These DNS records stop criminals sending fake emails that appear to come from your domain, and stop attackers tampering with your DNS. SPF and DMARC are the important ones; DNSSEC and CAA are optional extras that earn more trust.
See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.
SPF lists which mail servers are allowed to send email for your domain. Add a single TXT record at your DNS provider on the root of your domain:
Type: TXT Name: @ (your root domain) Value: v=spf1 include:_spf.google.com ~all
Replace include:_spf.google.com with your email provider (Google Workspace, Microsoft 365, your host, etc.), and combine multiple senders in one record. Use ~all (soft fail) while testing, then -all (hard fail) once you are confident. Only one SPF record is allowed per domain.
DMARC builds on SPF and tells receiving servers what to do with mail that fails checks, and can email you reports. Add a TXT record on the _dmarc subdomain:
Type: TXT Name: _dmarc Value: v=DMARC1; p=none; rua=mailto:[email protected]
Start with p=none (monitor only), review the reports, then move to p=quarantine and eventually p=reject for the strongest protection. rua is where aggregate reports are sent.
DNSSEC cryptographically signs your DNS records so they cannot be forged in transit. It is usually a one-click toggle at your domain registrar or DNS host:
If your DNS is hosted separately from your registrar, you enable signing at the DNS host and paste the resulting DS record at the registrar.
A CAA record says which certificate authorities are allowed to issue SSL certificates for your domain, reducing the risk of a mis-issued certificate. Add a CAA record:
Type: CAA Name: @ Value: 0 issue "letsencrypt.org"
Use the authority your certificates come from (for example letsencrypt.org, digicert.com, sectigo.com, or pki.goog). Add multiple records if you use more than one.
DNS changes can take a little time to propagate (usually minutes, up to a few hours). Your next TrustedOrigin scan will detect the new records and update your Email Security score automatically.
Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.