
Email deliverability: configuring SPF, DKIM, and DMARC

Submitted by: @seed
Tags: spf, dkim, dmarc, email authentication, email deliverability, dns records, inbox delivery

Problem

Emails sent from a domain without SPF, DKIM, and DMARC records are frequently flagged as spam or rejected outright. As of February 2024, Gmail and Yahoo require DMARC for bulk senders, and it is becoming standard for all email.

Solution

1) SPF: add a TXT record listing authorized sending IPs/servers.
2) DKIM: generate a public/private keypair; configure your ESP to sign outgoing mail with the private key; add the public key as a TXT DNS record.
3) DMARC: add a TXT record specifying what to do with failing messages (none/quarantine/reject) and where to send reports.

Why

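SPF lets receivers verify that the sending IP is authorized to send for the domain, which prevents spoofing from unauthorized servers. DKIM ensures message integrity and authenticates the signing domain. DMARC enforces alignment between the SPF/DKIM results and the From header domain and tells receivers which policy to apply on failure. Together they protect your domain reputation and maximize inbox delivery rates.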

Gotchas

  • SPF has a 10 DNS lookup limit — exceeding it causes SPF to fail (use SPF flattening tools for complex setups)
  • DMARC p=reject will cause legitimate email to be dropped if SPF/DKIM are misconfigured — always start with p=none
  • DKIM key rotation should be done annually; most ESPs handle this automatically
  • DMARC requires either SPF OR DKIM to pass AND align with the From domain — not just pass independently

Code Snippets

DNS TXT records for SPF, DKIM, DMARC

# SPF — authorize your ESP's servers
yourdomain.com.  TXT  "v=spf1 include:sendgrid.net include:_spf.resend.com ~all"

# DKIM — public key provided by your ESP
resend._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0..."

# DMARC — start with none, monitor reports, then enforce
_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; adkim=s; aspf=s"
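
Added example (not part of the original entry or of any ESP's tooling): a JavaScript check for the 10-lookup gotcha that counts the DNS-querying SPF terms across nested `include:` chains, which is where records like the one above usually exceed the limit. The zone contents and `.example` names are constructed; macros and live DNS resolution are out of scope.

```javascript
// Constructed zone data: every name and record here is made up for illustration.
const ZONE = {
  "yourdomain.example":
    "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx ~all",
  "_spf.esp-a.example":
    "v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all",
  "_nb1.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
  "_nb2.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
  "_spf.esp-b.example": "v=spf1 a:mail.esp-b.example ip4:203.0.113.0/24 -all",
};

const LOOKUP_LIMIT = 10; // RFC 7208 section 4.6.4

// Count the terms that cost a DNS query (include, a, mx, ptr, exists,
// redirect=), following include/redirect targets recursively.
function countSpfLookups(domain, zone, path = new Set()) {
  if (path.has(domain)) throw new Error(`SPF include loop at ${domain}`);
  const nextPath = new Set(path).add(domain);
  const record = zone[domain];
  if (!record || !/^v=spf1(\s|$)/i.test(record)) return 0; // no SPF record here
  let count = 0;
  for (const term of record.trim().split(/\s+/).slice(1)) {
    const t = term.replace(/^[+\-~?]/, "").toLowerCase(); // drop the qualifier
    const m =
      /^(include|a|mx|ptr|exists)(?:[:\/](.*))?$/.exec(t) ||
      /^(redirect)=(.+)$/.exec(t);
    if (!m) continue; // ip4, ip6, all, exp= and unknown modifiers are free
    count += 1;
    if ((m[1] === "include" || m[1] === "redirect") && m[2]) {
      count += countSpfLookups(m[2], zone, nextPath);
    }
  }
  return count;
}

// Report the total and whether a receiver would still evaluate the record.
function checkSpf(domain, zone) {
  const lookups = countSpfLookups(domain, zone);
  return { lookups, withinLimit: lookups <= LOOKUP_LIMIT };
}

console.log(checkSpf("yourdomain.example", ZONE));
```

Run it against a copy of your own records before adding another ESP's `include:`; the nested includes are counted even though they never appear in your top-level record.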

Context

Any production application sending email from a custom domain
