# SPF, DKIM, DMARC: The Deliverability Stack Explained for Outbound Teams URL: https://warmerly.com/blog/spf-dkim-dmarc-deliverability-stack-outbound Published: 2026-04-08 Reading time: 9 minutes Tags: DNS, Authentication, DMARC > A practical walkthrough of the three core authentication standards, alignment modes, common configuration mistakes, and how to read DMARC aggregate (RUA) and forensic (RUF) reports. Authentication is the layer underneath everything else in deliverability. Warmup, copy, list hygiene, and pacing all matter, but they matter less if SPF, DKIM, and DMARC are misconfigured. This guide explains what each record actually does, how alignment works, the mistakes that bite outbound teams hardest, and how to read the reports DMARC sends you. ## What each record does SPF authorises sending sources. It is a TXT record at the apex of your domain that lists IPs and includes for every system permitted to send mail using your domain in the envelope-from (also called Return-Path or MAIL FROM). Receivers check the envelope-from against the SPF record and pass, soft-fail, hard-fail, or neutral depending on the result and your qualifier. DKIM signs messages. The sending system generates a cryptographic signature over selected headers and (usually) the body, then publishes the public key as a TXT record at ._domainkey.yourdomain.com. Receivers fetch the key, verify the signature, and conclude whether the message was tampered with in transit and whether it was actually signed by the claimed domain. DMARC ties the two together. It tells receivers what to do when neither SPF nor DKIM passes with alignment, and it asks them to send you reports. The policy lives at _dmarc.yourdomain.com. The three policy values are p=none (monitor only), p=quarantine (junk it), and p=reject (refuse delivery). ## Alignment, the bit everyone gets wrong Passing SPF or DKIM is not enough for DMARC. The passing record must also align with the From header, which is the address recipients actually see. SPF alignment compares the envelope-from domain to the From header domain. DKIM alignment compares the d= tag in the DKIM signature to the From header domain. Alignment has two modes, relaxed (the default) and strict. Relaxed permits an organisational match, so mail.yourdomain.com aligns with yourdomain.com. Strict requires an exact match, so mail.yourdomain.com would fail strict alignment against yourdomain.com. For cold outreach, relaxed is almost always the right choice. Configure it explicitly with aspf=r and adkim=r in your DMARC record so future-you knows what was intended. The trap: many outbound vendors set the envelope-from to their own bounce domain, which means SPF passes but does not align. If DKIM is also misconfigured, DMARC fails despite SPF showing PASS in the headers. Always check alignment, not just the underlying pass result. ## Common mistakes outbound teams make - Multiple SPF records on the same domain. Receivers must treat this as a permerror, which is a hard fail. Always consolidate to one. - More than 10 DNS lookups in the SPF chain. Each include and a, mx, ptr counts. Tools like dmarcian's SPF surveyor will count for you. - 1024-bit DKIM keys. Considered weak in 2026. Regenerate at 2048-bit and rotate annually. - Same DKIM selector across multiple providers. Each vendor must use a unique selector so key rotation does not break anyone else. - p=reject from day one. Always start at p=none and watch reports for at least 30 days before tightening. - Treating DMARC PASS in the headers as proof of alignment. Read the aggregate reports, they show alignment explicitly. - Forgetting that the bounce vendor in your campaign tool needs to be listed in SPF too. ## Reading DMARC reports DMARC reports come in two flavours. Aggregate reports (RUA) are XML files sent daily by major receivers. Forensic reports (RUF) are individual failure samples and are rarely sent by major providers because of privacy concerns. Most useful intelligence comes from RUA. An aggregate report includes, per sending source IP, the volume of messages, the SPF result, the DKIM result, and the alignment result. If you see significant volume from an IP you do not recognise with both checks failing, somebody is spoofing your domain. If you see volume from your own vendor with one of the checks failing, your configuration with that vendor is wrong. Reading raw XML is painful. Use a free tool like dmarcian, EasyDMARC, or Postmark's DMARC Digests to convert reports into a dashboard. The investment is two minutes, the payoff is months of clearer diagnostics. ## A sensible deployment plan 1. Publish SPF and DKIM. Send a test message and verify both pass with alignment. 2. Publish DMARC at p=none with rua reporting to a monitored mailbox. 3. Watch reports for 30 days. Identify every legitimate sending source and bring each one into compliance. 4. Move to p=quarantine with pct=10, increasing the percentage weekly as reports stay clean. 5. Move to p=reject once quarantine at 100% has run cleanly for 14 days. 6. Once at p=reject, publish a BIMI record if you have a Verified Mark Certificate. Gmail and Yahoo display the logo, and it contributes a small positive signal. > **The single hour** — An hour spent reading your DMARC aggregate reports will teach you more about your sending posture than a week of guessing at copy changes. **Click-by-click setup guides** - [What is DKIM? (And how to set it up)](https://warmerly.com/docs/guides/dkim) - [What are SPF & DMARC? (And how to set them up)](https://warmerly.com/docs/guides/spf-dmarc) - [The click-by-click setup tutorial for SPF, DKIM & DMARC](https://warmerly.com/blog/spf-dkim-dmarc-cold-email) --- Source: https://warmerly.com/blog/spf-dkim-dmarc-deliverability-stack-outbound Full content index: https://warmerly.com/llms-full.txt Site index: https://warmerly.com/llms.txt