This feature works the same across all Freshservice products.
TABLE OF CONTENTS
- DMARC Email Authentication Setup
- How DMARC Works
- How to Add a DMARC Record
- DMARC Values and Tags
- Types of DMARC Policy
- Example of Alignment in Freshservice
- Troubleshooting DMARC Failures
DMARC Email Authentication Setup
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an authentication mechanism layered on top of SPF and DKIM. It verifies whether the address in the "From" header is the actual sender of the message. This protects your domain by letting you tell recipients how to handle unauthorized use of your email domains.
How DMARC Works
DMARC works by aligning the domain in the "From" header with the domain validated by SPF or DKIM. Alignment means the "From" domain must match at least one of them.
For DKIM: The domain used to create the signature (the d parameter) must match the "From" header.
For SPF: The domain in the MAIL FROM portion of SMTP (typically the Return-Path header) must match the "From" header.
DMARC passes if the SPF alignment check, the DKIM alignment check, or both pass. SPF and DKIM can each pass on their own while DMARC still fails, if neither authenticated domain aligns with the "From" domain under the alignment mode set in your policy.
How to Add a DMARC Record
DMARC is a TXT record that must be defined and added by the domain owner in your DNS records. Freshservice cannot add this for you.
To add the record:
1. Log in to your DNS provider's management console.
2. Create a new TXT record.
3. Set the Host/Name to: _dmarc (your provider may automatically append your domain to become _dmarc.yourdomain.com).
4. Enter the Value string based on your chosen policy (see below).
DMARC Values and Tags
A standard DMARC record uses specific tags to communicate with receiving servers.
Types of DMARC Policy
You can set one of three policies for your domain:
None (p=none): Monitoring mode. No action is taken against failed emails. Use this during initial setup.
Quarantine (p=quarantine): Failed emails are sent to the recipient's spam folder.
Reject (p=reject): Failed emails are blocked entirely.
Alignment Strictness
Relaxed: The check passes if there is a domain-subdomain match.
Strict: The check passes only if there is an exact domain match.
Example of Alignment in Freshservice
The following example shows how alignment works after completing SPF and DKIM authentication:
Custom domain name: sampledomain.com
From address: help@sampledomain.com
"d" parameter in DKIM Signature: sampledomain.com
SPF Return-Path address: help@fsdkim.sampledomain.com
Result: Because the DKIM domain matches the "From" address exactly, you can set up a strict alignment policy for DKIM. For SPF, you would set up a relaxed policy because it uses a subdomain. Since DMARC only requires one of these to pass, your emails will be DMARC-compliant.
Troubleshooting DMARC Failures
If your DMARC check fails, it is usually due to a breakdown in alignment or a syntax error in your DNS records. Use the following checklist to resolve common issues:
1. Check for Syntax Errors
Semicolons: Ensure all tags are separated by a semicolon (;).
Required Tags: The record must start with v=DMARC1; (case-sensitive) and include a p= tag.
Extra Spaces: Ensure there are no accidental spaces within the tag names (e.g., use p=none, not p = none).
2. Verify SPF and DKIM Health
DMARC cannot pass if both underlying authentication methods fail.
SPF Pass: Ensure your SPF record includes the Freshservice domain: include:_spf.freshservice.com.
DKIM Pass: Ensure your DKIM selector is "Verified" within your Freshservice Admin portal.
Single SPF Record: Confirm you only have one SPF TXT record. Multiple records will cause a permanent error.
3. Resolve Alignment Issues
"DMARC Fail" often occurs even when SPF/DKIM "Pass" if the domains do not align.
Domain Match: Ensure the domain in your "From" address matches the domain in your DKIM signature (d=) or SPF Return-Path.
Subdomain Policy: If you send from a subdomain (e.g., support.company.com), use Relaxed (r) alignment instead of Strict (s) to ensure the root domain record covers the subdomain.
4. Wait for Propagation
DNS changes can take up to 48 hours to update globally. If you have recently added or changed your record, wait for propagation before re-testing.
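The alignment example and the troubleshooting checklist above, as an added Python example (not Freshservice code): it validates a DMARC record against the syntax checks, then evaluates DKIM and SPF alignment for the sampledomain.com values. The record strings are constructed, and `org_domain()` assumes the organizational domain is the last two labels instead of consulting the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Parse a DMARC TXT value into a tag dict; raise ValueError on syntax errors."""
    tags = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags.append((name.strip(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1 (case-sensitive)")
    parsed = dict(tags)
    if parsed.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return parsed

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Production
    # code must use the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, dkim_d=None, spf_domain=None):
    """dkim_d / spf_domain: domains that already PASSED DKIM / SPF, else None."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_d is not None and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    passed = dkim_ok or spf_ok  # one aligned mechanism is enough
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if passed else "fail", "policy_applied": None if passed else tags["p"]}

# Constructed records evaluated with the page's sampledomain.com example values.
PAGE_EXAMPLE = evaluate("v=DMARC1; p=reject; adkim=s; aspf=r",
                        "sampledomain.com", "sampledomain.com", "fsdkim.sampledomain.com")
STRICT_SPF = evaluate("v=DMARC1; p=quarantine; adkim=s; aspf=s",
                      "sampledomain.com", None, "fsdkim.sampledomain.com")
```

`PAGE_EXAMPLE` passes on both mechanisms, while `STRICT_SPF` shows the failure mode from step 3: SPF passes for the fsdkim subdomain, but strict alignment rejects it and no aligned DKIM signature is available to compensate.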