SPF, DKIM & DMARC

Email authentication protocols help receiving mail servers verify that an email actually came from who it claims to be from. This is critical for deliverability — without proper authentication, your emails are more likely to land in spam.

SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. Receiving servers check the SPF record in your DNS to verify that incoming email originates from an approved source, helping prevent spoofing and phishing attacks.

What you add:

v=spf1 include:relaypost.dev ~all

This says: “RelayPost’s servers are authorized to send email for my domain. Soft-fail anything else.”

How it works:

  1. You send an email from hello@yourapp.com
  2. The receiving server looks up the SPF record for yourapp.com
  3. It checks if the sending IP is in RelayPost’s authorized range
  4. If yes → SPF passes

What Is DKIM (DomainKeys Identified Mail)?

DKIM (DomainKeys Identified Mail) is an email authentication protocol that adds a cryptographic signature to outgoing messages. The receiving mail server verifies this signature against a public key published in the sender’s DNS records, confirming the email was sent by an authorized server and was not altered in transit.

What you add:

A TXT record at {selector}._domainkey.yourapp.com containing your DKIM public key.

How it works:

  1. RelayPost signs each outgoing email with your domain’s private key
  2. The receiving server fetches the public key from your DNS
  3. It verifies the signature matches the email content
  4. If yes → DKIM passes

RelayPost generates the DKIM key pair for you when you add a domain. The private key is stored securely on our servers and never exposed.

What Is DMARC (Domain-based Message Authentication, Reporting & Conformance)?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy that ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It lets domain owners specify whether unauthenticated email should be monitored, quarantined, or rejected, and provides aggregate reports on authentication results.

Recommended DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourapp.com

Tag              Meaning
p=none           Monitor only — don’t take action on failures
p=quarantine     Send failing emails to spam
p=reject         Reject failing emails entirely
rua=mailto:...   Where to send aggregate reports

Recommended approach:

  1. Start with p=none to monitor without affecting delivery
  2. Review DMARC reports for a few weeks
  3. Move to p=quarantine once you’re confident
  4. Optionally move to p=reject for maximum protection

After setting up DNS records, your domain dashboard shows:

Status              Meaning
✅ DKIM Verified    DKIM public key found and matches
✅ DMARC Set        DMARC record found with valid policy
✅ Fully Verified   DKIM passes — best deliverability
❌ Not Verified     DKIM check failed — check your DNS records

Note: SPF is handled automatically by RelayPost’s sending infrastructure via the MAIL FROM domain. You do not need to add an SPF record — RelayPost manages SPF alignment for you.

  • Set up DKIM — most providers check it and it’s required for DMARC alignment
  • Add a DMARC record even if you start with p=none
  • SPF is managed by RelayPost’s infrastructure — no action needed on your part
  • Keep your DKIM key secure — if compromised, regenerate it from the dashboard

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. Receiving servers verify this signature to confirm the email was sent by an authorized server and was not altered in transit. Without DKIM, your emails are more likely to land in spam.

Add a TXT record to your domain’s DNS with the value v=spf1 include:relaypost.dev ~all. If you already have an SPF record, add include:relaypost.dev to the existing record. You can only have one SPF record per domain.

DMARC is strongly recommended. It ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Start with p=none to monitor, then move to p=quarantine after reviewing reports.

Check that your DNS records match exactly what RelayPost provided. Common issues include extra quotes around TXT values, incorrect selector names, and DNS propagation delays. Wait 15–30 minutes and try again.
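
An added example (not RelayPost's own code) that lints a domain's TXT records offline for the issues named above: literal quotes in a value, a wrong selector, more than one SPF record, and an invalid DMARC policy. The selector rp1, the sample zone and the key placeholder are constructed for illustration; _dmarc.<domain> is the standard DMARC record name.

```python
RELAY_INCLUDE = "include:relaypost.dev"      # SPF mechanism given on this page
POLICIES = {"none", "quarantine", "reject"}  # the three p= values in the table

def tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def lint(domain, selector, zone):
    """zone maps a DNS name to its TXT strings as stored; returns findings."""
    findings = []

    def txt(name):
        values = []
        for raw in zone.get(name, []):
            value = raw.strip().strip('"')
            if value != raw.strip():  # literal quotes pasted into the value
                findings.append(f"{name}: extra quotes around TXT value")
            values.append(value)
        return values

    spf = [v for v in txt(domain) if v.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records, only one is allowed")
    elif spf and RELAY_INCLUDE not in spf[0].split():
        findings.append(f"{domain}: SPF record lacks {RELAY_INCLUDE}")

    dkim_name = f"{selector}._domainkey.{domain}"
    keys = [tags(v) for v in txt(dkim_name)]
    if not any(t.get("v", "DKIM1") == "DKIM1" and t.get("p") for t in keys):
        findings.append(f"{dkim_name}: no DKIM public key (check the selector)")

    dmarc = [tags(v) for v in txt(f"_dmarc.{domain}") if v.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(f"_dmarc.{domain}: no DMARC record")
    elif dmarc[0].get("p") not in POLICIES:
        findings.append(f"_dmarc.{domain}: missing or invalid p= policy")
    elif "rua" not in dmarc[0]:
        findings.append(f"_dmarc.{domain}: no rua= address for aggregate reports")
    return findings

# Constructed sample zone; selector "rp1" and the key value are placeholders.
SAMPLE_ZONE = {
    "yourapp.com": ["v=spf1 include:_spf.example.net ~all",
                    "v=spf1 include:relaypost.dev ~all"],
    "rp1._domainkey.yourapp.com": ['"v=DKIM1; k=rsa; p=PLACEHOLDERKEY"'],
    "_dmarc.yourapp.com": ["v=DMARC1; p=monitor; rua=mailto:dmarc-reports@yourapp.com"],
}

if __name__ == "__main__":
    for finding in lint("yourapp.com", "rp1", SAMPLE_ZONE):
        print(finding)
```

To run it against live DNS, fill the zone dictionary from your resolver's TXT answers for the three names before calling lint.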