Yasser Addadi

Posted on • Originally published at lumesend.com

SPF, DKIM, and DMARC Explained — The 3 DNS Records Every Developer Needs

If you send emails from your domain, you need these 3 records.

Whether you're using Resend, SendGrid, AWS SES, or your own SMTP server — if you haven't set up SPF, DKIM, and DMARC, your emails are landing in spam. Here's what each one does and how to fix it.

SPF (Sender Policy Framework)

What it does: Tells receiving servers which IPs are allowed to send email from your domain.

DNS record type: TXT record on your root domain

Example:

v=spf1 include:_spf.google.com include:send.resend.com ~all

What this means:

  • v=spf1 — This is an SPF record
  • include:_spf.google.com — Google Workspace can send from this domain
  • include:send.resend.com — Resend can send from this domain
  • ~all — Soft-fail everything else (mark as suspicious)

Common mistake: Using -all (hard fail) before you've listed all your senders. This will block legitimate emails from services you forgot to include.

DKIM (DomainKeys Identified Mail)

What it does: Cryptographically signs every email so the receiver can verify it wasn't tampered with in transit.

DNS record type: TXT record at selector._domainkey.yourdomain.com

How it works:

  1. Your email provider generates a public/private key pair
  2. The public key goes in DNS as a TXT record
  3. Every outgoing email gets signed with the private key
  4. The receiving server verifies the signature using the public key

Pro tip: Different providers use different selectors:

  • Google Workspace: google._domainkey
  • Resend: resend._domainkey
  • SendGrid: s1._domainkey, s2._domainkey
  • Microsoft 365: selector1._domainkey, selector2._domainkey

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Tells receivers what to do when SPF or DKIM fails, and where to send reports.

DNS record type: TXT record at _dmarc.yourdomain.com

Example:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

What this means:

  • p=quarantine — Failed emails go to spam (not rejected)
  • rua=mailto:... — Send aggregate reports to this address
  • pct=100 — Apply policy to 100% of emails

Recommended rollout:

  1. Start with p=none (monitor only)
  2. After 2 weeks, check reports → move to p=quarantine
  3. After confidence, move to p=reject
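The SPF "common mistake" and the DMARC rollout order above can both be checked mechanically before a record is published. The following is an added example, not the author's Domain Health Checker: it lints record strings offline (no DNS lookups), and the function names, the `SENDERS` list, and the assumption that each sender is identified by its `include:` target are illustrative.

```python
# Added example (not the author's checker): lint SPF and DMARC TXT values offline.
ROLLOUT = ["none", "quarantine", "reject"]  # rollout order from the article

def lint_spf(record, expected_senders):
    """Return (qualifier on 'all', findings) for one SPF TXT value."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None, ["not an SPF record: must start with v=spf1"]
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return None, ["no 'all' mechanism: unlisted senders are not restricted"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"  # bare 'all' = +all
    if qualifier in "+?":
        return qualifier, [f"{qualifier}all does not restrict unlisted senders"]
    effect = {"-": "hard-fail", "~": "soft-fail"}[qualifier]
    missing = sorted({s.lower() for s in expected_senders} - includes)
    return qualifier, [f"{s} is not included: its mail will {effect}" for s in missing]

def lint_dmarc(record):
    """Return (policy, findings) for one DMARC TXT value."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return None, ["not a DMARC record: v=DMARC1 tag missing"]
    policy, findings = tags.get("p", "").lower(), []
    if policy not in ROLLOUT:
        findings.append("missing or unknown p= policy")
    elif policy != "reject":
        step = ROLLOUT[ROLLOUT.index(policy) + 1]
        findings.append(f"p={policy}: next rollout step is p={step}")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct}: policy does not cover all mail")
    return policy, findings

# Constructed inputs: the article's two records plus two deliberately weak ones.
SENDERS = ["_spf.google.com", "send.resend.com"]
SPF_ARTICLE = "v=spf1 include:_spf.google.com include:send.resend.com ~all"
SPF_EARLY_HARDFAIL = "v=spf1 include:_spf.google.com -all"
DMARC_ARTICLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
DMARC_MONITOR = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(lint_spf(SPF_EARLY_HARDFAIL, SENDERS))
    print(lint_dmarc(DMARC_MONITOR))
```

Running it against `SPF_EARLY_HARDFAIL` reports that `send.resend.com` would hard-fail, which is the forgotten-sender case described in the SPF section.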

Check Your Setup in 5 Seconds

I built a free Domain Health Checker that checks all three records instantly:

  • ✅ SPF record found and valid
  • ✅ DKIM detected (checks 40+ provider selectors)
  • ✅ DMARC policy set

No signup required. Enter your domain, get results.

👉 Check your domain now →

Bonus Tools

Tool                  | What It Does
Domain Health Checker | SPF + DKIM + DMARC verification
Blacklist Checker     | Check 25+ spam blacklists
Email Header Analyzer | Decode email routing and auth results

All free at lumesend.com/tools.


Built with Lume — a self-hosted email engine for founders who want to own their email infrastructure.
