godaddydmarcspfdkimdnstutorial

How to Set Up DMARC, SPF, and DKIM on GoDaddy (The 2026 Guide)

Updated Jan 2026

DmarcBeacon Team6 min read

Why Your Emails Are Ending Up in Spam

If your transactional emails or newsletters are hitting spam folders, the culprit is almost always missing or misconfigured email authentication. Gmail, Microsoft 365, and Yahoo now require SPF, DKIM, and DMARC for reliable inbox delivery.

Without these records, receiving servers have no way to verify your emails are legitimate—so they assume the worst.

This guide walks you through setting up all three in GoDaddy's DNS manager. Takes about 15 minutes.

Prerequisites

Before you start, make sure you have:

  • GoDaddy account access with DNS management permissions
  • List of services that send email for your domain (Google Workspace, SendGrid, Mailchimp, etc.)
  • Their SPF include statements (check their documentation)
  • DKIM keys from your email provider (we'll cover how to get these)

Step 1: Set Up SPF (Sender Policy Framework)

SPF tells receiving servers which mail servers are authorized to send email on behalf of your domain.

1.1 Log into GoDaddy DNS Manager

  • 1.Go to GoDaddy.com and sign in
  • 2.Navigate to My ProductsDNS for your domain
  • 3.Scroll to the DNS Records section

1.2 Create the SPF Record

Click Add New Record and configure:

FieldValue
TypeTXT
Name@
Value(see below)
TTL1 Hour

Your SPF record depends on which services send email for you. Here's a template:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Common include statements:

ProviderInclude
Google Workspaceinclude:_spf.google.com
Microsoft 365include:spf.protection.outlook.com
SendGridinclude:sendgrid.net
Mailchimpinclude:servers.mcsv.net
Amazon SESinclude:amazonses.com

1.3 Example: Google Workspace + SendGrid

If you use Google Workspace for company email and SendGrid for transactional emails:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Warning: SPF has a 10 DNS lookup limit. If you exceed it, SPF will fail completely. Check your lookup count with DmarcBeacon's scanner after saving.

Click Save when done.

Step 2: Set Up DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails. Receiving servers use it to verify the message hasn't been tampered with.

2.1 Get Your DKIM Key

You need to get the DKIM public key from your email provider. Here's how for common providers:

Google Workspace:

  • 1.Go to Admin Console → AppsGoogle WorkspaceGmail
  • 2.Click Authenticate email
  • 3.Select your domain and click Generate new record
  • 4.Copy the TXT record value
SendGrid:
  • 1.Go to SettingsSender Authentication
  • 2.Click Authenticate Your Domain
  • 3.Follow the wizard to get your DKIM records

2.2 Add the DKIM Record in GoDaddy

Click Add New Record in GoDaddy DNS:

FieldValue
TypeTXT
Namegoogle._domainkey (or your selector)
Value(the key from your provider)
TTL1 Hour

The record name format is: selector._domainkey

Example DKIM record value:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K...

Note: DKIM keys are long. GoDaddy may split them across multiple strings—this is normal and expected.

2.3 Verify DKIM in Your Email Provider

After adding the record, go back to your email provider and click Verify or Start Authentication. It may take 15-60 minutes to propagate.

Step 3: Set Up DMARC

DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails.

3.1 The p=reject Trap

Critical: Do NOT start with p=reject. This will cause legitimate emails to be blocked if there are authentication issues you haven't discovered yet.

The correct approach:

  • 1.Start with p=none (monitor only)
  • 2.Analyze reports for 2-4 weeks
  • 3.Move to p=quarantine with a percentage
  • 4.Finally, implement p=reject

3.2 Create the DMARC Record

Click Add New Record in GoDaddy DNS:

FieldValue
TypeTXT
Name_dmarc
Value(see below)
TTL1 Hour

Starter DMARC record (monitoring mode):

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Replace dmarc-reports@yourdomain.com with an email address where you can receive aggregate reports.

3.3 DMARC Record Breakdown

TagMeaning
v=DMARC1Version (required)
p=nonePolicy: none/quarantine/reject
rua=mailto:...Where to send aggregate reports
pct=100Percentage of emails to apply policy to

Production DMARC record (after testing):

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Step 4: Verify Your Configuration

DNS changes can take 15 minutes to 48 hours to propagate globally. Here's how to verify your setup:

4.1 Check DNS Propagation

After you save the records in GoDaddy, it can take hours to propagate. Use DmarcBeacon's free scanner to check if your records are live instantly—no waiting for propagation guesses.

Go to dmarcbeacon.com, enter your domain, and you'll see:

  • ✅ SPF record status and lookup count
  • ✅ DKIM configuration (if detectable)
  • ✅ DMARC policy and reporting address
  • ✅ Overall security score

4.2 Send a Test Email

Send an email to a Gmail or Outlook account and check the message headers:

Gmail: Open the email → Click the three dots → Show original

Look for: 

SPF: PASS
DKIM: PASS
DMARC: PASS

4.3 Common Issues

ProblemSolution
SPF failsCheck you didn't exceed 10 DNS lookups
DKIM failsVerify the selector name matches your provider
DMARC failsEnsure alignment—From domain must match SPF/DKIM domain

Recommended DMARC Rollout Timeline

WeekPolicyAction
1-2p=noneMonitor reports, identify all senders
3-4p=quarantine; pct=25Quarantine 25% of failing emails
5-6p=quarantine; pct=100Quarantine all failing emails
7+p=rejectBlock unauthenticated emails

Quick Reference: All Three Records

Here's what your GoDaddy DNS should look like when you're done:

TypeNameValue
TXT@v=spf1 include:_spf.google.com ~all
TXTgoogle._domainkeyv=DKIM1; k=rsa; p=MII...
TXT_dmarcv=DMARC1; p=none; rua=mailto:...

Next Steps

  • 1.Wait 24-48 hours for full propagation
  • 2.Verify with DmarcBeacon to confirm all records are live
  • 3.Re-scan periodically with DmarcBeacon to catch configuration issues
  • 4.Gradually tighten policy from none → quarantine → reject
Email authentication isn't a one-time setup. Re-scan your domain regularly to catch issues before they impact deliverability.

Did your GoDaddy records work?

GoDaddy DNS can take 24-48 hours. Scan now to see if your records are live.

Scan Now