You can write the perfect email sequence and lose everything at the last mile: the inbox. Gmail, Yahoo, and Microsoft now enforce authentication requirements for bulk senders that used to be optional best practices — unauthenticated marketing mail is increasingly rejected outright, not just filtered. For affiliate marketers, whose category already draws extra scrutiny, three DNS records decide whether your emails exist: SPF, DKIM, and DMARC.
We set up and hardened this exact stack for klaroon.com/ — taking our mail-tester score to 9.5/10 — so this guide is written from configuration screens, not theory.
The Three Records, in Plain English
SPF: The Guest List
SPF (Sender Policy Framework) is a TXT record on your domain listing which servers are allowed to send mail on your behalf. When a mailbox receives a message claiming to be from you, it checks whether the sending server is on your list. A typical record looks like:
v=spf1 include:_spf.yourhost.com ~all
Two practical rules: keep the record tight (only include providers that genuinely send for you — every include: is attack surface and lookup budget), and know that SPF has a hard limit of ten DNS-querying mechanisms per evaluation (include:, a, mx, ptr, exists and redirect= all count, and includes nested inside an include count too), which bloated records silently exceed; the record then evaluates to permerror instead of pass, and your mail fails SPF.
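An offline lookup counter for the ten-lookup limit just described, added here as an example and not the article's own code: SAMPLE_DNS is a constructed in-memory zone that stands in for real TXT lookups, and every domain in it is made up.

```python
# Added example (not the article's code): count the DNS lookups an SPF record
# costs, following include:/redirect= chains. SAMPLE_DNS is a constructed
# in-memory zone standing in for real TXT lookups, so this runs offline.
SPF_LOOKUP_LIMIT = 10
# Mechanisms that cost a DNS query under RFC 7208 section 4.6.4; ip4/ip6/all do not.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

SAMPLE_DNS = {  # constructed domains; the ESP's record fans out into nested includes
    "yourdomain.example": "v=spf1 include:_spf.yourhost.example include:esp.example "
                          "include:forms.example a mx ~all",
    "_spf.yourhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "esp.example": "v=spf1 include:a.esp.example include:b.esp.example include:c.esp.example ~all",
    "a.esp.example": "v=spf1 include:d.esp.example include:e.esp.example -all",
    "b.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "c.esp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "d.esp.example": "v=spf1 ip6:2001:db8::/32 -all",
    "e.esp.example": "v=spf1 include:f.esp.example -all",
    "f.esp.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "forms.example": "v=spf1 a -all",
}


def count_lookups(domain, dns, seen=None):
    """Total lookups for the record at `domain`, recursing into include:/redirect=
    targets. A target already expanded still costs a lookup but is not re-expanded."""
    seen = set() if seen is None else seen
    total = 0
    for term in dns.get(domain, "").split()[1:]:   # [1:] skips the v=spf1 tag
        term = term.lstrip("+-~?")                   # drop the qualifier, if any
        sep = "=" if "=" in term.split(":")[0] else ":"   # modifier (redirect=) vs mechanism
        name, _, value = term.partition(sep)
        name = name.split("/")[0]                    # "a/24" -> "a"
        if name not in LOOKUP_MECHANISMS:
            continue
        total += 1
        if name in ("include", "redirect") and value not in seen:
            seen.add(value)
            total += count_lookups(value, dns, seen)
    return total


def spf_status(domain, dns):
    """Return (lookups, 'ok' | 'permerror') for the given domain's SPF record."""
    n = count_lookups(domain, dns)
    return n, ("ok" if n <= SPF_LOOKUP_LIMIT else "permerror")
```

In the sample the top-level record looks like four harmless mechanisms, but the ESP's nested includes push it to twelve lookups; swap SAMPLE_DNS for a real resolver to check your own zone.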
DKIM: The Wax Seal
DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing message. Your server signs with a private key; the world verifies with the public key you publish in DNS under a named selector. If the message is altered in transit or the signature does not verify, authentication fails.
One trap we hit in practice: hosts often publish multiple DKIM selectors (CNAME sets plus a TXT key), and only one is the live signer. Do not assume — send a real message to a Gmail address, open “Show original,” and read which selector actually signed it. That is your source of truth.
DMARC: The Enforcement Policy
SPF and DKIM authenticate; DMARC decides what happens when authentication fails, and — critically — requires alignment: the authenticated domain must match the From address your reader sees. A hardened policy looks like:
v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@yourdomain.com
Translated: quarantine everything that fails (p=quarantine), apply to 100% of mail, require strict alignment for both DKIM and SPF (adkim=s; aspf=s), and send aggregate XML reports to your dmarc@ mailbox. Start at p=none for two to four weeks while you read the reports, then escalate. And keep that reporting mailbox alive — those XML digests are how you discover a legitimate service silently failing before your subscribers do.
The Strict-Alignment Trade-off Every Affiliate Must Know
Strict alignment (adkim=s) is excellent security with one sharp edge: when you connect an ESP for bulk sending — Brevo, Kit, Mailchimp — the ESP must sign with DKIM as your exact From domain. If it signs as its own domain or a subdomain while your policy demands strict alignment, your campaigns fail DMARC and quarantine silently: no bounce, no error, just vanishing open rates.
The correct onboarding path for an ESP under strict DMARC: complete the ESP’s domain authentication by adding its DKIM records for your domain, and avoid stuffing the ESP into your SPF record — DKIM alignment is what DMARC needs from an ESP, and extra SPF includes only spend your lookup budget.
Verify, Then Monitor
- Test a real send with mail-tester.com — aim for 9+ and read every deduction.
- Inspect headers in Gmail’s “Show original”: you want spf=pass, dkim=pass, dmarc=pass, all on your domain.
- Register with Google Postmaster Tools to watch your domain reputation and spam-complaint rate over time.
- Feed DMARC reports to an analyzer (raw XML is unreadable) and review weekly during your first months of bulk sending.
Ignore third-party checkers that complain your domain is missing another provider’s MX or DKIM records when you deliberately use different infrastructure — tools built around one ecosystem produce false positives against everyone else’s.
The Payoff
Authentication is a one-time setup that pays on every email you ever send. Combined with the list hygiene from our affiliate email marketing guide, it puts you in the small minority of senders mailbox providers actively trust — which, in 2026, is the entire deliverability game.
The Warm-Up Schedule for a New Sending Domain
Mailbox providers treat sudden volume from an unknown domain as a spam signature — even with perfect authentication. If you are starting bulk sends on a fresh domain, ramp deliberately: week one, send to your 50–100 most engaged subscribers only (recent openers and clickers); weeks two and three, roughly double the audience each send while watching complaint and bounce rates; week four onward, full list — provided bounces stay under 2% and complaints under 0.1%. Engagement during warm-up teaches providers that recipients want your mail; front-load your best content accordingly. Skipping warm-up to blast a cold list is the most common way new senders destroy a domain’s reputation in a single afternoon.
Troubleshooting: Symptoms and Causes
| Symptom | Most likely cause | First fix |
|---|---|---|
| Campaigns land in spam at one provider only | Reputation issue with that provider | Check Postmaster Tools (Google) or SNDS (Microsoft); slow volume, boost engagement |
| Open rates collapsed after connecting an ESP | DMARC alignment failure — ESP signing wrong domain | Complete the ESP’s domain authentication; verify with a header check |
| dmarc=fail but spf=pass and dkim=pass | Alignment: passing domain ≠ From domain | Ensure DKIM d= matches your From domain exactly under strict alignment |
| SPF permerror in headers | Over the 10-DNS-lookup limit | Flatten the record; remove unused includes |
| Sudden bounce spike | List decay or a blocklist listing | Prune aggressively; check major blocklists for your sending IP/domain |
| Everything passes but engagement is dismal | Content/list problem, not technical | Revisit the strategy in our email marketing guide |
Reading a DMARC Report Without Losing Your Mind
Aggregate reports arrive as XML attachments listing, per sending source: the IP, message volume, and SPF/DKIM results with alignment. Run them through a free analyzer rather than reading raw XML, and look for exactly two things. First, legitimate sources failing — your own ESP or a form plugin showing dkim=fail means quarantined mail you did not know about. Second, unknown sources sending as your domain — typically spoofing attempts, which your quarantine/reject policy is now correctly stopping. Everything else in the report is noise; these two patterns are the signal.
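A script that performs exactly this two-pattern triage on an aggregate report, and that applies the strict-versus-relaxed alignment rule from the DMARC section above when deciding whether a known source passed. It is an added example, not the article's code or any analyzer's: the report XML, the IP addresses and the KNOWN_SOURCES map are constructed, and relaxed alignment is approximated by comparing the last two labels.

```python
# Added example (not the article's or any analyzer's code): triage a DMARC
# aggregate report for the two patterns worth acting on. Report and source map
# are constructed; relaxed alignment is approximated by the last two labels.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
<policy_published><domain>yourdomain.example</domain><adkim>s</adkim><aspf>s</aspf><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.25</source_ip><count>300</count></row>
<identifiers><header_from>yourdomain.example</header_from></identifiers><auth_results>
<dkim><domain>yourdomain.example</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.10</source_ip><count>1200</count></row>
<identifiers><header_from>yourdomain.example</header_from></identifiers><auth_results>
<dkim><domain>esp.example</domain><result>pass</result></dkim>
<spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.77</source_ip><count>40</count></row>
<identifiers><header_from>yourdomain.example</header_from></identifiers><auth_results>
<spf><domain>yourdomain.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""
KNOWN_SOURCES = {"192.0.2.25": "own server", "198.51.100.10": "ESP"}  # constructed allow-list

def aligned(auth_domain, header_from, mode):
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain,
    approximated here as the last two labels (ignores multi-label public suffixes)."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return auth_domain.lower().split(".")[-2:] == header_from.lower().split(".")[-2:]

def dmarc_pass(record, adkim, aspf):
    """DMARC passes when DKIM or SPF both passes and aligns with the header From."""
    hf = record.findtext("identifiers/header_from")
    for kind, mode in (("dkim", adkim), ("spf", aspf)):
        for res in record.findall(f"auth_results/{kind}"):
            if res.findtext("result") == "pass" and aligned(res.findtext("domain"), hf, mode):
                return True
    return False

def triage(xml_text, known):
    """Return (known_failing, unknown): lists of (ip, label, count) to act on."""
    root = ET.fromstring(xml_text)
    mode = {k: root.findtext(f"policy_published/{k}") or "r" for k in ("adkim", "aspf")}  # RFC 7489 default: relaxed
    known_failing, unknown = [], []
    for rec in root.findall("record"):
        ip, n = rec.findtext("row/source_ip"), int(rec.findtext("row/count"))
        if ip not in known:
            unknown.append((ip, "unknown", n))        # pattern 2: someone else sending as you
        elif not dmarc_pass(rec, mode["adkim"], mode["aspf"]):
            known_failing.append((ip, known[ip], n))  # pattern 1: your own mail quarantined
    return known_failing, unknown
```

In the sample the ESP signs as esp.example, so under adkim=s its 1,200 messages surface as pattern one, while the unknown 203.0.113.77 surfaces as pattern two and the all-passing own server is ignored as noise.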
Frequently Asked Questions
Should I send bulk email from my root domain or a subdomain?
Established practice for higher-volume senders is a dedicated subdomain (e.g., mail.yourdomain.com) so campaign reputation is compartmentalized away from your transactional and personal mail. For a solopreneur sending modest volumes, the root domain with strict authentication is fine to start — revisit when volume grows past a few tens of thousands of emails monthly.
Do I need BIMI (the logo in the inbox)?
Need, no; want eventually, probably. BIMI displays your logo beside authenticated messages but requires DMARC at enforcement, a Verified Mark Certificate, and — the real barrier — a registered trademark with usage history. Treat it as a year-two branding project, not a launch requirement.
Will p=reject break my email forwarding?
Forwarding can break SPF (the forwarder becomes the sender), but DKIM signatures survive forwarding intact — which is why DMARC passes if either check aligns. With solid DKIM, enforcement policies are safe for the overwhelming majority of forwarded mail; the aggregate reports will show you the exceptions before they matter.