Email Deliverability: SPF, DKIM, DMARC, and Why Your Emails Hit Spam
Your carefully crafted onboarding email lands in spam. Here's why — and exactly how to fix it.
The Three Authentication Records
SPF (Sender Policy Framework)
Specifies which servers are allowed to send email from your domain:
# DNS TXT record for yourdomain.com
v=spf1 include:_spf.google.com include:amazonses.com ~all
# ~all = soft fail (mark as suspicious, don't reject)
# -all = hard fail (reject if not listed)
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to emails proving they weren't tampered with:
# DNS TXT record: selector._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...
Your email provider (Resend, SendGrid, SES) gives you this key to add to DNS.
DMARC (Domain-based Message Authentication)
Tells receiving servers what to do when SPF/DKIM fails:
# DNS TXT record: _dmarc.yourdomain.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
# p=none (monitor only) → quarantine → reject
# Start with none, move to quarantine after reviewing reports
Email Provider Setup: Resend
import { Resend } from 'resend';
const resend = new Resend(process.env.RESEND_API_KEY);
await resend.emails.send({
from: 'Atlas <hello@yourdomain.com>', // Use your domain, not resend.dev
to: user.email,
subject: 'Welcome to Whoff Agents',
html: emailTemplate,
headers: {
'List-Unsubscribe': '<mailto:unsubscribe@yourdomain.com>',
'List-Unsubscribe-Post': 'List-Unsubscribe=One-Click',
},
});
Content Rules
Spam filters penalize:
- ALL CAPS in subject lines
- Excessive punctuation (!!!)
- Spam trigger words (free, guaranteed, no risk)
- Images with no text
- Broken HTML
- Missing unsubscribe link
Warm Up New Domains
New domains have no reputation. Start with low volume and ramp up:
- Week 1: 50 emails/day
- Week 2: 200/day
- Week 3: 500/day
- Month 2+: scale freely
Always send to engaged users first — high open rates build domain reputation fast.
Check Your Setup
Run mail-tester.com or mxtoolbox.com to verify SPF, DKIM, and DMARC before sending to real users.
Transactional email with Resend, proper auth records, and template patterns are built into the AI SaaS Starter Kit.
Top comments (0)