Inbox providers want proof that you are you. SPF lists who may send on your behalf, DKIM signs the mail, and DMARC tells receivers how to treat failures (none/quarantine/reject).
SPF: who is allowed to send
- TXT at root: v=spf1 include:... ip4:... ~all
- Keep it short (DNS lookup limit ≈ 10)
- Prefer -all once confident; start with ~all if migrating
DKIM: the cryptographic signature
- Each sender publishes a selector (e.g., s1._domainkey)
- Use 2048‑bit keys and rotate annually
- Validate that headers and body are signed
DMARC: policy & reporting
- TXT at _dmarc: v=DMARC1; p=none; rua=mailto:...; ruf=mailto:...; pct=100
- Start with p=none, then move to quarantine/reject
- Review aggregate reports and fix misaligned senders
Monitoring that closes the loop
Watch SPF/DKIM record health, parse DMARC XML to find unknown senders, and alert when policy is too lax for too long.
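An added example (not code from the original page or the product it describes) of the report parsing described above: it reads one DMARC aggregate report, totals mail from sources missing from the sender inventory, and lists known senders that pass neither aligned SPF nor aligned DKIM. The report, the IP addresses, `KNOWN_SENDERS` and `triage_report` are constructed for illustration, and the inventory is assumed to be a set of source IPs.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout, trimmed); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>6</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>30</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.40</source_ip><count>9</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: the sender inventory is kept as a set of known source IPs.
KNOWN_SENDERS = {"192.0.2.10", "203.0.113.25", "203.0.113.40"}


def triage_report(xml_text, known=KNOWN_SENDERS):
    """Return the published policy, unknown sources and known-but-failing sources."""
    # Reports come from third parties: refuse DTDs so entity expansion cannot run.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in DMARC reports")
    root = ET.fromstring(xml_text)
    unknown, misaligned = Counter(), Counter()
    for row in root.iter("row"):
        ip = (row.findtext("source_ip") or "").strip()
        try:
            count = int(row.findtext("count") or 0)
        except ValueError:
            continue  # skip rows with a malformed count
        results = {row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf")}
        if ip not in known:
            unknown[ip] += count      # source is not in the inventory at all
        elif "pass" not in results:
            misaligned[ip] += count   # ours, but neither SPF nor DKIM aligned
    policy = (root.findtext("policy_published/p") or "").strip().lower()
    return {"policy": policy, "unknown": dict(unknown), "misaligned": dict(misaligned)}


if __name__ == "__main__":
    print(triage_report(SAMPLE_REPORT))
```

The returned `policy` value is what a "too lax for too long" alert would track over successive reports; known senders that pass on only one of SPF or DKIM are not flagged, because DMARC needs just one aligned pass.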
Common pitfalls
- SPF lookup limit → consolidate vendors; consider sub‑domains for niche senders
- DKIM selector mismatch after provider changes
- DMARC reports ignored — route to a mailbox/processor you read
From observation to enforcement
- Inventory senders (marketing, CRM, product)
- Fix SPF includes/DKIM for each
- Move DMARC to quarantine for a week
- Move to reject and keep watching
Put this into practice
Start monitoring in minutes. Email, Slack, Teams, Discord, PagerDuty, and SMS alerts.