DEV Community

Yasser Addadi
Yasser Addadi

Posted on • Originally published at lumesend.com

SPF, DKIM, and DMARC Explained — The 3 DNS Records Every Developer Needs

#webdev #email #dns #security

Every developer sends email. Most do it wrong.

If you deploy a SaaS, you send transactional email — welcome messages, password resets, notifications. Without SPF, DKIM, and DMARC, those emails land in spam.

Here's what each record does and how to set it up.

SPF (Sender Policy Framework)

What it does: Tells receiving servers which IPs are allowed to send email from your domain.

DNS record type: TXT record on your root domain

v=spf1 include:_spf.google.com include:send.resend.com ~all
Enter fullscreen mode Exit fullscreen mode

What this means:

  • v=spf1 — This is an SPF record
  • include:_spf.google.com — Google Workspace can send from this domain
  • include:send.resend.com — Resend can send from this domain
  • ~all — Soft-fail everything else

Common mistake: Using -all (hard fail) before listing all your senders.

DKIM (DomainKeys Identified Mail)

What it does: Cryptographically signs every email so the receiver can verify it wasn't tampered with in transit.

DNS record type: TXT record at selector._domainkey.yourdomain.com

How it works:

  1. Your email provider generates a public/private key pair
  2. The public key goes in DNS
  3. Every outgoing email gets signed with the private key
  4. The receiving server verifies using the public key

Provider selectors:

  • Google: google._domainkey
  • Resend: resend._domainkey
  • SendGrid: s1._domainkey
  • Microsoft 365: selector1._domainkey

DMARC (Domain-based Message Authentication)

What it does: Tells receivers what to do when SPF or DKIM fails.

DNS record type: TXT record at _dmarc.yourdomain.com

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Enter fullscreen mode Exit fullscreen mode

Recommended rollout:

  1. Start with p=none (monitor only)
  2. After 2 weeks, move to p=quarantine
  3. After confidence, move to p=reject

Check Your Setup in 5 Seconds

I built a free Domain Health Checker that checks all three records instantly. It scans 40+ DKIM provider selectors — Google, Resend, SendGrid, Mailchimp, and more.

No signup required. Enter your domain, get results.

Check your domain now

More Free Tools

Tool What It Does
Domain Health Checker SPF + DKIM + DMARC verification
Blacklist Checker Check 25+ spam blacklists
Email Header Analyzer Decode email routing and auth results
All tools Free hub, no signup

Built with Lume — a self-hosted email engine for founders who want to own their email infrastructure.

Top comments (0)