DMARC Checker for GoDaddy

GoDaddy does not run a DMARC report-collection service — you publish a record like any domain and route the rua= mailbox to an aggregate-report parser of your choice. Start at p=none until your aggregate reports confirm every sender (including the GoDaddy webmail path) is aligning, then move to p=quarantine.

Recommended DMARC record for GoDaddy

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain; ruf=mailto:dmarc-forensic@yourdomain; fo=1; adkim=r; aspf=r

Source: official GoDaddy documentation

How to add this record in GoDaddy

  1. Open DNS for the domain

    Domain Portfolio → three-dot menu → Edit DNS.

  2. Add a TXT record at _dmarc

    Add New Record → Type TXT → Name _dmarc → Value v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.

  3. Provision the rua= mailbox

    Either create dmarc@yourdomain as a GoDaddy mailbox or use an external aggregate-report service. DMARCguard's 7-day free trial works here.

  4. Wait 24-48 hours for first reports

    Google, Microsoft, and Yahoo send daily aggregate reports. The first one usually arrives within 24h; a full sender inventory takes a week.

  5. Migrate to enforcement

    Once every legitimate sender shows aligned-pass in the reports, move the record to p=quarantine, then p=reject. The p=none Escape Plan walks the full 4-week migration.
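
The readiness check behind step 5, as an added example (not code from GoDaddy or DMARCguard): it tallies aligned and unaligned message counts per source IP from one aggregate report and lists the sources that still block enforcement. The sample report is constructed with documentation IPs; the element names follow the RFC 7489 aggregate report schema, and the report is assumed to be already decompressed and to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: documentation IPs and example.com, not real data.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
       "</policy_evaluated></row>"
       "<identifiers><header_from>example.com</header_from></identifiers></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format("192.0.2.10", 120, "pass", "pass")    # both mechanisms align
    + ROW.format("198.51.100.7", 40, "fail", "pass")   # SPF alone aligns
    + ROW.format("203.0.113.25", 5, "fail", "fail")    # nothing aligns
    + "</feedback>")


def summarize(report_xml):
    """Return {source_ip: {"aligned": n, "unaligned": n}} for one aggregate report."""
    # Reports arrive from third parties: refuse DTDs instead of expanding entities.
    if "<!doctype" in report_xml.lower():
        raise ValueError("DOCTYPE not allowed in aggregate reports")
    totals = defaultdict(lambda: {"aligned": 0, "unaligned": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", default="unknown")
        count = int(row.findtext("count") or 0)
        # policy_evaluated holds the alignment-aware DMARC results;
        # a message passes DMARC when either DKIM or SPF is "pass" there.
        dkim = row.findtext("policy_evaluated/dkim", default="fail")
        spf = row.findtext("policy_evaluated/spf", default="fail")
        bucket = "aligned" if "pass" in (dkim, spf) else "unaligned"
        totals[ip][bucket] += count
    return dict(totals)


def enforcement_blockers(summary):
    """Source IPs that still sent unaligned mail and would be hit by p=quarantine."""
    return sorted(ip for ip, t in summary.items() if t["unaligned"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, tally in sorted(summary.items()):
        print(ip, tally)
    print("blockers:", enforcement_blockers(summary))
```

An empty blocker list across a full week of reports is the signal to move the policy; a non-empty one names the sources to identify as either legitimate senders needing SPF/DKIM alignment or mail you want the policy to stop.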

Common DMARC mistakes with GoDaddy

  • Starting at p=reject without a monitoring period. GoDaddy webmail and any other senders that were unaligned start bouncing immediately.
  • Pointing rua= at a personal Outlook mailbox. The reports are XML — they need a parser, not human eyeballs.
  • Adding _dmarc as a CNAME instead of a TXT. DMARC must be a TXT record per RFC 7489 §6.1.

GoDaddy-specific DMARC gotchas

  • GoDaddy customers who also use Microsoft 365 Outbound from the same domain will see two distinct sending paths in the rua reports — secureserver.net and the M365 outbound IPs. Both must align for DMARC to pass.
  • If you front your DNS with Cloudflare while keeping GoDaddy registrar, publish DMARC at Cloudflare, not GoDaddy — whichever zone is authoritative is the one receivers query.
  • Subdomain policy: GoDaddy's hosted-email customers often forget that DMARC at example.com does NOT automatically cover support.example.com. Add sp=quarantine or sp=reject if you want subdomains to inherit.

Recommended starting policy

p=none

Frequently asked questions about GoDaddy DMARC

Does GoDaddy support DKIM out of the box?

Only if your domain uses GoDaddy's Microsoft 365 reseller mailboxes — in that case DKIM is configured via the two M365 CNAME selectors above. If you only use GoDaddy for DNS but send mail via a different provider (Mailgun, SendGrid, your own server, etc.), DKIM comes from THAT provider, not GoDaddy.

Why does my GoDaddy SPF record need include:secureserver.net?

secureserver.net is the umbrella domain GoDaddy uses for the outbound IP space of its hosted-mailbox products (Webmail Plus and the M365 reseller plans). Including it covers every IP GoDaddy currently uses, and they keep the include up to date.

Where do I get the exact CNAME targets for my GoDaddy + M365 setup?

Sign in to Microsoft 365 Defender at security.microsoft.com, then Email & collaboration → Policies & rules → Threat policies → DKIM. Select your domain and Microsoft displays the two CNAME values customised for your tenant ID.

GoDaddy says my TXT record value is 'too long' — what do I do?

GoDaddy's DNS editor accepts up to 1,024 characters in a TXT value. If you hit the limit (rare for SPF, common for some DKIM keys), the record needs to be split into multiple quoted strings per RFC 7208 §3.3 — but GoDaddy's UI does not expose that directly. Workaround: shorten the record (use the SPF Flattener for SPF) or move DNS to a provider that supports multi-string TXT.

Can I use Cloudflare in front of GoDaddy without changing registrar?

Yes — point GoDaddy's nameservers to Cloudflare's, then manage SPF/DKIM/DMARC in Cloudflare. Whichever provider answers DNS queries is the one receivers query. Don't publish the same record in both places; pick one.

Why are my DKIM checks failing even though the CNAMEs are correct?

Three common causes: (1) you enabled DKIM signing in M365 before the CNAMEs propagated — wait 10 minutes and re-toggle. (2) The two CNAMEs point at different tenants — they MUST both point at the same .onmicrosoft.com host. (3) Your M365 tenant has multiple custom domains and you used the wrong tenant ID in the CNAME target. The DKIM CNAME Validator walks the chain and surfaces the exact failure mode.

For the latest from GoDaddy themselves, see their official email-authentication documentation.
