> ## Documentation Index
> Fetch the complete documentation index at: https://loops.so/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# DMARC and DKIM setup

> How SPF, DKIM, and DMARC work with Loops, what records you copy into DNS during domain setup, and how to progress your DMARC policy over time.

Email authentication (SPF, DKIM, and DMARC) is what lets Gmail, Outlook, and other inbox providers confirm your email really came from you. Without it, even well-written email lands in spam. For a refresher on the underlying mechanics, see [What is DNS?](/guides/what-is-dns).

Loops provides the records you need. You copy them into your DNS during [domain setup](/sending-domain), and DKIM signing is active from your first send. If DNS is not owned by you, the domain records page in Loops supports [handing DNS setup off to someone else](#handing-dns-setup-to-someone-else).

## What Loops provides vs. what you add

| You add to DNS                                                              | Loops provides                                                         |
| --------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| SPF record (at `envelope.<sendingdomain>`, no collision with your root SPF) | DKIM signing on every outgoing email                                   |
| DKIM record                                                                 | A ready-to-copy default DMARC record                                   |
| MX record                                                                   | SPF alignment and envelope-from handling                               |
| DMARC record (with the policy you choose)                                   | Inbox-placement improvements via [Guardian](/creating-emails/guardian) |

The full set of records is visible on your Loops **Settings → Domain** page. See [Setting up your domain](/sending-domain) for the copy-paste-verify flow.

## How DKIM works in Loops

DKIM adds a cryptographic signature to every email you send. Inbox providers use the matching public key, published in DNS, to confirm the message was not tampered with.

During [domain setup](/sending-domain), Loops provides the exact DNS records you need to add so DKIM verification works for your sending domain. You do not generate or manage keys yourself.

<Note>
  Loops' SPF record lives at `envelope.sendingdomain.com` so it does not
  collide with any existing SPF record at your root domain. See the SPF note in
  [Setting up your domain](/sending-domain).
</Note>

## How DMARC works in Loops

DMARC tells inbox providers what to do with email that fails SPF or DKIM. Loops provides a DMARC record during domain setup that you copy into your DNS alongside the other records. You can keep the provided policy or update it over time.

The three policy levels, from least to most strict:

| Policy         | What happens to failing mail | When to use                                |
| -------------- | ---------------------------- | ------------------------------------------ |
| `p=none`       | Delivered, reported only     | Starting out, monitoring                   |
| `p=quarantine` | Sent to spam                 | After 2 to 4 weeks of clean `none` reports |
| `p=reject`     | Blocked entirely             | Once confident, typically 1 to 3 months in |

### Recommended DMARC progression

<Steps>
  <Step title="Start with p=none">
    For the first few weeks, publish `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` at `_dmarc.yourdomain.com`.

    This collects aggregate reports without affecting delivery. Use a service like [dmarc.postmarkapp.com](https://dmarc.postmarkapp.com) or similar to parse reports.
  </Step>

  <Step title="Move to p=quarantine">
    Once reports show 100% of legitimate mail is passing DMARC, move to `p=quarantine`. Failing mail goes to spam instead of the inbox.
  </Step>

  <Step title="Move to p=reject">
    After another few weeks of clean reports, move to `p=reject`. At this point, anyone spoofing your domain is fully blocked.
  </Step>
</Steps>

<Tip>
  If you only send email through Loops, you can move through this progression
  faster. The risk is legitimate mail from a forgotten service getting blocked,
  so if Loops is your only sender there is nothing else to miss.
</Tip>

## Setting it up

The full DNS record setup is covered in [Setting up your domain](/sending-domain). In short:

1. Add your sending domain in Loops. A subdomain like `mail.yourcompany.com` is recommended, see [why](/deliverability/sending-from-subdomain). If you send from more than one, see [Sending from multiple domains](/deliverability/sending-from-multiple-domains).
2. Copy the SPF, DKIM, MX, and DMARC records from the domain records page into your DNS provider, or use the [export options](#handing-dns-setup-to-someone-else) to hand that work off.
3. Click **Verify Records** in Loops.

DKIM signing is active from the first send, so your first [campaigns](/types-of-emails#campaigns), [workflows](/workflows), and [transactional emails](/transactional) are all signed.

Once authentication is in place, set up [BIMI](/guides/what-is-bimi) so inbox providers display your verified logo on outgoing mail.

### Handing DNS setup to someone else

If DNS is not owned by you (infra team, IT, or an external DNS provider), the domain records page in Loops has two options that avoid manual copy-paste. Both were introduced in the [DNS zone files release](https://loops.so/changelog/dns-zone-files):

<CardGroup cols={2}>
  <Card title="Zone file export" icon="file-export">
    Download a DNS zone file containing the records Loops provides. Most DNS
    providers can import a zone file directly.
  </Card>

  <Card title="Shareable records page" icon="share-from-square">
    Share a public records URL with whoever is managing DNS. They can read the
    records without access to your Loops account, which also works well for
    coordinating with your own [team members](/account/team-members).
  </Card>
</CardGroup>

Once the records are in place, come back to Loops and click **Verify Records**.

### Migrating an existing domain

If you are switching to Loops from another provider and cannot afford downtime, see [Migrating domains](/deliverability/migrating-domains) for the safe transition path. Your existing SPF/DKIM/DMARC posture matters when deciding whether to send from a subdomain or take over the root.

## Verifying it is working

Loops shows "Records present" on your domain settings page when everything validates. You can also check externally:

* **DKIM**: send yourself an email, view headers, look for `dkim=pass` in `Authentication-Results`
* **SPF**: same header, look for `spf=pass`
* **DMARC**: same header, look for `dmarc=pass`
* **End-to-end**: send a test to `check-auth@verifier.port25.com` or use `mail-tester.com`
* **In Loops**: send your [first email](/sending-first-email) and check `dkim=pass` in the headers of the received copy

For ongoing monitoring, Google Postmaster Tools is worth enabling. See [Gaining deliverability insights](/deliverability/gaining-insights) and, once you are sending at volume, [Understanding email open rates](/deliverability/understanding-email-open-rates).

## Troubleshooting

<AccordionGroup>
  <Accordion title="DKIM fails right after domain setup">
    Most often this is DNS propagation. Records can take up to an hour to
    propagate globally. Wait and re-verify from the domain records page. If
    the records are still missing after an hour, re-copy them (or re-export
    the [zone file](#handing-dns-setup-to-someone-else)) to confirm there is
    no typo.
  </Accordion>

  <Accordion title="DMARC fails but SPF and DKIM pass">
    This is almost always a domain alignment issue. The `From:` header domain
    needs to match either your SPF or DKIM domain. If you are sending from
    `you@yourdomain.com` but Loops signs at `mail.yourdomain.com`, you need
    relaxed alignment (`aspf=r; adkim=r`) in your DMARC record, which is the
    default in the record Loops provides.
  </Accordion>

  <Accordion title="Subdomain setup but DMARC is at root">
    A DMARC record at the root domain (`_dmarc.yourdomain.com`) applies to all
    subdomains by default. You do not need a separate DMARC record at
    `_dmarc.mail.yourdomain.com` unless you want a different policy there.
  </Accordion>

  <Accordion title="Multiple sending domains and overlapping DMARC">
    If you send from more than one domain, each needs its own records. See
    [Sending from multiple domains](/deliverability/sending-from-multiple-domains).
    A single root-level DMARC still applies to all subdomains unless you
    override it.
  </Accordion>

  <Accordion title="Still seeing deliverability issues">
    Authentication is necessary but not sufficient. Check your [sender
    reputation](/deliverability/sending-reputation), [list
    hygiene](/deliverability/maintaining-a-clean-list), and [inbox placement
    fundamentals](/deliverability/improving-inbox-placement). For ongoing
    signal, see [Gaining deliverability
    insights](/deliverability/gaining-insights). If you are sending at high
    volume, [Sending to a large
    audience](/deliverability/sending-to-large-audience) is worth reviewing.
  </Accordion>
</AccordionGroup>

## Read more

<CardGroup>
  <Card title="Setting up your domain" icon="globe" href="/sending-domain" />

  <Card title="Sending from a subdomain" icon="sitemap" href="/deliverability/sending-from-subdomain" />

  <Card title="What is BIMI?" icon="id-badge" href="/guides/what-is-bimi" />

  <Card title="Improving inbox placement" icon="inbox" href="/deliverability/improving-inbox-placement" />
</CardGroup>