How to Set Up DMARC for Zoho Mail: Complete DNS Configuration Guide

Zoho Mail is a popular email platform for small and medium businesses, and like every other email provider, it works best when your domain has proper email authentication in place. Setting up DMARC for a domain that uses Zoho Mail involves configuring SPF and DKIM through Zoho, then adding a DMARC record in your DNS provider.

This guide walks you through the complete Zoho Mail DMARC setup, including the SPF and DKIM prerequisites that Zoho requires before DMARC can work effectively.

Prerequisites: SPF and DKIM for Zoho Mail

DMARC depends on SPF and DKIM to function. Before you publish a DMARC record, both need to be configured for your Zoho Mail domain. For a clear breakdown of how these three protocols work together, read SPF vs DKIM vs DMARC.

SPF for Zoho Mail

When you first set up your domain in Zoho Mail, Zoho provides an SPF record you need to add to your DNS. The standard Zoho SPF record looks like this:

v=spf1 include:zoho.com ~all

If you use Zoho's regional data centers, the include value may differ. For EU-hosted accounts, it might be include:zoho.eu, and for India-hosted accounts, include:zoho.in. Check your Zoho Admin Console for the exact value.

If your domain also sends email through other services (marketing platforms, transactional email tools, etc.), make sure those are included in your SPF record too. You can build a complete SPF record at spfcreator.com.

DKIM for Zoho Mail

Zoho Mail supports DKIM signing, but you need to enable it in the Zoho Admin Console. This step is essential — without DKIM, your DMARC setup will rely entirely on SPF, which is fragile and breaks when emails are forwarded.

Creating Your DMARC Record

With SPF and DKIM confirmed for your Zoho Mail domain, you are ready to create your DMARC record. For a first-time setup, we recommend starting with a monitoring policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

This tells receiving mail servers to send you aggregate reports about who is sending email using your domain, without blocking or quarantining any messages. Replace dmarc-reports@yourdomain.com with an email address you monitor.

Adding the DMARC Record to Your DNS

Here is the important thing to understand: you do not add the DMARC record in Zoho Mail. DMARC records go in your DNS provider — the same place where you added your SPF and DKIM records. This might be your domain registrar (GoDaddy, Namecheap, etc.) or a DNS service like Cloudflare.

Verifying Your Complete Setup

Once your DMARC record is live, verify that all three layers of email authentication are working together:

Check SPF. Send a test email from your Zoho Mail account to an external address. View the email headers and look for spf=pass. If SPF is failing, revisit your SPF record to make sure it includes the correct Zoho include value.

Check DKIM. In the same email headers, look for dkim=pass. If DKIM is failing, go back to the Zoho Admin Console and confirm the DKIM selector is verified and active. Also double-check that the DNS record matches exactly what Zoho provided.

Check DMARC. Look for dmarc=pass in the headers. If SPF or DKIM is passing with proper alignment to your From domain, DMARC should pass. If DMARC is failing despite SPF or DKIM passing, you may have an alignment issue — the domain in the authentication check does not match your From domain.

You can also use dmarcrecordchecker.com to look up your domain and verify the record is valid and being returned correctly by DNS.

Common Zoho Mail DMARC Issues

DKIM Not Signing Messages

If your DMARC reports show DKIM failures for messages sent from Zoho, the most likely cause is that DKIM was not properly activated. Go to the Zoho Admin Console, check the DKIM section for your domain, and make sure the status shows as active (not pending or unverified). If the DNS record is correct but Zoho has not verified it, click the verify button again.

SPF Include Value Is Wrong

Zoho uses different SPF include values depending on your data center region. If you set up include:zoho.com but your account is hosted in the EU data center, SPF will fail. Check your Zoho account settings to confirm your data center region, and update the SPF include value accordingly.

Multiple Sending Services

If you send email from both Zoho Mail and other services (like Mailchimp for marketing or SendGrid for transactional email), each service needs its own authentication configured. Your SPF record should include all of them, and each should have DKIM set up with its own selector. DMARC will check alignment for whichever protocol passes, so make sure at least one is correctly configured for every sending source. If you manage email for multiple clients, our DMARC for agencies guide covers how to handle multi-domain authentication at scale.

Moving Toward Enforcement

After collecting DMARC reports for at least two weeks at p=none, review them to confirm all your legitimate email sources are passing. Then begin tightening your policy:

Phase 1: Update to p=quarantine; pct=10; to quarantine ten percent of failing messages. Monitor for a week.

Phase 2: Increase to pct=50, then pct=100. At full quarantine, all messages failing DMARC go to the recipient's spam folder.

Phase 3: Move to p=reject to block spoofed messages entirely. This gives your domain the strongest protection available.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.