Email authentication, in plain English.
Short guides for getting DMARC, SPF, and DKIM right, from your first record to full enforcement. No certifications, no jargon, no ten-page primers.
DMARC basics
Start here.
What is DMARC?
The 5-minute version. Why mailbox providers care, what gets blocked when it's wrong, and how DMARC fits with SPF and DKIM.
Setting up DMARC for the first time
Step-by-step: publish the record, point reports somewhere, watch what mail providers say about your domain.
DMARC alignment, in plain English
Why a message can pass SPF but still fail DMARC. Identifier alignment, the difference between authentication and alignment, and why DKIM is usually the easier fix.
Reading your first DMARC report
You set up DMARC, mailbox providers started sending you XML reports, and now you're staring at one wondering what it means. Here's what each section says, and the three patterns to actually look for.
Progressing past p=none safely
How to step from monitor-only to actual enforcement without breaking real mail. The 4-week ramp most domains should follow.
What changed in DMARCbis (RFC 9989)
DMARC became a real internet standard in May 2026. Your v=DMARC1 records keep working. What's new (np, test mode t=, the DNS tree walk), what was removed (pct), and the one change actually worth making.
What does DMARC monitoring cost?
DMARC itself is free. Monitoring is what costs. What drives the price, real market ranges, and when $0 is genuinely enough.
SPF + DKIM
The two layers underneath.
Counting your SPF lookups (and why you might be at 11)
SPF caps DNS lookups at 10. Cross it and mailbox providers return permerror. What counts, what doesn't, and how to come back under.
Merging multiple SPF records into one
RFC 7208 says a domain MUST have only one v=spf1 record. Multiple records are an SPF permerror, so receivers treat all your authorized senders as unauthorized. Here's how to merge them safely.
Why 1024-bit DKIM keys are being phased out
NIST deprecated 1024-bit RSA in 2013, and Google now warns about it. Here's the rotation playbook to 2048-bit without breaking current mail.
Removing a revoked DKIM selector
When a DKIM selector publishes p= with an empty value, it's signaling revocation per RFC 6376. Receivers will keep failing your mail until you delete the record (or republish the key). Here's how to tell which.
When a DKIM selector stops resolving
If a DKIM selector that used to be in DNS stops resolving, your alignment will start failing. The cause is usually one of three things: an in-progress rotation, a manual delete, or a DNS provider hiccup. Here's how to tell them apart and fix it.
One-click DNS fixes
How automated DNS changes stay safe.
How we update DNS records on your behalf, safely
Auto-fix that touches your authoritative DNS is risky if you do it wrong. Here are the four safety layers we use (5-minute cancel window, paper-trail email, read-back verify, 24h undo) and why each one is there.
Connecting AWS Route 53 for one-click DNS fixes
Connect your AWS account and the DMARC, SPF, DKIM, and TLS-RPT fixes trustyourinbox recommends become one click, with a 5-minute cancel window, an email paper trail, and 24-hour undo. The five-minute setup: a scoped API-only IAM user, the least-privilege policy, and an access key. Plus how to rotate or revoke it later.
Going further
Once you're past p=none.
Which subdomains are sending email as your domain
Spoofers and forgotten tools send from your subdomains too. How to see every subdomain sending as you, tell a real one from a forgery, and close the gap with np and sp.
What to do when a report shows Unknown senders
Some rows in your DMARC reports won't have a vendor name attached. Just a bare source IP marked Unknown. Here's the triage guide: what aligned-vs-not means, how to figure out who the IP actually belongs to, and when an Unknown is safe to ignore.
MTA-STS / TLS-RPT for the security-curious
DMARC tells you who's allowed to send as you. MTA-STS tells receivers your inbound mail must be encrypted in transit, with no downgrade attacks. TLS-RPT is how receivers tell you when the encryption fails. Here's when to bother, and why it's harder to set up than DMARC.
BIMI in plain English
BIMI is the brand logo that shows up next to your sender name in supporting inboxes. It needs DMARC at p=quarantine or stricter, a published BIMI record, and either a free SVG or a Verified Mark Certificate. Here's what each piece costs, who actually displays it, and whether the upgrade is worth it.
Why forwarded mail still passes DMARC (sometimes)
Email forwarders break SPF because the connecting IP changes when a forward kicks in. DKIM usually survives. DMARC's alignment rule means DKIM-aligned mail still passes even when SPF fails, which is why your forwarded reports look mostly fine. Here's what's happening, when it breaks, and what to do about ARC.
Connecting AI assistants to your data (MCP)
Point Claude, Cursor, or any MCP client at your workspace and ask questions in plain language, like "how much spoof mail did my domain get last week". Create a read-only token, paste it into your client, and get answers from your real DMARC reports. Here's the setup for the common clients, what it can and can't do, and how the access is scoped.
Ask your DMARC data anything, in plain English
Once your AI assistant is connected over MCP, you can ask about your DMARC data the way you'd ask a colleague. Here are the questions that actually help, the prompts to paste, and what the answers look like, from "is my failure forwarding or real?" to "how does Gmail see me vs Outlook?".
Put it into practice.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.