Require that calendar events leaving your organisation through Hetk are marked private. The control is a single TXT record at _hetk.<your-domain>, configured in the same place as your DMARC and SPF records. There is no Hetk admin portal to log in to and no additional OAuth scope to approve.
What this does
When the policy record is in place, every sync sourced from a user’s @yourdomain email address has its events marked private as Hetk writes them to the destination calendar. The title becomes “Busy”; description, location, and attendee list are cleared. The user’s per-sync privacy setting is bypassed when policy says so; the policy wins.
Inside the Hetk app, the user sees a banner above the privacy controls naming the domain the policy comes from and showing when Hetk last read the record. They can see which sync is policy-managed, but they cannot turn enforcement off from inside Hetk. To exit the policy, the user removes the affected identity from Hetk; their other identities are unaffected.
The mechanism is provider-agnostic. The same TXT record covers users on Google Workspace and Microsoft 365 at your domain.
How to enable
Add a single TXT record to your domain’s DNS. Replace yourdomain.com with your actual domain:
| Setting | Value |
|---|---|
| Host | _hetk.yourdomain.com |
| Type | TXT |
| Value | v=hetk1; policy=private |
Example in common DNS providers:
_hetk.yourdomain.com TXT "v=hetk1; policy=private"
If your organisation uses multiple subdomains for email (e.g. @eu.yourdomain.com, @us.yourdomain.com), add the record for each subdomain separately:
_hetk.eu.yourdomain.com TXT "v=hetk1; policy=private"
_hetk.us.yourdomain.com TXT "v=hetk1; policy=private"
Once the DNS record is in place, Hetk will read it within 60 seconds. New sync relationships will enforce the policy immediately. Existing syncs will enforce policy the next time their events are updated.
How to verify
Use the Hetk Policy Setup page to verify your DNS record is in place and readable by Hetk. Enter your domain, and the page will attempt to read the TXT record and show the current policy state. There is also a Force Refresh button if you’ve just added or changed the record and want to check immediately.
How to disable
To turn off policy, either:
- Delete the TXT record from your DNS.
- Or change the record value from
policy=privatetopolicy=none:
_hetk.yourdomain.com TXT "v=hetk1; policy=none"
The change takes effect within 60 seconds plus DNS propagation time. After that, the user’s individual privacy settings take effect again.
What your users see
The first time policy applies to a sync, the affected user gets a one-time email from Hetk:
Your work calendar
@yourdomain.comis now under domain-wide private-sync policy, set by your IT administrator via DNS. Existing syncs from this address will mark events as “Busy” with details stripped.
Inside the Hetk app, a banner appears above their privacy controls naming the domain the policy comes from and showing the timestamp of Hetk’s last successful policy read. The banner stays visible while policy is in effect and disappears within 60 seconds of the record being removed or changed to policy=none.
The user has no opt-out from inside Hetk. If they want to remove a specific calendar from policy entirely, they unlink that identity from their Hetk account; their other connected identities are unaffected.
How Hetk handles DNS failures
Hetk reads your _hetk.<domain> record via DNS-over-HTTPS to Cloudflare 1.1.1.1, bypassing the host’s stub resolver. Successful reads are cached for 60 seconds. If a read fails (network error, upstream timeout, signed-response failure), Hetk falls back to the last successful answer for up to 24 hours.
If 24 hours pass with no successful read, Hetk pages on-call and emails the address listed as the admin contact for the affected domain. Policy enforcement does not silently flip on or off in either direction — an operator decides the safe action with full context, and the default action is to pause syncs for the affected organisation until DNS resolution recovers.
For a domain that has never had a successful policy read (cold start during a DoH outage), Hetk treats the policy as absent. This avoids spurious enforcement on a domain that may never have had a Hetk policy in the first place.
What it doesn’t do
- No retroactive rewrite. Past events that were already synced are not rewritten. Policy applies only to events updated after the policy is first read by Hetk. If you want to rewrite past events, that is a manual action and a separate conversation with support.
- No per-user audit log. Hetk does not track which syncs had policy applied to them, or maintain a per-admin dashboard of user activity. This is intentional — Hetk is not a directory or governance tool. If you need audit detail, that is a post-MVP feature.
- No consumer email providers. Policy is rejected for consumer domains like
gmail.com,outlook.com,icloud.com, etc. This avoids spurious policy on personal email and aligns with the Hetk model (consumer sync, not organisation-wide management). - Source-side only. The policy enforces privacy on events leaving your domain. Incoming events (events into your domain calendars from external sources) are not affected by your policy. Only
@yourdomainemail addresses trigger the policy.
Troubleshooting
Record isn’t being read
- Check the domain. The TXT record must be at
_hetk.<yourdomain>, not at the root domain. - Check the format. The value must start with
v=hetk1;. Anything else is ignored. - Wait for DNS propagation. New records can take a few minutes to propagate to Hetk’s DNS resolver.
- Try Force Refresh. Use the Policy Setup page and click Force Refresh to clear Hetk’s cache and re-read immediately.
Policy appears to apply to the wrong email address
- Exact-match only. Hetk looks up policy for the exact email domain.
alice@eu.yourdomain.comwill look for_hetk.eu.yourdomain.com, not_hetk.yourdomain.com. Multi-subdomain organisations must add records for each subdomain.
Users aren’t seeing the policy banner
- Check the sync source. The policy applies only if the source identity of the sync is under policy. A sync to an
@yourdomaincalendar from an external email does not trigger policy. - Check the email domain. The user’s email in Hetk must match the domain with the policy record. If they signed up with
alice@oldomain.comand later changed their work email toalice@yourdomain.com, they may need to re-authenticate for the policy to apply.
See also
- /integrations/google-workspace/
- /integrations/microsoft-365/
- /security/
- /blog/microsoft-admin-consent-outlook-calendar/ — separate Microsoft admin question (OAuth approval), not domain policy
- Hetk Policy Setup — Check your policy status