- Overview
- Prerequisites
- How email authentication works
- What is SPF?
- What is DKIM?
- What is DMARC?
- Frequently Asked Questions
Overview
This article explains how to configure SPF, DKIM, and DMARC records for email sent from Merchant Central.
When you send an email from your CRM site, or when a system notification email is sent, the recipient sees your email address as the sender. However, because the message is sent from a Merchant Central server, the sending server domain is still iriscrm.com.
If the sending server domain does not match the sender’s email address domain, receiving mail systems may reject the message or mark it as spam. Adding SPF, DKIM, and DMARC records to your domain’s DNS settings helps confirm that iriscrm.com is authorized to send messages on your behalf.
Proper email authentication can improve email deliverability, reduce bounce rates, and help protect your domain from spoofing.
Prerequisites
Before configuring SPF, DKIM, and DMARC records, make sure you have:
- Access to manage DNS records for your email domain.
- The ability to create or edit TXT and CNAME records.
- An email domain used by users sending email from Merchant Central.
- Access to an online DNS lookup tool, such as MX Toolbox, to validate your records.
How email authentication works
When the sending server domain is different from the sender’s email address domain, receiving email systems check the sender’s DNS records to confirm that the message is authentic and came through an authorized server.
For Merchant Central emails, this means the receiving mail server checks whether your domain authorizes iriscrm.com to send messages.
You can use the CRM's Email Domain Checker to automatically check the health of email addresses used in the system.
We also recommend using the Email Metrics page to monitor email delivery rates and bounce rates.
What is SPF?
Sender Policy Framework, or SPF, is an email authentication method that defines which mail servers or applications are allowed to send email from your domain.
SPF is implemented through an SPF record, which is a TXT record published in your domain’s DNS. The record includes a list of email servers authorized to send email on behalf of your domain.
If the sending server used by Merchant Central is included in your SPF record, your email is more likely to be authenticated successfully and delivered to the recipient’s inbox.
How SPF works
Here is an example of the SPF authentication process when you send an email from Merchant Central:
- Using Merchant Central, you send an email from jim@yourdomain.com to bill@clientdomain.com.
- The clientdomain.com mail server checks the DNS records at yourdomain.com for a valid SPF record.
- If an SPF record exists, clientdomain.com checks whether iriscrm.com is included in the SPF record.
- If iriscrm.com is included, SPF passes and the email is authenticated.
- If iriscrm.com is not included, or if no SPF record is published, SPF fails and the email is not properly authenticated.
Adding an SPF record
To add an SPF record, find the TXT record in your DNS settings with a value that starts with v=spf, and then edit that value.
There can only be one SPF record for a domain. If no SPF record exists, create one. Add include:_spf.iriscrm.com to the record.
In the example below, the added value authorizes Merchant Central to send messages using your email address:
Type: TXT
Current Value: v=spf1 +a +mx ~all
New Value: v=spf1 +a +mx include:_spf.iriscrm.com ~all
TTL: 1 hour / 3600
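The edit described above can be checked before it is published. The following is an added example, not Merchant Central code: it takes the TXT values already on a domain, enforces the one-SPF-record rule, and places include:_spf.iriscrm.com ahead of the all mechanism. The sample TXT values, the function names, and the ~all default for a new record are assumptions.

```python
import re

REQUIRED = "include:_spf.iriscrm.com"  # mechanism given in the article
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def is_spf(txt):
    # An SPF record is exactly "v=spf1" or starts with "v=spf1 " (RFC 7208)
    t = txt.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")

def add_include(txt_values, required=REQUIRED):
    """Return the single SPF value to publish, given every TXT value on the domain."""
    spf = [v.strip() for v in txt_values if is_spf(v)]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; merge them into one first")
    if not spf:
        # Assumption: ~all, matching the policy used in the article's example
        return f"v=spf1 {required} ~all"
    terms = spf[0].split()
    if required in (t.lower().lstrip("+") for t in terms):
        return " ".join(terms)  # already authorized, nothing to change
    # Receivers stop evaluating at "all", so the include must come before it
    pos = next((i for i, t in enumerate(terms)
                if t.lower().lstrip("+-~?") == "all"), len(terms))
    terms.insert(pos, required)
    return " ".join(terms)

def top_level_lookups(record):
    """Count terms that cost a DNS lookup (SPF allows 10 in total;
    lookups inside nested includes are not counted here)."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
        count += name in LOOKUP_TERMS
    return count

# Constructed sample: TXT values as they might exist on yourdomain.com
SAMPLE_TXT = ["site-verification=constructed-example", "v=spf1 +a +mx ~all"]
NEW_VALUE = add_include(SAMPLE_TXT)
```

A ValueError here means the domain already publishes more than one SPF record, which has to be fixed before adding the include.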
Checking your SPF record
To confirm that your SPF record is configured correctly, use an online tool such as MX Toolbox.
- Go to https://mxtoolbox.com/spf.aspx.
- Enter your domain name and click SPF Record Lookup.
- Review the SPF record and diagnostic information. Soft fails are acceptable.
What is DKIM?
DomainKeys Identified Mail, or DKIM, is another email authentication method that allows the receiving server to confirm that an email was sent and authorized by the owner of the sending domain.
DKIM provides an additional layer of authentication alongside SPF and helps protect your domain from spoofing.
Major email providers, including Google, Microsoft, and Yahoo, check email for a valid DKIM signature.
How DKIM works
DKIM adds a digital signature to the email header. This signature is secured with public-key cryptography and can be verified using a public key published in your DNS records.
In general, the process works like this:
- The domain owner publishes a cryptographic public key as a specially formatted TXT record in the domain’s DNS records.
- When an inbound mail server receives an email, it looks up the sender’s public DKIM key in DNS.
- The inbound mail server uses the key to decrypt the signature and compare it against a newly computed version.
- If the two values match, the message can be verified as authentic and unaltered in transit.
Adding a DKIM record
DKIM authentication is already configured on Merchant Central’s server. You only need to create new DNS records that point to the correct Merchant Central DKIM servers.
Create the following two records in your DNS:
Type: CNAME
Host: iris._domainkey
Points to: dkim.iriscrm.com
TTL: 1 hour / 3600
Type: CNAME
Host: iris1._domainkey
Points to: dkim1.iriscrm.com
TTL: 1 hour / 3600
☝️ Both DKIM records must be added to your DNS configuration.
Checking your DKIM record
To confirm that your DKIM record is configured correctly, use an online tool such as MX Toolbox.
- Go to https://mxtoolbox.com/dkim.aspx.
- Enter your domain name and selector iris, for example yourdomain.com:iris, and click DKIM Lookup.
- Review the DKIM record and diagnostic information. Soft fails are acceptable.
Common provider documentation
The following table includes links to documentation for common DNS and email providers.
ℹ️ These are external links and may be broken if the provider has made an update. Please let us know about any broken links by sending an email to support@iriscrm.com.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is an email authentication protocol that uses SPF and DKIM to help determine whether an email message is authentic.
DMARC helps Internet Service Providers prevent malicious email practices, such as domain spoofing used in phishing attempts.
DMARC also allows email senders to specify how receiving servers should handle messages that fail SPF or DKIM authentication. Depending on the policy, these emails can be delivered, sent to junk, or blocked.
Your DMARC record is published alongside your DNS records, including SPF, A records, CNAME records, and DKIM records.
Not all receiving servers perform a DMARC check before accepting a message, but major ISPs do, and adoption continues to grow.
Benefits of DMARC
There are three key reasons to implement DMARC:
- Reputation: Publishing a DMARC record helps protect your brand by preventing unauthenticated parties from sending mail from your domain. In some cases, publishing a DMARC record can improve your domain’s reputation.
- Visibility: DMARC reports provide visibility into your email program by showing who is sending emails from your domain.
- Security: DMARC helps the email community apply a consistent policy for messages that fail authentication, making the email ecosystem more secure and trustworthy.
Adding a DMARC record
To receive DMARC reports from your custom domain, add a DMARC policy to your DNS records.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@iriscrm.com; ruf=mailto:dmarc-reports@iriscrm.com; fo=1
TTL: 1 hour / 3600
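How a receiver applies the record above, as an added example that is not Merchant Central code: it parses the DMARC value, checks whether an SPF or DKIM pass is aligned with the From domain, and maps the p= policy to delivered, junk, or blocked. It also lists the authorization name a receiver looks up when reports go to another organization's mailbox (RFC 7489, section 7.1). The sample results, the two-label organizational-domain shortcut, and the function names are assumptions.

```python
ACTIONS = {"none": "deliver", "quarantine": "junk", "reject": "block"}
# DMARC value from the article
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@iriscrm.com; "
               "ruf=mailto:dmarc-reports@iriscrm.com; fo=1")

def org(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain; a real receiver uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(value):
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ACTIONS:
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org(a) == org(f)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs seen by the receiver."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r").lower())
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"].lower()]

def external_report_checks(record, policy_domain):
    """DNS names a receiver queries before sending reports outside policy_domain."""
    tags, names = parse_dmarc(record), set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip().lower().startswith("mailto:"):
                host = uri.strip()[7:].split("!")[0].rsplit("@", 1)[-1].lower()
                if org(host) != org(policy_domain):
                    names.add(f"{policy_domain}._report._dmarc.{host}")
    return sorted(names)

# Constructed case: SPF passes for a different domain, DKIM is signed as yourdomain.com
RESULT = evaluate(PAGE_RECORD, "yourdomain.com",
                  ("pass", "iriscrm.com"), ("pass", "yourdomain.com"))
```

With p=none a failing message is still delivered and only reported, and ruf failure reports can carry headers or content of the failing messages to the report mailbox.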
Frequently Asked Questions
- Can I have more than one SPF record? No. A domain should only have one SPF record. If you already have an SPF record, edit the existing record and add include:_spf.iriscrm.com.
- Why do I need to add SPF, DKIM, and DMARC records? These records help receiving email systems verify that Merchant Central is authorized to send emails on behalf of your domain. This can improve delivery rates and reduce the chance that emails are rejected or marked as spam.
- Do I need to add both DKIM records? Yes. Both DKIM CNAME records must be added to your DNS configuration.
- How can I check whether my records are working? You can use MX Toolbox to check SPF and DKIM records. You can also use the CRM’s Email Domain Checker and the Email Metrics page to monitor email health and delivery performance.
- Will DNS changes take effect immediately? DNS changes may take time to propagate. The recommended TTL for the records in this article is 1 hour / 3600.