Guide

Email Deliverability: A Developer's Guide to SPF, DKIM & DMARC

July 1, 202611 min readThe Trigger Engage team

Email deliverability is the difference between a message that lands in the inbox and one that nobody ever sees. You can write the perfect onboarding sequence, but if it drops into the spam folder — or gets rejected at the door — none of that work matters. The good news for developers: most spam-folder problems are technical, and technical problems are fixable. This is the practical guide to the DNS records, reputation signals, and list habits that keep your email arriving.

How email authentication reaches the inbox: your app, then SPF, DKIM, DMARC, then delivered
SPF, DKIM, and DMARC authenticate your mail on the way to the inbox.

What "deliverability" actually means

People use "deliverability" loosely, but there are really two separate questions. The first is delivery: did the receiving server accept the message at all, or did it bounce it back? The second is placement: once accepted, did it land in the inbox or get filed as spam? A message can be delivered and still be invisible.

Mailbox providers — Gmail, Outlook, Yahoo, Apple Mail — make the placement decision, and they make it in milliseconds using three broad inputs:

  • Authentication — can they cryptographically confirm the mail really came from your domain?
  • Reputation — what's the track record of your sending domain and IP address?
  • Engagement — do recipients open, click, and reply, or delete and complain?

You control the first outright, influence the second over time, and earn the third with good content and clean lists. Let's take them in order.

Authenticate your mail: SPF, DKIM, DMARC

Authentication is table stakes. Without it, providers can't tell your mail from a spoofer's, and modern filters treat unauthenticated bulk mail as guilty until proven innocent. Three DNS records do the work, and they build on each other.

SPF — authorize your sending servers

Sender Policy Framework (SPF) is a published list of the servers allowed to send mail for your domain. It lives in a single TXT record at the domain root. The receiver checks the connecting server's IP against that list — usually resolved through your provider's include: — and passes or fails the message on the MAIL FROM (envelope) domain.

example.com.  IN TXT  "v=spf1 include:amazonses.com include:mailgun.org -all"

The -all at the end is a hard fail: "if the sender isn't in this list, reject it." Prefer -all over the softer ~all once you're confident every legitimate source is included. One caveat: SPF permits at most ten DNS lookups, so don't stack endless include: entries.

DKIM — sign your mail cryptographically

DomainKeys Identified Mail (DKIM) adds a digital signature to every message. Your sending service holds a private key and signs a hash of the headers and body; you publish the matching public key in DNS under a selector. The receiver fetches the public key, verifies the signature, and confirms the message wasn't altered in transit and genuinely originated from your domain.

s1._domainkey.example.com.  IN TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

The s1 is the selector, so you can rotate keys or run several providers side by side, each with its own record. Your ESP generates the key pair and gives you the public half to publish — you never handle the private key yourself.

DMARC — tie it together and get reports

DMARC is the policy layer. It tells receivers what to do when a message fails authentication, and — crucially — it requires alignment: the domain in the visible From: header must match the domain validated by SPF or DKIM. That alignment check is what actually stops spoofing, because SPF and DKIM on their own validate envelope and signing domains the recipient never sees.

_dmarc.example.com.  IN TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

Roll DMARC out in stages. Start at p=none — this enforces nothing but sends you daily aggregate reports (rua) so you can see who's sending as you and confirm your legitimate streams pass. Once the reports look clean, move to p=quarantine (failing mail goes to spam), then to p=reject (failing mail is refused outright).

PolicyWhat receivers do on failureUse it when
p=noneNothing — deliver and reportMonitoring; discovering your real senders
p=quarantineRoute to spam/junkReports are clean; ready to filter spoofers
p=rejectReject at SMTP timeFull confidence; maximum protection

Since February 2024, Gmail and Yahoo require SPF, DKIM, and a DMARC record (at least p=none) from anyone sending bulk mail, along with one-click unsubscribe and a complaint rate kept under 0.3%. These are no longer nice-to-haves.

Tip: Stand up all three records and sit at p=none for two to four weeks before enforcing. The aggregate reports almost always surface a forgotten sender — a billing system, a helpdesk, an old marketing tool — that you'll want aligned before quarantine starts filtering it.

Reputation and warmup

Once you're authenticated, providers track how your domain and IP behave over time. Send wanted mail that people engage with and your reputation climbs; generate bounces and complaints and it sinks — dragging inbox placement down with it.

New sending identities start with no reputation, which filters treat with suspicion. A brand-new domain that suddenly blasts 50,000 messages looks exactly like a compromised account. So you warm up: start with a few hundred sends a day to your most engaged recipients, then roughly double the volume every few days over two to four weeks, watching bounce and complaint rates as you go.

Whether you need a dedicated IP depends on volume. Dedicated IPs give you full control of your own reputation but must be warmed and fed consistent volume — below roughly 50,000–100,000 messages a month they often perform worse than a well-managed shared pool, because there isn't enough traffic to establish a stable signal. Most senders should stay on their provider's shared IPs until volume justifies the move. Either way, consistency matters: steady daily volume reads as healthy; erratic spikes read as spam.

List hygiene

Your list is the single biggest lever on reputation, and a bad one will sink you no matter how clean your DNS is. The rules are simple and non-negotiable:

  • Use confirmed opt-in. Only mail people who explicitly asked to hear from you. Never send to purchased or scraped lists — they're full of spam traps that get you blocklisted.
  • Remove hard bounces immediately. A hard bounce means the address doesn't exist. Continuing to send to it signals that you don't clean your list, which is a classic spammer tell.
  • Suppress complainers instantly. If someone marks you as spam, never mail them again. Wire up your provider's feedback loop so this happens automatically.
  • Prune the chronically unengaged. Recipients who haven't opened anything in six months drag down your engagement average. Try a re-engagement campaign, then let the rest go.

Content and engagement

Content filters are less about magic "spam words" than they used to be, but patterns still hurt: all-caps subject lines, link shorteners, a single giant image with no text, mismatched or hidden links. Always include a plain, visible unsubscribe link — hiding it drives people to hit "report spam" instead, which is far more damaging than a quiet opt-out.

Engagement is the real currency. Opens, clicks, and replies tell providers your mail is wanted, and that feedback loops straight back into reputation. This is exactly why subject lines are worth obsessing over — a better subject lifts opens, and higher opens lift placement. It's a good candidate for A/B testing so you're optimizing on data, not hunches.

Separate your streams

Don't send password resets from the same reputation as your weekly newsletter. Transactional mail is expected and heavily engaged; marketing mail gets more complaints and unsubscribes. Mixing them lets marketing's noise pollute the reputation your critical transactional mail depends on. The fix is to split them onto separate subdomains — say mail.example.com for marketing and notify.example.com for transactional — each with its own authentication and its own reputation. Our guide on transactional vs marketing email covers where to draw the line. Triggering transactional mail directly from application events also keeps it timely and consistent, which is exactly the steady, wanted signal that builds a strong sending reputation.

Monitor it

Deliverability isn't set-and-forget; it drifts, and you want to catch it early. Watch your bounce rate (keep it under ~2%) and complaint rate (under 0.1%, and well under Gmail's 0.3% ceiling). Enroll in Google Postmaster Tools for a direct read on your domain reputation and spam rate at Gmail. Run periodic seed tests to see where you land across providers. And actually read your DMARC aggregate reports — they're the early-warning system for spoofing and for legitimate senders quietly failing alignment.

What about SMS and push?

Reputation isn't unique to email. Carriers score the sender IDs and short codes behind SMS, and push platforms track how often users disable your notifications. The same discipline applies everywhere: send wanted, well-targeted messages and honor opt-outs. This is one reason a single marketing automation platform that tracks delivery across every channel beats stitching together per-channel point tools — you see the whole picture in one place. Trigger Engage takes that approach: it's open source, self-hostable, and free, and it sends email over any SMTP provider you choose — SES, Mailgun, Postmark, and the rest — so the sending reputation you build stays entirely yours.

Frequently asked questions

Why are my emails going to spam?
Almost always one of three things: missing or broken authentication (SPF, DKIM, DMARC), poor domain or IP reputation from bounces and complaints, or low engagement because the list is stale or the content is unwanted. Start by confirming all three DNS records pass, then audit your list and bounce handling.
What are SPF, DKIM, and DMARC?
They're three DNS records that authenticate your mail. SPF lists which servers may send for your domain. DKIM cryptographically signs each message so receivers can verify it's genuine and unaltered. DMARC ties the two to your visible From: address, tells receivers what to do when authentication fails, and sends you reports. You want all three — they're required for bulk senders at Gmail and Yahoo.
Do I need a dedicated IP address?
Only at scale. Dedicated IPs make sense above roughly 50,000–100,000 messages a month, where there's enough consistent volume to build a stable reputation. Below that, a warmed shared IP pool from your provider almost always delivers better, because a low-volume dedicated IP never accumulates enough signal.
How do I warm up a new sending domain?
Authenticate it first, then ramp volume gradually. Begin with a few hundred messages a day to your most engaged recipients, roughly doubling every few days over two to four weeks. Watch bounce and complaint rates and slow down if either climbs. Consistent daily volume to people who open your mail is what builds reputation fastest.