How Managed SPF and Managed DMARC Actually Work — Step by Step

What "managed" means here

When you turn on a managed service, you delegate the work of keeping one DNS record correct. You keep ownership of everything — your domain, your nameservers, your DNS provider, and every other record in your zone. Nothing about who controls your domain changes.

There is exactly one moment where anything in your DNS changes, and you make it: you publish a single record that points at the record mxio maintains for you. Until you publish that record, nothing has moved. After you publish it, you can move it back whenever you want.

That's the whole shape of it. The rest of this guide walks the two services — Managed SPF and Managed DMARC — one step at a time, naming the exact buttons and statuses you'll see on screen.

The honest version. A managed service saves you the upkeep; it does not trap you. Delegating is one DNS change. Taking it back is one DNS change. There's no lock-in and no penalty for leaving — if you switch back to self-managed, we hand you a working record to publish and step out of the way. For the record-by-record version of what's delegated vs what stays yours, see Managed Email Authentication: What It Is and Why It Matters.

---

Managed SPF, step by step {#managed-spf}

Managed SPF keeps your SPF record correct automatically: it stays under the limit on DNS lookups, and when your email providers change their server addresses, your record updates itself. You stop hand-editing SPF.

Step 1 — What mxio already did

When your domain became eligible, mxio built your flattened SPF record in our DNS zone and gave it a stable address (an include host). This happened on our side. Nothing in your DNS changed, and nothing you can see in your own zone changed. The service is sitting ready for you to point at.

On the domain's SPF page, this reads as Available — provisioned and ready to turn on, but not yet pointed at.

Step 2 — The one record you publish

To turn it on, you make a single change to your existing SPF record: you add one include that points at the record mxio maintains. The SPF page shows you the exact record to publish, as a TYPE / NAME / VALUE you can copy:

• Type: TXT
• Name: @ (your domain's root)
• Value: your SPF record with mxio's include added — for example v=spf1 include:yourdomain.spf.mxdns.io ~all

You replace your current SPF record with this one. You do not create a second SPF record. (A domain is allowed only one SPF record — publishing two is a permanent error that breaks SPF for all your mail. The page warns you and shows the existing record so you edit it rather than duplicate it.)

Why an include, and why this is safe. SPF is allowed only 10 DNS lookups before it fails. Every email provider you add — Google Workspace, a marketing tool, a billing system — costs lookups, and busy domains run out. "Flattening" resolves those providers down to their actual server addresses so your record stays under the limit. Pointing at mxio with one include lets us do that resolving for you and re-do it whenever a provider changes its addresses. It's your record, in your zone, with one entry pointed at the service. Learn the mechanics in What Is SPF Flattening?.

Step 3 — How mxio confirms it

After you publish, click Check DNS on the SPF page. mxio reads your domain's DNS directly from your nameservers and checks that your record now includes ours. (The page also checks quietly on its own, so it can update without you clicking.)

DNS changes can take a few minutes to show up. If the check doesn't match yet, it'll tell you — wait a moment and check again. It won't show a false failure.

Step 4 — What the statuses mean

The SPF card moves through a short, plain sequence:

• Available — provisioned and ready; you haven't pointed your record at it yet.
• Activating… — you've published the record and mxio is confirming it. Nothing for you to do; this clears on its own once your DNS is live.
• Active — it's on. mxio now keeps your record under the lookup limit and updates your senders' addresses automatically. You're done.
• Self-managed — you're maintaining SPF yourself (you never delegated it, or you handed it back). See "Switching back," below.

Step 5 — Switching back anytime

Managed SPF is reversible. From the SPF page you can hand it back: mxio gives you a complete, working SPF record to publish in place of the include, then steps out. The point is to save you the upkeep, not to keep you. Nothing in this flow is one-way.

---

Managed DMARC, step by step {#managed-dmarc}

Managed DMARC publishes and maintains your DMARC policy record for you, so you don't edit it by hand — and so your policy can move toward enforcement safely as your senders come into alignment.

The shape is identical to Managed SPF: one record you publish, the same statuses, the same free exit. The one difference is which record.

Step 1 — What mxio already did

When your domain became eligible, mxio set up your DMARC policy record in our zone and gave it a destination to point at (a CNAME target). Again: this happened on our side, nothing in your DNS changed, and the service sits ready. The DMARC card reads Available.

Step 2 — The one record you publish

For DMARC, the single record is a CNAME at the _dmarc name. The DMARC page shows it as a copyable TYPE / NAME / VALUE:

• Type: CNAME
• Name: _dmarc
• Value: the mxio target shown on the page

You replace your existing _dmarc record (a TXT record, if you have one) with this CNAME. The page shows you the record being replaced so you swap it rather than stack a second record at the same name — a name can't carry both a CNAME and a TXT.

Why a CNAME — and why this one record genuinely is delegated. SPF stays in your record with one entry pointed at us; DMARC works differently. By pointing _dmarc at mxio with a CNAME, you let us publish the policy on your behalf — which is exactly what lets us advance it from watching toward enforcement as your real senders line up, without you re-editing DNS at each step. You're handing over the contents of this one record so it can be kept correct. Everything else in your zone is untouched, and you can read exactly what we publish at any time. The phased path is covered in the DMARC Enforcement Journey.

Step 3 — How mxio confirms it

After you publish, click Verify CNAME on the DMARC page. mxio reads your _dmarc record straight from your nameservers and confirms it points at us. Like SPF, the page also checks on its own, and a not-yet-propagated record reports honestly ("not matched yet") rather than failing.

Step 4 — What the statuses mean

Same plain sequence as SPF:

• Available — ready; _dmarc not pointed at mxio yet.
• Activating… — you've published the CNAME and mxio is confirming it. Clears on its own.
• Active — mxio is publishing and maintaining your DMARC policy.
• Self-managed — you maintain _dmarc yourself (never delegated, or handed back).

Two statuses you may see if something needs your attention before activation: Needs review (an unusual tag in an existing DMARC record needs a quick decision) and Conflict (an old record is still in the way — for example a _dmarc TXT left alongside the new CNAME). Both tell you exactly what to clear.

What enforcement actually does — stated honestly. DMARC doesn't let mxio "block" anything. Your DMARC policy tells the receiving mail servers what to do with mail that fails the checks: at quarantine it directs them to send failing mail to spam; at reject it directs them to refuse it outright. The decision happens at each receiver, according to the policy you publish — so we describe it as what the policy directs, never as mail we blocked.

Step 5 — Switching back anytime

Managed DMARC is reversible too. Hand it back from the DMARC page and mxio gives you a working DMARC record to publish in place of the CNAME, then steps out. One DNS change in, one DNS change out.

---

Still stuck?

Everything above maps one-to-one to what's on screen. If the page isn't doing what this guide describes:

• Re-read the status word on the card — Available, Activating…, Active, Self-managed, Needs review, or Conflict — and match it to the step above.
• Give DNS a few minutes after publishing, then click Check DNS (SPF) or Verify CNAME (DMARC) again.
• Confirm you replaced the old record rather than adding a second one — two SPF records, or a TXT-plus-CNAME at _dmarc, is the most common snag.

For the bigger picture of why this is worth doing, see Managed Email Authentication and Who Sends Mail as Your Domain.

Related Articles

• Managed Email Authentication: What It Is and Why It Matters — the concept behind the walkthrough
• Who Sends Mail as Your Domain — your sender inventory, the foundation for both services
• The DMARC Enforcement Journey — the phased path from watching to enforcement
• What Is SPF Flattening? — how automated SPF management stays under the lookup limit