Help Scout signs your replies as helpscout.net “on behalf of” your domain until you add two DKIM CNAMEs — the one step that makes those tickets authenticate as you.
Help Scout stopped needing an SPF include in 2024 — it now passes SPF automatically through a VERP return-path on helpscout.net — so the only records you add are two DKIM CNAMEs: strong1._domainkey → strong1._domainkey.helpscout.net and strong2._domainkey → strong2._domainkey.helpscout.net. Because mail is sent “on behalf of” your domain from helpscout.net, DKIM is the only route to DMARC alignment. Source: docs.helpscout.com · verified 2026-07-15
p=none and a rua address, watch reports for a week, confirm this sender shows 100% pass.No. Adding SPF includes and DKIM records only adds authentication — it never blocks existing mail. The only risky step is tightening your DMARC policy, and that comes later, after reports confirm everything passes.
Send yourself a test email and inspect the headers for spf=pass, dkim=pass and dmarc=pass — or just watch your DMARCKeeper dashboard: the sender's pass rate should hit 100% within a day or two.
Yes. SPF and DKIM authenticate mail; DMARC is what tells receivers to BLOCK mail that fails, and it's the piece Gmail, Yahoo and Outlook now check for explicitly.