SPF, DKIM, and DMARC are the three DNS records that tell receiving mail servers whether your email is legitimate. A single mistake in any one of them, a broken selector, an SPF record with too many lookups, a DMARC policy stuck at monitoring-only, can silently drop your inbox placement without ever showing up as an error in your sending platform.
SPF: The Most Commonly Broken Record
SPF has a hard limit of 10 DNS lookups. Every third-party sending tool you add, your email platform, a marketing tool, a CRM, adds more lookups through nested include statements. Once you cross 10, receiving servers are supposed to fail the entire SPF check, and many silently do, even though the record looks valid in a basic checker. We flatten SPF records to stay under this limit and verify the exact provider strings needed for whichever platform you send through.
DKIM: Selector and Key Length Issues
DKIM failures are almost always caused by a mismatched selector between what your sending platform expects and what is actually published in DNS, or a key that was generated correctly but never fully propagated before sending began. We verify the DKIM signature is present, correctly selector-matched, and using a minimum 1024-bit key, with 2048-bit recommended for any domain sending meaningful volume.
DMARC: Moving Past Monitoring-Only
Most domains we audit have DMARC published at p=none, which only monitors and reports, it does not protect against spoofing or improve deliverability on its own. We review your DMARC aggregate reports to confirm SPF and DKIM are passing consistently, then move the policy to p=quarantine and eventually p=reject once verified clean, which is often the single change that most improves inbox placement.
What You Receive
A full breakdown of every DNS record found, exactly what is broken versus what is correctly configured, and the precise replacement record values to publish, not a vague instruction to “check your SPF.”