Skip to content
RelayPost Docs

SPF, DKIM & DMARC

Email authentication protocols help receiving mail servers verify that an email actually came from who it claims to be from. This is critical for deliverability — without proper authentication, your emails are more likely to land in spam.

SPF (Sender Policy Framework)

Section titled “SPF (Sender Policy Framework)”

SPF tells receiving servers which IP addresses are allowed to send email for your domain.

What you add:

v=spf1 include:relaypost.dev ~all

This says: “RelayPost’s servers are authorized to send email for my domain. Soft-fail anything else.”

How it works:

  1. You send an email from [email protected]
  2. The receiving server looks up the SPF record for yourapp.com
  3. It checks if the sending IP is in RelayPost’s authorized range
  4. If yes → SPF passes

DKIM (DomainKeys Identified Mail)

Section titled “DKIM (DomainKeys Identified Mail)”

DKIM adds a cryptographic signature to every email, proving it hasn’t been tampered with in transit.

What you add:

A TXT record at {selector}._domainkey.yourapp.com containing your DKIM public key.

How it works:

  1. RelayPost signs each outgoing email with your domain’s private key
  2. The receiving server fetches the public key from your DNS
  3. It verifies the signature matches the email content
  4. If yes → DKIM passes

RelayPost generates the DKIM key pair for you when you add a domain. The private key is stored securely on our servers and never exposed.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

Section titled “DMARC (Domain-based Message Authentication, Reporting & Conformance)”

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.

Recommended DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]
TagMeaning
p=noneMonitor only — don’t take action on failures
p=quarantineSend failing emails to spam
p=rejectReject failing emails entirely
rua=mailto:...Where to send aggregate reports

Recommended approach:

  1. Start with p=none to monitor without affecting delivery
  2. Review DMARC reports for a few weeks
  3. Move to p=quarantine once you’re confident
  4. Optionally move to p=reject for maximum protection

Verification status

Section titled “Verification status”

After setting up DNS records, your domain dashboard shows:

StatusMeaning
✅ SPF VerifiedSPF record found and includes RelayPost
✅ DKIM VerifiedDKIM public key found and matches
✅ Fully VerifiedBoth SPF and DKIM pass — best deliverability
❌ Not VerifiedOne or both checks failed — check your DNS records

Best practices

Section titled “Best practices”
  • Always set up both SPF and DKIM — most providers check both
  • Add a DMARC record even if you start with p=none
  • Don’t use multiple SPF records on the same domain — merge them into one
  • Keep your DKIM key secure — if compromised, regenerate it from the dashboard