SPF, DKIM, and DMARC
What the three authentication standards do, and what myagentmail needs from each.
DKIM — required
DKIM signs every outbound message with your domain's private key. Receiving servers fetch the public key from DNS and verify the signature, proving the mail really came from an authorized sender for that domain.
When you register a custom domain, we generate a keypair and return the public key as a TXT record. You add it to DNS; we sign every send with the matching private key. Without DKIM, recipient servers like Gmail and Outlook will either spam-filter or reject your mail outright.
SPF — recommended
SPF lists the IP addresses authorized to send mail for your domain. A Gmail server receiving mail from your domain checks: "is this sending IP on the SPF list?"
For myagentmail you want an SPF record that includes our relay. The exact include: value depends on which upstream provider your tenant is on; check the dnsRecords array in your domain verify response. A typical value:
v=spf1 include:zeptomail.eu ~all
DMARC — strongly recommended
DMARC tells receiving servers what to do when SPF or DKIM fails: reject, quarantine, or just report. It also sets up aggregate reports so you can see who's sending mail claiming to be from your domain.
A good starting DMARC record:
_dmarc.yourcompany.com. TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
Start with p=none (report only), monitor the reports for a week, then tighten to p=quarantine and eventually p=reject once you've confirmed everything legitimate is passing.
Order of operations
- Add DKIM (we give you the record) — required for sends to work at all
- Add SPF — improves deliverability
- Add DMARC with p=none — unlocks reporting
- Tighten DMARC to quarantine → reject after a monitoring period