To set up SPF, DKIM, and DMARC on GoDaddy, open the DNS panel for your domain in the Domain Portfolio, add or edit one TXT record for SPF, add the DKIM records your email provider gives you (usually CNAME records), and only then add a DMARC TXT record at _dmarc. The order matters: authenticate first with SPF and DKIM, confirm they pass, then turn on DMARC in monitoring mode so nothing gets rejected while you finish. GoDaddy allows only one SPF record per domain, so if you send through Microsoft 365, Google Workspace, or GoDaddy's own email, every source has to be merged into a single line.
Reads public DNS only. Nothing is stored unless you save the domain to an account.
This guide walks the current GoDaddy DNS Management screen, the exact gotchas that break email during setup, and a DMARC record you can paste today.
Open the GoDaddy DNS panel the right way
GoDaddy moved DNS management into the Domain Portfolio. Sign in, go to your product list, and open Domain Portfolio. Click the domain you want to edit, then choose DNS (older accounts see a Manage DNS button). You land on a table of DNS records with an Add New Record button.
Two things trip people up before they even add a record. First, if your domain uses GoDaddy nameservers you edit records here, but if you moved DNS to Cloudflare or another host, GoDaddy is not where your records live. Check the Nameservers section on the same page: if it shows something other than GoDaddy, edit records at that host instead. If you are not sure who controls your DNS, our guide on how to find your DNS host sorts it out in a minute.
Second, GoDaddy's editor uses a Name field where you type the host. This is the field behind the most common SPF mistake, which we cover below.
Add your SPF record first (and only one)
SPF tells receiving servers which systems are allowed to send mail using your domain. It is published as a single TXT record at the root of your domain. The rule that catches everyone: a domain may have exactly one SPF record. RFC 7208 says a second v=spf1 TXT record causes a PermError, and most receivers then treat SPF as failed. GoDaddy will happily let you create two, so the discipline is on you.
If you send only through GoDaddy's email (the secureserver.net platform), your record looks like this:
v=spf1 include:secureserver.net -all
If you send through Microsoft 365, use:
v=spf1 include:spf.protection.outlook.com -all
If you send through more than one service, you merge the includes into one record. Do not stack two lines. A domain on GoDaddy email plus a marketing tool might use:
v=spf1 include:secureserver.net include:spf.protection.outlook.com -all
The @ versus host-prefix gotcha
In GoDaddy's editor, set Type to TXT and Name to @. The @ means the root of your domain, which is where SPF must live. People sometimes type the domain name or leave a subdomain prefix here, which publishes SPF on the wrong host where no receiver will look for it. Paste the full policy string into the Value field, leave TTL at the default (1 hour is fine), and save.
Two more cautions. Keep the final mechanism as -all (hard fail) or ~all (soft fail) and never use +all, which authorizes the entire internet to send as you. Here is why +all in an SPF record is dangerous. And watch your DNS lookup count: SPF is capped at 10 include, a, mx, and similar lookups. Piling on marketing tools blows past that limit and triggers a PermError. If you are close, read how to fix SPF too many DNS lookups.
Add DKIM before you touch DMARC
DKIM signs each message with a private key held by your sending platform and publishes the matching public key in DNS. Receivers verify the signature, which proves the message was not altered and really came from an authorized system. Unlike SPF, DKIM survives most forwarding, so it is the stronger of the two signals for DMARC alignment.
You do not invent DKIM records. Your email provider generates them and hands you the exact hostnames and values. On GoDaddy these are almost always CNAME records, and the reason DKIM prefers CNAME over a raw TXT key is that it lets the provider rotate keys without you re-editing DNS. More on that tradeoff in DKIM CNAME versus TXT records.
Typical patterns you will paste into GoDaddy:
- Microsoft 365: two CNAME records,
selector1._domainkeyandselector2._domainkey, each pointing to anonmicrosoft.comtarget Microsoft shows you. Then turn DKIM signing on in the Microsoft Defender portal. - Google Workspace: a single TXT record at
google._domainkeywith the key from the Google Admin console. - GoDaddy email / Microsoft 365 via GoDaddy: GoDaddy often adds the DKIM records for you when you provision the mailbox. Confirm they exist before assuming.
In the GoDaddy editor, put only the host portion in the Name field. If the provider says the record is selector1._domainkey.yourdomain.com, you type selector1._domainkey in Name. GoDaddy appends your domain automatically, so typing the full name creates a broken doubled hostname. This is the DKIM version of the same host-prefix confusion that bites SPF. For the full walkthrough see how to set up DKIM.
Save the DKIM records and give DNS a few minutes. Send yourself a test message and confirm both SPF and DKIM pass before moving on. Skipping this check is how people end up with a DMARC policy quietly failing legitimate mail.
Add DMARC last, in monitoring mode
DMARC ties SPF and DKIM together with alignment and tells receivers what to do when a message fails both. Publishing it before SPF and DKIM are verified is the classic way to break email during setup, which is exactly why it goes last. Start with a policy of p=none, which asks receivers to report but not to reject or quarantine anything. You watch, confirm your real senders pass, then tighten.
Create one more TXT record. In Name type _dmarc (not @, not the full domain). Paste this starter into Value:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
Replace the mailbox with a real address you can read. The rua tag is where aggregate reports are sent so you can see who is sending as your domain. fo=1 asks for a failure report when either SPF or DKIM fails alignment. Keep it simple at first; you can add pct or subdomain policies later. The difference between none, quarantine, and reject is explained in DMARC policy: none vs quarantine vs reject.
Leave the policy at p=none for two to four weeks while reports come in. Once you confirm every legitimate source aligns, move to p=quarantine and eventually p=reject. That staged rollout is the whole point of moving DMARC from none to reject safely, and it is what Google and Yahoo now expect from bulk senders.
Verify before you walk away
DNS edits on GoDaddy usually propagate within minutes, though the record's TTL sets the ceiling. Do not trust the panel alone; confirm what the internet actually sees. Run your domain through the SPFWise checker above. It reads your live SPF, DKIM, and DMARC records, flags a duplicate SPF record, counts your DNS lookups, catches a DMARC record published on the wrong host, and returns a letter grade with the specific fix for anything failing.
If something is off, the usual GoDaddy culprits are a second stray SPF TXT record, the full hostname typed into the Name field, or DMARC accidentally set to @ instead of _dmarc. Fix, wait for the TTL, and re-check.
Frequently asked questions
Can I have two SPF records on GoDaddy?
No. A domain must publish exactly one v=spf1 TXT record. Two records cause a PermError and receivers treat SPF as broken. If you send through GoDaddy email and another platform, merge both includes into a single line like v=spf1 include:secureserver.net include:spf.protection.outlook.com -all.
What do I put in the GoDaddy Name field for DMARC?
Type _dmarc. GoDaddy appends your domain automatically, so the record becomes _dmarc.yourdomain.com, which is where DMARC must live. Do not type @ (that is for SPF at the root) and do not type the full domain, which creates a doubled, invalid hostname.
Why should I add DMARC after SPF and DKIM?
Because DMARC acts on the results of SPF and DKIM. If you publish a strict DMARC policy before those two are verified as passing, receivers can quarantine or reject your real mail. Start at p=none, confirm your senders align using the aggregate reports, then tighten to quarantine and reject.
Does GoDaddy set up DKIM automatically?
Sometimes. When you provision a GoDaddy-hosted mailbox or Microsoft 365 through GoDaddy, the DKIM records are often added for you. Do not assume it happened. Check the DNS panel for the _domainkey records and send a test message to confirm DKIM actually signs and passes.