DMARC Requirements on the Hosted Email Platform

Beginning February 2024, Google and Yahoo required bulk email senders to implement DMARC. Starting May 5, 2025, Microsoft began enforcing the same requirement for Outlook and Hotmail mailboxes. This article explains how those requirements apply to mail you send through the OpenSRS Hosted Email platform, and the DNS records you need to publish so messages keep reaching the inbox.

What the major mailbox providers now require

Google, Microsoft, and Yahoo recognize the importance of email and are taking steps to make it safer. By enforcing authentication, they help prevent spam and spoofing from reaching their users. Bulk senders that fail authentication checks are increasingly rejected outright rather than delivered to the spam folder.

The shared requirements across all three providers are:

• Messages must authenticate with SPF (Sender Policy Framework) — the Return-Path / envelope-from domain must match the From header domain and be listed in the SPF record.
• Messages must authenticate with DKIM (DomainKeys Identified Mail) — the sending domain must publish a DKIM public key, and the signature must verify.
• The sending domain must publish a DMARC (Domain-based Message Authentication, Reporting, and Conformance) TXT record at _dmarc.example.com.

Why DMARC matters

DMARC builds on SPF and DKIM by binding both checks to the visible From-header domain and telling receiving servers what to do when authentication fails. Publishing a DMARC record helps mailbox providers identify you as a sender that takes email standards seriously, which improves inbox placement and reduces spam-folder routing. It also gives you reporting (via the rua and ruf tags) so you can see who is sending mail as your domain.

Required DNS records for Hosted Email senders

SPF

The include:_spf.hostedemail.com mechanism authorizes the OpenSRS Hosted Email sending infrastructure to send on your behalf.

DKIM

Enable DKIM for each Hosted Email domain in the Mail Administration Console (MAC), under the domain's Settings > DKIM section. For the procedure to add OpenSRS-managed DKIM CNAMEs on a reseller technical contact domain, see How to Configure DKIM for Automated Outbound Emails.

DMARC

Add the DMARC record in the Reseller Control Panel

1. Log in to the Reseller Control Panel (RCP).
2. Enter the domain name in the search field and click Search.
3. Click the domain name in the search results.
4. In the DNS section, click Edit.
5. In the Add Sub-domain field, enter _dmarc and click Add Sub-domain.
6. Select TXT from the Add record drop-down menu.
7. Enter the DMARC record value. Replace username@example.comwith the address where you want to receive reports:

   v=DMARC1; p=none; rua=mailto:username@example.com; ruf=mailto:username@example.com; fo=1;

8. Click Save DNS settings.

Verify your configuration

• Use the dmarcian DMARC Record Checker to confirm the TXT record parses correctly.
• Send a test message to a Gmail address and check Show original: SPF, DKIM, and DMARC should all show PASS.
• Review the first week of rua aggregate reports before tightening policy beyond p=none.

Next steps

• Configure DKIM for outbound notifications — see How to Configure DKIM for Automated Outbound Emails.
• Apply the same controls on the Domains platform — if you also send mail through OpenSRS Domains, see Gmail, Microsoft, and Yahoo DMARC Requirements on the Domains Platform.
• Read the providers' announcements — Yahoo's Postmaster blog, Google's Gmail security update, and Microsoft's Outlook high-volume sender requirements.
• Move to enforcement — after reviewing aggregate reports, plan a phased upgrade to p=quarantine then p=reject to maximize spoofing protection.

Questions? Contact OpenSRS Support.