Improve your trust score

Email & DNS protection

These DNS records stop criminals sending fake emails that appear to come from your domain, and stop attackers tampering with your DNS. SPF and DMARC are the important ones; DNSSEC and CAA are optional extras that earn more trust.

See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.

01

SPF, stop spoofed email

SPF lists which mail servers are allowed to send email for your domain. Add a single TXT record at your DNS provider on the root of your domain:

Type: TXT
Name: @  (your root domain)
Value: v=spf1 include:_spf.google.com ~all

Replace include:_spf.google.com with your email provider (Google Workspace, Microsoft 365, your host, etc.), and combine multiple senders in one record. Use ~all (soft fail) while testing, then -all (hard fail) once you are confident. Only one SPF record is allowed per domain.

02

DMARC, tell receivers what to do

DMARC builds on SPF and tells receiving servers what to do with mail that fails checks, and can email you reports. Add a TXT record on the _dmarc subdomain:

Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]

Start with p=none (monitor only), review the reports, then move to p=quarantine and eventually p=reject for the strongest protection. rua is where aggregate reports are sent.

03

DNSSEC, sign your DNS (optional)

DNSSEC cryptographically signs your DNS records so they cannot be forged in transit. It is usually a one-click toggle at your domain registrar or DNS host:

  • Cloudflare: DNS, Settings, enable DNSSEC, then add the DS record it gives you at your registrar.
  • Most registrars: look for a DNSSEC option in the domain settings and enable it.

If your DNS is hosted separately from your registrar, you enable signing at the DNS host and paste the resulting DS record at the registrar.

04

CAA, control who issues your certificates (optional)

A CAA record says which certificate authorities are allowed to issue SSL certificates for your domain, reducing the risk of a mis-issued certificate. Add a CAA record:

Type: CAA
Name: @
Value: 0 issue "letsencrypt.org"

Use the authority your certificates come from (for example letsencrypt.org, digicert.com, sectigo.com, or pki.goog). Add multiple records if you use more than one.

05

After you add them

DNS changes can take a little time to propagate (usually minutes, up to a few hours). Your next TrustedOrigin scan will detect the new records and update your Email Security score automatically.

Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.