Zoho Mail is Zoho's business email hosting service with productivity tools. This guide covers the complete email authentication stack for Zoho Mail: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize Zoho Mail to send email on behalf of your domain by adding the correct SPF include for your Zoho region.
Type: TXT
Host: @
Value: v=spf1 include:zoho.com ~all
Use include:zoho.com for US, include:zoho.eu for EU, or include:zoho.in for India. Match your Zoho data center region.
Determine which Zoho data center you use: zoho.com (US), zoho.eu (EU), or zoho.in (India). This affects the SPF include value.
Go to mail.zoho.com (or your regional URL) and access the admin console.
Go to Domains > your domain > Email Configuration. Zoho displays the required DNS records.
Add the appropriate include to your SPF record based on your region.
v=spf1 include:zoho.com ~all
# OR for EU: v=spf1 include:zoho.eu ~all
# OR for India: v=spf1 include:zoho.in ~all
Return to Zoho admin and verify the DNS records. Zoho will confirm SPF is configured.
Missing the Zoho include: v=spf1 ~all
With the Zoho include: v=spf1 include:zoho.com ~all
Use include:zoho.com for US accounts, include:zoho.eu for EU, or include:zoho.in for India. Add the correct one to your SPF record.
Check the URL you use to access Zoho Mail: mail.zoho.com (US), mail.zoho.eu (EU), or mail.zoho.in (India).
You should only need the include for your specific region. Adding multiple adds unnecessary DNS lookups.
Generate and publish a DKIM key in Zoho Mail admin to enable cryptographic signing of outgoing email.
Type: TXT
Host: zmail._domainkey
Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_ZOHO
The default selector is "zmail" but you can customize it. Generate the key in Zoho Mail admin.
Go to the Zoho Mail admin console for your domain.
Go to Domains > your domain > Email Authentication > DKIM.
Click "Add" to create a new DKIM key. You can customize the selector name (default is often "zmail") and choose the key size (2048-bit recommended).
Copy the generated TXT record and add it to your DNS.
zmail._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
Click "Verify" in Zoho Mail admin. Once verified, Zoho will begin signing outgoing email with DKIM.
Zoho Mail commonly uses "zmail" as the default selector, but you can customize it during DKIM key generation.
Yes. Zoho recommends 2048-bit keys for stronger security. Use 1024-bit only if your DNS provider has character limits.
Yes. Zoho Mail allows multiple DKIM selectors per domain, which is useful for key rotation.
Publish a DMARC record to protect your Zoho Mail domain from spoofing and phishing.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Set up SPF and DKIM for Zoho Mail first.
Verify both SPF and DKIM are configured for Zoho Mail and passing.
Send a test email from Zoho Mail and check the headers for SPF and DKIM pass results.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Review DMARC aggregate reports for 2-4 weeks.
Move from p=none to p=quarantine to p=reject.
Yes. When SPF and DKIM are configured, Zoho Mail provides proper alignment for DMARC.
Start with p=none to monitor. After 2-4 weeks of clean reports, move to p=quarantine and then p=reject.
Zoho does not have a built-in DMARC report analyzer, but you can send reports to a third-party DMARC monitoring service.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.
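Before publishing, the three TXT values from this guide can be checked offline for the pitfalls described above (missing or duplicated Zoho region include, an unreplaced DKIM placeholder, a DMARC record without a reporting address). The Python below is an added example, not Zoho's tooling or code from this guide; the function names and the sample record are constructed for illustration, and the SPF lookup count covers top-level terms only.

```python
# Added example: offline lint of the three TXT records this guide publishes.
ZOHO_INCLUDES = {"include:zoho.com", "include:zoho.eu", "include:zoho.in"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(value):
    """Split a DKIM/DMARC 'tag=value; tag=value' string into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(apex_txt):
    """apex_txt: every TXT string published at @ for the domain."""
    spf = [v for v in apex_txt if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    # Drop the version term and any qualifier (+ - ~ ?) in front of each term.
    terms = [t.lstrip("+-~?") for t in spf[0].lower().split()[1:]]
    zoho = [t for t in terms if t in ZOHO_INCLUDES]
    issues = []
    if not zoho:
        issues.append("no Zoho include for any region")
    elif len(zoho) > 1:
        issues.append("more than one Zoho region include")
    # Top-level terms only; lookups nested inside includes are not resolved here.
    names = [t.replace("=", ":").replace("/", ":").split(":")[0] for t in terms]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        issues.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    return issues

def lint_dkim(value):
    tags, issues = parse_tags(value), []
    if tags.get("v", "").upper() != "DKIM1":
        issues.append("missing v=DKIM1")
    if not tags.get("p") or "YOUR_PUBLIC_KEY" in tags["p"]:
        issues.append("p= is empty or still the placeholder")
    return issues

def lint_dmarc(value):
    tags, issues = parse_tags(value), []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports arrive")
    return issues

if __name__ == "__main__":
    # Constructed sample: two region includes published in one SPF record.
    print(lint_spf(["v=spf1 include:zoho.com include:zoho.eu ~all"]))
```

An empty list from each function means none of these pitfalls were found; it does not replace Zoho's own "Verify" step or a live DNS query.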