How to Update DNS Records in DreamHost

DreamHost is a web hosting provider and domain registrar that includes DNS management in its control panel. DreamHost's DNS interface has both a basic mode and an advanced mode, and understanding which one to use matters for email authentication records. This guide walks you through adding and editing SPF, DMARC, MTA-STS, and DKIM DNS records for your domain in DreamHost. Each section includes the exact steps, correct field values, and DreamHost-specific details to get your records configured correctly.

DreamHost's control panel is organized differently from pure-play registrars. DNS management lives under the Manage Domains section, and the advanced editor gives you full control over individual records.

Accessing Your DNS Zone

1. Sign in to your DreamHost control panel at panel.dreamhost.com.
2. Navigate to Manage Domains in the left sidebar (sometimes listed under Domains).
3. Find your domain in the list and click DNS next to it. This opens the DNS management page for that domain.
4. You are now viewing the DNS records for your domain. DreamHost shows existing records and provides an area to add new custom records.

DreamHost separates automatically managed records (created by DreamHost hosting services) from custom records that you add manually. Your email authentication records will be custom records.

Note: DreamHost may automatically create SPF and DKIM records if you use DreamHost email hosting. If you are using a third-party email provider or mxio's Managed SPF, you may need to remove or edit these automatic records to avoid conflicts. Check for existing TXT records starting with v=spf1 before adding a new one.

TXT Records

SPF Record

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are authorized to send email for your domain. Your SPF record is published as a TXT record at the root of your domain.

1. In the DNS management page, scroll to the Add a custom DNS record section.
2. In the Name field, leave it blank. DreamHost uses a blank name field to represent the root of your domain.
3. Select TXT from the Type dropdown.
4. In the Value field, enter your SPF record: v=spf1 include:_spf.mxio.io ~all
5. Click Add Record.

DreamHost assigns a default TTL to custom records. This default is appropriate for most configurations.

If you already have an SPF record (either auto-generated by DreamHost or manually created), do not create a second one. Multiple SPF records cause a PermError and break email authentication entirely. Remove the existing SPF TXT record first, then create a new one that combines all your include mechanisms. For example, if DreamHost auto-created v=spf1 include:netblocks.dreamhost.com ~all and you also need mxio, your merged record would be: v=spf1 include:netblocks.dreamhost.com include:_spf.mxio.io ~all

DMARC Record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers how to handle email that fails SPF and DKIM checks. It also enables aggregate reporting so you can see who is sending email as your domain.

1. In the Add a custom DNS record section, enter _dmarc in the Name field. DreamHost will append your domain, resulting in _dmarc.yourdomain.com.
2. Select TXT from the Type dropdown.
3. In the Value field, enter your DMARC policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
4. Click Add Record.

Replace dmarc@yourdomain.com with the address where you want to receive DMARC aggregate reports. Start with p=none to collect data before enforcing. See the DMARC Deployment Guide for the full progression from none to quarantine to reject.

Note: mxio will support DMARC policy management in a future release.

CNAME Records

MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers that your domain supports TLS encryption for inbound email and that they should refuse to deliver over an unencrypted connection. The MTA-STS policy is published via HTTPS, and a CNAME record points to the policy host.

1. In the Add a custom DNS record section, enter _mta-sts in the Name field. DreamHost will append your domain automatically.
2. Select CNAME from the Type dropdown.
3. In the Value field, enter the CNAME target provided by your MTA-STS hosting service.
4. Click Add Record.

You also need a TXT record at _smtp._tls to publish the MTA-STS policy version identifier. Follow the same TXT record process described above, using _smtp._tls as the Name and the policy string as the Value.

Note: mxio will support MTA-STS hosting in a future release.

NS Delegation

DKIM Key Hosting

DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was sent by an authorized server and that the message body was not altered in transit. DKIM keys are published as DNS records under the _domainkey subdomain.

For centralized DKIM key management, you can delegate the _domainkey subdomain to a dedicated DNS host via NS records.

1. In the Add a custom DNS record section, enter _domainkey in the Name field. DreamHost will append your domain, resulting in _domainkey.yourdomain.com.
2. Select NS from the Type dropdown. If NS is not available as a record type, see the troubleshooting section below.
3. In the Value field, enter the first nameserver provided by your DKIM hosting service.
4. Click Add Record.
5. Repeat for each additional nameserver (typically 2-4 NS records are required for redundancy).

Note: mxio will support DKIM key hosting via NS delegation in a future release.

Verifying Your Changes

After adding or editing DNS records in DreamHost, verify that your changes are live and correct.

1. Use the mxio SPF Checker to validate your SPF record. Enter your domain and confirm that the record resolves correctly, the lookup count is within the 10-lookup limit, and all your sending services are included.
2. Use the mxio DMARC Checker to verify your DMARC record is published and syntactically correct.
3. Use the mxio Domain Health tool for a full overview of your domain's email authentication status, including SPF, DKIM, DMARC, and MX configuration.
4. If you created NS delegation records for DKIM, use the Delegation Health tool to verify that the NS records are resolving correctly and the delegated zone is responding.

DNS propagation from DreamHost typically takes 15 minutes to 4 hours. Most changes are visible within 1 hour. If your changes are not appearing after several hours, verify the record was saved correctly by refreshing the DNS management page.

Troubleshooting

Auto-generated records conflict

DreamHost automatically creates SPF and DKIM records when you use DreamHost email hosting. These auto-generated records may conflict with manually added records. If you are using a third-party email provider, remove or edit the DreamHost auto-generated SPF record before adding your own. Look for TXT records containing dreamhost.com in the value.

Duplicate SPF records

Your domain must have exactly one SPF TXT record at the root. If you see two TXT records starting with v=spf1 — one auto-generated and one manual — delete the one you do not need and merge the include mechanisms into a single record. Use the SPF Checker to confirm you have only one record.

Blank name field for root records

DreamHost uses a blank Name field for root domain records. Do not enter @ or your domain name — leave the field empty. If you enter the full domain name, DreamHost may create the record at the wrong hostname.

NS record type not available

DreamHost's basic DNS editor may not include NS as a record type option. If NS delegation is not available through the control panel, contact DreamHost support to request NS record creation for the _domainkey subdomain, or consider migrating your DNS hosting to a provider with full record type support.

DNS changes not saving

If your DNS changes do not appear to save, try clearing your browser cache and re-authenticating to the DreamHost panel. DreamHost's control panel session can sometimes timeout without displaying an obvious error. Refresh the page and verify your records were stored correctly.