
SPF, DKIM, and DMARC

Deep technical guide to email authentication standards and how AgentPost configures them

Email authentication is the process of proving that an email was actually sent by the domain it claims to come from. Three complementary standards work together to prevent email spoofing and phishing: SPF (who can send), DKIM (message integrity), and DMARC (policy and reporting).

AgentPost configures SPF and DKIM automatically when you add a custom domain. This guide explains how each standard works so you can verify your configuration, troubleshoot issues, and set up DMARC.

SPF: Sender Policy Framework

SPF lets domain owners specify which mail servers are authorized to send email on behalf of their domain. Receiving mail servers check the SPF record to verify that the sending server is allowed.

How SPF Works

  1. Your agent sends an email from support@acmeco.com through AgentPost (which uses AWS SES)
  2. The recipient's mail server looks up the SPF DNS record for acmeco.com
  3. The SPF record lists authorized sending servers (including SES)
  4. If the sending server's IP matches, SPF passes; otherwise, it fails

DNS Record Format

SPF records are published as DNS TXT records on your domain:

v=spf1 include:amazonses.com ~all

Component              Meaning
v=spf1                 SPF version identifier
include:amazonses.com  Authorize all AWS SES IP addresses to send for this domain
~all                   Soft-fail for any server not listed (recommended default)

Include mechanism: The include: directive delegates SPF validation to another domain's SPF record. include:amazonses.com adds all AWS SES sending IPs to your authorized list.

AgentPost Setup

When you add a custom domain in AgentPost, the domain verification process provides the exact SPF record to add. If you already have an SPF record, add the include:amazonses.com directive to your existing record:

# Before (existing SPF record)
v=spf1 include:_spf.google.com ~all

# After (with AgentPost/SES added)
v=spf1 include:_spf.google.com include:amazonses.com ~all

Important: You can only have one SPF record per domain. Multiple SPF records cause validation failures. Merge all include: directives into a single record.

SPF Lookup Limit

SPF has a maximum of 10 DNS lookups per evaluation. Each include:, a:, mx:, and redirect: counts as one lookup. If your SPF record exceeds this limit, SPF validation fails entirely.

If you are hitting the lookup limit, consider using SPF flattening tools that resolve include: directives to IP addresses.
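The two failure modes above (more than one SPF record, and more than 10 lookup terms) can be caught before a receiver does. The checker below is an added example, not AgentPost's own code: it works on the TXT record strings you already have (for instance the lines printed by `dig acmeco.com TXT +short`), counts the lookup-costing terms, flags duplicate records, and merges them the way the "Before/After" records above show. It does no DNS resolution, so the count is a lower bound: terms inside the records you include: also cost lookups, and only a resolving checker sees those.

```python
"""Static checks for a domain's SPF TXT records (added example)."""
import re

# Terms that each cost one DNS lookup during evaluation (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_records(txt_records):
    """Return only the TXT records that are SPF records (first term v=spf1)."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    return [r for r in cleaned if r.split() and r.split()[0].lower() == "v=spf1"]


def count_lookups(record):
    """Count the lookup-costing terms in one SPF record (ip4/ip6/all are free)."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                        # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def merge_spf(records, all_mechanism="~all"):
    """Merge several v=spf1 records into one: keep term order, drop duplicates
    and each record's own 'all', then append a single 'all' at the end."""
    terms = []
    for record in records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue
            if term not in terms:
                terms.append(term)
    return "v=spf1 " + " ".join(terms + [all_mechanism])


def check_spf(txt_records, required_include=None):
    """Report the problems a receiver would hit: no record, several records,
    too many lookups, or a missing include for your sending service."""
    records = spf_records(txt_records)
    if not records:
        return {"status": "missing", "lookups": 0, "problems": ["no SPF record published"]}
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records published (permerror at receivers); merge them")
    record = records[0]
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    if required_include and f"include:{required_include}" not in record.split():
        problems.append(f"include:{required_include} is missing")
    return {"status": "ok" if not problems else "problem", "lookups": lookups, "problems": problems}


if __name__ == "__main__":
    # Constructed dig output for a domain that mistakenly published two SPF records
    dig_output = ['"v=spf1 include:_spf.google.com ~all"', '"v=spf1 include:amazonses.com ~all"']
    print(check_spf(dig_output, required_include="amazonses.com"))
    print(merge_spf(spf_records(dig_output)))
```

Run it against your own `dig` output after every DNS change; the merged record it prints is the one to publish in place of the duplicates.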

DKIM: DomainKeys Identified Mail

DKIM uses public-key cryptography to sign outgoing emails. The receiving server verifies the signature against the public key published in DNS, confirming that the email was not modified in transit and was sent by an authorized system.

How DKIM Works

  1. AgentPost (via SES) signs your outgoing email with a private key
  2. The signature is added as a DKIM-Signature header on the email
  3. The recipient's mail server looks up the DKIM public key from your domain's DNS
  4. The server verifies the signature against the email content
  5. If the signature is valid, DKIM passes

DNS Record Format

DKIM uses CNAME records that point to AWS SES's DKIM key servers:

selector1._domainkey.acmeco.com  CNAME  selector1-acmeco-com.dkim.amazonses.com
selector2._domainkey.acmeco.com  CNAME  selector2-acmeco-com.dkim.amazonses.com
selector3._domainkey.acmeco.com  CNAME  selector3-acmeco-com.dkim.amazonses.com

SES uses three DKIM selectors for key rotation. When SES rotates keys, the CNAME records automatically resolve to the new public keys.

AgentPost Setup

When you add a custom domain, AgentPost provides the three DKIM CNAME records to add to your DNS. The domain verification process validates that all three records are properly configured.

# Verify DKIM records are in place
dig selector1._domainkey.acmeco.com CNAME +short
# Expected: selector1-acmeco-com.dkim.amazonses.com

What DKIM Signs

The DKIM signature covers specific email headers and the body:

  • From, To, Subject headers
  • Date, Message-ID headers
  • Email body content

If any of these are modified after signing (e.g., by a mailing list manager), DKIM verification fails. This is expected behavior -- it means the message was altered.
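The body part of that check is easy to reproduce. The following is an added example, not AgentPost's or SES's code: it implements DKIM's "relaxed" canonicalization and the body hash (the bh= tag of the DKIM-Signature header) from RFC 6376, which a receiver recomputes over the body it received before it even checks the public-key signature over the headers. The message bodies are constructed; the whitespace-only variant still verifies, while the appended mailing-list footer does not.

```python
"""DKIM relaxed canonicalization and the bh= body hash (added example)."""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """'relaxed' body canonicalization (RFC 6376 section 3.4.4): collapse runs
    of whitespace within a line to one space, strip trailing whitespace, drop
    empty lines at the end, and terminate every line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""                             # an empty body hashes as nothing
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header_relaxed(name, value):
    """'relaxed' header canonicalization (section 3.4.2): lowercase the field
    name, unfold continuation lines, collapse whitespace, trim around ':'."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def body_hash_verifies(bh_tag, received_body):
    """First step of DKIM verification: does bh= still match the body?"""
    return bh_tag == body_hash(received_body)


# Constructed: the body SES signed when the agent sent the message
SIGNED_BODY = "Hello,\r\n\r\nYour ticket has been updated.\r\n\r\n-- \r\nAcme Support\r\n"

# Constructed: the same body after a mailing list appended its footer
ALTERED_BODY = SIGNED_BODY + "\r\n-- \r\nYou received this via the acme-users list\r\n"

# Constructed: whitespace-only changes that relaxed canonicalization tolerates
REWRAPPED_BODY = "Hello,  \r\n\r\nYour ticket  has been updated.\t\r\n\r\n--\r\nAcme Support\r\n\r\n\r\n"

if __name__ == "__main__":
    bh = body_hash(SIGNED_BODY)
    print("bh= tag as signed:       ", bh)
    print("whitespace-only changes: ", body_hash_verifies(bh, REWRAPPED_BODY))   # True
    print("mailing-list footer:     ", body_hash_verifies(bh, ALTERED_BODY))     # False
```

Note the asymmetry: relaxed canonicalization is deliberately tolerant of whitespace reflowing by intermediate servers, but any change to the actual content, including a footer appended after the signed text, changes the hash and fails verification.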

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC builds on SPF and DKIM to give domain owners control over what happens when authentication fails. It also provides reporting so you can monitor authentication results.

How DMARC Works

  1. The recipient's mail server checks SPF and DKIM results
  2. It then looks up the DMARC record for the sender's domain
  3. DMARC checks alignment: does the SPF/DKIM authenticated domain match the From: header domain?
  4. Based on the DMARC policy, the server decides to deliver, quarantine, or reject the message
  5. The server sends aggregate reports to the address specified in the DMARC record

Alignment Modes

DMARC requires that the domain authenticated by SPF or DKIM aligns with the domain in the From: header. There are two alignment modes:

Mode     Requirement                                       Example
Strict   Exact domain match                                From: a@acmeco.com must match SPF/DKIM for acmeco.com exactly
Relaxed  Organizational domain match (subdomains allowed)  From: a@mail.acmeco.com matches SPF/DKIM for acmeco.com

Recommendation: Use relaxed alignment (the default) unless you have a specific reason for strict. Relaxed alignment allows subdomains like mail.acmeco.com to pass when the organizational domain acmeco.com is authenticated.

Policy Options

Policy          DNS Value     Behavior
None (monitor)  p=none        Deliver all messages, send reports
Quarantine      p=quarantine  Send failing messages to spam/junk folder
Reject          p=reject      Reject failing messages entirely

DNS Record Format

DMARC records are published as TXT records on _dmarc.yourdomain.com:

# Start with monitoring only (recommended)
v=DMARC1; p=none; rua=mailto:dmarc-reports@acmeco.com; pct=100

# After monitoring confirms everything works, upgrade to quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@acmeco.com; pct=100

# Full enforcement (ultimate goal)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@acmeco.com; pct=100

Tag    Description
v      DMARC version (always DMARC1)
p      Policy: none, quarantine, or reject
rua    Reporting URI for aggregate reports
pct    Percentage of messages to apply policy to (use 100)
aspf   SPF alignment: r (relaxed) or s (strict)
adkim  DKIM alignment: r (relaxed) or s (strict)
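
The record tags, the alignment modes and the policy table above come together in one decision per message. The evaluator below is an added example, not AgentPost's own code: it parses a DMARC record with the defaults a receiver applies, checks strict and relaxed alignment, and returns the disposition. Real verifiers find the organizational domain with the Public Suffix List; the short PUBLIC_SUFFIXES set here is an assumption that keeps the example offline. The sample results are constructed and reflect SES's default setup, where mail is DKIM-signed as your domain but the envelope MAIL FROM domain is under amazonses.com unless you configure a custom MAIL FROM domain, so DKIM is what carries alignment.

```python
"""DMARC record parsing, alignment and disposition per RFC 7489 (added example)."""

# Assumed stand-in for the Public Suffix List
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Tag defaults a receiver applies when the record omits them
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dict with defaults."""
    tags = dict(DMARC_DEFAULTS)
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def organizational_domain(domain):
    """Registrable domain: mail.acmeco.com -> acmeco.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match with the From: domain; relaxed ('r')
    needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). spf_domain is the domain SPF
    authenticated (the envelope MAIL FROM domain); dkim_domain is the d= of a
    verified signature. pct sampling is ignored, i.e. pct=100 as recommended."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    if is_subdomain and tags.get("sp"):            # sp= overrides p for subdomains
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@acmeco.com; pct=100"
    # SES signs with d=acmeco.com, but its default MAIL FROM is under
    # amazonses.com, so SPF passes unaligned and DKIM carries alignment.
    print(evaluate(record, "acmeco.com", "pass", "amazonses.com", "pass", "acmeco.com"))
    # Strict DKIM alignment breaks mail sent from a subdomain
    print(evaluate(record + "; adkim=s", "mail.acmeco.com", "pass", "amazonses.com", "pass", "acmeco.com"))
```

The second call is the "DMARC alignment fails" row from the Common Issues table: with adkim=s, a message from mail.acmeco.com signed as acmeco.com is rejected, while the relaxed default passes it.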

A typical progression from monitoring to full enforcement:

  1. Week 1-2: Deploy p=none and monitor aggregate reports
  2. Week 3-4: Review reports, fix any authentication issues
  3. Week 5-6: Move to p=quarantine (failing messages go to spam)
  4. Week 7+: Move to p=reject once you're confident all legitimate mail passes

DMARC Reports

DMARC aggregate reports are XML files sent daily by receiving mail servers to the address in your rua tag. They contain:

  • Volume of messages seen from your domain
  • SPF and DKIM pass/fail counts
  • Which IP addresses sent mail claiming to be from your domain
  • Alignment results

Use a DMARC report analyzer (many free services exist) to parse these XML reports into readable dashboards.
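If you want to see what those analyzers do, the parser below is an added example, not AgentPost's own code. It reads a report in the RFC 7489 Appendix C XML format and reduces it to the four items listed above: volume, aligned SPF/DKIM results per source IP, the header From domain, and which sources would be affected by a stricter policy. The report is constructed: one source is SES sending DKIM-signed mail for acmeco.com (SPF passes for amazonses.com but is not aligned), the other is an unknown host that fails both checks; the reporter name and report id are placeholders.

```python
"""Parse and summarize a DMARC aggregate (rua) report (added example)."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <email>dmarc-noreply@example-receiver.net</email>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>acmeco.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acmeco.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>acmeco.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acmeco.com</header_from></identifiers>
    <auth_results><spf><domain>acmeco.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten the report into the fields you actually triage on.

    Reports arrive from arbitrary third parties; in production parse them
    with defusedxml (or an XML parser with entity expansion disabled) rather
    than the stock ElementTree used here for brevity."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    published = root.find("policy_published")
    report = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the aligned results, i.e. what DMARC used
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                             if d.findtext("result") == "pass"],
        })
    return report


def summarize(report):
    """Totals plus the sources that would be hit by p=quarantine or p=reject."""
    rows = report["rows"]
    total = sum(r["count"] for r in rows)
    passing = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    failing_sources = sorted({r["source_ip"] for r in rows
                              if not (r["dkim_aligned"] or r["spf_aligned"])})
    return {"total": total, "passing": passing, "failing": total - passing,
            "failing_sources": failing_sources}


def ready_for_enforcement(summary, min_pass_rate=0.98):
    """Numeric gate for leaving p=none; the failing sources still need a
    person to confirm they are not a forgotten legitimate sender."""
    return summary["total"] > 0 and summary["passing"] / summary["total"] >= min_pass_rate


if __name__ == "__main__":
    summary = summarize(parse_aggregate_report(SAMPLE_REPORT))
    print(summary)                                                    # failing_sources: ['203.0.113.7']
    print("safe to tighten policy:", ready_for_enforcement(summary))  # False
```

In this constructed report 35 of 155 messages fail, all from 203.0.113.7, which is exactly the kind of source to identify (a forgotten legitimate system, or spoofing) during the monitoring weeks before moving to p=quarantine.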

Verifying Your Configuration

After setting up all DNS records, verify them through the AgentPost API or command line:

# Check SPF
dig acmeco.com TXT +short | grep spf
# Expected: "v=spf1 include:amazonses.com ~all"

# Check DKIM
dig selector1._domainkey.acmeco.com CNAME +short
# Expected: selector1-acmeco-com.dkim.amazonses.com

# Check DMARC
dig _dmarc.acmeco.com TXT +short
# Expected: "v=DMARC1; p=none; rua=mailto:dmarc-reports@acmeco.com"

AgentPost's domain verification automatically checks SPF and DKIM. When all checks pass, the domain status changes to verified and a domain.verified webhook event is emitted.

Common Issues

Issue                          Cause                                     Fix
SPF fails with permerror       Multiple SPF records on domain            Merge into a single TXT record
SPF fails with temperror       DNS lookup limit exceeded (>10)           Use SPF flattening or remove unused includes
DKIM fails                     CNAME records not propagated yet          Wait up to 48 hours for DNS propagation
DMARC alignment fails          Subdomain mismatch with strict alignment  Switch to relaxed alignment (aspf=r)
Legitimate emails quarantined  DMARC policy too strict too early         Roll back to p=none and investigate