SPF, DKIM, and DMARC explained for SaaS founders
Every mailbox provider (Gmail, Outlook, Yahoo) runs the same basic question against every message that arrives: is this sender who they claim to be? SPF, DKIM, and DMARC are the three DNS records that answer that question. Get them wrong and your password-reset emails land in spam. Get them right and they're invisible, which is exactly the point.
SPF: who's allowed to send
SPF (Sender Policy Framework) is a DNS TXT record listing which mail servers are allowed to send email claiming to be from your domain. When a receiving server gets a message from acme.eu, it checks whether the sending IP is on acme.eu's approved list.
A typical record looks like: v=spf1 include:_spf.envello.dev ~all. The include tells receivers to also trust our sending IPs. The ~all at the end is a soft-fail: messages from unlisted servers get flagged, not outright rejected.
DKIM: a cryptographic signature
DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key. The receiving server looks up your public key in DNS and verifies the signature matches. If anything in the message changed in transit, the signature breaks and the receiver knows.
Unlike SPF, which checks the sending server, DKIM checks the message itself, so it survives forwarding in a way SPF doesn't.
DMARC: the enforcement policy
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails both: quarantine it, reject it outright, or do nothing and just report on it. It also gives you an aggregate report of who's sending email as your domain, including anyone spoofing you.
Start with p=none while you confirm your legitimate senders pass, then move to p=quarantine and eventually p=reject once you're confident.
Why this got stricter in 2024
Google and Yahoo's 2024 bulk-sender requirements made all three effectively mandatory for anyone sending meaningful volume: valid SPF and DKIM, a DMARC policy, and a one-click unsubscribe header even on some transactional mail. Providers that handle this configuration for you (generating the records, verifying propagation, monitoring DMARC reports) save you from finding out the hard way that a typo in a TXT record quietly tanked your delivery rate.