How to set up DMARC/DKIM/SPF for Flexmail
Published 27 Jun 2026
Updated 27 Jun 2026
9 min read
Summarize with
Flexmail authentication needs four pieces: a validated sender address, one SPF TXT record that includes Flexmail, one DKIM TXT record generated in Flexmail, and one DMARC TXT record on the sending domain. I start at p=none unless the domain already uses quarantine or reject, then verify with a live message before making the policy stricter.
Flexmail says its setup starts in sender settings, where sender addresses are grouped by domain and the Set up authentication panel shows the DNS records. Its Flexmail authentication guide also states that Flexmail needs relaxed SPF domain matching, so I avoid strict SPF matching unless a test message proves it works.
Add your domain
Flexmail does not start with a standalone domain wizard. I add and validate the sender address first, then Flexmail exposes the domain authentication panel for that sender's domain.
Flexmail sender settings with add sender and authentication controls
- Open settings: Go to Settings, then Add or remove senders in your Flexmail account.
- Add sender: Click Add a new sender, enter a real inbox such as marketing@example.com, and request approval.
- Verify inbox: Open the Flexmail approval email and click Verify my email address.
- Find domain: Return to sender settings; Flexmail groups validated senders by domain.
- Open auth: Click Set up authentication next to the domain you send from.
Use a real inbox
Flexmail sends approval to the actual sender inbox. A no-reply address with no mailbox blocks validation before SPF, DKIM, or DMARC can help.
Sender validation
- Scope: One sender email address at a time.
- Proof: The mailbox owner clicks a Flexmail approval link.
- Failure: Campaign sending can be blocked for that sender.
- Fix: Use a mailbox someone can open.
Domain authentication
- Scope: The domain shared by the sender addresses.
- Proof: DNS records prove Flexmail can send for the domain.
- Failure: Receivers can spam-folder or reject mail.
- Fix: Publish the generated SPF, DKIM, and DMARC records.
Once the authentication panel opens, download or copy Flexmail's generated report before editing DNS. The report is the source of truth for the DKIM key and the exact hostnames Flexmail expects.
Set up SPF
Flexmail uses SPF to authorize its sending servers for the envelope sender. Because Flexmail supports return-path domain matching, I add Flexmail to the existing SPF record for the domain shown in the authentication report, then verify that there is still only one SPF TXT record.
Minimal Flexmail SPF recorddns
v=spf1 include:spf.flexmail.eu -all
- Use one record: If the domain already has SPF, edit the existing TXT record instead of creating another one.
- Add Flexmail: Add the Flexmail include before the final all mechanism.
- Keep senders: Preserve any mailbox, CRM, support, or transactional senders already approved for the domain.
- Watch lookups: SPF must stay under 10 DNS lookups, including nested includes.
- Check domain: If you send from newsletter.example.com, publish SPF where Flexmail tells you instead of relying on example.com alone.
Broken SPF
Two TXT recordsdns
v=spf1 include:spf.flexmail.eu -all v=spf1 include:spf.protection.outlook.com -all
Merged SPF
One TXT recorddns
v=spf1 include:spf.flexmail.eu include:spf.protection.outlook.com -all
After DNS saves, I check the public SPF result before sending a campaign. DNS caches can show an old value, so I run the check after the record has had time to propagate.
SPF checker
Find SPF syntax issues, lookup limits, and weak records.
?/16tests passed
If Flexmail's indicator stays red after the SPF check shows the Flexmail include, wait out the 24 to 48 hour DNS window Flexmail documents, then compare the authentication report with live DNS.
Set up DKIM
DKIM is the strongest Flexmail signal for DMARC because it survives forwarding better than SPF. In Flexmail, I generate a DKIM key in the authentication popup and publish the TXT record exactly as shown.
Flexmail DKIM key generation panel
- Open panel: Go to Settings, Add or remove senders, then Set up authentication for the domain.
- Keep selector: Flexmail pre-fills flexmail; change it only if your DNS administrator requires a different selector.
- Generate key: Click Generate DKIM keys before copying the DNS value.
- Publish TXT: Add the TXT record at selector._domainkey.yourdomain.com using the host from Flexmail's report.
- Keep value whole: Paste the full DKIM value; DNS providers can split long TXT values automatically.
- Wait status: Flexmail can detect the DNS key before installation finishes on its own servers.
DKIM host patterndns
flexmail._domainkey.example.com. TXT v=DKIM1; k=rsa; p=PASTE_FLEXMAIL_PUBLIC_KEY
What to verify in a header
- DKIM result: The message header should show dkim=pass for the Flexmail-sent message.
- Signing domain: The d= domain should be your sending domain or a matching subdomain.
- Selector: The s= value should match the Flexmail selector you published.
If DKIM fails while SPF passes, I fix DKIM first. A Flexmail DKIM signature using your domain gives DMARC a cleaner pass path than SPF alone.
Set up DMARC
DMARC belongs at _dmarc.yourdomain.com, not inside Flexmail. For a domain with no DMARC record, I start with p=none and a reporting address, then move to enforcement only after Flexmail and every other legitimate sender pass.
Starter DMARC recorddns
v=DMARC1; p=none; rua=mailto:dmarc@example.com
- Record name: Publish a TXT record at _dmarc.example.com for mail sent from user@example.com.
- Policy start: Use p=none unless your domain already uses quarantine or reject; then keep the stronger policy.
- Report address: Replace dmarc@example.com with a mailbox or Suped reporting address that receives aggregate XML.
- Flexmail detail: Flexmail needs relaxed SPF domain matching, so avoid aspf=s unless your Flexmail report and test email prove exact SPF domain matching.
- Generator: Use the DMARC record generator if you want the record built with reporting and policy fields.
I check the DMARC record after publishing because parsers are strict. A missing semicolon, bad mailto value, or duplicate DMARC record can stop reports before any Flexmail data appears.
DMARC checker
Look up a domain's DMARC record and catch policy issues.
?/7tests passed
A valid DMARC record does not mean Flexmail passes DMARC. It means receivers know which policy to apply. A real Flexmail test message still needs DKIM domain matching or SPF domain matching.
|
|
|
|---|---|---|
p=none | Baseline | Collect reports |
p=quarantine | Mostly clean | Spam-folder failures |
p=reject | Fully clean | Reject failures |
Use staged DMARC policies so Flexmail and other legitimate senders stay authorized.
Verify and troubleshoot
Verification has two layers: DNS visibility and actual message authentication. I check both, because a green DNS record can still fail on a real campaign if the From domain, bounce domain, or DKIM signing domain does not match.
Flexmail authentication popup with green record states
- Wait window: Flexmail says DNS changes can take 24 to 48 hours before indicators turn green.
- Refresh Flexmail: Return to Settings, Add or remove senders, then Set up authentication.
- Send test: Send a campaign or transactional test from the exact Flexmail sender address.
- Read headers: Confirm spf=pass, dkim=pass, and dmarc=pass.
- Use tester: Send a message to the test address below and inspect the SPF, DKIM, and DMARC diagnosis.
For the fastest end-to-end check, use a mailbox-based test. It catches DNS mistakes and real header behavior in one run, including the selected From domain and DKIM selector.
Email tester
Send a real email to this address. Suped opens the report when the test is ready.
?/43tests passed
Preparing test address...
If the email tester shows SPF domain mismatch but DKIM passes with your sending domain, prioritize DKIM. DMARC only needs one passing method with domain matching, and forwarded mail often breaks SPF.
Common Flexmail failures
- Sender unverified: Flexmail can block the sender before DNS matters.
- Duplicate SPF: Two SPF TXT records cause SPF permerror.
- Wrong DKIM host: The selector._domainkey host belongs in the DNS name field, not inside the TXT value.
- Strict SPF: aspf=s can fail if Flexmail uses a subdomain return path.
- DNS delay: Red indicators inside Flexmail can remain during propagation.
Verification thresholds
Use real pass-rate thresholds before changing DMARC policy.
Ready to reject
98-100%
Only approved sources pass.
Ready to quarantine
95-97%
A few known fixes remain.
Fix first
80-94%
Legitimate mail still fails.
Do not tighten
<80%
Authentication is not stable.
Get alerted when it breaks
DNS records do not alert you when Flexmail changes a signing pattern, when another sender starts failing, or when an SPF include breaks. Suped's DMARC monitoring turns aggregate reports into source-level issues and notifications instead of XML files sitting in an inbox.
Notification settings page with DMARC alerts, weekly summary, toggles, and preview buttons
- Set alerts: Use threshold-based DMARC alerts for new failure spikes and source changes.
- Track source: Watch Flexmail as a verified sender rather than raw IP traffic.
- Fix faster: Suped turns DMARC, SPF, DKIM, rDNS, and blocklist (blacklist) signals into specific fix steps.
- Cover clients: MSP and multi-tenant dashboards help agencies manage Flexmail across many domains.
- Watch reputation: Blocklist monitoring catches IP or domain blacklist issues before they become delivery incidents.
What I monitor after launch
- Flexmail volume: Daily and weekly message count by domain.
- Pass rate: DMARC pass percentage for Flexmail traffic.
- New senders: Any source using the domain outside approved systems.
- DNS drift: SPF and DMARC record changes that break syntax or policy.
For most teams running Flexmail, Suped is the best overall DMARC platform because the workflow covers more than record checking. It has alerts, issue explanations, hosted SPF, hosted DMARC, hosted MTA-STS, SPF flattening, blocklist monitoring, and multi-domain reporting in one place.
Secure your domain with p=reject
p=reject is the target once Flexmail and every legitimate sender pass DMARC. I do not jump there on day one unless the domain already has clean DMARC data, because reject tells receivers to refuse mail that fails both SPF and DKIM domain matching.
Policy rollout path
A staged path reduces the risk of blocking legitimate Flexmail mail.
traffic under enforcement
- Inventory senders: Use DMARC reports to list Flexmail, mailbox, CRM, support, and transactional systems.
- Fix Flexmail: DKIM should pass with your domain, SPF should include Flexmail, and duplicate SPF should be removed.
- Hold none: Collect at least 1-2 full send cycles with stable pass rates.
- Move quarantine: Use p=quarantine with pct=10, then 25, 50, and 100 after failures are fixed.
- Move reject: Change to p=reject only when unknown sources are removed or intentionally blocked.
- Keep monitoring: New Flexmail senders, DNS edits, and staff changes can break authentication later.
Strict DMARC destinationdns
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r
Manual DNS edits
- Change risk: Each policy change touches DNS.
- Slow rollback: A bad reject rollout waits on DNS access.
- Low visibility: XML reports need parsing before broken mail is obvious.
Suped hosted DMARC
- Hosted policy: Suped's Hosted DMARC lets teams stage policy without repeated DNS edits.
- Guided fixes: Suped shows source-level steps to fix before policy changes.
- Alerting: Real-time alerts catch Flexmail breaks after enforcement.
Hosted DMARC configuration dialog showing policy controls, CNAME setup, and expanded advanced options
