Sending & Deliverability
How to Set Up SPF, DKIM, and DMARC Records
Why Email Authentication Matters
Email authentication prevents spoofing and improves deliverability. Without it, ISPs are more likely to send your emails to spam.
SPF (Sender Policy Framework)
SPF tells receiving servers which IPs are allowed to send email for your domain.
Setup
Add a TXT record to your domain's DNS:
yourdomain.com TXT "v=spf1 include:amazonses.com include:sendgrid.net ~all"
Key Rules
- Only ONE SPF record per domain
- Use `include:` for each sending service
- End with `~all` (softfail) or `-all` (hardfail)
- Max 10 DNS lookups (keep includes minimal)
Verify
dig TXT yourdomain.com | grep spf
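An added example, not from the original page: a small linter for the Key Rules above that also counts the DNS lookups hidden behind nested includes, which the `dig` check does not reveal. The zone data, the `.example` domains and the function names are assumptions constructed for illustration; real use would replace `ZONE` with live TXT queries.

```python
# Constructed TXT data standing in for live DNS (assumed names, not real records).
ZONE = {
    "yourdomain.com": ["v=spf1 include:esp-a.example include:esp-b.example ~all"],
    "esp-a.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "esp-b.example": ["v=spf1 include:p1.esp-b.example include:p2.esp-b.example -all"],
    "p1.esp-b.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "p2.esp-b.example": ["v=spf1 a mx -all"],
    "twice.example": ["v=spf1 include:esp-a.example ~all", "v=spf1 mx ~all"],
    "open.example": ["v=spf1 include:esp-a.example"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " ~all"],
    **{f"s{i}.example": ["v=spf1 mx -all"] for i in range(6)},
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

def spf_records(domain, zone=ZONE):
    """TXT strings for `domain` that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=()):
    """Count lookup-costing terms, following include/redirect recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:   # include loop or unusable target
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0]             # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Check the Key Rules above; returns a list of problems (empty = clean)."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"expected exactly 1 SPF record, found {len(records)}"]
    problems = []
    if records[0].lower().split()[-1] not in ("~all", "-all"):
        problems.append("record does not end with ~all or -all")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, limit is 10")
    return problems

if __name__ == "__main__":
    for d in ("yourdomain.com", "twice.example", "open.example", "heavy.example"):
        print(d, count_lookups(d), lint_spf(d) or "OK")
```

In the constructed data, `yourdomain.com` shows only two includes but costs six lookups once the nested records are followed, which is how a short-looking record ends up over the limit.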
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your emails proving they haven't been tampered with.
Setup
Your sending service provides DKIM records. Add them as CNAME or TXT records:
selector1._domainkey.yourdomain.com CNAME selector1.dkim.amazonses.com
Verify
dig CNAME selector1._domainkey.yourdomain.com
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells ISPs what to do with unauthenticated messages.
Setup (Start with monitoring)
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"
Enforcement Levels
| Policy | Action | When to Use |
|---|---|---|
| `p=none` | Monitor only | Starting out |
| `p=quarantine` | Send to spam | After monitoring |
| `p=reject` | Block entirely | Full enforcement |
Gradual Enforcement
- Start with `p=none` for 2-4 weeks
- Review DMARC reports (aggregate reports sent to `rua` address)
- Fix any legitimate senders failing authentication
- Move to `p=quarantine` with `pct=25` (25% enforcement)
- Gradually increase `pct` to 100
- Finally move to `p=reject`
Warning: Never jump straight to `p=reject`. You might block legitimate email from services you forgot to authenticate.