Your SPF, DKIM, and DMARC records live in DNS, and you can only add them at the one provider that actually controls your domain's records right now. That provider is named in your domain's nameservers, which you can look up in about thirty seconds. The tricky part is that this is often not the company you bought the domain from, so before you touch a single record you need to answer one question: who hosts my DNS?
Reads public DNS only. Nothing is stored unless you save the domain to an account.
Get this prerequisite right and every provider guide on the internet suddenly makes sense. Get it wrong and you will spend an afternoon adding a perfect SPF record in a control panel that has zero effect on your live domain, because the real DNS is being served somewhere else. This page is the map. Look up your nameservers, identify your host, then follow the link to the exact steps for that host.
Registrar vs DNS host: why they are not the same thing
When you register a domain you deal with a registrar - GoDaddy, Namecheap, Google Domains (now Squarespace), Porkbun, and so on. The registrar's job is to reserve the name and record who owns it. That is a separate function from serving the DNS records that tell the world where your website and email live.
By default most registrars also act as your DNS host, so the same login handles both. But the moment you point your domain at another service, the two split apart. The classic example is Cloudflare: you keep the domain registered at GoDaddy, but you change the nameservers to Cloudflare, and from that point on GoDaddy no longer answers DNS questions for your domain. Cloudflare does. If you add a TXT record in the GoDaddy DNS panel, nothing happens on the live internet, because GoDaddy is no longer authoritative.
This split is the single most common reason people fail to add email authentication. They log into the place they remember paying, add the record, and it never resolves. The nameservers are the source of truth, not your memory of who you bought the domain from.
The chain of control
Think of it as a chain. Your registrar tells the domain's registry (the operator of .com, .org, and so on) which nameservers are authoritative. Those nameservers hold the actual zone file with your A, MX, TXT, and CNAME records. Whoever runs those nameservers is where SPF, DKIM, and DMARC go. Everything else is a distraction.
How to look up your nameservers
You have several ways to find the authoritative nameservers for your domain. Any one of them works.
Command line
On macOS or Linux, open a terminal and run:
dig NS example.com +short
On Windows, use:
nslookup -type=ns example.com
You will get back two or more hostnames. These are the nameservers, and their domain names usually reveal the host directly. A result like kip.ns.cloudflare.com means Cloudflare controls your DNS. ns-1234.awsdns-56.org means Amazon Route 53. ns01.domaincontrol.com is GoDaddy. dns1.registrar-servers.com is Namecheap's BasicDNS. The pattern in the hostname is your answer.
Web lookup tools
If the command line is not your thing, any public WHOIS or DNS lookup tool will show the nameservers. Search for "nameserver lookup," enter your domain, and read the NS records. WHOIS output also lists the registrar separately, which is a fast way to see the registrar-versus-host split with your own eyes.
Read the nameservers like a map
Here is a quick decode table for the most common hosts you will see in your NS records:
*.cloudflare.com- Cloudflare. See the Cloudflare setup guide.*.domaincontrol.com- GoDaddy. See the GoDaddy setup guide.*.registrar-servers.com- Namecheap BasicDNS. See the Namecheap setup guide.*.awsdns-*- Amazon Route 53. See the Route 53 setup guide.*.googledomains.comor*.google.com- Google/Squarespace DNS.*.azure-dns.*- Microsoft Azure DNS.ns*.digitalocean.com- DigitalOcean.*.dnsimple.com,*.name.com,*.porkbun.com- the named provider.
If your nameservers point at your web hosting company (for example a shared host like Bluehost or SiteGround), your DNS is managed there and you will add records in that hosting control panel, usually under a "Zone Editor" or "Advanced DNS" section.
A decision tree for where to add your records
Once you know your host, the path is short. Follow the branch that matches your NS lookup.
-
Nameservers say Cloudflare. Log into Cloudflare, pick the domain, open the DNS app, and add your TXT records there. Your registrar is irrelevant for this. Go to the Cloudflare guide.
-
Nameservers say GoDaddy (
domaincontrol.com). Manage DNS inside GoDaddy's domain portfolio, not the reseller who may have sold you hosting. Go to the GoDaddy guide. -
Nameservers say Namecheap (
registrar-servers.com). Use the Advanced DNS tab on the domain. Note that if you switched to a custom or premium DNS, the tab changes. Go to the Namecheap guide. -
Nameservers say
awsdns. Your zone is a hosted zone in Route 53, even if the domain is registered elsewhere. Go to the Route 53 guide. -
Nameservers say anything else. Log into that provider. The record types are identical everywhere - a TXT record for SPF and DMARC, and either a TXT or CNAME record for DKIM depending on what your email provider hands you. Once you are in the right panel, our SPF setup guide and DMARC setup guide walk through the exact values.
What each record looks like once you are in the right place
So you know what you are adding, here is the shape of the three records. SPF is a single TXT record on the root domain:
v=spf1 include:_spf.google.com ~all
DMARC is a TXT record on a special hostname, _dmarc.example.com:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
DKIM is published by your email service and usually lives on a selector hostname like google._domainkey.example.com, often as a CNAME. If you are unsure which record type your provider wants, our explainer on DKIM CNAME versus TXT records clears it up. For a plain-English tour of what each of the three does, read SPF, DKIM, and DMARC explained.
Common gotchas that waste hours
You changed nameservers recently. DNS changes propagate, and nameserver changes at the registry can take up to 48 hours to settle globally. If your NS lookup still shows the old host, wait and check again before assuming something is broken.
You have a hidden "DNS management" toggle. Some registrars only let you edit records when the domain is set to use their default nameservers. If you moved to a custom set, the built-in DNS editor goes read-only or disappears. The fix is to edit at the provider your nameservers actually point to.
Two providers, split records. Occasionally a domain has been half-migrated and records exist in two places. Only the authoritative nameservers matter. Delete or ignore the orphaned records in the inactive panel so nobody edits the wrong copy next time.
Email hosting is not DNS hosting. Using Google Workspace or Microsoft 365 for email does not mean Google or Microsoft controls your DNS. They give you the record values, but you still publish them wherever your nameservers point. For those two platforms specifically, see the Google Workspace setup guide and the Microsoft 365 DMARC guide.
Confirm it worked
After you add the records, verify that they actually resolve on the live domain rather than trusting the control panel's confirmation screen. Run a lookup for each hostname, or run a full scan that checks SPF, DKIM, and DMARC together and grades the result. If a record you know you added does not show up, that is your signal that you edited DNS at the wrong provider - go back to your nameserver lookup and try the other one.
Frequently asked questions
Where do I add my SPF record?
You add it at whatever provider your domain's nameservers point to, as a TXT record on the root domain. Run dig NS yourdomain.com +short, read the provider name in the result, log into that provider's DNS panel, and add the record there. It is not necessarily the company you registered the domain with.
How do I know if my registrar or my DNS host controls my records?
Look up your nameservers. If they contain your registrar's name (for example domaincontrol.com for GoDaddy), the registrar is also your DNS host. If they name a different company like Cloudflare or AWS, that company controls your records and the registrar does not, even though the domain is still registered there.
I added a record but it is not showing up. What went wrong?
Almost always you edited DNS at a provider that is not authoritative for your domain. Re-run your nameserver lookup, confirm the exact provider, and add the record there instead. If the nameservers are correct and you still see nothing, wait for propagation and clear any local DNS cache before checking again.
Can I have SPF, DKIM, and DMARC at different providers?
No. All three are DNS records and they all live in the same zone, served by your authoritative nameservers. Your email provider supplies the values, but you publish every record in one place: the DNS host named in your nameservers.