<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Podcastwala</title>
    <description>The latest articles on DEV Community by Podcastwala (@podcastwala_80ecee7262a43).</description>
    <link>https://dev.to/podcastwala_80ecee7262a43</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4012611%2F7f9f3b95-e624-4cc4-b365-293c36cf01c1.png</url>
      <title>DEV Community: Podcastwala</title>
      <link>https://dev.to/podcastwala_80ecee7262a43</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/podcastwala_80ecee7262a43"/>
    <language>en</language>
    <item>
      <title>Why Your Emails Land in Spam - A Developer's Guide to SPF, DKIM, and DMARC</title>
      <dc:creator>Podcastwala</dc:creator>
      <pubDate>Thu, 02 Jul 2026 17:37:32 +0000</pubDate>
      <link>https://dev.to/podcastwala_80ecee7262a43/why-your-emails-land-in-spam-a-developers-guide-to-spf-dkim-and-dmarc-8ji</link>
      <guid>https://dev.to/podcastwala_80ecee7262a43/why-your-emails-land-in-spam-a-developers-guide-to-spf-dkim-and-dmarc-8ji</guid>
      <description>&lt;p&gt;You deployed your SaaS. Wired up SendGrid. Sent your first welcome email.&lt;/p&gt;

&lt;p&gt;It landed in spam.&lt;/p&gt;

&lt;p&gt;Not because your content was bad. Not because your list was dirty. Because your DNS isn't configured correctly, and inbox providers don't yet trust your domain.&lt;/p&gt;

&lt;p&gt;Here's what SPF, DKIM, and DMARC actually do, why they fail, and how to fix them.&lt;/p&gt;




&lt;h2&gt;
  
  
  The problem: inbox providers don't know who you are
&lt;/h2&gt;

&lt;p&gt;When your server sends an email, the receiving server (Gmail, Outlook, Yahoo, etc.) has no reliable way to verify that you actually own the domain you're sending from—unless you've published authentication records in your DNS.&lt;/p&gt;

&lt;p&gt;Those records are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SPF&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DKIM&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DMARC&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Miss any one of them and your emails become harder to trust. At best, they'll have lower deliverability. At worst, they'll be treated as spoofed mail.&lt;/p&gt;




&lt;h2&gt;
  
  
  SPF — Sender Policy Framework
&lt;/h2&gt;

&lt;p&gt;SPF answers one question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;"Which servers are allowed to send email for this domain?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You publish a TXT record on your root domain listing the services authorized to send mail on your behalf.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;v=spf1 include:sendgrid.net include:amazonses.com ~all
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When Gmail receives an email from &lt;code&gt;hello@yourdomain.com&lt;/code&gt;, it looks up your SPF record and checks whether the sending IP is authorized.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;code&gt;~all&lt;/code&gt; vs &lt;code&gt;-all&lt;/code&gt;
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;~all&lt;/code&gt; → &lt;strong&gt;SoftFail&lt;/strong&gt; — unauthorized senders are accepted but marked as suspicious.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;-all&lt;/code&gt; → &lt;strong&gt;HardFail&lt;/strong&gt; — unauthorized senders fail SPF completely.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Start with &lt;code&gt;~all&lt;/code&gt;. Move to &lt;code&gt;-all&lt;/code&gt; only after you've verified every legitimate sender is included.&lt;/p&gt;

&lt;h3&gt;
  
  
  Common SPF mistake
&lt;/h3&gt;

&lt;p&gt;Too many &lt;code&gt;include:&lt;/code&gt; statements.&lt;/p&gt;

&lt;p&gt;SPF has a hard limit of &lt;strong&gt;10 DNS lookups&lt;/strong&gt;. Each &lt;code&gt;include:&lt;/code&gt; directive counts toward that limit.&lt;/p&gt;

&lt;p&gt;If you exceed it, SPF returns a &lt;strong&gt;PermError&lt;/strong&gt;, even if the sending IP is otherwise valid.&lt;/p&gt;

&lt;p&gt;Check your SPF record:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig TXT yourdomain.com | &lt;span class="nb"&gt;grep &lt;/span&gt;spf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  DKIM — DomainKeys Identified Mail
&lt;/h2&gt;

&lt;p&gt;SPF verifies the sending server.&lt;/p&gt;

&lt;p&gt;DKIM verifies that the signed portions of the email haven't been modified after they were sent.&lt;/p&gt;

&lt;p&gt;Your email provider signs every outgoing message with a private key. The receiving server retrieves the corresponding public key from your DNS and validates the signature.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mail._domainkey.yourdomain.com IN TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ..."
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The record lives at:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;{selector}._domainkey.{yourdomain}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The selector (&lt;code&gt;mail&lt;/code&gt; in this example) is chosen by your email provider.&lt;/p&gt;

&lt;h3&gt;
  
  
  What can break DKIM?
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Some email forwarding services that modify headers&lt;/li&gt;
&lt;li&gt;Email gateways that alter message content&lt;/li&gt;
&lt;li&gt;Incorrectly formatted DNS records&lt;/li&gt;
&lt;li&gt;Public keys split incorrectly across multiple DNS strings&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Rotate your DKIM keys
&lt;/h3&gt;

&lt;p&gt;Rotate DKIM keys every &lt;strong&gt;6–12 months&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A typical rotation process looks like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Generate a new key pair.&lt;/li&gt;
&lt;li&gt;Publish the new selector.&lt;/li&gt;
&lt;li&gt;Update your email provider.&lt;/li&gt;
&lt;li&gt;Remove the old selector after propagation (usually 48 hours).&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  DMARC — The policy layer
&lt;/h2&gt;

&lt;p&gt;SPF and DKIM work independently.&lt;/p&gt;

&lt;p&gt;DMARC ties them together and tells receiving servers what to do when authentication fails.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;_dmarc.yourdomain.com IN TXT
"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  DMARC policies
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Policy&lt;/th&gt;
&lt;th&gt;Behavior&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;none&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Monitor only. No enforcement.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;quarantine&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Failed messages are sent to spam.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;reject&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Failed messages are rejected outright.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Start with &lt;code&gt;p=none&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Review your aggregate reports (&lt;code&gt;rua=&lt;/code&gt;), verify every sending source passes authentication, then gradually move to &lt;code&gt;quarantine&lt;/code&gt; and eventually &lt;code&gt;reject&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  DMARC alignment—the part most developers miss
&lt;/h3&gt;

&lt;p&gt;Imagine you're sending from:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight email"&gt;&lt;code&gt;&lt;span class="nt"&gt;hello@yourdomain.com
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;But your email provider uses:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight email"&gt;&lt;code&gt;&lt;span class="nt"&gt;bounce@sendgrid.net
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;SPF passes for &lt;code&gt;sendgrid.net&lt;/code&gt;, but it doesn't align with your visible &lt;strong&gt;From&lt;/strong&gt; domain.&lt;/p&gt;

&lt;p&gt;As a result, DMARC can still fail.&lt;/p&gt;

&lt;p&gt;The fix is to configure a custom return-path (bounce) domain such as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;bounce.yourdomain.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This keeps SPF aligned with your own domain.&lt;/p&gt;




&lt;h2&gt;
  
  
  The warm-up problem
&lt;/h2&gt;

&lt;p&gt;Even with perfect SPF, DKIM, and DMARC, a brand-new sending domain has no reputation.&lt;/p&gt;

&lt;p&gt;Inbox providers evaluate much more than authentication:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Historical engagement&lt;/li&gt;
&lt;li&gt;Spam complaints&lt;/li&gt;
&lt;li&gt;Bounce rates&lt;/li&gt;
&lt;li&gt;Sending consistency&lt;/li&gt;
&lt;li&gt;Domain reputation&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Sending hundreds of emails from a brand-new domain looks suspicious, regardless of how well your DNS is configured.&lt;/p&gt;

&lt;p&gt;The solution is gradual warm-up.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Week&lt;/th&gt;
&lt;th&gt;Daily Volume&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Week 1&lt;/td&gt;
&lt;td&gt;20–50&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Week 2&lt;/td&gt;
&lt;td&gt;50–200&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Week 3&lt;/td&gt;
&lt;td&gt;200–500&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Week 4+&lt;/td&gt;
&lt;td&gt;Scale gradually&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For low-volume transactional email, warm-up is generally less critical. For newsletters and cold outreach, it's essential.&lt;/p&gt;

&lt;p&gt;MailPilot automates this with AI-driven warm-up across real peer inboxes, DNS health monitoring, and inbox placement tracking.&lt;/p&gt;




&lt;h2&gt;
  
  
  Quick checklist before your next send
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;✅ SPF record exists&lt;/li&gt;
&lt;li&gt;✅ SPF uses fewer than 10 DNS lookups&lt;/li&gt;
&lt;li&gt;✅ DKIM selector is published&lt;/li&gt;
&lt;li&gt;✅ DMARC record exists at &lt;code&gt;_dmarc.yourdomain.com&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;✅ DMARC policy is at least &lt;code&gt;p=none&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;✅ Aggregate reporting (&lt;code&gt;rua=&lt;/code&gt;) is configured&lt;/li&gt;
&lt;li&gt;✅ Custom bounce domain is configured for SPF alignment&lt;/li&gt;
&lt;li&gt;✅ Domain has aged for at least 2–4 weeks before high-volume sending&lt;/li&gt;
&lt;li&gt;✅ Warm-up is running before scaling outbound email&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Validate your setup
&lt;/h2&gt;

&lt;h3&gt;
  
  
  SPF
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig TXT yourdomain.com | &lt;span class="nb"&gt;grep &lt;/span&gt;spf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  DKIM
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig TXT mail._domainkey.yourdomain.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Replace &lt;code&gt;mail&lt;/code&gt; with your DKIM selector.&lt;/p&gt;

&lt;h3&gt;
  
  
  DMARC
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig TXT _dmarc.yourdomain.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or use the free tools at &lt;strong&gt;&lt;a href="//mailpilots.in/free-tools"&gt;mailpilots.in/free-tools&lt;/a&gt;&lt;/strong&gt; to generate and validate your SPF, DKIM, and DMARC records in one place.&lt;/p&gt;




&lt;h2&gt;
  
  
  TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;SPF&lt;/strong&gt; defines which servers can send email for your domain.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DKIM&lt;/strong&gt; proves your email hasn't been modified after it was sent.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DMARC&lt;/strong&gt; tells receiving servers how to handle authentication failures.&lt;/li&gt;
&lt;li&gt;For DMARC to pass, either SPF or DKIM must align with your visible &lt;strong&gt;From&lt;/strong&gt; domain.&lt;/li&gt;
&lt;li&gt;Authentication improves trust, but reputation still has to be earned through consistent, gradual sending.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Fix your DNS. Build your sender reputation. Keep your emails out of spam.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>emailwarmup</category>
      <category>devops</category>
      <category>tutorial</category>
    </item>
  </channel>
</rss>
