> ## Documentation Index > Fetch the complete documentation index at: https://developer.upsun.com/llms.txt > Use this file to discover all available pages before exploring further. # SPF, DKIM, DMARC, what are those for anyway? > Finally understand what SPF, DKIM, and DMARC actually do, why email needs them, and how to set them up without wanting to flip a table. export const PostMeta = ({data = {}}) => { const {author, date, image} = data; const authors = Array.isArray(author) ? author : author ? [author] : []; const resolveAuthor = slug => { const entry = AUTHOR_MAP[slug] || ({}); const name = entry.name || slug; const github = entry.github || null; const linkedin = entry.linkedin || null; const url = github ? `https://github.com/${github}` : linkedin || null; const avatarUrl = github ? `https://github.com/${github}.png?size=64` : null; return { name, url, avatarUrl }; }; const formattedDate = date ? new Date(date).toLocaleDateString('en-US', { year: 'numeric', month: 'long', day: 'numeric' }) : null; if (!image && authors.length === 0 && !formattedDate) return null; const AUTHOR_MAP = { "aaron-collier": { "name": "Aaron Collier" }, "aaron-dudenhofer": { "name": "Aaron Dudenhofer" }, "aaron-porter": { "name": "Aaron Porter" }, "adriaan-odendaal": { "name": "Adriaan Odendaal" }, "ajmal": { "name": "Ajmal Siddiqui" }, "akalipetis": { "name": "Antonis Kalipetis" }, "alexander-varwijk": { "name": "Alexander Varwijk" }, "alicia-bevilacqua": { "name": "Alicia Bevilacqua" }, "amelie-deguerry": { "name": "Amelie Deguerry" }, "anacidre": { "name": "Ana Cidre", "linkedin": "https://www.linkedin.com/in/ana-cidre" }, "andoni": { "name": "Andoni Auzmendi" }, "andrei-taranu": { "name": "Andrei (Alex) Taranu", "linkedin": "https://www.linkedin.com/in/andrei-alex-taranu/" }, "andrew-baxter": { "name": "Andrew Baxter" }, "andrew-melck": { "name": "Andrew Melck" }, "antoine-crochet-damais": { "name": "Antoine Crochet Damais" }, "augustin-delaporte": { "name": "Augustin Delaporte", "linkedin": "https://www.linkedin.com/in/augustindelaporte/" }, "branislav-bujisic": { "name": "Branislav Bujisic" }, "carl-smith": { "name": "Carl Smith" }, "caroline-leroy": { "name": "Caroline Leroy" }, "cati-mayer": { "name": "Cati Mayer" }, "catplat": { "name": "C Trinkwon" }, "ceelolulu": { "name": "Celeste van der Watt" }, "chadwcarlson": { "name": "Chad Carlson", "github": "chadwcarlson", "linkedin": "https://www.linkedin.com/in/chadwcarlson" }, "chris-ward": { "name": "Chris Ward" }, "chris-yates": { "name": "Chris Yates" }, "christian-sieber": { "name": "Christian Sieber" }, "christopher-lockheardt": { "name": "Christopher Lockheardt" }, "christopher-skene": { "name": "Christopher Skene" }, "chuck-morgan": { "name": "Chuck Morgan" }, "corey-dockendorf": { "name": "Corey Dockendorf" }, "crell": { "name": "Crell" }, "damz": { "name": "Damz" }, "dan-morrison": { "name": "Dan Morrison" }, "davidbonachera": { "name": "David Bonachera", "github": "davidbonachera", "linkedin": "https://www.linkedin.com/in/davidbonachera" }, "dereliahmet1": { "name": "Ahmet Faruk Dereli" }, "devicezero": { "name": "Jonas Kröger", "github": "devicezero", "linkedin": "https://www.linkedin.com/in/jonaskroeger/" }, "doug-goldberg": { "name": "Doug Goldberg" }, "duncan-naves": { "name": "Duncan Naves", "github": "duncannaves", "linkedin": "https://www.linkedin.com/in/duncan-naves-a94423aa" }, "erika-bustamante": { "name": "Erika Bustamante" }, "fabpot": { "name": "Fabien Potencier" }, "flovntp": { "name": "Florent Huck", "github": "flovntp", "linkedin": "https://www.linkedin.com/in/florenthuck" }, "fred-plais": { "name": "Fred Plais" }, "gauthier-garnier": { "name": "Gauthier Garnier" }, "gilzow": { "name": "Paul Gilzow" }, "gmoigneu": { "name": "Guillaume Moigneu", "github": "gmoigneu", "linkedin": "https://www.linkedin.com/in/guillaumemoigneu/" }, "gregqualls": { "name": "Greg Qualls" }, "guguss": { "name": "Augustin Delaporte" }, "haylee-millar": { "name": "Haylee Millar" }, "ivana-kotur": { "name": "Ivana Kotur" }, "jackrabbithanna": { "name": "Mark Hanna" }, "jared-wright": { "name": "Jared Wright", "github": "jww-sh", "linkedin": "https://www.linkedin.com/in/jaredwaynewright" }, "jessica-orozco": { "name": "Jessica Orozco" }, "joey-stanford": { "name": "Joey Stanford" }, "john-grubb": { "name": "John Grubb" }, "jonas-kruger": { "name": "Jonas Kruger" }, "kathryn-frazer": { "name": "Kathryn Frazer" }, "kemiojo": { "name": "Kemi Elizabeth Ojogbede" }, "kieronsambrook-smith": { "name": "Kieronsambrook Smith" }, "laurent-arnoud": { "name": "Laurent Arnoud" }, "letoya-boyne": { "name": "Letoya Boyne" }, "lolautruche": { "name": "Jérôme Vieilledent" }, "lyly-lepinay": { "name": "Lyly Lepinay" }, "manauwar-alam": { "name": "Manauwar Alam" }, "marc-antoine-porri": { "name": "Marc Antoine Porri" }, "maria-antinkaapo": { "name": "Maria Antinkaapo" }, "maria-de-anton": { "name": "Maria De Anton" }, "mark-dorison": { "name": "Mark Dorison" }, "markus-hausammann": { "name": "Markus Hausammann" }, "mary-thomas": { "name": "Mary Thomas" }, "mathias-bolt-lesniak": { "name": "Mathias Bolt Lesniak" }, "mathieu-strauch": { "name": "Mathieu Strauch" }, "matthias-van-woensel": { "name": "Matthias Van Woensel", "linkedin": "https://www.linkedin.com/in/matthias-van-woensel-267a069" }, "michael-sharp": { "name": "Michael Sharp" }, "mupsi": { "name": "Marine Gandy" }, "natalie-harper": { "name": "Natalie Harper" }, "ngommenginger": { "name": "Nicolas Gommenginger", "linkedin": "https://www.linkedin.com/in/nicolas-gommenginger" }, "nicholas-bennison": { "name": "Nicholas Bennison" }, "nicholas-vahalik": { "name": "Nicholas Vahalik" }, "nick-hardiman": { "name": "Nick Hardiman" }, "nickanderegg": { "name": "Nickanderegg" }, "nicolas-grekas": { "name": "Nicolas Grekas", "github": "nicolas-grekas", "linkedin": "https://www.linkedin.com/in/nicolasgrekas/" }, "niti-malwade": { "name": "Niti Malwade" }, "opensocialteam": { "name": "Opensocialteam" }, "ori-pekelman": { "name": "Ori Pekelman" }, "otavio-santana": { "name": "Otavio Santana" }, "palwandi": { "name": "Pawan Alwandi", "github": "pawpy", "linkedin": "https://www.linkedin.com/in/pawanalwandi" }, "patrick-boest": { "name": "Patrick Boest" }, "patrick-dawkins": { "name": "Patrick Dawkins", "github": "pjcdawkins", "linkedin": "https://www.linkedin.com/in/patrickdawkins" }, "patrick-klima": { "name": "Patrick Klima" }, "pjcdawkins": { "name": "Pjcdawkins" }, "prineet-kaurbhurji": { "name": "Prineet Kaurbhurji" }, "quentin-sinig": { "name": "Quentin Sinig" }, "ralt": { "name": "Florian Margaine", "github": "ralt", "linkedin": "https://www.linkedin.com/in/florian-margaine-43971136" }, "ramanathanramakrishnamurthy": { "name": "Ramanathanramakrishnamurthy" }, "remi-lejeune": { "name": "Rémi Lejeune" }, "ribel": { "name": "Taras Kruts" }, "robert-douglass": { "name": "Robert Douglass" }, "rudy-weber": { "name": "Rudy Weber" }, "ryan-hicks": { "name": "Ryan Hicks" }, "sabri-helal": { "name": "Sabri Helal" }, "savannah-bergeron": { "name": "Savannah Bergeron" }, "shannon-vettes": { "name": "Shannon Vettes" }, "shawn-ogasawara": { "name": "Shawn Ogasawara", "linkedin": "https://www.linkedin.com/in/shawn-ogasawara-83a9a0/" }, "shawna-spoor": { "name": "Shawna Spoor" }, "shedrack-akintayo": { "name": "Shedrack Akintayo" }, "simon-ruggier": { "name": "Simon Ruggier" }, "sophie-van-der-kindere": { "name": "Sophie Van Der Kindere" }, "stefanos-thampis": { "name": "Stefanos Thampis" }, "stephen-weinberg": { "name": "Stephen Weinberg" }, "sukhman-virk": { "name": "Sukhman Virk" }, "sumaira-nazir": { "name": "Sumaira Nazir" }, "sumer": { "name": "Sümer Cip" }, "syed-raza": { "name": "Syed Raza" }, "tamara-bacchia": { "name": "Tamara Bacchia" }, "tara-arnold": { "name": "Tara Arnold" }, "theosakamg": { "name": "Mickael Gaillard", "github": "theosakamg" }, "thomasdiluccio": { "name": "Thomas di Luccio" }, "tim-anderson": { "name": "Tim Anderson" }, "tom-helmer-hansen": { "name": "Tom Helmer Hansen" }, "tylermills": { "name": "Tyler Mills" }, "upsun": { "name": "Upsun" }, "veronika-tolkachova": { "name": "Veronika Tolkachova", "linkedin": "https://www.linkedin.com/in/veronika-tolkachova-169167a2" }, "vince-parker": { "name": "Vince Parker" }, "vinnie-russo": { "name": "Vincenzo Russo" }, "vrobert78": { "name": "Vincent Robert", "github": "vrobert78", "linkedin": "https://www.linkedin.com/in/vincent-robert-498a883" }, "yuriy-babenko": { "name": "Yuriy Babenko" }, "yuriy-gerasimov": { "name": "Yuriy Gerasimov" } }; return
{(authors.length > 0 || formattedDate) &&
{authors.length > 0 &&
{authors.map(slug => { const {name, url, avatarUrl} = resolveAuthor(slug); const inner = <> {avatarUrl && {name}} {name} ; return url ? {inner} : {inner}; })}
} {authors.length > 0 && formattedDate && } {formattedDate && {formattedDate}}
} {image && }
; }; If you're anything like me until a few weeks ago, you've heard of SPF, DKIM, and DMARC. You know they're "email things." You know that without them, your emails end up in spam. And that's about where your knowledge stops. Most guides online take the helpful approach of "here's how to set up SPF" without ever explaining *why* it exists. Congratulations, you've copy-pasted a DNS record. Do you understand what it does? Of course not. But it works, so who cares? Well, I finally cared enough to figure it out. And since you're hosting applications and sending emails from them, you probably should too. ## The fundamental problem with email Here's the thing about email that makes all of this necessary: it's asynchronous and decentralized. When you visit a website, *you* initiate the connection. You type the domain, TLS kicks in, certificates get verified, and you know you're talking to who you think you're talking to. The whole authentication flow is baked into the protocol. Email doesn't work that way. With email, some random server connects to *your* server and says "hey, I have a message for you from bank.com." And your server has to decide whether to believe it or not. Without any verification, anyone could claim to be sending email from your bank, your employer, or that Nigerian prince who's been trying to reach you. This is the problem SPF, DKIM, and DMARC try to solve. ## SPF: "Is this server even allowed to talk?" SPF (Sender Policy Framework) answers a straightforward question: is the server sending this email actually authorized to send email for this domain? It's a DNS TXT record that says "these IP addresses and these servers are allowed to send email on behalf of my domain." When an email arrives claiming to be from `example.com`, the receiving server checks the SPF record for `example.com` and verifies that the sending server is on the list. Think of it as a bouncer with a guest list. No list, no entry. ## DKIM: "Has this email been tampered with?" DKIM (DomainKeys Identified Mail) solves a different problem. Even if an email comes from an authorized server, how do you know the content hasn't been modified in transit? DKIM adds a cryptographic signature to each email. You publish the public key in a DNS record, and every email gets signed with the private key. The receiving server can then verify that the email content is exactly what the sender intended. It's like a wax seal on a letter. If the seal is broken, you know someone's been messing with it. ## DMARC: "What should I do when things fail?" DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties the other two together with a policy layer. It tells receiving servers what to do when an email fails SPF or DKIM checks. Your options are: * **none**: Do nothing (useful for testing) * **quarantine**: Put suspicious emails in spam * **reject**: Drop them entirely You can enable reports alongside any of these policies. The reporting feature is genuinely useful. When other mail servers receive emails claiming to be from your domain, they check SPF and DKIM. If those checks fail, they send you a report. This means you get notified when someone is trying to spoof your domain, or when you've misconfigured something and your legitimate emails are failing authentication. Without DMARC reports, you'd have no idea that someone's been sending phishing emails pretending to be you. With them, you can see exactly which IPs are sending mail on your behalf (legitimately or not) and whether your authentication is working as intended. ## The practical bit: multiple email providers Here's where this gets relevant for actual application development. Most applications need to send different types of email. You have transactional emails (password resets, order confirmations) and marketing emails (newsletters, promotions). These typically come from different providers because transactional email services don't want you sending bulk marketing through them. So you end up with at least two email providers, both needing to send from your domain. Your SPF and DKIM records need to authorize both. But here's the pro tip: use different domains for different email types. Why? Reputation isolation. If your marketing provider does something weird (or gets used by spammers on the same IP range), it can tank your sender reputation. If that reputation is shared with your transactional emails, suddenly your password reset emails aren't getting delivered. Your users can't log in. Support tickets pile up. Your weekend is ruined. Keep `transactional.example.com` separate from `marketing.example.com`. If one reputation takes a hit, the other survives. ## DKIM on Upsun If you're hosting on Upsun and want DKIM for emails sent from your application, the process is straightforward. Open a support ticket requesting DKIM activation for your domain, and support will provide you with the DNS records you need to add (a CNAME and TXT record). Once your DNS is configured, validation checks run every 15 minutes. After validation completes, Upsun automatically signs your outgoing emails with DKIM through SendGrid's infrastructure. You don't manage the keys yourself; it's handled for you. See the [Upsun email documentation](https://docs.upsun.com/development/email.html#3-optional-validate-your-email) for the full setup process. ## Wrapping up That's it. Three DNS records: * **SPF**: Which servers can send email for your domain * **DKIM**: Cryptographic proof that emails haven't been tampered with * **DMARC**: What to do when the first two fail All three exist because email is fundamentally a "stranger walks up to you" protocol, and we need ways to verify they are who they claim to be. Unlike HTTPS, where you initiate the connection, email authentication is a series of workarounds for the fact that someone else is connecting to you. Now you actually know what those acronyms mean. You're welcome.