08 Integration

Hetk + Domain-verified Privacy Policy

How IT admins enforce domain-wide privacy policy for calendar syncs. DNS-verified, provider-agnostic, no OAuth scopes required.

What this does

Domain-verified privacy policy allows IT admins to enforce that all calendar events leaving their organisation are marked private when synced via Hetk. Configuration is a single TXT DNS record at _hetk.<your-domain>. No admin login, no OAuth approval, no Hetk admin portal — the admin controls policy in the same way they control DMARC or SPF.

When policy is active, all sync relationships that source events from a user’s @yourdomain email address will automatically mark those events as private during sync, regardless of the user’s individual privacy settings. The user sees a banner in the Hetk app explaining that policy is in effect; they cannot disable it (policy is enforced server-side).

The policy is DNS-verified, provider-agnostic, and applies to both Google Workspace and Microsoft 365 users at your organisation.

How to enable

Add a single TXT record to your domain’s DNS. Replace yourdomain.com with your actual domain:

Setting  Value
Host     _hetk.yourdomain.com
Type     TXT
Value    v=hetk1; policy=private

Example in common DNS providers:

_hetk.yourdomain.com  TXT  "v=hetk1; policy=private"

If your organisation uses multiple subdomains for email (e.g. @eu.yourdomain.com, @us.yourdomain.com), add the record for each subdomain separately:

_hetk.eu.yourdomain.com  TXT  "v=hetk1; policy=private"
_hetk.us.yourdomain.com  TXT  "v=hetk1; policy=private"

Once the DNS record is in place, Hetk will read it within 60 seconds. New sync relationships will enforce the policy immediately. Existing syncs will enforce policy the next time their events are updated.

How to verify

Use the Hetk Policy Setup page to verify your DNS record is in place and readable by Hetk. Enter your domain, and the page will attempt to read the TXT record and show the current policy state. There is also a Force Refresh button if you’ve just added or changed the record and want to check immediately.

How to disable

To turn off policy, either:

  1. Delete the TXT record from your DNS.
  2. Or change the record value from policy=private to policy=none:
     _hetk.yourdomain.com  TXT  "v=hetk1; policy=none"

The change takes effect within 60 seconds plus DNS propagation time. After that, the user’s individual privacy settings take effect again.

What it doesn’t do

  • No retroactive rewrite. Past events that were already synced are not rewritten. Policy applies only to events updated after the policy is first read by Hetk. If you want to rewrite past events, that is a manual action and a separate conversation with support.
  • No per-user audit log. Hetk does not track which syncs had policy applied to them, or maintain a per-admin dashboard of user activity. This is intentional — Hetk is not a directory or governance tool. If you need audit detail, that is a post-MVP feature.
  • No consumer email providers. Policy is rejected for consumer domains like gmail.com, outlook.com, icloud.com, etc. This avoids spurious policy on personal email and aligns with the Hetk model (consumer sync, not organisation-wide management).
  • Source-side only. The policy enforces privacy on events leaving your domain. Incoming events (events into your domain calendars from external sources) are not affected by your policy. Only @yourdomain email addresses trigger the policy.

Troubleshooting

Record isn’t being read

  • Check the domain. The TXT record must be at _hetk.<yourdomain>, not at the root domain.
  • Check the format. The value must start with v=hetk1;. Anything else is ignored.
  • Wait for DNS propagation. New records can take a few minutes to propagate to Hetk’s DNS resolver.
  • Try Force Refresh. Use the Policy Setup page and click Force Refresh to clear Hetk’s cache and re-read immediately.

Policy appears to apply to the wrong email address

  • Exact-match only. Hetk looks up policy for the exact email domain. [email protected] will look for _hetk.eu.yourdomain.com, not _hetk.yourdomain.com. Multi-subdomain organisations must add records for each subdomain.
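
The lookup and format rules on this page (the exact-match _hetk.<domain> name, the v=hetk1; prefix, rejection of consumer domains) modelled as an added Python example for checking a record before publishing it; this is not Hetk's code. SAMPLE_TXT is constructed data standing in for DNS answers, and the tag parsing details and the handling of unknown policy values are assumptions.

```python
# Added example: models the lookup and parsing rules stated on this page.
# Tag parsing details (whitespace, unknown policy values) are assumptions.

CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "icloud.com"}  # the page's examples only

# Constructed zone data standing in for real DNS answers.
SAMPLE_TXT = {
    "_hetk.yourdomain.com": ['"v=hetk1; policy=private"'],
    "_hetk.us.yourdomain.com": ['"v=hetk1; policy=none"'],
    "_hetk.bad.yourdomain.com": ['"policy=private; v=hetk1"'],  # wrong tag order
    "_hetk.gmail.com": ['"v=hetk1; policy=private"'],
}


def lookup_name(email):
    """Exact-match rule: the record name is _hetk.<full email domain>."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return "_hetk." + domain.strip().rstrip(".").lower()


def parse_policy(txt_value):
    """Return 'private', 'none', or None when the record is ignored."""
    value = txt_value.strip().strip('"').strip()
    if not value.startswith("v=hetk1;"):
        return None  # page: a value that does not start with v=hetk1; is ignored
    tags = {}
    for part in value.split(";")[1:]:
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip().lower()
    policy = tags.get("policy")
    return policy if policy in ("private", "none") else None


def effective_policy(email, txt_records):
    """Policy for a sync sourced from `email`; 'none' means user settings apply."""
    name = lookup_name(email)
    if name[len("_hetk."):] in CONSUMER_DOMAINS:
        return "none"  # consumer domains are rejected
    for raw in txt_records.get(name, []):
        policy = parse_policy(raw)
        if policy is not None:
            return policy
    return "none"  # no usable record, and no fallback to the parent domain
```

With the sample data, an address at eu.yourdomain.com resolves to no policy even though yourdomain.com has one, which is the exact-match behaviour described above.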

Users aren’t seeing the policy banner

  • Check the sync source. The policy applies only if the source identity of the sync is under policy. A sync to an @yourdomain calendar from an external email does not trigger policy.
  • Check the email domain. The user’s email in Hetk must match the domain with the policy record. If they signed up with [email protected] and later changed their work email to [email protected], they may need to re-authenticate for the policy to apply.
