Short guides for getting DMARC, SPF, and DKIM right, from your first record to full enforcement. No certifications, no jargon, no ten-page primers.
Start here.
The 5-minute version. Why mailbox providers care, what gets blocked when it's wrong, and how DMARC fits with SPF and DKIM.
Step-by-step: publish the record, point reports somewhere, watch what mail providers say about your domain.
Why a message can pass SPF but still fail DMARC. Identifier alignment, the difference between authentication and alignment, and why DKIM is usually the easier fix.
You set up DMARC, mailbox providers started sending you XML reports, and now you're staring at one wondering what it means. Here's what each section says, and the three patterns to actually look for.
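Added example, not code from this site's guides: a parser for the aggregate-report format described above. SAMPLE_XML is a constructed report in the RFC 7489 Appendix C layout, not one from a real mailbox provider; the domains, IPs and counts are made up. The labels returned by classify() are this example's own triage names, not a taxonomy from the article.

```python
"""Parse a DMARC aggregate (rua) report and say, per sending source, whether
DMARC passed and through which identifier.  SAMPLE_XML is constructed in the
RFC 7489 Appendix C format; real reports arrive as .xml.gz or .zip attachments
and must be decompressed before parsing."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <email>dmarc-noreply@receiver.example.net</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>1500</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2024</selector><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2024</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.66</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def text(node, path, default=""):
    """Stripped text of the first child at `path`, or `default` if absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_report(xml_text):
    """Flatten a report into a dict with one entry per <record>.  Note the two
    result layers: auth_results is raw authentication (what SPF/DKIM said, for
    whichever domain they checked); policy_evaluated is after alignment against
    header_from, which is what DMARC actually uses."""
    root = ET.fromstring(xml_text)
    report = {
        "org": text(root, "report_metadata/org_name"),
        "report_id": text(root, "report_metadata/report_id"),
        "domain": text(root, "policy_published/domain"),
        "policy": text(root, "policy_published/p"),
        "rows": [],
    }
    for rec in root.iter("record"):
        row = {
            "source_ip": text(rec, "row/source_ip"),
            "count": int(text(rec, "row/count", "0")),
            "disposition": text(rec, "row/policy_evaluated/disposition"),
            "dkim_aligned": text(rec, "row/policy_evaluated/dkim") == "pass",
            "spf_aligned": text(rec, "row/policy_evaluated/spf") == "pass",
            "header_from": text(rec, "identifiers/header_from"),
            "dkim_raw": [(text(d, "domain"), text(d, "selector"), text(d, "result"))
                         for d in rec.findall("auth_results/dkim")],
            "spf_raw": [(text(s, "domain"), text(s, "result"))
                        for s in rec.findall("auth_results/spf")],
        }
        row["dmarc"] = "pass" if row["dkim_aligned"] or row["spf_aligned"] else "fail"
        report["rows"].append(row)
    return report


def classify(row):
    """Triage label (this example's own names): 'aligned' (both identifiers pass),
    'DKIM-only' (SPF did not align: forwarding, or a sender missing from SPF),
    'SPF-only' (no aligned signature: unsigned or broken DKIM), 'unaligned'."""
    if row["dkim_aligned"] and row["spf_aligned"]:
        return "aligned"
    if row["dkim_aligned"]:
        return "DKIM-only"
    if row["spf_aligned"]:
        return "SPF-only"
    return "unaligned"


def summarize(report):
    """Message volume per triage label."""
    totals = Counter()
    for row in report["rows"]:
        totals[classify(row)] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_XML)
    print(f"{rep['org']} report {rep['report_id']} for {rep['domain']} (p={rep['policy']})")
    for row in rep["rows"]:
        print(f"  {row['source_ip']:<15} {row['count']:>6}  {classify(row):<10} raw spf={row['spf_raw']}")
    print(summarize(rep))
```

The second record is the forwarding signature: auth_results shows SPF passing for forwarder.example.org, yet policy_evaluated marks SPF as fail because that domain does not align with header_from. DMARC still passes on the aligned DKIM signature.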
How to step from monitor-only to actual enforcement without breaking real mail. The 4-week ramp most domains should follow.
The two layers underneath.
RFC 7208 caps the DNS-querying terms in one SPF evaluation (include, a, mx, ptr, exists, and the redirect modifier) at 10. Cross it and receivers return permerror, so no sender gets an SPF pass for DMARC to use. What counts, what doesn't (ip4, ip6 and all are free), and how to come back under.
RFC 7208 says a domain MUST NOT publish more than one v=spf1 record. Find two and receivers return permerror for every check, so none of your authorized senders gets an SPF pass, whatever the records say. Here's how to merge them into one safely.
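Added example covering both of the two SPF problems above (the 10-lookup cap and duplicate v=spf1 records); it is not code from this site. It never touches DNS: ZONE is a constructed in-memory zone whose names only look like vendor domains, and replacing it with real TXT lookups is the one change needed to run it against a live domain.

```python
"""Count the DNS-querying terms an SPF record reaches (RFC 7208 s4.6.4 limit: 10)
and merge duplicate v=spf1 records into one (s3.2 allows exactly one).
Offline: ZONE is a constructed stand-in for DNS, not real data."""
import re

LOOKUP_LIMIT = 10
# Terms that cost a DNS query.  ip4, ip6, all and exp= are free, and the
# qualifier (+ - ~ ?) in front of a mechanism never changes the cost.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone: name -> TXT strings.  Vendor-looking names are invented.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net mx ip4:203.0.113.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 include:_spf1.sendgrid.net include:_spf2.sendgrid.net -all"],
    "_spf1.sendgrid.net": ["v=spf1 a mx ptr -all"],
    "_spf2.sendgrid.net": ["v=spf1 exists:%{i}._i.sendgrid.net redirect=_spf3.sendgrid.net"],
    "_spf3.sendgrid.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # Two v=spf1 records on one name: permerror under RFC 7208 s3.2.
    "dup.example": ["v=spf1 include:_spf.google.com -all", "v=spf1 ip4:203.0.113.9 ~all"],
}

# qualifier?, mechanism/modifier name, optional ":" or "=" argument up to any "/cidr"
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", re.I)


def spf_records(domain):
    """All TXT strings at `domain` that begin with v=spf1 (case-insensitive)."""
    return [t for t in ZONE.get(domain, []) if re.match(r"v=spf1(\s|$)", t, re.I)]


def count_lookups(domain, chain=()):
    """DNS-querying terms reached from `domain`, in evaluation order, assuming
    the worst case where every term is evaluated (an unmatched sender does
    exactly that).  Raises ValueError for a missing or duplicated record and
    for include loops: all of these are permerror at a real receiver."""
    recs = spf_records(domain)
    if len(recs) != 1:
        raise ValueError(f"{domain}: {len(recs)} v=spf1 records, need exactly 1")
    if domain in chain:
        raise ValueError(f"include loop: {' -> '.join(chain + (domain,))}")
    found = []
    for term in recs[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in QUERYING:
            continue
        found.append(f"{domain}: {term}")
        if m.group(1).lower() in ("include", "redirect"):  # descend into the target
            found += count_lookups(m.group(2), chain + (domain,))
    return found


def check(domain):
    """('ok' | 'over-limit' | 'permerror', detail) for a domain."""
    try:
        n = len(count_lookups(domain))
    except ValueError as e:
        return "permerror", str(e)
    return ("over-limit" if n > LOOKUP_LIMIT else "ok"), f"{n} DNS-querying terms"


ALL_RANK = {"-all": 3, "~all": 2, "?all": 1, "all": 0}  # stricter wins on merge


def merge_spf(records):
    """Merge several v=spf1 strings into one: keep each term once, in the order
    first seen, with a single terminal all (the strictest).  Merging removes the
    duplicate-record permerror; it does not by itself reduce the lookup count."""
    terms, all_term = [], None
    for rec in records:
        for term in rec.split()[1:]:
            t = term.lower()
            t = "all" if t == "+all" else t
            if t in ALL_RANK:
                if all_term is None or ALL_RANK[t] > ALL_RANK[all_term]:
                    all_term = t
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, *([all_term] if all_term else [])])


if __name__ == "__main__":
    for t in count_lookups("example.com"):
        print("  ", t)
    print("example.com:", *check("example.com"))
    print("dup.example:", *check("dup.example"))
    print("merged dup.example:", merge_spf(ZONE["dup.example"]))
```

Run it and example.com comes out at 12 terms: the two includes fan out into seven more, and the bare mx at the top adds one. Flattening the sendgrid.net branch into ip4 ranges (or dropping ptr, which RFC 7208 already discourages) is how you get back under.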
NIST SP 800-131A disallowed 1024-bit RSA for signing after 2013, and Google's sender guidelines now recommend 2048-bit DKIM keys. Here's the rotation playbook to 2048-bit (publish the new selector, switch signing to it, then retire the old one) without breaking mail already in flight.
A DKIM selector whose TXT record carries an empty p= value is, per RFC 6376, a revoked key. Any mail still signed with that selector fails DKIM until you either delete the leftover record (if nothing signs with it any more) or republish the public key (if something still does). Here's how to tell which case you're in.
If a DKIM selector that used to be in DNS stops resolving, receivers can't fetch the public key, every signature made with it fails to verify, and DKIM alignment fails with it. The cause is usually one of three things: an in-progress rotation, a manual delete, or a DNS provider hiccup. Here's how to tell them apart and fix it.
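Added example for the three DKIM record states covered above (key too short, empty p= revocation, selector missing); it is not code from this site. It works entirely offline: ZONE is a constructed stand-in for the selector._domainkey TXT records, and the keys in it are structurally valid RSA SubjectPublicKeyInfo blobs with made-up moduli, not real key material. The tiny DER reader avoids a dependency; with the cryptography package installed you would load the p= bytes with load_der_public_key instead.

```python
"""Classify a DKIM selector's TXT record: missing, revoked (empty p=), weak
(RSA < 2048 bits) or ok, by decoding the p= SubjectPublicKeyInfo.
Offline: ZONE is constructed; the 'keys' are valid DER with fake moduli."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER: encode (to build samples) and decode (to read records) ---
def der(tag, body):
    """One TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER; (bit_length + 8) // 8 bytes keeps a leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long form: n & 0x7f length bytes follow
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def fake_rsa_spki(bits):
    """Structurally valid SPKI for an RSA key of `bits` bits (constructed, NOT a real key)."""
    modulus = (1 << (bits - 1)) | 0x1F             # top bit set so bit_length() == bits
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))


def rsa_bits_from_spki(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo, or None if not RSA."""
    tag, body, _ = der_read(spki)                  # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = der_read(body)                   # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read(alg)                      # algorithm OID
    if oid != RSA_OID:
        return None
    _, bitstr, _ = der_read(body, pos)             # subjectPublicKey BIT STRING
    _, rsa_key, _ = der_read(bitstr[1:])           # skip unused-bits byte: RSAPublicKey SEQUENCE
    _, modulus, _ = der_read(rsa_key)              # INTEGER n comes first
    return int.from_bytes(modulus, "big").bit_length()


def parse_tags(txt):
    """DKIM tag=value list ("v=DKIM1; k=rsa; p=...") to a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


_K2048 = base64.b64encode(fake_rsa_spki(2048)).decode()
# Constructed zone: selector._domainkey name -> TXT strings (None/absent = no record).
ZONE = {
    "s2023._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()],
    # Long keys are usually published as several quoted strings; receivers concatenate them.
    "s2024._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + _K2048[:200], _K2048[200:]],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],     # empty p=: revoked (RFC 6376 s3.6.1)
    # "gone._domainkey.example.com" has no entry: deleted, never published, or mid-rotation
}


def check_selector(name):
    """(status, detail) for a selector name: missing | revoked | invalid | weak | ok."""
    strings = ZONE.get(name)
    if strings is None:
        return "missing", "no TXT record: deleted, never published, or mid-rotation"
    tags = parse_tags("".join(strings))            # join multi-string TXT before parsing
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid", f"unexpected v={tags['v']}"
    if "p" not in tags:
        return "invalid", "no p= tag"
    if tags["p"] == "":
        return "revoked", "empty p= means the key is revoked (RFC 6376 s3.6.1)"
    try:
        bits = rsa_bits_from_spki(base64.b64decode(tags["p"], validate=True))
    except Exception as e:                         # bad base64 or malformed DER
        return "invalid", f"p= does not decode as an SPKI: {e}"
    if bits is None:
        return "ok", "non-RSA key"
    if bits < 2048:
        return "weak", f"RSA-{bits}: rotate to 2048"
    return "ok", f"RSA-{bits}"


if __name__ == "__main__":
    for sel in ("s2023", "s2024", "old", "gone"):
        name = f"{sel}._domainkey.example.com"
        print(f"{name:<32}", *check_selector(name), sep="  ")
```

Against a live domain, "missing" versus "revoked" is the distinction that matters: missing means the name returns no TXT at all (check more than one resolver before blaming a rotation), revoked means someone published a record with p= deliberately emptied.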
Step-by-step DNS edits.
Auto-fix that touches your authoritative DNS is risky if you do it wrong. Here are the four safety layers we use (5-minute cancel window, paper-trail email, read-back verify, 24h undo) and why each one is there.
Connect your AWS account and the DMARC, SPF, DKIM, and TLS-RPT fixes trustyourinbox recommends become one click, with a 5-minute cancel window, an email paper trail, and 24-hour undo. The five-minute setup: a scoped API-only IAM user, the least-privilege policy, and an access key. Plus how to rotate or revoke it later.
When trustyourinbox doesn't have a one-click integration with your DNS provider, you can still apply every fix yourself. Here's the universal walkthrough: how to find which provider hosts your DNS, where the TXT-record editor lives in the most common ones, what to paste for each fix type (DMARC, SPF, DKIM, MTA-STS), and how to verify the change took effect.
GoDaddy hosts your DNS at ns01/ns02.domaincontrol.com. trustyourinbox can recommend the right DMARC, SPF, DKIM, and MTA-STS records but can't apply them for you on GoDaddy yet. The exact path through the current GoDaddy panel: where the editor lives, GoDaddy's quirks (per-record TTL, Domain Protection 2SV, ASCII-only values), and how to verify the record published.
Namecheap hosts your DNS at dns1/dns2.registrar-servers.com (FreeDNS) or pdns1/pdns2 (PremiumDNS). The exact path through Namecheap's Advanced DNS panel: where the editor lives, the @-vs-blank apex quirk, and how to verify the record published. Same flow on FreeDNS, BasicDNS, and PremiumDNS.
Route 53 hosts your DNS at four nameservers across .com / .net / .co.uk / .org TLDs. The exact path through the Route 53 console: Route 53's mandatory double-quote rule, multi-string handling for long DKIM keys, IAM permission requirements, and how to verify the record published.
Google Cloud DNS hosts your DNS at four ns-cloud-[a-d]N.googledomains.com nameservers. The exact path through the Cloud Console: the apex-blank-NOT-@ quirk, multi-string handling for long DKIM keys, IAM roles you need, and how to verify the record published.
Azure DNS hosts your DNS at four nsN-NN.azure-dns.{com,net,org,info} nameservers. The exact path through the Azure portal: how Azure auto-segments long values (easiest for DKIM keys), RBAC roles you need, and how to verify the record published.
Once you're past p=none.
Some rows in your DMARC reports won't have a vendor name attached. Just a bare source IP marked Unknown. Here's the triage guide: what aligned-vs-not means, how to figure out who the IP actually belongs to, and when an Unknown is safe to ignore.
DMARC tells receivers who's allowed to send as you. MTA-STS tells sending servers that mail to your domain must arrive over TLS with a certificate that validates, so a STARTTLS-stripping downgrade fails instead of silently falling back to plaintext. TLS-RPT is how those senders tell you when the TLS handshake or policy check failed. Here's when to bother, and why it's harder to set up than DMARC (the policy is served over HTTPS, so you need a web host and a certificate, not just a DNS record).
BIMI is the brand logo that shows up next to your sender name in supporting inboxes. It needs DMARC at p=quarantine (with pct=100) or p=reject, a published BIMI record, and an SVG logo, either published on its own for free or backed by a Verified Mark Certificate. Here's what each piece costs, who actually displays it, and whether the upgrade is worth it.
Email forwarders break SPF because the final receiver sees the forwarder's IP, not yours, and that IP isn't in your SPF record. DKIM usually survives, since the signature travels with the message. DMARC's alignment rule means DKIM-aligned mail still passes even when SPF fails, which is why your forwarded reports look mostly fine. Here's what's happening, when it breaks (mailing lists that rewrite the body or subject), and what to do about ARC.
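Added example, not code from this site, for the alignment rule explained in the forwarding piece above and in the "pass SPF but fail DMARC" guide: the identifier-alignment step of RFC 7489 run over a direct send, an intact forward, and a forward through a list that modified the message. PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List; nothing here queries DNS or verifies a signature, the SPF and DKIM outcomes are given as inputs.

```python
"""DMARC identifier alignment (RFC 7489 s3.1): an SPF or DKIM pass only counts
for DMARC if the domain it authenticated aligns with the RFC5322.From domain.
Relaxed ('r') alignment compares organizational domains, strict ('s') exact names."""

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # constructed; the real PSL has thousands


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(header_from, auth_domain, mode="r"):
    """Does `auth_domain` (SPF-checked domain or DKIM d=) align with the From domain?"""
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if not b:
        return False
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(header_from, spf_result, spf_domain, dkim_results, adkim="r", aspf="r"):
    """DMARC verdict for one message.
    spf_result/spf_domain: SPF outcome and the domain it was checked for (MAIL FROM).
    dkim_results: [(d= domain, verification result)] for every signature present.
    adkim/aspf: the alignment modes from the domain owner's DMARC record."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(header_from, d, adkim) for d, res in dkim_results)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


# Constructed scenarios: (label, From domain, SPF result, SPF-checked domain, DKIM signatures)
SCENARIOS = [
    ("direct send from your own gateway",
     "example.com", "pass", "bounce.example.com", [("example.com", "pass")]),
    ("forwarded intact: SPF now checks the forwarder's MAIL FROM, your DKIM survives",
     "example.com", "pass", "forwarder.example.org",
     [("example.com", "pass"), ("forwarder.example.org", "pass")]),
    ("mailing list added a footer: your signature breaks, the list's own is not yours",
     "example.com", "pass", "lists.example.net",
     [("example.com", "fail"), ("lists.example.net", "pass")]),
]


def run_scenarios(adkim="r", aspf="r"):
    """Scenario label -> DMARC verdict under the given alignment modes."""
    return {label: evaluate(hf, spf, spfd, dk, adkim, aspf)["dmarc"]
            for label, hf, spf, spfd, dk in SCENARIOS}


if __name__ == "__main__":
    for label, hf, spf, spfd, dk in SCENARIOS:
        print(f"{label}\n  {evaluate(hf, spf, spfd, dk)}")
    # strict SPF alignment turns a subdomain bounce address into a non-aligned pass
    print("aspf=s, bounce.example.com, no DKIM:",
          evaluate("example.com", "pass", "bounce.example.com", [], aspf="s"))
```

The second scenario is the whole forwarding story in one line: SPF genuinely passes, for the forwarder's domain, and that pass is worthless to DMARC because it is not aligned; the aligned DKIM signature carries the verdict. The third is where DKIM breaks too and only ARC, a chain of receivers vouching for what they saw before modifying the message, can help.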
Point Claude, Cursor, or any MCP client at your workspace and ask questions in plain language, like "how much spoof mail did my domain get last week". Create a read-only token, paste it into your client, and get answers from your real DMARC reports. Here's the setup for the common clients, what it can and can't do, and how the access is scoped.
Once your AI assistant is connected over MCP, you can ask about your DMARC data the way you'd ask a colleague. Here are the questions that actually help, the prompts to paste, and what the answers look like, from "is my failure forwarding or real?" to "how does Gmail see me vs Outlook?".
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.