
How to set up DMARC/DKIM/SPF for Employment Hero

Matthew Whittaker
Co-founder & CTO, Suped
Published 19 Jun 2026
Updated 19 Jun 2026
9 min read
Employment Hero email authentication setup overview
Employment Hero email authentication needs three layers: DKIM CNAME records generated inside Payroll classic, SPF for the custom Return-Path domain when Employment Hero gives you that DNS value, and a DMARC record on the domain in the visible From address. I start with DKIM because Employment Hero makes that the required in-product step, then I verify SPF and DMARC from DNS.
Employment Hero's Payroll classic guide says admins can open Business Settings, Payroll Settings, Email Sender Authentication, add a domain, then copy generated CNAME records into DNS. The DKIM setup guide gives the same flow and notes a common validation issue when a DNS host auto-adds the domain to CNAME hostnames.

Add your domain

Add the domain that Employment Hero uses in the visible From address. For payslips, leave requests, expense requests, and report packs, that is usually the company domain after the @ sign. Do not add a restricted mailbox domain unless you control its DNS.
  1. Access: Sign in as an admin, open Business Settings, then open Payroll Settings.
  2. Open auth: Select Email Sender Authentication.
  3. Add domain: Click Add, enter the domain used in Employment Hero email, then click Register.
  4. Copy records: Copy every generated CNAME host and target exactly into your DNS host.
  5. Validate: Return to Email Sender Authentication and click the Unvalidated status for the domain.
  6. Confirm: The domain should move to Validated once DNS has propagated and the CNAMEs resolve.
Employment Hero Email Sender Authentication page with a domain ready to register
DNS ownership matters
  1. DNS access: You need permission to create CNAME and TXT records for the sending domain.
  2. Restricted domains: Do not authenticate a mailbox provider domain you do not own.
  3. Duplicate claim: A domain already registered error means another payroll account or brand has claimed that domain.

Set up SPF

SPF checks the domain of the envelope sender (the SMTP MAIL FROM, which receivers usually record as the Return-Path header), not the visible From address. It only helps DMARC when that Return-Path domain aligns with the visible From domain: the same organizational domain under relaxed alignment, an exact match under strict alignment. Employment Hero supports return-path matching for this sending source, so I check whether the account has supplied a custom return-path host, CNAME, or SPF value.
Employment Hero's public DKIM setup pages do not publish one universal SPF include for every customer. Do not guess one. Use the tenant-specific value shown by Employment Hero or provided by support, then merge it into the correct SPF record.
  1. Find value: Look in the Employment Hero Email Sender Authentication details or ask support for the custom Return-Path/SPF value for your tenant.
  2. Choose host: Publish SPF on the exact host Employment Hero gives you, commonly the root domain or a bounce subdomain. If that host is delegated with a CNAME, it cannot also hold a TXT record; the SPF record then lives at the CNAME target, which Employment Hero maintains.
  3. Merge once: Keep one SPF TXT record per hostname. Merge senders into the existing record instead of adding a second SPF record; two SPF records at one host make receivers return permerror, which counts as no SPF pass.
  4. Control lookups: Stay within the limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect), counted across nested includes; exceeding it is also a permerror. Suped's Hosted SPF and SPF Flattening help when a domain has many senders.
  5. Accept DKIM: If your account only exposes DKIM CNAMEs, expect SPF alignment failures for Employment Hero mail and rely on DKIM to pass DMARC.
SPF record shape
Host: example.com
Type: TXT
Value: v=spf1 include:sender.example ~all

Host: eh-bounces.example.com
Type: CNAME
Value: tenant-return.example
After publishing the DNS value, check the exact hostname that holds SPF. The checker should show a single SPF record and no lookup-limit failures before you depend on SPF for Employment Hero mail.

If the SPF checker returns multiple SPF records, remove the duplicate and keep one combined TXT record. If it returns too many lookups, shorten the sender chain or move the record into a hosted SPF setup.
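As an added example that is not part of this page or of Employment Hero's tooling, the Python below runs the three pre-publish checks above offline on constructed TXT strings: exactly one SPF record at the host, the DNS lookup budget, and merging the tenant include into the existing record rather than publishing a second one. The include name tenant-return.example and the other TXT strings are placeholders, not values a real tenant receives.

```python
"""Pre-publish SPF checks for one hostname: single record, lookup budget, merge.

Added example, not Employment Hero's or Suped's code. The TXT strings used
below are constructed; tenant-return.example stands in for whatever SPF
include a tenant is actually given.
"""
import re

# Mechanisms that cost a DNS query under RFC 7208 section 4.6.4. The redirect
# modifier costs one as well; ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def spf_records(txt_values):
    """Return the SPF records among all TXT strings published at one host."""
    return [v.strip() for v in txt_values if v.strip().lower().startswith("v=spf1")]


def count_lookups(record):
    """Count DNS-querying terms in this record only.

    A real checker also recurses into every include and redirect target, so
    the true total is at least this number.
    """
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if term.startswith("redirect="):
            count += 1
            continue
        mechanism = re.split(r"[:/]", term, maxsplit=1)[0]
        if mechanism in LOOKUP_MECHANISMS:
            count += 1
    return count


def merge_include(record, include_domain):
    """Add include:<domain> just before the 'all' term, never as a second record."""
    terms = record.split()
    new_term = f"include:{include_domain.lower()}"
    if new_term in (t.lower() for t in terms):
        return " ".join(terms)
    all_idx = next(
        (i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"),
        len(terms),
    )
    terms.insert(all_idx, new_term)
    return " ".join(terms)


def check_host(txt_values, include_domain=None):
    """Validate the SPF situation at a host and propose the merged record."""
    records = spf_records(txt_values)
    issues = []
    merged = None
    lookups = None
    if not records:
        issues.append("no SPF record at this host")
    elif len(records) > 1:
        # RFC 7208 section 4.5: more than one SPF record is a permerror.
        issues.append(f"{len(records)} SPF records found; receivers return permerror, publish exactly one")
    else:
        merged = merge_include(records[0], include_domain) if include_domain else records[0]
        lookups = count_lookups(merged)
        if lookups > MAX_LOOKUPS:
            issues.append(f"{lookups} DNS-querying terms exceeds the limit of {MAX_LOOKUPS}")
    return {"records": records, "merged": merged, "lookups": lookups, "issues": issues}


if __name__ == "__main__":
    # Constructed TXT set for example.com: one SPF record plus an unrelated
    # verification string, then the vendor include merged in.
    example_com_txt = [
        "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all",
        "site-verification=abc123",
    ]
    print(check_host(example_com_txt, include_domain="tenant-return.example"))
    # The duplicate-record mistake the checker above flags:
    print(check_host(["v=spf1 include:_spf.google.com ~all",
                      "v=spf1 include:tenant-return.example ~all"]))
```

Feed it the full TXT set you get back from `dig TXT <host>` for the host that will carry SPF; the merged record is what you publish, and the lookup count is a lower bound until the includes are expanded.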

Set up DKIM

DKIM is the main Employment Hero authentication step. Once the domain is registered, Employment Hero generates CNAME records that delegate selector names under your domain to keys Employment Hero hosts. DKIM passes when those CNAMEs resolve to a valid public key and the signature verifies; it then counts for DMARC only if the d= domain in the signature aligns with the visible From domain.
  1. Generate CNAMEs: Register the domain in Email Sender Authentication and wait for Employment Hero to display the generated records.
  2. Copy host: Copy the selector hostname exactly, including the _domainkey label.
  3. Copy target: Copy the CNAME target exactly as shown by Employment Hero.
  4. Wait TTL: Allow DNS to propagate before clicking Unvalidated again.
  5. Send sample: Send a real Employment Hero notification after validation and inspect headers for DKIM pass.
DKIM CNAME shape
Type: CNAME
Host: selector1._domainkey.example.com
Value: selector1-example._domainkey.employmenthero.example

Type: CNAME
Host: selector2._domainkey.example.com
Value: selector2-example._domainkey.employmenthero.example
Employment Hero DKIM CNAME records waiting for DNS validation
Common CNAME mistakes
  1. Host suffix: If your DNS host auto-adds example.com to every hostname, enter only the part before the domain, such as selector1._domainkey; otherwise the record lands at selector1._domainkey.example.com.example.com and never validates.
  2. Target dot: Some DNS hosts need a final dot on CNAME targets, while others reject it; check what the saved record resolves to rather than what you typed.
  3. Pasted key risk: Do not copy the key into a TXT record of your own when Employment Hero asks for a CNAME. The CNAME lets Employment Hero rotate keys without a DNS change on your side; a pasted copy breaks at the next rotation, and a name that holds a CNAME cannot carry a TXT record anyway.
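
The check below is an added Python example, not Employment Hero's validator or Suped's code. It runs the validation steps above against a constructed zone (a plain dict standing in for live DNS): it finds the doubled-suffix mistake, rejects a pasted TXT where a CNAME was requested, and follows the CNAME to confirm the target publishes a key. The selector names, the employmenthero.example targets and the key value are placeholders.

```python
"""Check DKIM CNAME entries against a zone the way a validator would.

Added example, not Employment Hero's or Suped's code. ZONE is a constructed
stand-in for DNS; its names and key value are placeholders.
"""


def fqdn(name):
    """Normalise to a lowercase, dot-terminated absolute name."""
    return name.strip().lower().rstrip(".") + "."


def relative_name(host, zone):
    """What to type into a DNS UI that auto-appends the zone to every host."""
    host, zone = fqdn(host), fqdn(zone)
    if host == zone:
        return "@"
    if not host.endswith("." + zone):
        raise ValueError(f"{host} is not inside zone {zone}")
    return host[: -len("." + zone)]


def lookup(zone_data, name):
    """Return (type, value) for a name, or None."""
    return zone_data.get(fqdn(name))


def validate_dkim_cname(zone_data, selector, domain, expected_target):
    """Return (ok, issues) for one generated selector CNAME."""
    issues = []
    owner = f"{selector}._domainkey.{domain}"
    record = lookup(zone_data, owner)
    if record is None:
        # The most common mistake: the DNS UI appended the zone a second time.
        doubled = f"{owner}.{domain}"
        if lookup(zone_data, doubled) is not None:
            issues.append(f"found {fqdn(doubled)}; enter only '{relative_name(owner, domain)}' "
                          f"in a UI that appends {domain}")
        else:
            issues.append(f"no record at {fqdn(owner)}")
        return False, issues
    rtype, value = record
    if rtype != "CNAME":
        issues.append(f"{fqdn(owner)} is a {rtype} record, not a CNAME; a pasted key will not "
                      f"follow the vendor's key rotation")
        return False, issues
    if fqdn(value) != fqdn(expected_target):
        issues.append(f"CNAME target {value} does not match expected {expected_target}")
        return False, issues
    # Follow the CNAME: the target must publish a DKIM key record with a public key.
    target = lookup(zone_data, value)
    if target is None or target[0] != "TXT":
        issues.append(f"CNAME target {fqdn(value)} does not resolve to a TXT record")
        return False, issues
    tags = dict(part.strip().split("=", 1) for part in target[1].split(";") if "=" in part)
    if not tags.get("p"):
        issues.append("target TXT has no p= public key (key revoked or not yet published)")
        return False, issues
    return True, issues


# Constructed zone. A name holding a CNAME carries no other record, so the key
# itself lives only at the employmenthero.example target.
ZONE = {
    "selector1._domainkey.example.com.": ("CNAME", "selector1-example._domainkey.employmenthero.example."),
    "selector1-example._domainkey.employmenthero.example.": ("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"),
    # Mistake 1: the DNS UI appended example.com to an already-qualified host.
    "selector2._domainkey.example.com.example.com.": ("CNAME", "selector2-example._domainkey.employmenthero.example."),
    "selector2-example._domainkey.employmenthero.example.": ("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"),
    # Mistake 2: the key was pasted into a local TXT instead of delegating via CNAME.
    "selector3._domainkey.example.com.": ("TXT", "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"),
}

if __name__ == "__main__":
    for sel in ("selector1", "selector2", "selector3"):
        print(sel, validate_dkim_cname(ZONE, sel, "example.com",
                                       f"{sel}-example._domainkey.employmenthero.example"))
```

Against live DNS, replace the dict lookups with a resolver query for each name; the decision logic stays the same, and the doubled-suffix check is the one worth keeping when a domain stays Unvalidated after the TTL has passed.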
Single business
  1. Path: Use Payroll Settings, then Email Sender Authentication.
  2. Scope: Applies to mail sent for that business using the authenticated domain.
  3. Best fit: Use this for a normal Employment Hero Payroll classic setup.
Brand level
  1. Path: Use the partner dashboard, then Brand management.
  2. Scope: Applies the same authenticated domain across businesses under that brand.
  3. Best fit: Use this when one payroll brand sends for several business entities.

Set up DMARC

DMARC belongs in DNS for the visible From domain, not inside Employment Hero. It tells receivers what to do with mail that fails DMARC, meaning mail with neither an aligned DKIM pass nor an aligned SPF pass, and where to send aggregate reports through the rua tag.
Start with p=none unless your domain already uses p=quarantine or p=reject. If you already enforce DMARC, keep that policy and fix Employment Hero until it passes under the existing policy. Use the DMARC record generator if you prefer to build the tags interactively.
Starter DMARC record
Host: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@example.com
  1. Create host: Create a TXT record at _dmarc on the domain used in the visible From address.
  2. Set policy: Use v=DMARC1; p=none; rua=mailto:dmarc@example.com while you collect reports.
  3. Add reports: Replace dmarc@example.com with the reporting address you control.
  4. Check syntax: One missing semicolon can break tag parsing, and a second DMARC TXT record at the same host makes receivers discard the policy entirely.
After the record is live, validate the syntax and parsed tags. The checker should show one DMARC record, a valid policy, and a valid reporting destination.
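As an added example (not Suped's checker or any Employment Hero code), the Python below parses the TXT set at a _dmarc host the way a receiver does and reports the issues the steps above warn about: a missing or second record, a missing semicolon, a bad policy or pct value, and a reporting destination that is not a mailto: URI. It also shows what a pct value below 100 actually does to the unsampled share of failing mail. The record strings are constructed and dmarc@example.com is a placeholder address.

```python
"""Validate the TXT strings at _dmarc.<domain> the way a receiver parses them.

Added example, not Employment Hero's or Suped's code; the records used in the
demo are constructed and dmarc@example.com is a placeholder.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            pairs.append((part.lower(), None))
            continue
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def validate_dmarc(txt_values):
    """Return (tags, issues) for everything published at the _dmarc host."""
    records = [v for v in txt_values if v.strip().lower().startswith("v=dmarc1")]
    if not records:
        return {}, ["no DMARC record at the _dmarc host"]
    if len(records) > 1:
        # RFC 7489 section 6.6.3: more than one record means no policy applies.
        return {}, [f"{len(records)} DMARC records found; receivers discard all of them, keep one"]
    pairs = parse_tags(records[0])
    tags = dict(pairs)
    issues = []
    if pairs[0] != ("v", "DMARC1"):
        issues.append("v=DMARC1 must be the first tag")
    for tag, value in pairs:
        if value is None:
            issues.append(f"'{tag}' has no value (missing '=' or a stray semicolon)")
        elif re.search(r"\s\w+=", value):
            # 'DMARC1 p=none' means the semicolon between two tags was dropped
            issues.append(f"'{tag}' value '{value}' swallows another tag (missing semicolon)")
        elif tag not in KNOWN_TAGS:
            issues.append(f"unknown tag '{tag}'")
    p = tags.get("p")
    if p is None:
        issues.append("p tag is required")
    elif p not in VALID_POLICIES:
        issues.append(f"invalid policy p={p}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        issues.append(f"invalid subdomain policy sp={tags['sp']}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in {"r", "s"}:
            issues.append(f"{tag} must be r or s")
    pct = tags.get("pct") or "100"
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append(f"pct must be an integer 0-100, got {pct}")
    for tag in ("rua", "ruf"):
        for uri in (tags.get(tag) or "").split(","):
            uri = uri.strip()
            if uri and not uri.startswith("mailto:"):
                issues.append(f"{tag} destination '{uri}' is not a mailto: URI")
    return tags, issues


def effective_dispositions(tags):
    """What pct does: the sampled share of failing mail gets p, the rest gets
    the next weaker policy (RFC 7489 section 6.6.4)."""
    p = tags.get("p", "none")
    weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}[p]
    return {"pct": int(tags.get("pct") or "100"), "sampled": p, "unsampled": weaker}


if __name__ == "__main__":
    for txt in (["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
                ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"],
                ["v=DMARC1 p=none; rua=mailto:dmarc@example.com"],           # missing semicolon
                ["v=DMARC1; p=none; rua=mailto:a@example.com", "v=DMARC1; p=reject"]):
        tags, issues = validate_dmarc(txt)
        print(issues or effective_dispositions(tags))
```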

Do not skip monitoring
A DMARC record without report review tells receivers your policy, but it does not tell you whether Employment Hero, payroll mail, and other legitimate sources are passing.

Verify and troubleshoot

Verify from the product, DNS, and a real message. Employment Hero can show the domain as Validated while DMARC still fails if the visible From domain, DKIM signature domain, or Return-Path domain do not match correctly.
  1. Product status: Email Sender Authentication should show the domain as Validated.
  2. DNS status: DKIM CNAMEs should resolve to Employment Hero targets, and SPF should have one TXT record at the correct host.
  3. Header status: A real Employment Hero message should show DKIM pass with a d= domain that aligns with the From domain, an aligned SPF pass when return-path matching is configured, and DMARC pass.
  4. Timing status: DNS caches can keep old values until TTL expiry, so retest after the longest TTL on the changed records.

Fast troubleshooting matrix
Signal   Expected    Where to fix
Domain   Validated   CNAME host
DKIM     Pass        CNAME target
SPF      Pass        Return-Path
DMARC    Pass        From match
Employment Hero domain validated after DKIM DNS records resolve
The quickest live check is to send an Employment Hero test email to the address generated by the email tester. It returns the actual SPF, DKIM, DMARC, DNS, and header diagnosis for that message instead of relying on DNS alone.

If DKIM passes with an aligned d= domain, DMARC passes even when SPF fails, because DMARC needs only one aligned pass; SPF will not align whenever Employment Hero is not using a custom Return-Path on that tenant. If DKIM fails, fix DKIM first because it is the authentication method Employment Hero exposes in the product flow.
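To make the pass/fail rules above concrete, here is an added Python example (not Suped's or Employment Hero's code) that decides DMARC for a message from its three identifiers the way a receiver does: the From domain, the d= domains of verified DKIM signatures, and the SPF result for the MAIL FROM domain, under relaxed or strict alignment. The message results, the domains employmenthero.example and eh-bounces.example.com, and the small public-suffix set are all constructed for the demo.

```python
"""Decide DMARC for one message from its three identifiers, as a receiver does.

Added example, not Employment Hero's or Suped's code. The message results and
domains below are constructed; employmenthero.example and
eh-bounces.example.com stand in for a tenant's real signing and return-path
domains.
"""
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "example"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(identifier, from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def parse_tags(record):
    """Minimal 'tag=value; ...' parser for the DMARC record."""
    return dict(
        (k.strip().lower(), v.strip())
        for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)
    )


@dataclass
class MessageAuth:
    from_domain: str            # domain of the visible From header
    dkim_pass_domains: tuple    # d= of every signature that verified
    spf_result: str             # receiver's SPF result for MAIL FROM
    mail_from_domain: str       # RFC5321.MailFrom domain, i.e. the Return-Path


def evaluate_dmarc(msg, record):
    """Return alignment results, the DMARC verdict and the disposition p= would apply."""
    tags = parse_tags(record)
    dkim_ok = any(aligned(d, msg.from_domain, tags.get("adkim", "r"))
                  for d in msg.dkim_pass_domains)
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r")))
    passed = dkim_ok or spf_ok
    return {
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc": "pass" if passed else "fail",
        # pct sampling is ignored here; failing mail is shown with the full p= policy
        "disposition": "none" if passed else tags.get("p", "none"),
    }


RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Tenant without a custom Return-Path: DKIM signed with the customer domain,
# SPF evaluated on the vendor's bounce domain. SPF passes but does not align.
PAYSLIP = MessageAuth("example.com", ("example.com",), "pass", "bounces.employmenthero.example")
# Domain shows Validated, but the signature carries the vendor's own d= domain.
VENDOR_SIGNED = MessageAuth("example.com", ("employmenthero.example",), "pass",
                            "bounces.employmenthero.example")
# Custom Return-Path on a subdomain of the From domain, SPF passing on it.
CUSTOM_RETURN_PATH = MessageAuth("example.com", (), "pass", "eh-bounces.example.com")

if __name__ == "__main__":
    for name, msg in (("payslip", PAYSLIP), ("vendor-signed", VENDOR_SIGNED),
                      ("custom-return-path", CUSTOM_RETURN_PATH)):
        print(name, evaluate_dmarc(msg, RECORD))
    print("strict aspf", evaluate_dmarc(CUSTOM_RETURN_PATH, "v=DMARC1; p=quarantine; aspf=s"))
```

The vendor-signed case is the one that trips people up: the product shows Validated and the signature verifies, yet DMARC fails because d= is not the From domain. The strict-aspf case shows why a bounce subdomain only aligns under relaxed mode.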

Get alerted when it breaks

A one-time Employment Hero validation does not tell you when someone edits DNS later, removes a CNAME, adds a duplicate SPF record, or changes the sending domain. Suped's DMARC monitoring turns receiver reports into source-level alerts and fix steps.
  1. Real-time alerts: Suped flags new failure spikes, DNS breakage, and unverified sources before payroll mail problems spread.
  2. Issue steps: Suped turns authentication failures into fixes such as restore DKIM CNAMEs, merge SPF records, or correct report tags.
  3. Unified view: Suped brings DMARC, SPF, DKIM, blocklist (blacklist) monitoring, hosted SPF, hosted MTA-STS, and deliverability signals into one workflow.
  4. MSP control: Suped's multi-tenancy dashboard keeps many client domains, reports, and alerts separate without losing source detail.
Suped workflow
Suped is our DMARC reporting and email authentication platform. It is the strongest practical choice for most teams after Employment Hero is authenticated because it keeps watching every sender, shows exact failing sources, and sends steps to fix instead of raw XML.

Secure your domain with p=reject

Use p=reject only after Employment Hero and every other legitimate sender has DMARC pass through DKIM or SPF. For Employment Hero, that means the DKIM CNAMEs validate, real messages pass DKIM, and return-path matching passes SPF when your tenant uses it.
DMARC policy path
Move only after legitimate Employment Hero mail passes DMARC.
  1. Inventory (reports): Find every source using the domain.
  2. Monitor (p=none): Collect data without blocking mail.
  3. Quarantine (pct stages): Send failing mail to spam.
  4. Reject (p=reject): Block unauthenticated use of the domain.
  1. Inventory: Collect DMARC reports long enough to see regular payroll cycles, including payslips and report packs.
  2. Fix source: Confirm Employment Hero DKIM is Validated and SPF is correct when a custom Return-Path is configured.
  3. Stage policy: Move to quarantine with pct at 25 percent, then 50 percent, then 100 percent before reject. pct samples only the failing share, and the unsampled remainder gets the next weaker policy: none while p=quarantine, quarantine while p=reject.
  4. Keep enforcement: If the domain already uses quarantine or reject, keep that policy and fix Employment Hero as a source.
  5. Watch impact: Use Suped alerts and source reports after each policy change to confirm legitimate mail still passes.
Policy progression
v=DMARC1; p=none; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Practical reject rule
I move a domain to reject when Suped shows all expected sources passing, unknown sources are either fixed or removed, and no important receiver reports show legitimate Employment Hero mail failing DMARC.
