DMARC Setup Guides for Every Email Provider
Step-by-step DMARC setup guides for Gmail, Google Workspace, Microsoft 365, SendGrid, Mailchimp, HubSpot, and every major email and marketing platform.
Last updated: 2026-04-05
Setting up DMARC is not a one-size-fits-all process. Every email provider handles SPF and DKIM differently, which means DMARC alignment requirements vary depending on where your email originates. Whether you send through Google Workspace, Microsoft 365, Mailchimp, SendGrid, or any combination of platforms, each service has its own authentication mechanisms, DNS requirements, and configuration steps that affect how your DMARC policy works in practice.
This hub page collects all of our provider-specific DMARC setup guides in one place. Find the services you use, follow the linked guide, and get every sending source properly authenticated and aligned with your DMARC policy. If you are new to DMARC entirely, start with our complete guide to DMARC or our walkthrough on how to set up DMARC before diving into individual providers.
Why Provider-Specific Guides Matter
DMARC works by checking whether the domain in the From header of an email aligns with the domains authenticated by SPF and DKIM. The challenge is that every email service implements SPF and DKIM in its own way. Some providers sign messages with your custom domain automatically. Others sign with their own domain by default and require you to explicitly configure custom DKIM signing. Some services send from shared IP pools that need specific SPF includes, while others give you dedicated IPs with different requirements.
These differences mean that a generic DMARC setup tutorial can only get you so far. You might create a valid DMARC record but still see failures because one of your sending services is not properly aligned. A provider-specific guide walks you through the exact SPF includes, DKIM configuration steps, and alignment considerations for that particular service.
Understanding DMARC alignment is especially important when you use multiple sending services. Each one needs to pass either SPF alignment, DKIM alignment, or both. Our individual guides explain exactly how to achieve that for each provider.
If you are not sure whether your domain already has a DMARC record, use dmarcrecordchecker.com to check your current configuration before making changes.
Email Hosting Providers
These are the platforms that host your primary business or personal email. They handle your day-to-day inbox and are usually the first sending source you need to authenticate.
Google Workspace
Google Workspace is one of the most widely used business email platforms, and Google now requires bulk senders to have DMARC in place. Our guide covers enabling DKIM in the Admin console, configuring the correct SPF include, and creating a DMARC record that aligns with Google's sending infrastructure.
Set up DMARC for Google Workspace
Gmail (Free)
Free Gmail accounts work differently from Google Workspace. Google handles authentication on its own servers, but if you are using Gmail with a custom domain through a third-party setup or sending as an alias, additional configuration is required. Our guide explains the specifics.
Microsoft 365 / Office 365
Microsoft 365 is the dominant email platform for enterprises and many mid-sized businesses. It supports both SPF and DKIM out of the box, but DKIM signing with your custom domain must be enabled through the Microsoft 365 Defender portal. Our guide walks through each step.
Set up DMARC for Microsoft 365
Zoho Mail
Zoho Mail provides business email with built-in SPF and DKIM support. Configuration happens through the Zoho Mail Admin console, and the SPF include and DKIM selector differ from other providers. Our guide covers the exact DNS records you need.
Fastmail
Fastmail is popular among privacy-conscious users and small businesses. It supports custom domain email with DKIM signing, but the setup process is specific to Fastmail's infrastructure. Our guide explains how to configure SPF, DKIM, and DMARC for Fastmail-hosted domains.
Email Marketing Platforms
Marketing platforms send email on your behalf using their own infrastructure. Each one needs to be explicitly authorized in your SPF record and configured to sign messages with DKIM using your domain. Without proper setup, marketing emails are among the most common sources of DMARC failures.
When adding marketing platforms to your SPF record, remember that SPF has a 10 DNS lookup limit. If you use many services, you may need to consolidate or restructure your SPF record. Build and validate your SPF record at spfcreator.com.
Mailchimp
Mailchimp is one of the most popular email marketing tools for small and mid-sized businesses. It supports custom domain authentication through DKIM and requires a specific CNAME record for verification. Our guide walks through Mailchimp's domain authentication flow and the DNS records you need.
SendGrid
SendGrid is widely used for both transactional and marketing email. It offers domain authentication through automated DNS record setup, including SPF via CNAME records and DKIM signing with your custom domain. Our guide covers the full authentication process.
HubSpot
HubSpot sends marketing, sales, and service emails on behalf of your domain. It supports DKIM signing through its email sending domains feature, and SPF alignment requires specific DNS entries. Our guide details the HubSpot-specific setup steps.
Klaviyo
Klaviyo is a leading email marketing platform for ecommerce brands. It requires dedicated sending domain setup for DMARC alignment, including DKIM records and SPF authorization. Our guide covers Klaviyo's domain authentication workflow.
Mailgun
Mailgun is a developer-focused email API service. It offers robust domain verification with SPF and DKIM records that you add to your DNS. Our guide explains how to configure Mailgun's sending domain to pass DMARC checks.
Amazon SES
Amazon Simple Email Service is the go-to email sending service for AWS-based applications. SES supports custom MAIL FROM domains for SPF alignment and DKIM signing via Easy DKIM. Our guide walks through both configurations.
Salesforce
Salesforce sends email from multiple contexts, including Sales Cloud, Marketing Cloud, and Pardot. Each has its own authentication requirements. Our guide covers how to align Salesforce-originated email with your DMARC policy.
Constant Contact
Constant Contact is a popular email marketing platform for small businesses and nonprofits. It supports self-authentication through DKIM and requires a CNAME record to enable custom domain signing. Our guide details the setup process.
Set up DMARC for Constant Contact
Postmark
Postmark focuses on transactional email delivery with high deliverability rates. It supports DKIM signing with your custom domain and provides clear DNS records during the setup process. Our guide covers how to get Postmark emails passing DMARC.
Brevo (Sendinblue)
Brevo, formerly Sendinblue, handles both marketing and transactional email. It supports domain authentication through DKIM and SPF records that you publish in your DNS. Our guide walks through Brevo's sender authentication setup.
ActiveCampaign
ActiveCampaign combines email marketing with CRM and automation. It supports DKIM signing for custom domains and provides specific DNS records during the domain setup process. Our guide explains how to get ActiveCampaign properly authenticated.
Set up DMARC for ActiveCampaign
Kit (ConvertKit)
Kit, formerly ConvertKit, is built for creators and newsletter publishers. It supports custom domain authentication including DKIM signing, which is essential for DMARC alignment. Our guide covers Kit's authentication flow and DNS requirements.
Support and Helpdesk Platforms
Helpdesk tools send email replies, ticket notifications, and automated messages on behalf of your domain. These are often overlooked during DMARC setup but can be a significant source of authentication failures if not properly configured.
Freshdesk
Freshdesk sends support ticket responses and notifications from your domain. It supports custom mailbox configuration with SPF and DKIM records to ensure outgoing support emails pass DMARC checks. Our guide covers the required DNS entries and configuration steps.
Zendesk
Zendesk sends a high volume of email on behalf of support teams. It requires specific SPF includes and DKIM CNAME records to authenticate outbound messages with your domain. Our guide walks through Zendesk's email authentication setup.
Ecommerce Platforms
Ecommerce platforms send order confirmations, shipping notifications, and marketing emails from your store's domain. Ensuring these messages pass DMARC is critical for customer trust and deliverability.
Shopify
Shopify sends transactional emails such as order confirmations and shipping updates on behalf of your store. It supports sender authentication through SPF and DKIM, and our guide explains how to configure your DNS so these messages align with your DMARC policy.
WordPress
WordPress sites often send email through plugins, contact forms, and WooCommerce. By default, WordPress sends email from the server's IP address without proper authentication, which almost always fails DMARC. Our guide explains how to configure authenticated email sending for WordPress.
Universal Steps for Every Provider
Regardless of which platforms you use, the core DMARC setup process follows the same sequence. Every provider guide above builds on these fundamental steps.
Verify domain authentication for each sending service
Log in to each platform that sends email on behalf of your domain and complete their domain authentication or verification process. This typically involves adding DNS records that the provider generates for you.
Check SPF alignment
Make sure your SPF record includes the correct entries for every service that sends email as your domain. Each provider has a specific include: mechanism or IP range. Validate your full SPF record at spfcreator.com to catch missing entries and ensure you stay within the 10 DNS lookup limit.
Enable DKIM signing with your custom domain
For each sending service, enable DKIM signing using your own domain rather than the provider's default domain. This requires publishing DKIM public key records in your DNS. Generate and verify DKIM records at dkimcreator.com.
Create your DMARC record
Publish a DMARC TXT record at _dmarc.yourdomain.com. Start with a p=none policy so you can monitor results without affecting delivery. Include a rua address to receive aggregate reports.
Monitor reports and move to enforcement
Review your DMARC aggregate reports to confirm that all legitimate sending sources are passing authentication. Once everything looks clean, move from p=none to p=quarantine and eventually to p=reject. Read our guide on DMARC monitoring for details on this process.
Create your DMARC record
Use our free DMARC generator to build a valid record for your domain.
Using Multiple Providers Together
Most organizations send email from more than one platform. You might use Google Workspace for internal email, Mailchimp for newsletters, SendGrid for transactional messages, and Zendesk for support tickets. Each of these services must independently pass DMARC alignment for the messages it sends.
The key challenge with multiple providers is SPF record management. Every service you add requires another include: entry in your SPF record, and SPF has a hard limit of 10 DNS lookups. If you exceed this limit, SPF evaluation fails entirely, which can cause DMARC failures across all your email.
Here are the strategies that work:
Rely on DKIM as the primary alignment mechanism. DKIM does not have a lookup limit and works reliably even when email is forwarded. If every provider signs messages with DKIM using your custom domain, your email will pass DMARC regardless of SPF. This is the most robust approach for organizations with many sending sources.
Audit your SPF record regularly. Remove include: entries for services you no longer use. Consolidate where possible. If you previously used both Sendinblue and Mailchimp but have since moved everything to HubSpot, update your SPF record accordingly.
Use subdomains for different sending services. You can configure marketing email to send from mail.yourdomain.com and support email from support.yourdomain.com. Each subdomain gets its own SPF record with its own 10-lookup budget. This also makes it easier to apply different DMARC policies to different mail streams. Read more about this approach in our DMARC for subdomains guide.
Test each provider individually. After configuring authentication for a new service, send test messages and check the email headers to confirm that both SPF and DKIM pass with proper alignment. Use dmarcrecordchecker.com to verify your DMARC record is valid and spfcreator.com to validate your SPF record syntax.
When you add a new sending service, always update your SPF record and configure DKIM signing before sending any volume of email. Messages sent without proper authentication will generate DMARC failures that end up in your reports and can affect your domain's reputation.
If you also need help adding DMARC records to a specific DNS host, see our companion hub page on DMARC DNS hosting setup guides.
Related Articles
Never miss a DMARC issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring