Quick Tip: Set Up DMARC (and Fix DKIM in GoDaddy) for Better Deliverability

If you want your email to land in inboxes (and not look sketchy), DMARC is one of the best “trust signals” you can add to your domain. DMARC tells mailbox providers (Google, Microsoft, Yahoo, etc.) what to do when someone tries to spoof your domain.

DMARC works best when SPF and/or DKIM are already set up and passing.

TL;DR

• Add a DMARC TXT record in DNS
• Start with monitor mode (p=none), review reports, then move to quarantine and/or reject

DMARC record (start safe / monitor mode):

Host/Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100

How to Add a DMARC Record in GoDaddy

• Log into GoDaddy → My Products
• Find your domain → DNS / Manage DNS
• Under Records, click Add
• Set:
  • Type: TXT
  • Name/Host: _dmarc
  • Value: paste one of the DMARC policies below
  • TTL: leave default (1 hour is fine)
• Click Save

Choose Your DMARC Policy

1) Monitor Mode (Recommended First)

Collects data, does not block mail.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100

2) Quarantine (Send Failures to Spam/Junk)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100

3) Reject (Strongest Anti-Spoofing Protection)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100

What These DMARC Tags Mean

• v=DMARC1 = DMARC version (required)
• p= = policy (none, quarantine, reject)
• rua= = where aggregate reports go (expect XML—noisy but useful)
• adkim= = DKIM alignment (r relaxed, s strict)
• aspf= = SPF alignment (r relaxed, s strict)
• pct=100 = apply policy to 100% of mail

WebWize rule of thumb: start relaxed (r) and enforce only after you confirm legitimate mail sources are passing.

Quick Decision Box: Which Email System Am I Using?

Step 1 — Where do you manage users/mailboxes?

• Microsoft 365 (Exchange Online): You manage mailboxes in Microsoft 365 / Exchange admin; Outlook/Microsoft 365 apps are the norm. DKIM is almost always CNAME (two records): selector1 and selector2.
• Google Workspace (Gmail for business): You manage users in Google Admin Console (admin.google.com). DKIM is usually TXT (one record) with a selector like google or a custom selector.
• SmarterMail (self-hosted or managed mail server): You log into a SmarterMail web panel (often mail.yourdomain.com). DKIM is usually TXT (one record per domain): selector._domainkey.
• Mailgun (Transactional Email): You use Mailgun for forms, receipts, app mail, order notifications. DKIM is often CNAME (multiple records) provided by Mailgun.

Step 2 — What kind of email are you trying to authenticate?

• Normal business email (people emailing from Outlook/Gmail): Set up DKIM/DMARC for the primary provider first (Microsoft 365 / Google Workspace / SmarterMail).
• Website form emails / receipts / app emails: Often Mailgun (or another transactional sender). It must also be aligned or DMARC will keep failing.

Step 3 — Quick DNS Clues (even if you’re not sure)

• selector1._domainkey and selector2._domainkey → usually Microsoft 365
• google._domainkey or a TXT key starting with v=DKIM1 → usually Google Workspace
• a CNAME target containing mailgun.org → Mailgun
• default._domainkey or smartermail._domainkey → often SmarterMail (selector names vary)

Common Providers: DKIM Record Type Summary

Microsoft 365

• DKIM type: CNAME (usually two)
• Hosts: selector1._domainkey and selector2._domainkey
• Notes: DNS must exist before DKIM can be enabled in Microsoft 365

Google Workspace

• DKIM type: TXT (usually one)
• Host: google._domainkey (or Google-generated selector)
• Notes: Publish TXT, then “Start authentication” in Google Admin

SmarterMail

• DKIM type: TXT (one per sending domain)
• Host: selector._domainkey
• Notes: SmarterMail generates the keypair; you publish the public key in DNS

Mailgun (Transactional)

• DKIM type: CNAME (often multiple)
• Notes: Commonly used for forms/receipts—if not aligned, DMARC reports will show failures

WebWize Pro Tip: The #1 DMARC Failure Pattern

• Microsoft 365 for regular email (passes)
• Mailgun sending forms/receipts (not aligned)
• A newsletter platform (not aligned)

Result: DMARC reports show failures even though “email works.” Fix it by aligning each sender using SPF and/or DKIM so DMARC can pass.

If GoDaddy Won’t Accept Your DKIM Record (Fast Fix Checklist)

1) Confirm you’re editing the correct DNS (Nameservers check)

• If nameservers are GoDaddy, add DKIM in GoDaddy.
• If nameservers are Custom (Cloudflare/Wix/Squarespace/Microsoft/etc.), add DKIM where DNS is hosted (not in GoDaddy).

2) DKIM type mismatch (CNAME vs TXT)

• Microsoft 365 and Mailgun commonly require CNAME.
• Google Workspace and SmarterMail commonly use TXT.
• Trying to add the wrong type often triggers GoDaddy validation errors.

3) Host/Name format is wrong

• In GoDaddy, the Host/Name field should be the left-side label only (example: selector1._domainkey), not the full domain name.

4) DKIM already exists (edit, don’t add)

• Search DNS for _domainkey or selector.
• If it exists, edit the current record to match the provider’s value.

5) TXT key copy/paste issues (Google/SmarterMail)

• Paste the DKIM TXT value as one clean string starting with v=DKIM1;
• Avoid smart quotes and stray quotation marks.

6) You’re authenticating the wrong domain

• Make sure DKIM/DMARC matches the domain you send from (example: @yourdomain.com means authenticate yourdomain.com).
• If you send from a subdomain, it may require its own DNS/auth settings.

7) GoDaddy UI glitch workaround

• Refresh, try a private window, or use a different browser if GoDaddy won’t save valid data.

AEO-Friendly Answers (for AI snippets)

How do I add a DMARC record? Add a TXT record at host _dmarc with a value like v=DMARC1; p=none; rua=mailto:you@yourdomain.com. Start with p=none to monitor, then move to quarantine or reject after SPF/DKIM are aligned.

Why can’t I add a DKIM record in GoDaddy? Most DKIM issues happen because DNS is hosted elsewhere (nameservers not GoDaddy), the record type is wrong (CNAME vs TXT), the host name is formatted incorrectly, or a conflicting DKIM record already exists and must be edited.

WebWize Recommended Rollout

• Publish DMARC using p=none
• Review reports and identify all legitimate senders
• Fix alignment for any third-party senders (forms/transactional/newsletters)
• Move to p=quarantine
• Move to p=reject

FAQs

Do I need SPF and DKIM before DMARC?

You can publish DMARC anytime, but enforcement only works well when SPF and/or DKIM pass and align. Start with p=none to monitor, then enforce after your legitimate senders are aligned.

What email address should I use for DMARC reports (rua)?

Use a dedicated mailbox like dmarc@yourdomain.com or a DMARC reporting service. Reports are typically XML and can get noisy fast.

Should I use relaxed or strict alignment?

Most domains should start with relaxed alignment (adkim=r; aspf=r). Strict alignment can be great, but it can break legitimate email if your sending ecosystem is not clean.

How long does it take for DMARC changes to work?

Usually minutes to a few hours, depending on DNS TTL and provider caching. Verification tools may also take time to reflect changes.

Why do DMARC reports show failures when email seems to work?

Because some third-party sender (forms, receipts, newsletters, CRMs) is sending as your domain without proper SPF/DKIM alignment. DMARC reports are the “truth serum” that reveals these sources.

Can Microsoft 365 and Mailgun both send as the same domain?

Yes. In that case, you must configure both so that SPF and/or DKIM align for each sender. Otherwise DMARC will fail for one of them.