tab and find DKIM.
- Click Add and create a selector (Zoho suggests
zohoorzmail). - Zoho generates a TXT record. Copy it and publish it in your DNS at
<selector>._domainkey.yourdomain.com. - Wait for DNS propagation (usually a few minutes), then click Verify in the Zoho console.
- Once verified, toggle the selector to Enabled.
That last step matters — Zoho will let the selector sit verified-but-disabled, and then you'll wonder why your messages aren't being signed.
Verify by sending a test email to a Gmail account and checking the original message headers for dkim=pass with d=yourdomain.com.
Step 3: Publish a DMARC Record
Start in monitoring mode so you can spot any other sending sources before enforcement:
v=DMARC1; p=none; rua=mailto:[email protected];
You can generate a tailored DMARC record and then check it published correctly with the free DMARC record checker.
Verifying Alignment
DMARC requires SPF or DKIM to align with your From address domain — not just pass. Send a test message and check the headers for an Authentication-Results line. You're looking for:
spf=pass smtp.mailfrom=yourdomain.com
dkim=pass header.d=yourdomain.com
dmarc=pass
If SPF passes but shows smtp.mailfrom=zoho.com, your SPF won't align — fall back on DKIM, which should be aligned because Zoho signs with your domain's selector.
Common Zoho Setup Issues
| Symptom | Cause | Fix |
|---|---|---|
| DKIM not signing despite verified record | Selector verified but not enabled in Zoho admin | Toggle the selector to Enabled in the DKIM panel |
| Multiple SPF records in DNS | Old SPF wasn't replaced when adding Zoho | Merge into a single TXT record with multiple includes |
| DMARC fails for forwarded mail | Forwarder rewrites SPF and breaks DKIM | Normal — accept some forwarded failures or use ARC |
| DKIM TXT record won't validate | DNS provider split the record across lines or added quotes | Republish as a single quoted string |
| Aliases failing alignment | Sending from an alias on a different domain | Add and verify each alias domain separately in Zoho |
The DKIM split-record issue is especially common with DNS providers like Cloudflare and GoDaddy. The published key is long and many providers wrap it incorrectly. If verification fails, look at the raw TXT and remove any internal quote marks or line breaks.
Multi-Domain Zoho Setups
If you host multiple domains in one Zoho account (Zoho lets you add several), each needs its own SPF, DKIM, and DMARC records. There's no shortcut — repeat the process for every domain. Use the DMARC record checker on each domain after setup to confirm.
Moving to Enforcement
Wait two to four weeks in p=none and review aggregate reports for unexpected sources. Common surprises for Zoho users include:
- A Zoho CRM or Zoho Campaigns account sending under the same domain — these may need separate authentication
- Old marketing tools still configured against the domain
- Calendar invitations being relayed through external services
Once everything legitimate is aligned, move to p=quarantine and then p=reject. Full sequence in the DMARC enforcement guide.
Troubleshooting
If your Zoho mail is failing DMARC after setup:
- Confirm the DMARC record is parsing correctly via the record checker.
- Send to a Gmail account and read the
Authentication-Resultsheader. - Check that the DKIM selector is enabled (not just verified) in Zoho admin.
- Make sure you don't have two SPF records — only the first is evaluated.
- Review aggregate reports for the failing sources.
Deeper diagnostics in our DMARC fail guide.
Don't Set It and Forget It
Zoho's admin panel gives you a snapshot of your current authentication status, but it won't tell you when something changes. Continuous monitoring catches DNS edits, expired DKIM keys, and new third-party services sending from your domain — the things that quietly break compliance between manual checks.
Keep your Zoho domain authenticated, automatically
Continuous DMARC monitoring with alerts on DKIM changes, SPF drift, and new sending sources — so your Zoho setup stays compliant.
Start Monitoring