Client Onboarding
DNS & Email Authentication
SPF, DKIM, DMARC, and BIMI configuration. Authentication is mandatory — unauthenticated mail is rejected by major ISPs.
Authentication is not optional. Gmail and Yahoo now reject unauthenticated mail from high-volume senders. SPF, DKIM, and DMARC are required before full production sending.
1SPF record
Add or update the TXT record on your root domain.
If you have an existing SPF record, add the include before the final mechanism. Note: SPF has a 10-lookup limit — contact support if you're near the limit.
The ~all mechanism (softfail) is the right choice during initial setup because it tells receivers to suspect unauthorised senders without outright rejecting them. After 30 days of clean DMARC reports showing no legitimate failures, you can tighten to -all (hardfail).
The 10-lookup limit is a common operational issue. SPF flattening tools (Easydmarc, dmarcian) consolidate the lookup chain to stay under the limit. Worth checking before deploying multi-ESP setups.
2DKIM record
Get your DKIM public key from the portal under Services → DKIM Management. Publish the TXT record shown there:
Allow up to 24 hours for DNS propagation. Verify with MXToolbox DKIM Lookup or by checking the headers of a test message.
The selector name (cse-2048 in this example) identifies which key to use among potentially several. CSE uses 2048-bit RSA keys by default; this is the current production recommendation.
1024-bit keys still work. They are increasingly flagged as weak by security-conscious receivers.
The two-key rotation pattern is the standard for production: active key plus secondary key in DNS simultaneously, with rotation handled by switching which selector is used for signing. Both keys publish to DNS; only one signs at a time.
3DMARC record
Start with a monitoring policy. After 30 days of clean data, escalate to quarantine then reject.
The progression matters more than the initial policy. p=none is observation-only. p=quarantine sends failing mail to spam at supporting receivers. p=reject instructs receivers to bounce failing mail outright.
Most domains never reach reject. The EasyDMARC 2026 Adoption Report found only 7.6% of domains with DMARC records enforce p=reject; the rest stay at p=none, providing no actual anti-spoofing protection.
The rua= address receives aggregate XML reports daily. Reading these reports surfaces alignment problems before they damage reputation. Postmark DMARC Monitoring, dmarcian, and Easydmarc parse the XML into readable dashboards for free.
4Verifying authentication
In a Gmail test message header (More → Show original), all three should pass:
All three need to pass; one failure is enough to degrade placement. The dkim=pass header.i=@yourdomain.com line is particularly important — the domain after the @ must match the From: address domain. Otherwise DMARC alignment fails even though DKIM technically passed.
If DMARC shows fail with passing SPF and DKIM, check alignment — your From address domain must match the signing domain.