How to Set Up SPF and DKIM for Zoho Mail

This guide outlines the steps to configure Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for your domain in Zoho Mail, ensuring compliance with Domain-based Message Authentication, Reporting, and Conformance (DMARC) standards.

Prerequisites:

• A domain should have only one SPF record.

• Administrator access to your Zoho Mail account and Admin Console.

• Administrator access to your DNS provider (e.g. Cloudflare, GoDaddy, Namecheap).

SPF Setup:

Identify your existing SPF record:

Before adding anything, check whether your domain already has an SPF record. You can do this using the free Domain Intelligence tool at Dmarclytics — enter your domain and it will show you any existing SPF record instantly.

Add or modify your SPF record:

If no SPF record exists, log in to your Zoho Mail Admin Console and navigate to: Domains > Select your domain > Email Configuration > SPF

Zoho will display the SPF record value you need to publish. Add the following TXT record to your DNS:

Record Type: TXT

Hostname / Host: @

Value: v=spf1 include:zoho.com ~all

If an SPF record already exists on your domain, do not create a second one. Instead, modify the existing record to include Zoho by appending include:zoho.com before the ~all or -all at the end. For example:

v=spf1 include:zoho.com include:otherprovider.com ~all

Save the record and allow up to 48 hours for DNS propagation, though changes typically take effect within the hour.

Verify your SPF record in Zoho:

Once the DNS record has propagated, return to the Zoho Admin Console > Domains > Email Configuration > SPF and click Verify. A confirmation message will appear once Zoho detects the record successfully.

DKIM Setup:

Sign in to your Zoho Mail Admin Console and navigate to: Domains > Select your domain > Email Configuration > DKIM

Click Add Selector to generate a DKIM key pair. Zoho will provide you with a unique public key value and a selector name (typically formatted as zmail._domainkey).

Add the DKIM TXT record to your DNS:

Open your domain's DNS settings in a separate tab and create a new TXT record with the following details:

Record Type: TXT

Hostname / Host: zmail._domainkey.yourdomain.com (replace yourdomain.com with your actual domain)

Value: Paste the full public DKIM key string provided by Zoho Mail

Save the record and allow DNS propagation before proceeding.

Enable DKIM in Zoho:

Return to the Zoho Admin Console > Domains > Email Configuration > DKIM and click Verify next to your selector.

Once the status updates to Verified, a prompt will appear asking whether you want to enable DKIM immediately or later. Select Enable Immediately.

From this point, DKIM signatures will be automatically added to all outgoing emails sent from your domain.

Verification:

Once both records are published and enabled, confirm the following:
SPF record is visible in your DNS and returns a pass result.
DKIM selector status in Zoho Mail shows Verified and Enabled.
Outgoing emails are being signed with a DKIM signature.
Use the free Domain Intelligence tool at Dmarclytics to verify your SPF and DKIM configurations are correctly published and readable.

Next Step — Add DMARC:

With SPF and DKIM in place, your domain is ready for DMARC. A DMARC record tells receiving mail servers what to do when an email fails authentication. Start with a monitoring-only policy:

Record Type: TXT

Hostname / Host: _dmarc

Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com

Once you start receiving reports, use Dmarclytics to analyse them and move towards a p=quarantine or p=reject policy with confidence.

Support:

For assistance, contact us via live chat or submit a support ticket.

By implementing these steps, your domain will be correctly configured for DMARC compliance, improving email security and deliverability for all mail sent through Zoho.