DEV Community: Yasser Addadi

SPF, DKIM, and DMARC Explained — The 3 DNS Records Every Developer Needs

Yasser Addadi — Fri, 13 Mar 2026 09:00:11 +0000

Every developer sends email. Most do it wrong.

If you deploy a SaaS, you send transactional email — welcome messages, password resets, notifications. Without SPF, DKIM, and DMARC, those emails land in spam.

Here's what each record does and how to set it up.

SPF (Sender Policy Framework)

What it does: Tells receiving servers which IPs are allowed to send email from your domain.

DNS record type: TXT record on your root domain

v=spf1 include:_spf.google.com include:send.resend.com ~all

What this means:

v=spf1 — This is an SPF record
include:_spf.google.com — Google Workspace can send from this domain
include:send.resend.com — Resend can send from this domain
~all — Soft-fail everything else

Common mistake: Using -all (hard fail) before listing all your senders.

DKIM (DomainKeys Identified Mail)

What it does: Cryptographically signs every email so the receiver can verify it wasn't tampered with in transit.

DNS record type: TXT record at selector._domainkey.yourdomain.com

How it works:

Your email provider generates a public/private key pair
The public key goes in DNS
Every outgoing email gets signed with the private key
The receiving server verifies using the public key

Provider selectors:

Google: google._domainkey
Resend: resend._domainkey
SendGrid: s1._domainkey
Microsoft 365: selector1._domainkey

DMARC (Domain-based Message Authentication)

What it does: Tells receivers what to do when SPF or DKIM fails.

DNS record type: TXT record at _dmarc.yourdomain.com

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Recommended rollout:

Start with p=none (monitor only)
After 2 weeks, move to p=quarantine
After confidence, move to p=reject

Check Your Setup in 5 Seconds

I built a free Domain Health Checker that checks all three records instantly. It scans 40+ DKIM provider selectors — Google, Resend, SendGrid, Mailchimp, and more.

No signup required. Enter your domain, get results.

Check your domain now

More Free Tools

Tool	What It Does
Domain Health Checker	SPF + DKIM + DMARC verification
Blacklist Checker	Check 25+ spam blacklists
Email Header Analyzer	Decode email routing and auth results
All tools	Free hub, no signup

Built with Lume — a self-hosted email engine for founders who want to own their email infrastructure.

SPF, DKIM, and DMARC Explained — The 3 DNS Records Every Developer Needs

Yasser Addadi — Fri, 13 Mar 2026 08:27:52 +0000

If you send emails from your domain, you need these 3 records.

Whether you're using Resend, SendGrid, AWS SES, or your own SMTP server — if you haven't set up SPF, DKIM, and DMARC, your emails are landing in spam. Here's what each one does and how to fix it.

SPF (Sender Policy Framework)

What it does: Tells receiving servers which IPs are allowed to send email from your domain.

DNS record type: TXT record on your root domain

Example:

v=spf1 include:_spf.google.com include:send.resend.com ~all

What this means:

v=spf1 — This is an SPF record
include:_spf.google.com — Google Workspace can send from this domain
include:send.resend.com — Resend can send from this domain
~all — Soft-fail everything else (mark as suspicious)

Common mistake: Using -all (hard fail) before you've listed all your senders. This will block legitimate emails from services you forgot to include.

DKIM (DomainKeys Identified Mail)

What it does: Cryptographically signs every email so the receiver can verify it wasn't tampered with in transit.

DNS record type: TXT record at selector._domainkey.yourdomain.com

How it works:

Your email provider generates a public/private key pair
The public key goes in DNS as a TXT record
Every outgoing email gets signed with the private key
The receiving server verifies the signature using the public key

Pro tip: Different providers use different selectors:

Google Workspace: google._domainkey
Resend: resend._domainkey
SendGrid: s1._domainkey, s2._domainkey
Microsoft 365: selector1._domainkey, selector2._domainkey

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Tells receivers what to do when SPF or DKIM fails, and where to send reports.

DNS record type: TXT record at _dmarc.yourdomain.com

Example:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

What this means:

p=quarantine — Failed emails go to spam (not rejected)
rua=mailto:... — Send aggregate reports to this address
pct=100 — Apply policy to 100% of emails

Recommended rollout:

Start with p=none (monitor only)
After 2 weeks, check reports → move to p=quarantine
After confidence, move to p=reject

Check Your Setup in 5 Seconds

I built a free Domain Health Checker that checks all three records instantly:

✅ SPF record found and valid
✅ DKIM detected (checks 40+ provider selectors)
✅ DMARC policy set

No signup required. Enter your domain, get results.

👉 Check your domain now →

Bonus Tools

Tool	What It Does
Domain Health Checker	SPF + DKIM + DMARC verification
Blacklist Checker	Check 25+ spam blacklists
Email Header Analyzer	Decode email routing and auth results

All free at lumesend.com/tools.

Built with Lume — a self-hosted email engine for founders who want to own their email infrastructure.

How to Check If Your Domain Is on an Email Blacklist (And What to Do About It)

Yasser Addadi — Fri, 13 Mar 2026 08:27:10 +0000

Your emails might be silently dying.

You set up SPF, DKIM, and DMARC. You warm up your IP. You write clean, non-spammy content. But your emails still land in spam — or worse, get silently dropped.

The hidden killer? Email blacklists.

What Are Email Blacklists?

Email blacklists (technically called DNSBLs — DNS-based Blackhole Lists) are real-time databases of IP addresses and domains known to send spam. Every major email provider — Gmail, Outlook, Yahoo — queries these lists before accepting your email.

If your IP or domain is on a blacklist, your emails get:

❌ Silently rejected (no bounce, no error — just gone)
📁 Routed straight to spam
🚫 Blocked entirely by corporate email servers

The worst part? You won't know it's happening. There's no notification. Your emails just... stop arriving.

The Major Blacklists You Should Know

Blacklist	What It Does	Impact
Spamhaus ZEN	Combines SBL, XBL, PBL	🔴 Getting listed here is catastrophic
Barracuda	IP reputation list	🔴 Used by millions of corporate servers
SpamCop	User-reported spam sources	🟡 Temporary, but painful
SORBS	Open relay and spam sources	🟡 Common false positives
SURBL	Spam-linked domain names	🔴 Catches domain-level abuse
UCEPROTECT	3-tier escalation system	🟡 Can list entire IP ranges

There are 25+ major blacklists, and each one is checked independently by different email providers.

How to Check If You're Blacklisted

I built a free blacklist checker that queries all 25+ major DNSBLs in parallel:

Resolves your domain to its IP
Checks against Spamhaus, Barracuda, SpamCop, SORBS, SURBL, UCEPROTECT, and 19 more
Shows a clean/listed status for each
Gives you an overall score

No signup required. Just enter your domain and get results in ~5 seconds.

👉 Check your domain now →

How You End Up on a Blacklist

Common causes:

High bounce rates — Sending to invalid addresses signals spam behavior
Spam complaints — Even 0.1% complaint rate can trigger listing
Missing authentication — No SPF/DKIM/DMARC = suspicious sender
Shared IP reputation — Your VPS's previous tenant was a spammer
Sending too fast — Blasting 10k emails from a cold IP

How to Get Removed

Fix the root cause first — Stop the bounces, set up authentication
Check your SPF/DKIM/DMARC — Use the Domain Health Checker to verify
Submit delisting requests — Most blacklists have removal forms:
- Spamhaus: spamhaus.org/lookup
- Barracuda: barracudacentral.org/rbl/removal-request
- SpamCop: Auto-expires after 24-48 hours of no reports
Monitor continuously — Re-listing happens fast if the cause isn't fixed

Prevention Checklist

✅ Use double opt-in for all subscribers
✅ Clean your list regularly (remove bounces)
✅ Set up SPF, DKIM, and DMARC (check yours here)
✅ Warm up new IPs gradually (start with 50/day, scale up over 2 weeks)
✅ Keep complaint rate below 0.08%
✅ Monitor blacklists weekly

Free Tools

I've built 3 free tools for email deliverability — no signup, no ads:

Tool	What It Does
Blacklist Checker	Check 25+ DNSBLs instantly
Domain Health Checker	Verify SPF, DKIM, DMARC setup
Email Header Analyzer	Decode routing, auth results, spam scores

All tools are also embeddable — grab the iframe code from the tools hub and add them to your own site.

Built with Lume — an autonomous email engine for founders who want to own their infrastructure. If you're tired of Mailchimp's subscriber tax, check it out.