Setup Guide

How to Set Up SPF, DKIM, and DMARC for Intercom

Intercom is a customer messaging platform that sends email on behalf of your domain — outbound campaigns, automated onboarding sequences, proactive support messages, and replies to customer conversations. Because Intercom sends directly from your domain's From address, proper authentication is critical for both deliverability and DMARC compliance.

SPF Configuration

No SPF changes are required for Intercom. Intercom handles SPF entirely by setting a custom return-path on all outgoing email. Their sending infrastructure uses intercom-mail.com internally, but customers do not add any include to their domain's SPF record. Intercom's documentation states explicitly: "Intercom handles SPF for you by setting a custom return-path on all emails we send."

Your existing SPF record requires no modification for Intercom. Focus on DKIM setup and the optional return-path CNAME (which enables SPF alignment under DMARC).

Verify your total lookup count has not been affected by any recent changes with the SenderClarity SPF Checker.

DKIM Configuration

Intercom configures DKIM and the optional return-path CNAME through their email channel settings.

  1. In Intercom, go to Settings → Channels → Email → Domains & addresses.
  2. Select your email address and click Authenticate your domain.
  3. Intercom provides two CNAME records and one optional return-path CNAME:
Type:  CNAME
Host:  intercom._domainkey
Value: (provided by Intercom — unique to your account)

Type:  CNAME
Host:  (subdomain provided by Intercom)
Value: (provided by Intercom — handles return-path for SPF alignment)
  1. Add the DKIM CNAME to your DNS. Add the return-path CNAME as well — it is optional but strongly recommended for SPF alignment under DMARC (see Considerations section).
  2. Return to Intercom and complete verification.

Intercom uses CNAME-based DKIM so they can rotate keys without requiring DNS changes on your end. The exact CNAME target values are account-specific and only visible inside the Intercom dashboard.

Cloudflare users: Set both CNAMEs to DNS Only (grey cloud). Proxied CNAMEs will break DKIM verification.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming Intercom traffic passes:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Intercom

  • The return-path CNAME is what enables SPF alignment: Without it, DKIM provides alignment but SPF does not. Both can pass under DMARC with just the DKIM CNAME in place, but adding the return-path CNAME achieves full dual alignment — making your DMARC setup more resilient. Intercom recommends adding it even though it is labeled optional.

  • Intercom sends from AWS infrastructure: Intercom's sending IPs are AWS us-west-2 addresses (52.x.x.x ranges). Before domain authentication is complete, messages will appear in DMARC reports as intercom-mail.com with no alignment to your domain. After DKIM setup, the d= tag in DKIM results will show your domain.

  • Support replies are your most reputation-sensitive traffic: When customers email your support address and an agent replies through Intercom, that reply must pass DMARC. A failed authentication on a support reply directly erodes customer trust. Prioritize Intercom DKIM setup before moving to any enforcement policy on your DMARC record.

  • Developer workspaces cannot send outbound email: If your Intercom account is a Developer workspace, outbound email is disabled entirely regardless of DNS configuration. This is an account-type restriction, not a DNS issue.

  • Each email address requires its own authentication: If you use multiple support addresses in Intercom from different domains (e.g., support@company.com and help@subsidiary.com), each domain requires its own DKIM CNAME and return-path CNAME. Authenticating one does not cover the other.

Verification

  • Check your SPF record →
  • Send a test outbound message from Intercom and inspect the email headers
  • Confirm dkim=pass aligned to your domain in the Authentication-Results header
  • Monitor DMARC reports in SenderClarity for Intercom traffic

Common Issues

DKIM verification failing: DNS propagation can take up to 48 hours. If verification still fails after that, confirm the CNAME record is DNS Only in Cloudflare (not proxied) and that your DNS provider has not appended your domain name to the host, resulting in a doubled suffix.

SPF alignment still failing after return-path CNAME: Confirm the second CNAME (the return-path record) was added correctly and has propagated. This is separate from the DKIM CNAME — both are required for full alignment.

"Via intercom-mail.com" label in email clients: This appears before domain authentication is complete. Once the DKIM CNAME is active and verified, Intercom signs messages with your domain and the label disappears.

SPF Lookup Impact

Include Estimated Lookups
Intercom (no include required) 0

Intercom adds no lookups to your domain's SPF record. Their return-path handling is managed entirely on their side.