Blog

The Email Authentication Checklist — SPF, DKIM, DMARC Before You Send

Order: inventory senders → publish SPF → enable DKIM → add DMARC p=none with rua → read reports → tighten. Skipping inventory means surprise sources when you go to quarantine.

  1. SPF: one TXT, under 10 lookups.
  2. DKIM: 2048-bit key live at selector._domainkey.
  3. DMARC: v=DMARC1; p=none; rua=mailto:you@domain.
  4. Test mail + headers.
  5. DMARC XML in inbox within 24-48h.

Deep dives: DNS records for email.

FAQ

What order should I fix things?

SPF/DKIM first — then DMARC reporting — then policy.

Do I need all three?

For modern inbox placement at scale — yes. DMARC can be p=none initially.

What tool runs the checks?

<a href="https://domainpreflight.dev/">DNS Preflight</a> for DNS-side authentication.

What about PTR?

Required for dedicated/self-hosted IPs — less relevant for pure ESP sending.

How do I track drift?

DMARC aggregate reports to rua= — see <a href="/learn/dmarc-reporting/">reporting guide</a>.

← All posts