Add signing for transactional emails on partners’ name servers

More instructions, information, and context in this knowledge share (███████████████).

When launching a site, we have two options for the DNS records. We can use our nameservers or point A Records to our IP addresses to keep using external nameservers.

Our default should always be to point a domain’s nameserver records to our services, especially after the recent improvements in signing for transactional emails. If the domain is using our nameservers, the necessary outbound email records for SPF, DKIM, and DMARC are added automatically. If it’s using any other nameservers, you’ll need to add some or all of those records, in addition to A records, when pointing a domain to our services. These records should only be added to the primary domain, unless we are hosting a site on a subdomain.

From February 2024, Google and Yahoo will require email senders to authenticate messages sent from website domains. This means that transactional emails (lost password, order confirmation, email notifications, etc.) might not be delivered to the recipient if the below records are not in place.

The guides below are collected from the public documentation:

DKIM (required)

The DKIM (DomainKeys Identified Mail) records should be added to the primary domain (unless the site is on a subdomain, such as blog.site.com).

Sites hosted on WordPress.com

| Type | Host | Value/Target/Alias To |
|---|---|---|
| CNAME | wpcloud1._domainkey | wpcloud1._domainkey.wpcloud.com. |
| CNAME | wpcloud2._domainkey | wpcloud2._domainkey.wpcloud.com. |

Public documentation

Sites hosted on Pressable

| Type | Host/Name | Value/Target/Alias To |
|---|---|---|
| CNAME | openhosting1._domainkey | openhosting1._domainkey.wpcloud.com. |
| CNAME | openhosting2._domainkey | openhosting2._domainkey.wpcloud.com. |

Public documentation

SPF (optional/required)

SPF (Sender Policy Framework) records help identify which servers are allowed to send messages for your domain. There can be only one SPF record per domain; to modify/update an existing SPF record, this tool can be useful.

Sites hosted on WordPress.com (required)

If an SPF TXT record doesn’t exist, you will need to add the following:

| Type | Host | Value |
|---|---|---|
| TXT | @ | v=spf1 include:_spf.wpcloud.com ~all |

Public documentation

If you are sending from a subdomain, the Host value should be the subdomain string. For example, if your subdomain is news.yourgroovydomain.com, you would enter news in the Host field instead of @.

Sites hosted on Pressable (usually not needed)

This record is generally not required for Pressable’s site email delivery service, as it’s already set on Pressable’s sending server.

However, the partner’s domain may be leveraging other email-sending services that do require SPF records.

If you do encounter issues and do not already have an SPF record, you may consider adding the following SPF record, but it is generally not necessary for transactional emails sent from a Pressable-hosted site.

| Type | Host/Name | Value |
|---|---|---|
| TXT | @ | v=spf1 include:wpdatacenter.com ~all |

Public Documentation

If an SPF record already exists

If you already have an SPF record, you need to combine the existing record with our SPF include into a single SPF (TXT) record.

For example, if the value of the record looks like this:

v=spf1 include:_spf.google.com ~all

Add the include: mechanism for the applicable service before the final ~all in the record value.

For example, for sites on WordPress.com: v=spf1 include:_spf.google.com include:_spf.wpcloud.com ~all
For example, for sites on Pressable: v=spf1 include:_spf.google.com include:wpdatacenter.com ~all

Please note that there is a maximum of 10 DNS lookups, including nested ones, in the SPF record (you can check the number with a tool like The SPF Surveyor). If a domain already has many domains present in its SPF record, please consult the ███████████████ or your fellow TAMs.
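The merge step described above can be scripted. The following is an added example, not part of the handbook or of any hosting tooling; the function names add_include and top_level_lookups are hypothetical. The lookup count covers only the terms in the record itself, since nested includes can only be counted by resolving them.

```python
# Added example (not from the handbook): merge a hosting include into an
# existing SPF record. Function names are hypothetical.

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208, 4.6.4


def _bare(term):
    """Strip the optional qualifier (+ - ~ ?) from an SPF term."""
    return term[1:] if term[:1] in "+-~?" else term


def add_include(record, include_domain):
    """Return record with include:<include_domain> before the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    if any(_bare(t).lower().startswith("redirect=") for t in terms):
        # With redirect= the policy lives in another record; merge by hand.
        raise ValueError("record uses redirect=; review manually")
    wanted = "include:" + include_domain
    if any(_bare(t).lower() == wanted.lower() for t in terms):
        return " ".join(terms)  # already present, nothing to change
    for i, term in enumerate(terms):
        if _bare(term).lower() == "all":
            terms.insert(i, wanted)  # keep the existing qualifier on 'all'
            break
    else:
        # No 'all' mechanism: append the include and the handbook's ~all.
        terms += [wanted, "~all"]
    return " ".join(terms)


def top_level_lookups(record):
    """Count terms in this record that trigger a DNS lookup.

    Nested includes add their own lookups, so this is a lower bound on the
    total that counts toward the limit of 10.
    """
    count = 0
    for term in record.split()[1:]:
        name = _bare(term).lower()
        mech = name.split(":", 1)[0].split("/", 1)[0]
        if mech in LOOKUP_MECHANISMS or name.startswith("redirect="):
            count += 1
    return count
```

Running add_include twice with the same domain returns the record unchanged, which avoids duplicate include terms that would each consume a lookup.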

DMARC (suggested/required)

DMARC (Domain-based Message Authentication Reporting and Conformance) is suggested for all domains and is required for bulk senders (5000+ emails/day).

A domain can only have one DMARC record, so check first whether one exists. It will look something like this:

TXT _dmarc.primarydomain.com. v=DMARC1;p=none;

Sites hosted on both Pressable and WordPress.com

If a DMARC record doesn’t exist, you can add the following:

| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; |

Public documentation, WordPress.com and Pressable.

If you find yourself with a partner that is experiencing email deliverability issues or is particularly concerned about email authentication and signing, please consult the ███████████████ or your fellow TAMs.

DMARC policies can be much more granular, including blocking emails that don’t pass SPF/DKIM checks. Services like Postmark and Cloudflare offer free DMARC management if a partner wants to get a weekly email with stats (Postmark) or see a dashboard with email stats (Cloudflare).