Dhiraj Chatpar

Posted on • Originally published at postmta.com

Email Authentication 2026: The Complete Setup Checklist

Gmail and Yahoo now block emails from senders without proper authentication. If you are not fully configured, your emails are going to spam or not arriving at all. Here is exactly what to set up.

The Three Pillars

Email authentication has three components that work together:

  • SPF: Authorizes which servers can send for your domain
  • DKIM: Cryptographically signs emails to prove they came from you
  • DMARC: Tells receivers what to do with emails that fail authentication

All three are required for full deliverability in 2026.

SPF Setup

Add an SPF record to your DNS:

v=spf1 include:_spf.postmta.com ip4:YOUR_SERVER_IP -all

The -all means hard fail. If an unauthorized server tries to send for your domain, receivers will reject it.

For KumoMTA, the SPF record authorizes the PostMTA relay servers. Your application server IP also needs to be included.

DKIM Setup

KumoMTA generates DKIM keys automatically. Add the public key to DNS:

mail._domainkey.postmta.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQ..."

Rotate keys every 90 days by publishing a new selector before retiring the old one.

DMARC Setup

Start with monitoring mode:

_dmarc.postmta.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@postmta.com"

After 2 weeks of data, move to quarantine mode:

v=DMARC1; p=quarantine; rua=mailto:dmarc@postmta.com; pct=100

After 4 weeks of clean data, enable reject mode:

v=DMARC1; p=reject; rua=mailto:dmarc@postmta.com; pct=100

MTA-STS (Required for Enterprise)

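MTA-STS forces TLS encryption when other servers deliver to your domain. The TXT record below only advertises that a policy exists; the policy itself is a file served over HTTPS at https://mta-sts.postmta.com/.well-known/mta-sts.txt, and sending servers refetch it when the id value changes: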

_mta-sts.postmta.com IN TXT "v=STSv1; id=20260101Z"

This prevents downgrade attacks on your inbound mail.

TLS Reporting

Add TLS reporting so you know when delivery fails due to encryption issues:

_smtp._tls.postmta.com IN TXT "v=TLSRPTv1; rua=mailto:YOUR_TLS_REPORT_MAILBOX"

The Authentication Checklist

Run through this before any major send:

  1. SPF record published and resolves
  2. DKIM key generated and published
  3. DKIM selector points to correct domain
  4. DMARC record in monitoring mode
  5. MTA-STS policy published
  6. TLS 1.2+ supported on receiving end
  7. Google Postmaster Tools verified
  8. Test send to Gmail, Yahoo, Outlook
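
Checklist items 1 to 4 can be linted offline before the DNS change goes live. The sketch below is an added example, not PostMTA or KumoMTA code; the function names, the dummy DKIM key and 192.0.2.10 (standing in for YOUR_SERVER_IP) are assumptions, and it checks record text only, not live DNS.

```python
import re

# Terms that cost a DNS query during SPF evaluation (RFC 7208 caps them at 10).
LOOKUP_TERM = re.compile(r"[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)\b)", re.I)

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    issues = []
    lookups = sum(1 for term in terms[1:] if LOOKUP_TERM.match(term))
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-querying terms, limit is 10")
    if terms[-1].lower() != "-all":
        issues.append(f"SPF: ends with {terms[-1]!r}, not the hard fail -all")
    return issues

def lint_dkim(record):
    # An empty p= marks a retired selector's key as revoked.
    return [] if parse_tags(record).get("p") else ["DKIM: empty p=, key is revoked"]

def lint_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return ["DMARC: needs v=DMARC1 and p=none, quarantine or reject"]
    issues = []
    if "rua" not in tags:
        issues.append("DMARC: no rua, so no aggregate reports to review")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of the mail")
    return issues

def lint_all(records):
    checks = {"spf": lint_spf, "dkim": lint_dkim, "dmarc": lint_dmarc}
    return [issue for kind, text in records.items() for issue in checks[kind](text)]

# Constructed sample records: 192.0.2.10 stands in for YOUR_SERVER_IP, the key is a dummy.
SAMPLES = {
    "spf": "v=spf1 include:_spf.postmta.com ip4:192.0.2.10 -all",
    "dkim": "v=DKIM1; k=rsa; p=RFVNTVlLRVk=",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@postmta.com",
}

print(lint_all(SAMPLES) or "all three records pass")
```

An SPF record that delegates with redirect= and carries no all term will be flagged by the -all check; treat that finding as a prompt to inspect the redirect target.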

PostMTA handles all of this automatically, including daily DMARC report analysis and automatic key rotation.