Setting up SPF, DKIM and DMARC for Zoho Mail is not optional — it is the difference between email that lands in the inbox and email that goes to spam or gets rejected entirely. For Indian businesses sending client communications, invoices, proposals or support replies, poor email authentication directly impacts deliverability and domain reputation.
This guide provides the exact DNS records and step-by-step instructions to configure all three authentication layers for Zoho Mail in India.
Why Email Authentication Matters
Every time your team sends an email from Zoho Mail, receiving mail servers ask three questions:
- SPF: Is Zoho Mail authorised to send on behalf of this domain?
- DKIM: Has this email been cryptographically signed by the domain owner?
- DMARC: What should happen if SPF or DKIM checks fail?
Without SPF and DKIM configured, major email providers — Gmail, Microsoft 365, Yahoo — increasingly classify your outgoing email as suspicious. Without DMARC, anyone can send email that appears to come from your domain (spoofing), damaging your brand and triggering spam complaints.
For businesses in India sending to clients who use Gmail or Outlook (the vast majority), correct SPF/DKIM/DMARC configuration is critical.
Understanding SPF, DKIM and DMARC
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are allowed to send email from your domain. When Gmail receives an email from yourname@yourcompany.com sent via Zoho Mail, it looks up your SPF record and checks whether Zoho's servers are listed. If they are, the SPF check passes.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. Zoho Mail signs each email with a private key, and the public key published in your DNS allows receiving servers to verify the signature. This proves the email genuinely came from Zoho Mail and was not tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It tells receiving servers what to do when emails from your domain fail authentication — monitor, quarantine (send to spam) or reject. It also provides email reports so you can see who is sending email on behalf of your domain.
Step 1 — SPF Setup for Zoho Mail
Choosing Your Data Centre
Zoho Mail offers two data centre options for Indian businesses:
- zoho.in — India data centre (recommended for Indian businesses, data stays in India)
- zoho.com — Global data centre (US-based)
Your SPF record will differ depending on which data centre your Zoho Mail account uses. Check your Zoho Mail admin panel under Settings → Domain to confirm which one you are using.
Adding the SPF Record
Log in to your DNS provider (GoDaddy, BigRock, Cloudflare, Namecheap, your registrar, or your hosting cPanel) and add a TXT record:
For zoho.in (India data centre):
Type: TXT
Host: @ (represents your root domain)
Value: v=spf1 include:zoho.in ~all
TTL: 3600
For zoho.com (Global data centre):
Type: TXT
Host: @ (represents your root domain)
Value: v=spf1 include:zoho.com ~all
TTL: 3600
Important SPF Rules
Only one SPF record per domain. If you already have an SPF record (from a previous email provider), do not add a second one — this causes SPF failure. Instead, merge everything into a single record.
If your website or CRM also sends email on your behalf, combine all services:
v=spf1 include:zoho.in include:sendgrid.net ip4:203.0.113.5 ~all
Understanding the ~all vs -all suffix:
~all(softfail) — emails that fail SPF are accepted but marked as suspicious. Recommended during initial setup.-all(hardfail) — emails that fail SPF are rejected outright. Use only after confirming all legitimate sending sources are in your SPF record.
Start with ~all and move to -all once you have DMARC reporting running and have confirmed no legitimate sources are missing.
Verify SPF
After adding the record, allow 15–30 minutes for DNS propagation and verify using:
- mxtoolbox.com → SPF Lookup
- Google Admin Toolbox → Check MX
A successful SPF check returns: v=spf1 include:zoho.in ~all with a "Pass" result.
Step 2 — DKIM Setup for Zoho Mail
DKIM requires generating a key pair in Zoho Mail Admin and publishing the public key in DNS.
Generating the DKIM Key in Zoho Mail
- Log in to Zoho Mail Admin Console
- Navigate to Email Authentication → DKIM
- Select your domain from the list
- Click Add Selector — enter a name (e.g.
zohoormail) - Choose key length: 2048-bit (recommended) or 1024-bit
- Click Generate — Zoho will display your DKIM public key
Adding DKIM to DNS
Copy the DKIM record Zoho provides and add it to your DNS:
Type: TXT
Host: zoho._domainkey.yourcompany.com
(or whatever selector name you chose, followed by ._domainkey.yourdomain)
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...
(Zoho provides the full p= value — it is a long string)
TTL: 3600
Note on Host field formatting: Some DNS providers require you to enter just zoho._domainkey (without the domain suffix). Others require the full hostname zoho._domainkey.yourcompany.com. Check your provider's documentation.
Enabling DKIM in Zoho Mail Admin
After adding the DNS record:
- Wait 15–30 minutes for DNS propagation
- Return to Admin Console → Email Authentication → DKIM
- Click Verify next to your selector
- Once verified, click Enable DKIM to activate signing for all outgoing email
Verify DKIM
Send a test email to a Gmail address and open the email. Click the three-dot menu → "Show original" and look for:
dkim=pass header.i=@yourcompany.com
This confirms DKIM is signing and verifying correctly.
Step 3 — DMARC Setup for Zoho Mail
DMARC is added as a TXT record on a special subdomain: _dmarc.yourcompany.com.
DMARC Policy Levels
DMARC has three enforcement policies — you should start at none and graduate to stricter policies after reviewing reports:
| Policy | Effect | When to Use |
|---|---|---|
p=none | Monitor only — no action taken | Start here. Collect data. |
p=quarantine | Failing emails go to spam | After 2–4 weeks of clean reports |
p=reject | Failing emails are rejected | Final state — maximum protection |
Adding the DMARC Record
Stage 1 — Start with monitoring (p=none):
Type: TXT
Host: _dmarc (represents _dmarc.yourcompany.com)
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; ruf=mailto:dmarc@yourcompany.com; fo=1
TTL: 3600
rua=— address to receive aggregate DMARC reports (daily summaries)ruf=— address to receive forensic reports (individual failure details)fo=1— generate failure reports when either SPF or DKIM fails
After adding this record, you will receive daily XML reports from major email providers showing who is sending email from your domain and whether SPF/DKIM checks are passing.
Stage 2 — After 2–4 weeks (p=quarantine):
Review the DMARC reports. If all legitimate sending sources are passing authentication, upgrade to quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourcompany.com
pct=25 applies the policy to 25% of failing emails initially — this lets you test the impact gradually.
Stage 3 — Full enforcement (p=reject):
Once you are confident all sending sources are authenticated:
v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com
This is the final, maximum-protection state. Emails that fail SPF and DKIM authentication from your domain are rejected outright by receiving servers.
Verify DMARC
Use mxtoolbox.com → DMARC Lookup or Google Admin Toolbox to verify the record is live and correctly formatted.
Step 4 — Full DNS Verification Checklist
After configuring all three records, verify your complete DNS setup:
| Record | Type | Expected Result |
|---|---|---|
| MX | MX | mx.zoho.in (Priority 10), mx2.zoho.in (20), mx3.zoho.in (50) |
| SPF | TXT | v=spf1 include:zoho.in ~all |
| DKIM | TXT | v=DKIM1; k=rsa; p=... (your key) |
| DMARC | TXT | v=DMARC1; p=none; rua=mailto:... |
Use mail-tester.com — send an email to the address provided and get a deliverability score. A correctly configured Zoho Mail domain should score 9/10 or higher.
Common Errors and Solutions
SPF returns "PermError: too many DNS lookups"
SPF has a maximum of 10 DNS lookup mechanisms. If you have too many include: statements, this limit is exceeded. Audit your SPF record and remove sending sources that are no longer active.
DKIM verification fails immediately after setup DNS propagation may not be complete. Wait 30–60 minutes and verify again. If it still fails, check that the Host field in your DNS record is formatted correctly for your provider.
DMARC reports show third-party services failing If your website contact form, CRM or newsletter tool sends email using your domain but is not included in your SPF record, DMARC reports will flag it. Add the service to your SPF record and/or configure DKIM for it.
Email clients show "via zoho.in" in Gmail
This appears when SPF passes but DMARC alignment is not fully achieved. Ensure your From: address domain matches the domain in your SPF and DKIM records exactly.
If you need Cloudfy Systems to configure SPF, DKIM and DMARC as part of a full Zoho Mail deployment in India, contact us at +91 97600 50555. We handle the complete DNS setup for every client.
Frequently Asked Questions
Do I need all three — SPF, DKIM and DMARC — for Zoho Mail?
Yes. SPF and DKIM each protect one layer of email authentication. DMARC ties them together and adds enforcement. Without all three, your domain is vulnerable to spoofing and your outgoing email may be filtered as spam by major providers. Google and Microsoft have significantly tightened their filtering requirements — all three are now effectively mandatory for business email.
What is the difference between zoho.in and zoho.com for SPF?
zoho.in is Zoho's India data centre — email is stored and processed in India. zoho.com is the global data centre. The SPF include: value differs: use include:zoho.in for the India data centre and include:zoho.com for global. Check your Zoho Mail admin panel to confirm which you are using.
How long does it take for DMARC reports to start arriving?
DMARC aggregate reports (rua) are sent once per day by most major providers including Gmail, Microsoft and Yahoo. You should start receiving reports within 24–48 hours of adding your DMARC record, as long as email is being sent from or spoofed from your domain.
What does ~all vs -all mean in SPF?
~all (softfail) means emails that fail SPF are accepted but marked as suspicious. -all (hardfail) means failing emails are rejected. Start with ~all during initial setup. Move to -all only after DMARC reporting confirms all your legitimate sending sources are correctly included in SPF.
Can Cloudfy Systems set up SPF, DKIM and DMARC for us?
Yes. Cloudfy Systems configures SPF, DKIM and DMARC as part of every Zoho Mail deployment. We also handle DNS access coordination with your registrar or hosting provider. Contact us at +91 97600 50555 or via WhatsApp.
Why is my outgoing email going to spam even after setting up SPF and DKIM?
SPF and DKIM authenticate the sender but do not guarantee inbox delivery. Other factors include: domain reputation (new domains with no sending history are treated cautiously), sending volume, content triggers, recipient engagement history and the absence of DMARC. Allow 2–4 weeks of clean authenticated sending to build domain reputation.