Which Email DNS Fixes Can Be Automatic (and Why Some Can't)
See which email DNS fixes Domain Email Doctor can apply for you, which ones need your input, and the reason behind each, from SPF and DMARC to DKIM and MTA-STS.
After a scan, some fixes show a "Fix this for me" button while others only show you the exact records to add yourself. That is deliberate. We auto-apply a change only when it is safe and unambiguous, and we guide you by hand for everything that needs your judgment or a value only your provider can give you.
Two questions decide whether a fix can be automatic. First: can we reach the place your DNS is managed? Second: even if we can, is the change safe to make without your input? This guide walks through both, so the result page never feels arbitrary.
On this page
Question 1: Can we reach your DNS host?
Writing a DNS record always needs the cooperation of whoever hosts your DNS. There is no way around that, so the first thing that decides auto-fix is where your domain's nameservers point.
| Where your DNS is hosted | What you get |
|---|---|
| Cloudflare or Porkbun | "Fix this for me" - you create a scoped API key, approve each change, and we write the record. We never see your password and never delete anything. |
| GoDaddy and similar hosts | We show you the exact records to paste, with host-specific steps, usually about two minutes. One-click apply for these hosts is in the works. |
| We could not tell | The fix wizard helps you find where your DNS is managed, then shows the exact records for that host. |
If your host is in a manual row today and you want one-click fixes, the fastest path is to move your DNS to a host that supports them. See Move your DNS to Cloudflare, which walks through copying your records first so nothing breaks.
Question 2: Is the fix safe to apply without your input?
Reaching your host is only half of it. Some changes are safe to make from a template; others can quietly break your mail or simply cannot be guessed. Here is every fix, grouped by the reason it is automatic or not.
| Fix | How we handle it | Why |
|---|---|---|
| Missing SPF, a starter DMARC record (p=none), MX for a known provider, or tightening a too-soft SPF all-qualifier | Auto-fix | The correct value is deterministic and evidenced by your own DNS, and we never overwrite a stronger record you already have. |
| Raising your DMARC policy from p=none to quarantine or reject | Guided | This is the single biggest deliverability lever, but doing it before SPF and DKIM are aligned can send legitimate mail to junk. We explain it and let you decide. |
| DMARC and TLS-RPT reporting addresses | You provide the destination | Reports have to go somewhere you control. We cannot invent a mailbox or a reporting service for you. |
| MTA-STS | Advisory only | The DNS record is easy, but MTA-STS also needs a policy file hosted at a special URL on your domain. Publishing only the DNS half creates a broken policy, which is worse than not having it. |
| DKIM keys, a BIMI logo, or Google and Microsoft verification tokens | Copy from your provider | These are generated by your email or brand provider and are unique to you. There is nothing for us to invent. |
| Merging, repairing, or flattening an existing SPF record | Your judgment | Deciding which senders are real and which to drop is a human call. Rewriting SPF automatically could silently stop a service you actually use. |
What this means on your results page
Every fixable finding on your report follows the same rule:
- When a fix is safe and your host is reachable, you get "Fix this for me" next to "I'll fix it myself".
- When a fix is safe but your host is manual, you get the exact records to paste and host-specific steps.
- When a fix needs your judgment or a provider value, we explain what to do and link the relevant guide instead of a one-click button.
None of this changes what your scan reports. It only changes how the fix is delivered: the records and explanations are the same whether you apply them yourself or let us do it.
For the background on the records themselves, see SPF vs DKIM vs DMARC and the DMARC record checker.
Quick checklist
- Auto-fixed when safe and your host is reachable: missing SPF, a starter DMARC, known-provider MX, and SPF all-qualifier tightening.
- Guided, never automatic: raising DMARC to quarantine or reject - confirm SPF and DKIM align first.
- You provide: DMARC and TLS-RPT reporting addresses, a destination only you choose.
- Advisory only: MTA-STS, because it also needs a hosted policy file, not just a DNS record.
- Copy from your provider: DKIM keys, BIMI logos, and verification tokens, which we cannot invent.