Throughout my previous posts on SPF, DKIM, and DMARC, I gave pieces of advice on what to do and not do. I figured I should write up one final post that lists all of these in a single place.

Background bullet points.

  • Email has two “from” addresses.
  • One address is practically invisible; this is the envelope address.
  • The “From” address in the message headers is what people actually see.
  • The envelope and “From” addresses do not need to match.
  • Bounces go to the envelope address.

SPF bullet points.

  • Never touch any existing SPF records.
  • SPF only cares about the envelope address.
  • You can probably just use your own domain in the envelope address.
    • Alternative: have the client create a subdomain with your platform’s SPF and MX records.
  • Don’t try to “verify” the SPF record; the check may not work.
  • Clients can only add so many platforms to an SPF record.
    • If you never touch the existing record this isn’t a problem.

DKIM bullet points.

  • Every account on your platform should have dedicated DKIM keys.
  • Hosting the public keys in your DNS and having the client publish CNAME entries allows you to perform key rotation easily.
  • Clients can publish virtually unlimited DKIM public keys.
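The CNAME delegation described above, as an added example (not code from the original post): an in-memory stand-in for DNS in which the platform hosts each account’s public key under its own zone and the client publishes only a CNAME to it. The zone name `dkim.platform.example`, the account id, selector and key strings are constructed placeholders.

```python
"""DKIM key delegation via CNAME, simulated with an in-memory record store.

Added example, not the original post's code. PLATFORM_ZONE, account ids,
selectors and the "key" strings are constructed placeholders.
"""
from typing import Dict, Tuple

PLATFORM_ZONE = "dkim.platform.example"  # assumed zone the platform controls

# name -> (rrtype, rdata). A constructed stand-in for real DNS.
Records = Dict[str, Tuple[str, str]]


def platform_name(selector: str, account_id: str) -> str:
    """Where the platform hosts one account's public key for one selector.
    Keys are per account, so one client's rotation never touches another's."""
    return f"{account_id}.{selector}.{PLATFORM_ZONE}"


def client_cname(records: Records, selector: str, client_domain: str, account_id: str) -> str:
    """The only record the client publishes: a CNAME from the standard DKIM
    selector name under their domain to the platform-hosted name."""
    owner = f"{selector}._domainkey.{client_domain}"
    records[owner] = ("CNAME", platform_name(selector, account_id))
    return owner


def publish_key(records: Records, selector: str, account_id: str, pubkey_b64: str) -> None:
    """Platform-side TXT record in DKIM record syntax (v=, k=, p= tags)."""
    records[platform_name(selector, account_id)] = ("TXT", f"v=DKIM1; k=rsa; p={pubkey_b64}")


def resolve_txt(records: Records, name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs until a TXT record is found; bounded so a CNAME loop
    cannot spin a verifier forever."""
    for _ in range(max_hops):
        rrtype, rdata = records.get(name, (None, None))
        if rrtype == "TXT":
            return rdata
        if rrtype != "CNAME":
            raise LookupError(f"no TXT or CNAME record at {name}")
        name = rdata
    raise LookupError("CNAME chain too long")


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of tags."""
    out: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            out[tag.strip()] = value.strip()
    return out


def lookup_dkim_key(records: Records, selector: str, signing_domain: str) -> str:
    """What a verifier does with a signature's s= and d= tags: query
    <selector>._domainkey.<d> and take the p= tag."""
    txt = resolve_txt(records, f"{selector}._domainkey.{signing_domain}")
    return parse_dkim_record(txt)["p"]


def rotation_demo() -> Tuple[str, str, bool]:
    """Rotate an account's key and show the client's CNAME never changes.
    Returns (key before, key after, client record unchanged?)."""
    records: Records = {}
    owner = client_cname(records, "sel1", "client.example", "acct123")
    publish_key(records, "sel1", "acct123", "OLDKEY")  # constructed placeholder
    before = lookup_dkim_key(records, "sel1", "client.example")
    client_record = records[owner]
    publish_key(records, "sel1", "acct123", "NEWKEY")  # rotation: platform side only
    after = lookup_dkim_key(records, "sel1", "client.example")
    return before, after, records[owner] == client_record


if __name__ == "__main__":
    print(rotation_demo())
```

Because verifiers always query `<selector>._domainkey.<d=>` and chase the CNAME, the new key is live as soon as the platform-side TXT changes; the client is never asked to edit DNS again after the one-time CNAME.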

DMARC bullet points.

  • DMARC passes if either SPF or DKIM pass, and that passing result is aligned with the “From” address.
  • You only need one passing mechanism, SPF or DKIM; DMARC never requires both.
  • Creating subdomains (outlined above) for the envelope address allows you to pass SPF with relaxed alignment.
  • Assume DKIM is in strict alignment and you’ll pass DMARC, as well as most local policies.
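The DMARC rule from the bullets above (one aligned pass is enough) and the SPF subdomain point, as an added example that is not code from the original post. It evaluates DMARC from SPF and DKIM results plus identifier alignment; the domain names are constructed, and the organizational-domain shortcut (last two labels) is an assumption standing in for the Public Suffix List a real implementation consults.

```python
"""DMARC evaluation from SPF/DKIM results and identifier alignment.

Added example, not the original post's code. Domains are constructed;
organizational_domain() is a simplification (real DMARC uses the PSL).
"""
from dataclasses import dataclass
from typing import Dict, Optional


def organizational_domain(domain: str) -> str:
    """Assumed shortcut: last two labels. Fine for client.example,
    wrong for names under multi-label public suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs only the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class Message:
    header_from: str            # domain of the visible From: header
    envelope_from: str          # domain of the envelope (MAIL FROM) address
    spf_result: str             # SPF result for the envelope domain
    dkim_result: str            # result of verifying the DKIM signature
    dkim_d: Optional[str] = None  # d= domain of the verified signature


def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> Dict[str, bool]:
    """adkim/aspf mirror the tags in the From domain's DMARC record.
    SPF is judged on the envelope domain, DKIM on the signature's d=,
    and either one aligned pass is sufficient."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.envelope_from, msg.header_from, aspf)
    dkim_ok = (
        msg.dkim_result == "pass"
        and msg.dkim_d is not None
        and aligned(msg.dkim_d, msg.header_from, adkim)
    )
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed scenarios (platform.example sends on behalf of client.example).
# 1. Platform's own domain in the envelope, per-client DKIM key: SPF passes
#    but is unaligned; DKIM is aligned, so DMARC passes.
OWN_DOMAIN_ENVELOPE = Message("client.example", "platform.example", "pass", "pass", "client.example")
# 2. Client created mail.client.example with the platform's SPF record:
#    SPF is aligned under relaxed mode only.
SUBDOMAIN_ENVELOPE = Message("client.example", "mail.client.example", "pass", "fail", None)
# 3. Unaligned SPF pass and no DKIM: DMARC fails even though SPF "passed".
NOTHING_ALIGNED = Message("client.example", "platform.example", "pass", "fail", None)


if __name__ == "__main__":
    for name, msg in [("own-domain envelope", OWN_DOMAIN_ENVELOPE),
                      ("subdomain envelope", SUBDOMAIN_ENVELOPE),
                      ("nothing aligned", NOTHING_ALIGNED)]:
        print(name, dmarc_evaluate(msg), "strict aspf:", dmarc_evaluate(msg, aspf="s"))
```

Scenario 3 is the one worth internalising: an SPF pass on the platform’s own domain counts for nothing under DMARC unless it aligns with the From domain, which is why the per-account DKIM key does the real work.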

Misc bullet points.

  • SPF and DKIM should be tackled separately.
  • DKIM signing should not depend on verifying SPF.

Thanks again!

Please reach out and let me know your thoughts. I’m hoping to maintain these posts as a sort-of living document.