DKIM, SPF, and DMARC: A Developer's Setup Guide

Devicode Team

Email authentication is the foundation of deliverability. Without it, receiving mail servers have no reliable way to verify your mail is legitimate, and reputation-based filtering will treat your messages with suspicion. SPF, DKIM, and DMARC are the three DNS-based mechanisms that solve this.

SPF: who can send from your domain

SPF (Sender Policy Framework) is a TXT record that lists the IP addresses and services authorized to send mail on behalf of your domain.

v=spf1 include:sendpromptly.com include:_spf.google.com ~all

Key rules:

  • Use ~all (soft fail) while testing, then switch to -all (hard fail) once validated
  • Include every sending service your domain uses — ESPs, CRMs, marketing tools
  • Avoid exceeding 10 DNS lookups (SPF has a hard lookup limit)
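A small SPF record lint, added here as an example (not code from the original guide or from SendPromptly), that checks the three rules above offline: it parses a TXT record into terms, counts the mechanisms that cost a DNS lookup, and reports the qualifier on the trailing all term. The records in the usage are constructed; the count covers only the terms written directly in the record, whereas the real limit also counts the lookups inside each included record, so resolving includes is still necessary in practice.

```python
"""SPF record lint: count lookup-costing terms and check the 'all' qualifier.

Added example, not code from the original guide. Records are constructed
inline; nothing here queries DNS, so nested includes are not expanded.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LOOKUP_LIMIT = 10

# term := [qualifier] name [ ':' | '=' | '/' argument ]
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record: str) -> dict:
    """Parse one SPF TXT record.

    Returns a dict with:
      valid    - True if the record starts with v=spf1
      lookups  - number of lookup-costing terms written directly in the record
      all      - qualifier of the trailing 'all' term ('+', '-', '~', '?') or None
      includes - included domains, in order
      findings - human-readable observations about the record
    """
    result = {"valid": False, "lookups": 0, "all": None, "includes": [], "findings": []}
    stripped = record.strip()
    if record != stripped:
        result["findings"].append("leading/trailing whitespace in record")
    terms = stripped.split()
    if not terms or terms[0].lower() != "v=spf1":
        result["findings"].append("record does not start with v=spf1")
        return result
    result["valid"] = True

    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            result["findings"].append(f"unparseable term: {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name == "all":
            result["all"] = qualifier
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
            if name == "include" and arg:
                result["includes"].append(arg.lower())
        elif name in ("ip4", "ip6"):
            pass  # IP literals cost no lookup
        else:
            result["findings"].append(f"unknown term: {term!r}")

    if result["all"] is None:
        result["findings"].append("no 'all' term: unlisted senders get a neutral result")
    elif result["all"] == "+":
        result["findings"].append("'+all' authorises every sender on the internet")
    elif result["all"] == "~":
        result["findings"].append("'~all' (soft fail) is for testing; switch to '-all' once validated")
    if result["lookups"] > LOOKUP_LIMIT:
        result["findings"].append(
            f"{result['lookups']} lookup terms exceeds the limit of {LOOKUP_LIMIT}"
        )
    return result


if __name__ == "__main__":
    # The record from the guide, plus a constructed over-limit record.
    for rec in (
        "v=spf1 include:sendpromptly.com include:_spf.google.com ~all",
        "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all",
    ):
        print(parse_spf(rec))
```

Run the lint on the exact string you intend to publish: a record that passes here but still fails at a receiver usually has a lookup limit problem inside one of its includes, which this offline check cannot see.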

DKIM: signing messages with a cryptographic key

DKIM (DomainKeys Identified Mail) attaches a signature to each outgoing message. Receivers verify the signature using a public key published in your DNS.

Your sending provider generates the key pair. You publish the public key as a TXT record at a selector subdomain:

mail._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=<public key>"

Recommendations:

  • Use a 2048-bit RSA key
  • Rotate keys annually
  • Use a dedicated selector per sending service so rotation does not affect all services at once

DMARC: enforcement and reporting

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when a message fails SPF or DKIM and where to send reports.

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

Start with p=none so failures are reported but not acted on. Once your reports show consistent alignment, move to p=quarantine (failed mail goes to spam), then p=reject (failed mail is dropped).

DMARC alignment explained

DMARC alignment is the detail most guides skip. For a message to pass DMARC, either:

  • the SPF-authenticated domain must match the From: domain (SPF alignment), or
  • the DKIM-signing domain must match the From: domain (DKIM alignment)

If you send through a third-party ESP using their sending infrastructure, check whether they sign with your domain (d=yourdomain.com) or their own. Only a signature made with your domain satisfies DKIM alignment, so a message signed only with the ESP's domain has to rely on SPF alignment to pass DMARC.
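The following example, added here and not part of the original guide, ties the DMARC record above to the alignment rule: it parses the record's tags and then computes the DMARC verdict from the SPF and DKIM outcomes a receiver has already established. It goes slightly beyond the text by honouring the adkim and aspf tags (relaxed alignment, the default, accepts a subdomain of the From: domain; strict requires an exact match). The ESP domains in the usage are constructed, and the organisational-domain helper is a deliberate simplification that keeps the last two labels, which is wrong for suffixes such as co.uk.

```python
"""DMARC verdict from already-computed SPF and DKIM results.

Added example, not code from the original guide. Domains below are
constructed; org_domain() is a simplification (assumption: two-label
suffixes), use the Public Suffix List in production.
"""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict; alignment tags default to relaxed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("policy tag p= is required")
    tags.setdefault("adkim", "r")  # r = relaxed, s = strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (assumption, not PSL-aware)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organisational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Combine raw SPF/DKIM outcomes with alignment into a DMARC verdict.

    spf_domain is the MAIL FROM (envelope) domain that SPF evaluated;
    dkim_domain is the d= of the signature that verified ('' if none did).
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and aligned(dkim_domain, from_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # what the published policy asks the receiver to do with this message
        "disposition": "none" if passed else tags["p"],
        "reports_to": tags.get("rua"),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
    # Constructed scenario: ESP bounces from its own domain and signs with its own domain.
    print(evaluate_dmarc(record, "yourdomain.com",
                         "pass", "bounce.esp.example", "pass", "esp.example"))
    # Same ESP, but signing with the customer's domain: DKIM alignment rescues the message.
    print(evaluate_dmarc(record, "yourdomain.com",
                         "pass", "bounce.esp.example", "pass", "yourdomain.com"))
```

The first scenario is the failure mode the paragraph above describes: SPF and DKIM both pass on their own, yet neither authenticated identifier belongs to the From: domain, so DMARC fails and, once p= is quarantine or reject, the receiver acts on it.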

How to verify your setup

Use a tool like dig to check your published records:

dig TXT yourdomain.com | grep spf
dig TXT mail._domainkey.yourdomain.com
dig TXT _dmarc.yourdomain.com

Send a test message and review the Authentication-Results header in the delivered mail. You should see spf=pass, dkim=pass, and dmarc=pass.
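To make that last check repeatable, here is an added example (not code from the original guide) that pulls the spf, dkim and dmarc verdicts and their key properties out of an Authentication-Results header with the standard library. The message embedded below is constructed, including the authserv-id mx.example; the domains follow the guide's placeholders.

```python
"""Parse Authentication-Results into per-method verdicts.

Added example, not code from the original guide. SAMPLE_MESSAGE is a
constructed message; 'mx.example' is a made-up authserv-id.
"""
import email
import re

SAMPLE_MESSAGE = """\
Authentication-Results: mx.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.yourdomain.com;
 dkim=pass header.d=yourdomain.com header.s=mail header.b=AbCd1234;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: Alerts <alerts@yourdomain.com>
To: you@example.org
Subject: authentication test

test body
"""

# method=result, e.g. "dkim=pass"
RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b",
    re.IGNORECASE,
)
# the properties worth keeping for alignment debugging
PROPERTY_RE = re.compile(
    r"\b(smtp\.mailfrom|header\.d|header\.from|header\.s)=([^\s;()]+)", re.IGNORECASE
)


def parse_authentication_results(raw_message: str) -> list:
    """Return one dict per Authentication-Results header: authserv_id plus results by method."""
    msg = email.message_from_string(raw_message)
    parsed = []
    for header in msg.get_all("Authentication-Results", []):
        text = " ".join(str(header).split())  # unfold continuation lines
        authserv_id, _, body = text.partition(";")
        entry = {"authserv_id": authserv_id.strip(), "results": {}}
        for clause in body.split(";"):
            m = RESULT_RE.search(clause)
            if not m:
                continue
            method, verdict = m.group(1).lower(), m.group(2).lower()
            props = {k.lower(): v for k, v in PROPERTY_RE.findall(clause)}
            entry["results"][method] = {"verdict": verdict, **props}
        parsed.append(entry)
    return parsed


def all_pass(raw_message: str) -> bool:
    """True only if the first Authentication-Results header reports spf, dkim and dmarc as pass."""
    parsed = parse_authentication_results(raw_message)
    if not parsed:
        return False
    results = parsed[0]["results"]
    return all(results.get(m, {}).get("verdict") == "pass" for m in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    for entry in parse_authentication_results(SAMPLE_MESSAGE):
        print(entry["authserv_id"], entry["results"])
    print("all pass:", all_pass(SAMPLE_MESSAGE))
```

Only the header whose authserv-id is the receiving server's own is meaningful: a message can arrive with Authentication-Results headers added earlier in its path, so when you read these by hand, match the authserv-id against the mailbox provider you sent the test to. The header.d and smtp.mailfrom values are what you compare against the From: domain when debugging alignment.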

What to do when alignment fails

Common causes:

  • The From domain and DKIM signing domain do not match
  • SPF record is missing the ESP’s include
  • DKIM selector is pointing to the wrong key
  • TXT record has formatting errors (trailing spaces, broken quotes)

Check each layer in isolation before assuming the issue is systemic.

If you need a delivery platform that handles authentication configuration and gives you clear delivery logs, SendPromptly is built for that workflow.