SPF, DKIM, and DMARC Setup Guide
A practical setup for SPF, DKIM, and DMARC alignment when sending transactional email through Postscale.
TL;DR
SPF authorizes the envelope sender, DKIM signs the message, and DMARC checks whether SPF or DKIM aligns with the visible From domain. For production transactional mail, configure all three, monitor with p=none first, then enforce once legitimate streams pass.
What you will learn
- Understand what SPF, DKIM, and DMARC each prove
- Configure aligned authentication records for Postscale sending
- Move from DMARC monitoring to enforcement without blocking legitimate mail
How the three records work together
SPF, DKIM, and DMARC solve related but different problems:
| Record | What it checks | Common failure |
|---|---|---|
| SPF | Is the sending server authorized for the envelope sender? | Multiple SPF records or too many DNS lookups |
| DKIM | Was the message signed by the domain and not modified? | Missing selector, weak key, or broken signing |
| DMARC | Does SPF or DKIM align with the visible From domain? | Mail passes SPF for a different bounce domain |
DMARC is the policy layer. It only becomes useful after SPF and DKIM are configured correctly.
Configure SPF
Publish one SPF TXT record on the domain used in the envelope sender. If Postscale gives you a Return-Path subdomain, SPF belongs on that subdomain.
ps-bounces.example.com. TXT "v=spf1 include:_spf.postscale.io -all"
Copy the underscore form exactly: include:_spf.postscale.io.
Keep the record short. SPF allows at most 10 DNS lookups per evaluation, counted across the include, a, mx, ptr, and exists mechanisms and the redirect modifier.
Configure DKIM
Postscale signs mail with a selector under your domain. Add the provided TXT record:
ps2026._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=..."
Use a 2048-bit key where possible. Rotate DKIM keys by adding the new selector, waiting for verification, switching signing, and only then removing the old selector.
Configure DMARC
Start with reporting:
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
Use strict alignment (adkim=s; aspf=s) when you control the full sending setup. Use relaxed alignment only when legitimate subdomain patterns require it.
Read authentication results
Send a test message and inspect headers for:
Authentication-Results:
spf=pass
dkim=pass
dmarc=pass
If SPF passes but DMARC fails, the SPF domain probably does not align with the visible From domain. If DKIM passes but DMARC fails, check the d= domain in the DKIM signature.
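The alignment check behind those two failure cases, as an added example (not Postscale code). It evaluates the DMARC record shown above against the guide's example domains. The `org_domain` shortcut (last two labels instead of a Public Suffix List lookup) and the sample SPF/DKIM results are assumptions constructed for illustration.

```python
def parse_tags(record):
    """Split a DMARC TXT value such as 'v=DMARC1; p=none; aspf=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List (required for names like example.co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r', the default) compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the SPF domain is the envelope
    sender (Return-Path) domain, the DKIM domain is the signature's d= value."""
    tags = parse_tags(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

STRICT = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Constructed results: SPF passes on the Return-Path subdomain in every case.
    spf = ("pass", "ps-bounces.example.com")
    for rec, dkim in [(STRICT, ("pass", "example.com")), (STRICT, ("fail", "example.com")),
                      (RELAXED, ("fail", "example.com"))]:
        print(rec.split(";", 2)[2].strip() or "(relaxed)", dkim, dmarc_eval(rec, "example.com", spf, dkim))
```

With `aspf=s`, SPF on a Return-Path subdomain passes but never aligns with a From address at `example.com`, so the DMARC result depends entirely on the DKIM signature.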
Move to enforcement
Use this sequence:
- Publish p=none and collect reports.
- Identify every legitimate sender.
- Fix senders that fail DKIM or SPF alignment.
- Move to p=quarantine; pct=25.
- Increase pct gradually.
- Move to p=reject when reports are clean.
Pair this guide with the DMARC reports guide so policy changes are based on evidence.
Frequently asked questions
- Does DMARC require both SPF and DKIM to pass?
- No. DMARC passes when either SPF or DKIM passes and aligns with the visible From domain.
- Can I have more than one SPF record?
- No. Merge all authorized senders into one TXT record that starts with v=spf1.
Put the guide into production
Postscale brings sending, inbound processing, DMARC reporting, and masked addresses behind one API so the operational pieces stay connected.