Last updated: 2026-03-06

Source: https://support.freshservice.com/support/solutions/articles/50000003934-configure-dmarc-for-freshservice

Configure DMARC for Freshservice

What is DMARC?

Domain-based Message Authentication Reporting and Conformance (DMARC) is an authentication mechanism layered on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It verifies if the address in the "From" header is the actual sender of the message. This protects your domain by allowing you to tell recipients how to handle unauthorized use of your email domains.

How DMARC Works

DMARC works by aligning the domain in the "From" header with the domain validated by SPF or DKIM. Alignment means the "From" domain must match at least one of them.

  • For DKIM: The domain used to create the signature (the d parameter) must match the "From" header.
  • For SPF: The domain in the MAIL FROM portion of SMTP (typically the Return-Path header) must match the "From" header.

    • DMARC authenticates if either SPF, DKIM, or both alignment checks pass. It is possible for SPF and DKIM to pass individually, but for DMARC to fail if the domains do not match your defined policy.

    How to Add a DMARC Record

    DMARC is a TXT record that must be defined and added by the domain owner in your DNS records. Freshservice cannot add this for you.

    To add the record:

    1. Log in to your DNS provider's management console.

    2. Create a new TXT record.

    3. Set the Host/Name to: \_dmarc (your provider may automatically append your domain to become \_dmarc.yourdomain.com).

    4. Enter the Value string based on your chosen policy (see below).

    DMARC Values and Tags

    A standard DMARC record uses specific tags to communicate with receiving servers.

    TagNameDescriptionExample
    vVersionRequired. Identifies the record as DMARC.v=DMARC1;
    pPolicyRequired. Tells the receiver how to handle failures.p=none;
    ruaReportingOptional. The email address for aggregate reports.rua=mailto:user@domain.com;

    Types of DMARC Policy

    You can set one of three policies for your domain:

  • None (p=none): Monitoring mode. No action is taken against failed emails. Use this during initial setup.
  • Quarantine (p=quarantine): Failed emails are sent to the recipient's spam folder.
  • Reject (p=reject): Failed emails are blocked entirely.

    • Alignment Strictness

  • Relaxed: The check passes if there is a domain-subdomain match.
  • Strict: The check passes only if there is an exact domain match.

    • Example of Alignment in Freshservice

    The following example shows how alignment works after completing SPF and DKIM authentication:

  • Custom domain name:sampledomain.com
  • From address:help@sampledomain.com
  • "d" parameter in DKIM Signature:sampledomain.com
  • SPF Return-Path address:help@fsdkim.sampledomain.com

    • Result: Because the DKIM domain matches the "From" address exactly, you can set up a strict alignment policy for DKIM. For SPF, you would set up a relaxed policy because it uses a subdomain. Since DMARC only requires one of these to pass, your emails will be DMARC-compliant.

    Troubleshooting DMARC Failures

    If your DMARC check fails, it is usually due to a breakdown in alignment or a syntax error in your DNS records. Use the following checklist to resolve common issues:

    1\. Check for Syntax Errors

  • Semicolons: Ensure all tags are separated by a semicolon (;).
  • Required Tags: The record must start with v=DMARC1; (case-sensitive) and include a p= tag.
  • Extra Spaces: Ensure there are no accidental spaces within the tag names (e.g., use p=none, not p = none).

    • 2\. Verify SPF and DKIM Health

    DMARC cannot pass if both underlying authentication methods fail.

  • SPF Pass: Ensure your SPF record includes the Freshservice domain: include:\_spf.freshservice.com.
  • DKIM Pass: Ensure your DKIM selector is "Verified" within your Freshservice Admin portal.
  • Single SPF Record: Confirm you only have one SPF TXT record. Multiple records will cause a permanent error.

    • 3\. Resolve Alignment Issues

    "DMARC Fail" often occurs even when SPF/DKIM "Pass" if the domains do not align.

  • Domain Match: Ensure the domain in your "From" address matches the domain in your DKIM signature (d=) or SPF Return-Path.
  • Subdomain Policy: If you send from a subdomain (e.g., support.company.com), use Relaxed (r) alignment instead of Strict (s) to ensure the root domain record covers the subdomain.

    • 4\. Wait for Propagation

    DNS changes can take up to 48 hours to update globally. If you have recently added or changed your record, wait for propagation before re-testing.