Suped

How to set up DMARC/DKIM/SPF for Epsilon

Published 9 Jul 2026
Updated 9 Jul 2026
10 min read
Summarize with
Editorial image for setting up DMARC, DKIM, and SPF for Epsilon.
Set up Epsilon by adding your sending domain in Epsilon, publishing the account-specific Return-Path and DKIM DNS records Epsilon gives you, then publishing DMARC on the visible From domain. I start with p=none only when the domain is not already protected, verify Epsilon traffic in message headers, and move to p=reject after Epsilon and every other sender passes DMARC consistently.
Epsilon DNS values are account-specific. Do not guess an SPF include, DKIM selector, or CNAME target from another domain. Copy the records shown in your Epsilon account or provided by your Epsilon implementation team.

Add your domain

Add the domain Epsilon will use in the visible From address, then enable the branded Return-Path domain for the same organizational domain. That gives Epsilon a clean SPF path and keeps DMARC tied to your domain instead of an Epsilon-owned bounce domain.
  1. Choose scope: Use a dedicated marketing subdomain such as email.example.com when your main domain already has several senders.
  2. Open settings: In Epsilon, go to the sending domain, sender profile, or domain authentication area for your tenant.
  3. Add domain: Enter the From domain, add the default From address, and choose the business unit or campaign folder that will send mail.
  4. Enable bounce branding: Ask Epsilon to configure a custom Return-Path such as bounces.example.com or bounces.email.example.com.
  5. Copy records: Export the DNS checklist for SPF, DKIM, tracking links, and any bounce CNAMEs before editing DNS.
  6. Verify status: After DNS publishes, return to Epsilon and run the built-in domain verification check.
Epsilon sender domain settings with a pending domain verification row.
Epsilon sender domain settings with a pending domain verification row.
I keep marketing mail on a subdomain unless the brand has a reason to send directly from the root domain. It reduces operational risk when Epsilon DNS changes, and it keeps DMARC investigation cleaner.
  1. Root domain: Use only when marketing, corporate mail, and transactional mail are already governed together.
  2. Subdomain: Use when Epsilon has separate teams, templates, reply handling, or sender reputation needs.

Set up SPF

SPF for Epsilon matters when the Return-Path domain belongs to your domain family. Since Epsilon supports a branded Return-Path setup, publish the SPF or CNAME record Epsilon gives you for the bounce host, then confirm the envelope sender domain has an SPF pass.
  1. Find host: Use the exact bounce host shown by Epsilon, such as bounces.example.com.
  2. Use one method: If Epsilon gives you a CNAME for the bounce host, publish that CNAME and do not add a TXT SPF record on the same host.
  3. Keep one SPF: A hostname can have only one SPF TXT record. Merge mechanisms when the host already has SPF.
  4. Limit lookups: Keep SPF under 10 DNS lookups, especially when Epsilon is added to a domain with several enterprise senders.
  5. Test headers: Send one Epsilon test message and confirm SPF passes against the Return-Path domain.
SPF pattern for an Epsilon bounce hostdns
bounces.example.com. TXT "v=spf1 include:<epsilon-spf-host> -all"
Use this as a pattern only. Replace the include value with the host Epsilon gives you, or use the CNAME method if Epsilon assigns one.
Epsilon SPF DNS verification screen for a branded Return-Path host.
Epsilon SPF DNS verification screen for a branded Return-Path host.

SPF checker

Find SPF syntax issues, lookup limits, and weak records.

?/16tests passed
After publishing the record, check the exact bounce host, not only the root domain. If your Epsilon Return-Path is bounces.email.example.com, that is the host that needs the SPF check.
Good SPF setup
  1. Sender host: The Return-Path uses your organizational domain.
  2. SPF owner: The SPF record sits on the bounce host Epsilon uses.
  3. DNS count: The full SPF chain stays below the lookup limit.
Risky SPF setup
  1. Wrong host: SPF was added to the root, but Epsilon sends with a bounce subdomain.
  2. Duplicate SPF: Two SPF TXT records exist on the same hostname.
  3. Open policy: The record ends in +all or uses a broad IP range.

Set up DKIM

DKIM is the main authentication control for Epsilon. I require Epsilon DKIM to sign with your domain or a subdomain of it, then I confirm the message has a DKIM pass before moving DMARC policy forward.
  1. Generate keys: In Epsilon, request DKIM for the sending domain and select 2048-bit keys when the option is available.
  2. Publish selectors: Add the selector records Epsilon provides, usually as CNAMEs or TXT records under _domainkey.
  3. Use both selectors: Publish both active and standby selectors when Epsilon provides two records for rotation.
  4. Verify signing: Send a test message and check that d= uses your domain family, not only an Epsilon domain.
  5. Remove old keys: Delete retired Epsilon DKIM selectors after Epsilon confirms they are no longer signing mail.
DKIM CNAME patterndns
eps1._domainkey.email.example.com. CNAME eps1.example.epsilon.net. eps2._domainkey.email.example.com. CNAME eps2.example.epsilon.net.
The selector names and targets above are placeholders. Epsilon must supply the live selector names and target hosts for your account.
Epsilon DKIM selector records waiting for DNS verification.
Epsilon DKIM selector records waiting for DNS verification.
Old third-party DKIM keys are a real risk. After a rotation, a retired selector that still exists in DNS can let old signing material remain valid. I keep a list of every Epsilon selector and remove retired records after the sending team confirms the cutover.

Set up DMARC

DMARC is published on the visible From domain, not inside Epsilon. If the domain has no DMARC policy yet, start with this exact monitoring record and replace the reporting address with one that can process aggregate XML reports.
Starter DMARC recorddns
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
If your domain is already on p=quarantine or p=reject, keep that policy. Add Epsilon as an authenticated sender first, then watch reports before changing policy.
  1. Confirm domain: Publish DMARC at _dmarc on the exact From domain, such as _dmarc.email.example.com.
  2. Set reports: Use a real aggregate report mailbox or a DMARC reporting address, because raw XML is hard to review manually.
  3. Keep relaxed: Leave DKIM and SPF domain matching at relaxed mode unless every sender is already mapped precisely.
  4. Check Epsilon: Make sure Epsilon passes DMARC through DKIM, SPF, or both.
Use the DMARC record generator when you need a record with reporting, subdomain policy, or staged enforcement fields.
Epsilon verification summary showing SPF, DKIM, Return-Path, and DMARC checks.
Epsilon verification summary showing SPF, DKIM, Return-Path, and DMARC checks.

DMARC checker

Look up a domain's DMARC record and catch policy issues.

?/7tests passed
Check the From domain that subscribers see, not the bounce domain. If Epsilon sends from news@email.example.com, the DMARC lookup is on email.example.com.

Verify and troubleshoot

Verification is not complete when DNS says the records exist. I send a real Epsilon test campaign, inspect the received headers, and compare those results with DMARC aggregate reports after live traffic starts.
  1. Send test: Create a low-risk Epsilon test campaign with the final From domain, final template, and final sender profile.
  2. Inspect SPF: Confirm the Authentication-Results header shows spf=pass for the Epsilon Return-Path domain.
  3. Inspect DKIM: Confirm d= matches your domain family and dkim=pass appears in the receiving mailbox.
  4. Inspect DMARC: Confirm dmarc=pass appears for the visible From domain.
  5. Check reports: After the first live send, confirm Epsilon appears as an authorized source in aggregate reporting.

Symptom

Likely cause

Fix

SPF fail
Wrong host
Check bounce DNS
DKIM fail
Bad selector
Republish key
DMARC fail
Domain mismatch
Fix DKIM domain
No reports
Bad rua
Update mailbox
Policy block
Unauth source
Pause rollout
Common Epsilon authentication fixes
The fastest check is to send a real Epsilon email to a diagnostic address. That catches DNS records, headers, content, and authentication in one pass.

Email tester

Send a real email to this address. Suped shows a results button when the test is ready.

?/43tests passed
If SPF fails but DKIM passes and DMARC passes, do not stop the launch only because SPF is red in one mailbox. DMARC needs one passing method with the right domain match. For Epsilon, I still fix SPF because branded Return-Path is supported and it improves the diagnostic picture.
Epsilon test send screen with authentication checks before sending.
Epsilon test send screen with authentication checks before sending.

Get alerted when it breaks

Epsilon DNS can break after a key rotation, Return-Path change, new business unit, DNS migration, or campaign team change. Suped's DMARC monitoring is the best overall fit for this workflow because it connects DMARC, SPF, DKIM, blocklist (blacklist) monitoring, and deliverability signals in one place.
  1. New source: Alert when a new Epsilon IP range or host starts sending for your domain.
  2. DKIM drop: Alert when Epsilon DKIM pass rate falls after a selector or DNS change.
  3. SPF drift: Alert when the branded Return-Path stops passing SPF.
  4. Policy risk: Alert before Epsilon traffic is affected by quarantine or reject.
  5. Reputation check: Monitor Epsilon sending IPs for blocklist and blacklist signals during high-volume sends.
Notification settings page with DMARC alerts, weekly summary, toggles, and preview buttons
Notification settings page with DMARC alerts, weekly summary, toggles, and preview buttons
In Suped's product, I set alert thresholds around authentication drops and new sources instead of waiting for a weekly report. That matters for Epsilon because enterprise marketing sends usually happen in batches, so a broken selector can affect a large campaign quickly.
Suped's issue detection turns the raw DMARC failure into a practical fix path: which source changed, which domain failed, what DNS record to inspect, and what to verify after the fix.
  1. Owner: Route Epsilon alerts to marketing operations and DNS owners.
  2. Severity: Raise severity when failures affect a domain already on enforcement.
  3. Evidence: Use source, IP, selector, and policy data before changing DNS.

Secure your domain with p=reject

The goal is a reject policy, but only after Epsilon and every legitimate sender is authenticated. I move domains in stages, watch DMARC reports between each stage, and keep a rollback record ready for the DNS owner.
Policy readiness checks
Use these thresholds before moving an Epsilon sending domain to enforcement.
Ready
98-100% pass
Epsilon and all approved senders pass DMARC consistently.
Investigate
95-97% pass
Some Epsilon traffic or another approved sender fails authentication.
Stop
Under 95%
Important sources fail or unknown senders still use your domain.
Suped's Hosted DMARC helps here because policy staging happens in the product, while DNS can stay stable through a CNAME-based setup.
  1. Collect reports: Run monitoring long enough to see normal Epsilon campaign volume, seasonal jobs, and triggered sends.
  2. Authorize sources: Mark Epsilon as approved only after DKIM or SPF passes DMARC.
  3. Start quarantine: Move to quarantine with a partial percentage after all critical senders pass.
  4. Increase coverage: Raise enforcement only when Epsilon traffic remains clean after each campaign cycle.
  5. Finish reject: Publish reject after failures are either malicious, unused, or fully remediated.
Staged DMARC valuesdns
Host: _dmarc.example.com TXT: "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com" TXT: "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com" TXT: "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
Hosted DMARC configuration dialog showing policy controls, CNAME setup, and expanded advanced options
Hosted DMARC configuration dialog showing policy controls, CNAME setup, and expanded advanced options
For most teams, Suped is the practical choice for getting Epsilon domains to reject because it combines source discovery, hosted policy changes, SPF flattening, hosted SPF, alerts, and blocklist (blacklist) monitoring without making every change a DNS ticket.

FAQ

DMARC monitoring

Start monitoring your DMARC reports today

Suped DMARC platform dashboard
What you'll get with Suped
Real-time DMARC report monitoring and analysis
Automated alerts for authentication failures
Clear recommendations to improve email deliverability
Protection against phishing and domain spoofing