DMARCER
Sign in

Connecting a DNS provider

How to connect your DNS provider to DMARCER so it can read your live DNS and, once you approve, apply your SPF, DKIM, DMARC, MTA-STS and DNSSEC fixes for you.

Published 29 Jun 2026 4

Connecting a DNS provider lets DMARCER read your live DNS and, once you are ready, apply the record changes you approve. That means one-click fixes for SPF, DKIM, DMARC, MTA-STS and DNSSEC, with no need to copy records by hand into your provider's control panel. You add a provider on the Integrations page, give it a name, paste the provider's API credentials, and DMARCER finds your zones so you can link them to the domains you already manage in DMARCER.

What connecting a provider does

A DNS provider integration safely stores one set of API credentials (encrypted while stored, and never shown in logs) and uses them to talk to your DNS host. Once it is connected, DMARCER can list the zones those credentials can see, read the current records, and write back the fixes you publish. Each integration keeps its own credentials, so you can hold several at once (for example, one per client) and tell them apart by their friendly name. That name also appears in the audit log next to every change made through it, so you always have a clear record.

Before you start: provider credentials

Each provider signs you in differently, so it helps to create the right credential in the provider's own dashboard first. DMARCER works with the following DNS providers, and each one has its own set of fields in the Add Integration form:

  • ICUK: your ICUK username and password.
  • Cloudflare: a single API token created under My Profile then API Tokens, using the Edit zone DNS template (Zone:Read plus DNS:Edit).
  • Azure DNS: a Microsoft Entra service principal given the DNS Zone Contributor role on the resource group that holds your zones. You paste five values: Entra tenant ID, subscription ID, service principal client ID, client secret and resource group.
  • Google Cloud DNS: a service account given the DNS Administrator role, then paste the whole downloaded JSON key. DMARCER keeps only the few fields it needs (project_id, client_email, private_key, token_uri), never the raw file.
  • GoDaddy: a Production API key and secret from developer.godaddy.com. Please note that GoDaddy only opens up Production DNS API access to higher-tier accounts.
  • IONOS Cloud DNS: a public prefix and secret created at developer.hosting.ionos.com.
  • AWS Route 53: an IAM access key ID and secret access key for a user who can list hosted zones, list record sets and change record sets.
  • Plesk DNS: an API key from Tools and Settings then API Keys, plus the full panel URL including the port (usually 8443).

Connecting your provider step by step

  1. Open Integrations and, on the DNS tab, click Add DNS integration.
  2. Under Type of integration, choose DNS provider.
  3. Pick your host from the Provider list (ICUK, Azure DNS, Cloudflare, Google Cloud DNS, GoDaddy, IONOS Cloud DNS, AWS Route 53 or Plesk DNS).
  4. Enter a Friendly name (up to 120 characters) so you can tell this credential apart from your others, for example 'Acme Corp - ICUK'.
  5. Fill in the provider-specific credential fields that appear for the provider you chose.
  6. Leave 'Start in TEST mode (recommended)' and 'Sync zones immediately after connecting' ticked.
  7. Click Connect. DMARCER runs a connection test straight away and, if the sync option is ticked, finds your zones and tells you how many it found.

[Screenshot: the Add Integration modal with DNS provider selected, showing the provider dropdown, friendly name and the TEST mode and Sync zones options]

TEST mode versus LIVE

A new integration starts in TEST mode. In TEST mode DMARCER does not make any real DNS changes, so it is completely safe to connect, review what it found and check that the credentials work. When you are happy for DMARCER to apply the changes you approve, open the integration's menu and use Switch mode to flip it to LIVE. Switching mode sets the connection status back to Untested (because TEST and LIVE can use different platforms), so just run the connection test again afterwards to refresh the status badge.

Linking zones to your domains

Finding zones is not quite the same as managing them. After a sync, open the integration's menu and choose Manage zones and links. DMARCER sorts the zones it found into groups so you can see what is happening at a glance:

  • Matched, unlinked: the zone name matches a DMARCER domain but has no link yet. Use Link all matched to link every matching, writable zone in one go, or link them one at a time.
  • Linked here: the zone is already linked to one of your DMARCER domains through this integration.
  • Broken links: the zone is linked to a DMARCER domain here, but its nameservers now point elsewhere, so DMARCER can no longer write to it. Fix the nameservers, or unlink and relink it through the integration that now serves the zone.
  • Linked elsewhere: the matching domain is already linked through a different integration. A domain can be linked through only one provider at a time, so these are shown but held back until you unlink the other one.
  • No DMARCER domain: the zone does not have a matching DMARCER domain yet.

DMARCER only offers to link a zone it can genuinely write to. A zone can still exist at the provider even though its nameservers at the registry now point somewhere else (sometimes called a ghost zone). Any changes to it would never reach the real world, so DMARCER marks it as read-only and skips it when you use Link all matched.

Common pitfalls

  • Not enough permissions on the credential: if the connection test fails with a sign-in error, check the token or key has the permissions listed above (for example, Cloudflare needs DNS:Edit, not just read).
  • Plesk self-signed certificate: if your Plesk panel uses a self-signed certificate the connection will fail. Install a proper certificate (Plesk's one-click Let's Encrypt option does this for you).
  • GoDaddy account tier: GoDaddy only opens up Production DNS API access to higher-spend accounts. If the test comes back as 'forbidden', it usually means your account does not yet qualify, and you will need to take it up with GoDaddy.
  • DNSSEC over the API: AWS Route 53 and IONOS do not let you manage DNSSEC through their APIs, so DMARCER cannot switch it on or off for those providers. Please manage DNSSEC in the provider's console or at your registrar instead.
  • A zone matches but will not link: this almost always means the domain is already linked through another integration, or the zone's nameservers point elsewhere so it is read-only.
  • Forgetting to go LIVE: while the integration stays in TEST mode, no real records are written. Switch to LIVE and re-test once you have reviewed what DMARCER found.

Was this article useful?

Be the first to vote.
Got feedback for our team? Send us a comment

Related articles

Connecting ICUK

How to connect your ICUK reseller account to DMARCER so it can read your DNS, find the domains you host at ICUK, and publish the email-security records you approve (SPF, DMARC, MTA-STS, DKIM) plus manage DNSSEC.

Adding a domain (MSP)

How to add a client's domain as an MSP, assign it to the right customer, and verify ownership so you can start monitoring.