SPFWise
Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

dkim

SendGrid Domain Authentication: SPF, DKIM & DMARC Setup (Automated vs Manual Security)

SendGrid Domain Authentication publishes CNAME records on a delegated em1234 subdomain so SPF and DKIM pass without touching your root SPF. This guide explains the delegated-subdomain model, contrasts Automated Security (CNAME) versus Manual (TXT), and shows how to add the DMARC policy SendGrid will not create for you, then confirm every CNAME resolves.

Jul 3, 20266 min read
dkim

How to Set Up SPF, DKIM, and DMARC for Mailchimp (2026 Step-by-Step)

Mailchimp authentication in 2026 is simpler than most guides claim: two CNAME records for DKIM and one TXT record for DMARC, with no SPF include to edit. This guide shows the exact records to paste, how to verify them with a free checker, and how to read your first DMARC report so campaigns align and stop landing in spam.

Jul 3, 20267 min read
dkim

Klaviyo SPF and DKIM Setup: Authenticate Your Sending Domain Correctly

Klaviyo does not want you to add its servers to your root SPF record. You point a branded sending subdomain at Klaviyo with CNAME records, and Klaviyo hosts SPF and DKIM for you. This guide gives the exact records for a Klaviyo branded sending domain, explains why a raw SPF include is a mistake, and shows how to add and validate the one record Klaviyo will not create for you: your DMARC policy.

Jul 3, 20267 min read
spf

SPF PermError vs TempError: What Each One Means and How to Fix It

SPF PermError and TempError are two distinct results, not versions of "fail." PermError means a permanent misconfiguration you must fix now, usually more than 10 DNS lookups or two v=spf1 records. TempError means a transient DNS problem that self-resolves but signals trouble if it repeats. This guide gives a side-by-side decision table, a root-cause checklist for each, and shows how to read the exact cause.

Jul 3, 20267 min read
dkim

DKIM CNAME vs TXT Record: Which Should You Use (and Why It Matters)

A DKIM public key always lives in a TXT record. A CNAME at your selector is just a pointer that delegates that TXT record to your email provider so they can rotate keys for you. This guide explains the real difference, gives a side-by-side of manual TXT control versus CNAME auto-rotation, covers nested-CNAME resolution gotchas, and shows how to check what actually resolves at selector._domainkey.

Jul 3, 20267 min read
dkim

DKIM Body Hash (bh=) Mismatch: Why It Fails and How to Fix It

A DKIM body hash mismatch means the message body changed after signing, so the bh= value no longer matches what the receiver computes. This guide explains the difference between the body hash and the header signature, walks through the usual culprits (footer appenders, link rewriters, MIME re-encoding, canonicalization), and gives you a raw-body compare method plus the golden rule: sign at the last content-changing hop.

Jul 3, 20268 min read
dmarc

DMARC Relaxed vs Strict Alignment Explained (and Which to Use)

DMARC alignment decides whether the domain in your visible From address matches the domain SPF or DKIM authenticated. Relaxed mode allows subdomains of the same organizational domain to align, and it is the default. Strict mode demands an exact match. This guide shows the difference with a mail.brand.com example, gives the literal aspf and adkim syntax, and walks through moving to strict only after your reports are clean.

Jul 3, 20267 min read
dmarc

How to Move DMARC From p=none to p=reject Safely: A Phased Enforcement Roadmap

Moving DMARC from p=none to p=reject protects your domain from spoofing, but rushing it blocks real mail. This roadmap gives you gated exit criteria for each phase, a realistic multi-week timeline, the pct ramp, sp handling for subdomains, and a checklist you run against your own DMARC aggregate reports before you advance a single step.

Jul 3, 20268 min read
dmarc

The DMARC pct Tag Explained: How to Ramp Enforcement Without Blocking Real Mail

The DMARC pct tag controls what fraction of your failing mail gets your policy applied, so you can enforce gradually. The catch most guides miss: unselected mail is not skipped, it drops down one policy level, so p=reject with pct=50 rejects half and quarantines the rest. This guide gives a 10/25/50/100 ramp tied to reading reports, and flags that DMARCbis deprecates pct.

Jul 3, 20267 min read
security

How to Set Up MTA-STS: Step-by-Step Guide with Policy File and DNS Records

A copy-paste walkthrough of all three MTA-STS parts: the _mta-sts TXT record, the mta-sts.txt policy file served over HTTPS at the well-known path, and the mx, mode, and max_age directives. Includes dig and curl validation steps to confirm each piece resolves before you switch from testing to enforce mode, plus how MTA-STS relates to TLS-RPT, DANE, and DMARC.

Jul 3, 20268 min read
security

MTA-STS vs DANE: Which Email Transport Security Standard Should You Use?

MTA-STS and DANE both force encrypted SMTP delivery, but they trust different things. MTA-STS uses HTTPS and the public CA system with a trust-on-first-use gap. DANE uses DNSSEC-signed TLSA records with no first-use window. Gmail and Outlook honor MTA-STS as senders but do not validate DANE when receiving, so publish MTA-STS for reach and add DANE where your DNS and receivers support it.

Jul 3, 20267 min read
deliverability

Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam

A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.

Jul 3, 20268 min read
PreviousPage 1 of 2Next