How to set up DMARC/DKIM/SPF for Energe3
Published 5 Jul 2026
Updated 5 Jul 2026

Configure Energe3 as an approved sending source by adding your sending domain in Energe3, publishing the SPF return-path record Energe3 gives you, enabling DKIM for your domain, and publishing a DMARC record that collects reports before enforcement. Energe3 sends enrollment, student communication, and training notification emails, so these records need to match the domain students see in the From address.
I found no public Energe3 article that lists a universal SPF include, DKIM selector, or return-path CNAME. Treat the values shown inside your Energe3 tenant, or supplied by Energe3 support, as the source of truth. Do not copy DNS values from another domain.
Before you start
- DNS access: You need permission to add TXT and CNAME records for the domain used in Energe3 sender addresses.
- Energe3 access: You need an Energe3 admin account that can change email sender or notification settings.
- Sender address: Use the exact From address used for course enrollment and student notification messages.
- Test mailbox: Use a mailbox you control so you can inspect the delivered Energe3 message headers.
Add your domain
Add the domain that appears after the @ in your Energe3 sender address. If students receive mail from training@example.com, configure example.com. Do not configure the Energe3 application host name unless Energe3 explicitly tells you to.
- Open settings: Sign in to Energe3 and open the admin area for your training account.
- Find email settings: Look for sender domain, email notification, mail authentication, or branded email settings.
- Enter the domain: Use the organizational domain in your From address, such as example.com.
- Choose bounce host: Use a subdomain such as bounces.example.com if Energe3 asks for a return-path host.
- Copy DNS values: Copy the SPF, DKIM, and return-path records shown for your domain.
- Keep the page open: You will return to the same Energe3 screen after publishing DNS records.

Energe3 email sender domain setup screen with DNS records pending.
Use these values
- From domain: The domain after @ in the Energe3 sender address.
- Tenant records: The SPF, DKIM, and return-path values Energe3 gives to your account.
- Stable subdomain: A bounce host that stays dedicated to Energe3 mail.
Avoid these mistakes
- Wrong domain: Do not authenticate an Energe3 host when the From address uses your domain.
- Copied records: Do not use DNS values from another organization or training account.
- Shared bounce: Do not reuse a bounce subdomain already assigned to another sender.
Tenant values matter
Energe3 DNS values are tenant-specific when DKIM keys and bounce hosts are generated per account. If the admin page and support email disagree, ask Energe3 to confirm the active values before publishing DNS.
Set up SPF
Energe3 supports return-path domain matching, so SPF is worth configuring for Energe3. SPF passes for DMARC when the bounce domain belongs to your domain and the sending IP is authorized by your SPF record.
- Copy the SPF value: Use the SPF include or return-path CNAME that Energe3 displays for your tenant.
- Check existing SPF: Your root domain must have one SPF TXT record only.
- Merge senders: Add the Energe3 include to the existing SPF record instead of creating a second SPF record.
- Publish DNS: Save the updated TXT record at the root of your domain, then wait for DNS propagation.
- Watch lookups: Keep SPF under the 10 DNS lookup limit or use hosted SPF when your sender list grows.
SPF TXT template
```dns
example.com TXT v=spf1 include:ENERGE3_VALUE include:EXISTING_SENDER ~all
```

Energe3 SPF and return-path setup screen with DNS status.
The SPF checker should show one SPF record, valid syntax, and fewer than 10 DNS lookups. If it finds two SPF records, merge them before you test Energe3 mail again.
| | | |
|---|---|---|
| One record | Single TXT | Merge |
| Lookups | Under 10 | Flatten |
| Bounce | Your domain | Add CNAME |
| Mechanism | Include | Copy value |

SPF checks for Energe3
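The single-record, merge, and lookup-limit checks above can be run offline before publishing. This is an added example, not code from Energe3 or Suped; the zone data and every hostname in it are constructed placeholders, and the lookup count follows RFC 7208 (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`).

```python
import re

# Constructed sample data: TXT records by name. Hostnames are placeholders,
# not real Energe3 values; use the records shown in your own tenant.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailhost.example ~all",
                    "site-verification=constructed"],
    "_spf.mailhost.example": ["v=spf1 include:_a.mailhost.example mx ~all"],
    "_a.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.tenant-placeholder.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

def spf_records(zone, name):
    """Return only the TXT strings at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split(" ")[0] == "v=spf1"]

def merge_include(record, target):
    """Add include:target to an existing record, ahead of the terminal all/redirect."""
    terms = record.split()
    if f"include:{target}" in terms:
        return record
    end = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?") == "all" or t.startswith("redirect=")), len(terms))
    terms.insert(end, f"include:{target}")
    return " ".join(terms)

def count_lookups(zone, name, path=()):
    """Count DNS-querying terms (RFC 7208 section 4.6.4), following include/redirect."""
    if name in path:
        raise ValueError(f"include loop at {name}")
    records = spf_records(zone, name)
    if len(records) != 1:
        raise ValueError(f"{name}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?").lower())
        if m and m.group(1) in ("include", "redirect"):
            total += 1 + count_lookups(zone, m.group(2), path + (name,))
        elif m and m.group(1) in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def lint_spf(zone, domain, limit=10):
    """Return a list of problems; an empty list means the record is publishable."""
    try:
        lookups = count_lookups(zone, domain)
    except ValueError as err:
        return [str(err)]
    return [f"{lookups} DNS lookups exceeds limit of {limit}"] if lookups > limit else []
```
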
Set up DKIM
DKIM is the record I want passing before any DMARC enforcement. It proves Energe3 signed the message with a key tied to your domain, and it still passes after forwarding when SPF fails.
- Open DKIM setup: Go back to the Energe3 email authentication screen for your sending domain.
- Generate keys: Create or reveal the DKIM DNS record for your domain.
- Copy host: Copy the full selector host exactly as Energe3 displays it.
- Copy value: Copy the full TXT value, including the public key.
- Publish record: Add the TXT record at your DNS provider and keep the selector unchanged.
- Verify in Energe3: Return to Energe3 and run the domain verification check after DNS propagation.
DKIM TXT template
```dns
selector._domainkey.example.com TXT v=DKIM1; k=rsa; p=ENERGE3_PUBLIC_KEY
```

Energe3 DKIM setup screen with selector and public key fields.
DKIM pass target
Send one Energe3 notification to a mailbox you control. The header result should show DKIM pass for your domain, not only for an Energe3-owned domain.
- Header result: Look for DKIM pass in the authentication results header.
- Domain value: The DKIM domain should match the domain in the visible From address.
- Selector value: The selector in the header should match the selector you published in DNS.
Set up DMARC
DMARC belongs on your domain, not inside Energe3. Start with p=none unless your domain already uses quarantine or reject. If your domain is already enforced, keep the current policy and add Energe3 as an authenticated source before sending production notifications.
- Create reporting: Use a mailbox or reporting address that can receive DMARC aggregate reports.
- Publish TXT: Add a TXT record at _dmarc on the same domain used in your Energe3 From address.
- Start at none: Use p=none while you confirm Energe3 and every other sender passes DMARC.
- Keep enforcement: If you already use quarantine or reject, do not weaken the policy for Energe3 setup.
- Review reports: Confirm Energe3 appears as an approved source before any stricter policy change.
Recommended DMARC record
```dns
_dmarc.example.com TXT v=DMARC1; p=none; rua=mailto:dmarc@example.com
```
Use the DMARC record generator if you want the same starting record generated with your own reporting address.
The DMARC checker should show one valid record at _dmarc.example.com. If it shows no record, confirm the host name. If it shows multiple records, remove the extra TXT record before testing Energe3 again.
Do not enforce too early
A p=reject policy is right only after Energe3 and all other approved senders pass DMARC in real mail. One missing DKIM record can cause student notifications to be rejected.
Verify and troubleshoot
Verification requires a real Energe3 message, not only DNS lookups. Trigger an enrollment notification, course reminder, or student communication email to a mailbox you control, then inspect the authentication results.
- Send live mail: Use the same Energe3 workflow that students receive, not a generic admin test.
- Check From: The visible From domain should be the domain you authenticated.
- Check SPF: SPF should pass when Energe3 uses your branded return-path domain.
- Check DKIM: DKIM should pass with your domain in the signature.
- Check DMARC: DMARC should pass through SPF domain match, DKIM domain match, or both.
- Check headers: Save the raw message headers when you need Energe3 support to confirm a sending route.
The email tester prompts you to send a test message and returns a diagnosis across SPF, DKIM, DMARC, headers, DNS, and message content. It is the quickest way to confirm Energe3 authentication before students receive mail.
| | | |
|---|---|---|
| SPF fail | Bounce host | Add CNAME |
| DKIM fail | Missing TXT | Copy key |
| DMARC fail | No match | Fix DKIM |
| Dup SPF | Two TXT | Merge |
| No reports | Bad rua | Fix mailto |

Common Energe3 authentication fixes
SPF exception
Some sending sources cannot use a branded Return-Path. For those senders, SPF domain match can fail without breaking DMARC when DKIM passes with the From domain. Energe3 supports branded return-path setup, so I still configure SPF for Energe3.
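The header checks in the verification list, and the SPF exception just described, can be scripted against a saved message. This is an added example, not code from Energe3 or Suped; the sample headers, domains, selectors and the `mx.receiver.example` authserv-id are constructed, and alignment is simplified by treating the From domain as the organizational domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; domains, selectors and authserv-id are placeholders.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=example.com header.s=sel1;
 dkim=pass header.d=vendor-mail.example header.s=shared;
 spf=pass (constructed comment) smtp.mailfrom=bounce-1@mail.vendor-mail.example;
 dmarc=pass header.from=example.com
From: Training <training@example.com>
"""

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    parts = re.sub(r"\([^)]*\)", "", value).split(";")  # drop comments, split clauses
    clauses = []
    for clause in parts[1:]:
        pairs = re.findall(r"([\w.-]+)=([^\s;]+)", clause)
        if pairs:
            clauses.append((pairs[0][0].lower(), pairs[0][1].lower(), dict(pairs[1:])))
    return (parts[0].split() or [""])[0].lower(), clauses

def aligned(domain, from_domain):
    # Relaxed alignment, simplified: treats the From domain as the organizational
    # domain (assumption; a full check uses the Public Suffix List).
    domain = domain.lower().rstrip(".")
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def check_message(raw, trusted_authserv):
    """Evaluate alignment using only results stamped by your own receiving server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "dkim": False, "spf": False, "selectors": []}
    for value in msg.get_all("Authentication-Results", []):
        authserv, clauses = parse_auth_results(value)
        if authserv != trusted_authserv:
            continue  # stamped by another system, possibly forged by the sender
        for method, result, props in clauses:
            # Some receivers report the signing identity as header.i=@domain.
            d = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
            if (method, result) == ("dkim", "pass") and aligned(d, from_domain):
                report["dkim"] = True
                report["selectors"].append(props.get("header.s"))
            elif (method, result) == ("spf", "pass"):
                mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
                report["spf"] = report["spf"] or aligned(mailfrom, from_domain)
    report["dmarc_aligned"] = report["dkim"] or report["spf"]
    return report
```

In the sample, SPF passes only for the vendor's bounce domain, so the message is DMARC-aligned through the `sel1` DKIM signature alone.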
Get alerted when it breaks
Energe3 authentication can break after someone edits DNS, rotates DKIM keys, changes a sender address, or moves notifications to a different mail route. Manual checks cover setup day only; alerts catch drift.
- Monitor reports: Track DMARC aggregate reports so Energe3 volume and pass rates stay visible.
- Watch source changes: Flag new mail sources that send as your domain without approval.
- Alert on failures: Send notifications when Energe3 DKIM, SPF, or DMARC pass rates drop.
- Include reputation: Pair DMARC alerts with blocklist (blacklist) monitoring for IP and domain reputation changes.
Suped's DMARC monitoring gives this workflow a practical operating layer: source detection, real-time alerts, SPF and DKIM visibility, and issue steps that explain the DNS change to make.

Notification settings page with DMARC alerts, weekly summary, toggles, and preview buttons
Suped alert workflow
- Automated detection: Suped identifies authentication issues and shows the steps to fix them.
- Real-time alerts: Suped notifies the right people when failure rates exceed the threshold you set.
- Hosted SPF: Suped can manage sender changes and SPF flattening without repeated DNS edits.
- Multi-tenancy: Suped supports agencies and managed service providers that track Energe3 across client domains.
Secure your domain with p=reject
Move to p=reject only after Energe3 and every other approved sender passes DMARC in production. I stage policy changes by percentage so one missed sender does not cause a sudden loss of legitimate mail.
- Collect data: Run p=none until Energe3 traffic appears in DMARC reports with consistent pass results.
- Fix unknowns: Review every source sending as your domain and remove or authenticate anything legitimate.
- Stage quarantine: Move to quarantine at a low percentage when Energe3 and other senders pass.
- Increase policy: Raise the percentage as reports stay clean across normal enrollment and reminder cycles.
- Reject last: Move to p=reject only when unauthenticated mail is unwanted or unauthorized.
- Keep alerts: Continue monitoring after enforcement because vendor routing and DNS records change.
DMARC enforcement stages
```dns
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
```
Enforcement readiness
Use production DMARC pass rate and unknown-source review before changing policy.
- Ready (99%+ pass): Energe3 and approved senders pass consistently.
- Review (95-99%): A few legitimate sources still need fixes.
- Hold (Below 95%): Important mail still fails DMARC.

Hosted DMARC configuration dialog showing policy controls, CNAME setup, and expanded advanced options
Suped's Hosted DMARC is useful here because policy staging lives in Suped instead of repeated DNS edits. Suped also brings SPF, DKIM, DMARC, hosted SPF, blocklist (blacklist) monitoring, and deliverability signals into one workflow, which matters when Energe3 is one approved sender among several.

