Email, Demystified (SPF, DKIM, DMARC)
You sent a perfectly normal email and it landed in spam. Or worse: someone sent mail as you - your domain, your name - and your customers got it. Email feels like one of the oldest, simplest things on the internet, yet the moment deliverability breaks, the advice you find is a wall of acronyms with no model underneath. SPF, DKIM, DMARC, "soft fail," "alignment" - what are these things?
This guide gives you the model first. You'll follow one email on its real journey, see exactly why spoofing was so easy for so long, and then meet the three DNS records that fix it - what each one actually proves, the literal text you put in DNS, and why you need all three working together. By the end, "it's going to spam" will be a problem you can diagnose, not a curse.
How to read this
- Deliverability is on fire right now? Skip to Phase 3 - it's the cure, the record-by-record checklist, and how to read a DMARC report.
- Want it to actually make sense? Read in order. The journey (Phase 1) explains why spoofing works; the three records (Phase 2) only make sense once you've seen the hole they plug.
The phases
- The Journey of One Email - what SMTP really is, the hop-by-hop trip from your app to the recipient's inbox, and the open door that lets anyone claim to be you.
- The Three Proofs: SPF, DKIM, DMARC - the three DNS records that authenticate your mail: who may send, a tamper-proof signature, and the policy that ties them together. The actual records, line by line.
- Fixing Deliverability - why mail still goes to spam after you "set up SPF," the alignment trap, reading a DMARC report, and a working checklist.
This guide assumes you're comfortable with the basics of how machines find each other. If DNS records and ports feel fuzzy, read IP Addresses, DNS & Ports first - email leans hard on DNS, and that foundation makes everything here click.