
Zoho Mail SPF, DKIM & DMARC Setup Guide

Set up email authentication for Zoho Mail. SPF include: spf.zoho.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:spf.zoho.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): (default selector generated by Zoho, customizable)
Key Type: 1024-bit or 2048-bit RSA (TXT record)
Setup: Zoho Admin Console > Mail Settings > Domain > DKIM > Generate key with selector > Publish TXT record > Verify and enable

Setup steps may change — refer to Zoho Mail's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: Zoho Mail sends from the org domain by default. Multiple selectors supported for different user groups.

Common Issues

  • DKIM record not found — some DNS providers auto-append domain to TXT hostname

  • SPF PermError — Zoho + marketing platform + transactional sender exceeds lookups

  • DMARC policy set to none — Zoho recommends moving to quarantine/reject after monitoring


Overview

Zoho Mail is a business email platform popular with SMBs, particularly organizations already using the Zoho ecosystem (CRM, Books, Projects, Desk). Also known as Zoho Workplace or Zoho Email in different product bundles, it provides the core email infrastructure for Zoho-centric organizations. Its SPF record uses include:spf.zoho.com, costing 1 DNS lookup.

Regional SPF Includes

Zoho operates regional data centers, each with its own SPF include domain. You must use the include that matches the region where your Zoho account is hosted:

Region           SPF Include
United States    spf.zoho.com
Europe           spf.zoho.eu
India            spf.zoho.in
Australia        spf.zoho.com.au
China            spf.zoho.com.cn

Using the wrong regional include causes SPF failures on every outbound message, because the sending IPs do not match the IP ranges in the published record. Check your Zoho account URL to determine your region — if you log in at mail.zoho.eu, use spf.zoho.eu.

DKIM Configuration

DKIM keys are generated in the Admin Console with a customizable selector name. Zoho supports multiple selectors per domain, which allows organizations to assign different signing identities to different user groups or departments. Both 1024-bit and 2048-bit RSA keys are supported, published as TXT records (not CNAME delegation). The DKIM setup has three distinct steps: generate the key and choose a selector name, publish the TXT record in DNS, then return to the Admin Console to verify and enable signing.

DMARC Alignment

Zoho Mail sends from the organization's domain by default, which means DMARC alignment works out of the box for both SPF and DKIM. The return-path uses your domain, so SPF alignment passes without additional configuration. DKIM alignment passes once the signing key is published and enabled, because the signing domain (d=) matches the From header domain.

Troubleshooting

DKIM Record Hostname Gotcha

A common DNS issue affects DKIM publishing: some DNS providers (GoDaddy, Namecheap) auto-append the domain suffix to the TXT record name. If you enter selector._domainkey.yourdomain.com as the hostname, the provider may store it as selector._domainkey.yourdomain.com.yourdomain.com. Use just selector._domainkey without the domain suffix if your provider appends automatically. Verify the published record with a DKIM checker after saving — this single issue accounts for a large percentage of failed DKIM setups across all providers, not just Zoho.

Wrong Regional Include

If SPF checks fail for all Zoho-sent messages, the most likely cause is using the wrong regional include. Organizations that started on zoho.com (US) and later migrated to zoho.eu (Europe) for GDPR compliance sometimes forget to update the SPF record. The fix is straightforward: replace the old regional include with the correct one. You do not need both — each region's include covers all sending IPs for that region's data center.

DKIM Key Not Signing After Publishing

Zoho's DKIM setup requires returning to the Admin Console to verify and enable signing after publishing the TXT record. If the TXT record is published but DKIM status shows "Pending" or "Not Verified," click the Verify button. If verification fails, the record is either not yet propagated, has a typo, or was published with the wrong hostname. Zoho does not automatically retry verification — you must manually trigger it.

2048-Bit Key TXT Record Truncation

Zoho supports 2048-bit RSA keys, which produce TXT record values longer than 255 characters. Some DNS providers split these into multiple strings automatically, which is correct per RFC 4408 (superseded by RFC 7208). Others truncate the value silently, breaking DKIM verification. If your 2048-bit key fails verification but a 1024-bit key works, your DNS provider is likely truncating the record. Check the raw DNS response to confirm the full key is published.
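
A check for the truncation case described above, added here as an example and not taken from Zoho's documentation or tooling: it joins the TXT strings the way a verifier does, decodes p=, and compares the length declared in the key's DER header with the bytes actually published. The sample record is constructed around a filler modulus, and the function and variable names are this example's own.

```python
import base64


def der_declared_length(blob):
    """Bytes the outer DER SEQUENCE says it occupies (header plus content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if blob[1] < 0x80:  # short form: the length fits in one byte
        return 2 + blob[1]
    n = blob[1] & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_dkim_key(strings):
    """strings: the character-strings of one TXT answer, in order.

    Returns (status, key bytes published, key bytes declared by the DER header).
    """
    record = "".join(strings)  # RFC 6376 3.6.2.2: join with no separator
    tags = {k.strip(): v for k, _, v in (t.partition("=") for t in record.split(";"))}
    p = "".join(tags.get("p", "").split())
    if not p:
        return ("missing", 0, 0)
    usable = p[: len(p) // 4 * 4]  # a cut-off value rarely ends on a 4-char boundary
    try:
        key = base64.b64decode(usable, validate=True)
        declared = der_declared_length(key)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", 0, 0)
    return ("truncated" if len(key) < declared else "complete", len(key), declared)


# Constructed sample: genuine SubjectPublicKeyInfo framing for a 2048-bit RSA key
# around a filler modulus (not a usable key; only the DER lengths matter here).
_SPKI = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                       "3082010a0282010100")
         + b"\xc5" * 256 + bytes.fromhex("0203010001"))
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(_SPKI).decode()
SPLIT_OK = [RECORD[i:i + 255] for i in range(0, len(RECORD), 255)]  # two strings
TRUNCATED = [RECORD[:255]]  # provider kept only the first 255 characters
```

Feed it the quoted strings from the raw TXT answer for your selector; a "truncated" result with fewer published bytes than declared means the DNS provider cut the value.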

Multiple Selectors for Departments

Zoho's support for multiple DKIM selectors per domain is useful for organizations that want to track DKIM signing by department or user group. Each selector gets its own key pair and TXT record. When troubleshooting, note that DKIM failures may affect only specific selectors — check which selector is used for the failing messages and verify that specific TXT record rather than testing a different selector.

Additional Setup Notes

Outgrowing the Zoho Ecosystem

Organizations growing beyond Zoho's ecosystem often add transactional senders (SendGrid, Postmark) and marketing tools (Mailchimp, HubSpot), stacking SPF lookups. Zoho's 1 lookup plus two or three additional providers can push a record toward the 10-lookup limit quickly, especially when those providers' includes contain nested references of their own.
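
The lookup arithmetic from this section, as an added example (not code from this guide's tooling): it walks nested includes and reports what each top-level include costs. Per RFC 7208 it also counts ptr and exists, which the summary above does not list; the zone is constructed, and every name and record in it except the name spf.zoho.com is hypothetical.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a PermError
QUERYING = {"a", "mx", "ptr", "exists"}  # each costs one lookup, no recursion needed

# Constructed zone standing in for live DNS. Only the name spf.zoho.com comes
# from the page; its contents, and every other name and record, are made up.
ZONE = {
    "example.test": "v=spf1 include:spf.zoho.com include:_spf.mktg.example "
                    "include:_spf.txn.example mx ~all",
    "spf.zoho.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mktg.example": "v=spf1 include:_a.mktg.example include:_b.mktg.example "
                         "include:_c.mktg.example include:_d.mktg.example ~all",
    "_spf.txn.example": "v=spf1 include:_x.txn.example include:_y.txn.example "
                        "a:mail.txn.example ~all",
}
for leaf in ("_a.mktg", "_b.mktg", "_c.mktg", "_d.mktg", "_x.txn", "_y.txn"):
    ZONE[leaf + ".example"] = "v=spf1 ip4:198.51.100.0/24 ~all"


def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms met while evaluating domain's SPF record."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # [1:] skips "v=spf1"
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        name, target = m.groups()
        if name in ("include", "redirect") and target:
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in QUERYING:
            total += 1
    return total


def spf_budget(domain, zone):
    """Return (total lookups, cost of each top-level include, verdict)."""
    per_include = {}
    for term in zone[domain].split():
        if term.startswith("include:"):
            inc = term.split(":", 1)[1]
            per_include[inc] = 1 + count_lookups(inc, zone, (domain,))
    n = count_lookups(domain, zone)
    return n, per_include, "permerror" if n > LIMIT else "ok"
```

For the constructed zone, spf_budget("example.test", ZONE) totals 11 lookups: 1 for Zoho, 5 for the marketing include, 4 for the transactional include and 1 for mx.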

Zoho CRM and Zoho Campaigns

If you use Zoho CRM or Zoho Campaigns alongside Zoho Mail, be aware that these products may send email through different infrastructure. Zoho Campaigns, for example, may use its own sending IPs not covered by spf.zoho.com. Check each Zoho product's SPF requirements individually. The good news: Zoho products share the same DKIM signing infrastructure, so a single set of DKIM records covers all Zoho products sending from your domain.

Migrating to Zoho Mail

When migrating to Zoho Mail from Google Workspace, Microsoft 365, or another email platform, update your SPF record to include the correct Zoho regional include before changing MX records. This ensures that mail sent from Zoho during the transition period passes SPF checks. Keep the old provider's SPF include active during the migration window — remove it only after confirming all mailboxes are fully migrated and the old platform is no longer sending on your behalf.

Migrating Away from Zoho Mail

When migrating away from Zoho, remove spf.zoho.com (or the regional equivalent) from your SPF record only after all mailboxes are moved and no Zoho services are still sending email for your domain. Zoho CRM, Zoho Desk, and other ecosystem products may continue sending email even after you stop using Zoho Mail — verify that all Zoho products are decommissioned before removing the include.

Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget for additional providers.
