April 27, 2026
Email deliverability: the four DNS records every sender needs
TL;DR. Inbox placement starts with DNS. Set SPF, DKIM (2048-bit), DMARC (p=quarantine minimum), and a custom MAIL FROM. Skip any one and Gmail / Outlook will quietly send you to spam — even from a brand-new domain.
Most email goes to spam for one of two reasons: the message looks like spam, or the sender looks like a spammer. The first is a content problem; the second is a DNS problem. This post is about the second one.
There are four DNS records every sender needs. Without all four, even a perfectly written email from a clean list will get filtered.
What is SPF?
SPF (Sender Policy Framework) is a TXT record that lists the IPs and services allowed to send mail as your domain. Receiving servers check the envelope — MAIL FROM — against this list. SES needs:
v=spf1 include:amazonses.com ~all
The 10-DNS-lookup limit is real. If you nest too many include: directives, validators silently fail-soft. Always test with an SPF validator before going live.
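To make the lookup limit concrete, here is an added example (not code from this post or from SES) that walks an SPF include tree and counts every term that costs a DNS query: include, a, mx, ptr, exists and redirect. It reports the worst case, where every term is evaluated. The ZONE table, the .test domains and the contents shown for amazonses.com are constructed sample data, not real published records.

```python
# Added example: count the DNS lookups an SPF record costs. Limit is 10.
LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one query

# Constructed TXT records standing in for live DNS (none are real published data,
# including the amazonses.com entry, which is a placeholder).
ZONE = {
    "lean.test": "v=spf1 include:amazonses.com ~all",
    "amazonses.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bloated.test": "v=spf1 include:amazonses.com include:_spf.crm.test "
                    "include:_spf.helpdesk.test a mx ~all",
    "_spf.crm.test": "v=spf1 include:_a.crm.test include:_b.crm.test "
                     "include:_c.crm.test ~all",
    "_spf.helpdesk.test": "v=spf1 include:_spf.crm.test mx "
                          "exists:%{i}.bl.helpdesk.test -all",
    **{f"_{c}.crm.test": "v=spf1 ip4:198.51.100.0/25 -all" for c in "abc"},
    "loop.test": "v=spf1 include:loop.test ~all",
}

def spf_terms(record):
    """Yield (name, argument) for every term after the v=spf1 tag."""
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.lower().startswith("redirect="):
            yield "redirect", term.split("=", 1)[1]
        else:
            name, _, arg = term.partition(":")
            yield name.split("/")[0].lower(), arg  # "a/24" counts as "a"

def count_lookups(domain, txt=ZONE.get, path=()):
    """Total DNS-querying terms reached while evaluating domain's SPF record."""
    if domain in path:                             # include loop: stop recursing
        return 0
    record = txt(domain) or ""
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for name, arg in spf_terms(record):
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg.lower(), txt, path + (domain,))
    return total

def audit(domain, txt=ZONE.get):
    """Summarise whether a domain's SPF tree stays within the lookup limit."""
    n = count_lookups(domain, txt)
    return {"domain": domain, "lookups": n, "over_limit": n > LIMIT}

if __name__ == "__main__":
    for d in ("lean.test", "bloated.test", "loop.test"):
        print(audit(d))
```

The bloated.test record has only five terms that query DNS at the top level, but the nested includes bring the total to 14. To check a real domain, pass a txt callable that returns the published SPF string for a name.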
What is DKIM?
DKIM (DomainKeys Identified Mail) is a cryptographic signature on every outgoing message. The signing key lives on your sending infrastructure; the public key is published as a DNS record. The receiving server verifies the signature using the public key.
2048-bit minimum in 2026. 1024-bit keys still work but Gmail will increasingly down-rank them, and they fall out of compliance with several enterprise security policies. SES generates 2048-bit keys by default; rotate them annually.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when SPF and DKIM both fail. Three policies:
p=none — report only. Don't actually filter anything.
p=quarantine — failed messages go to spam.
p=reject — failed messages are rejected at the gateway.
Start at p=quarantine. Don't linger on p=none — spammers spoofing your domain will keep getting through. Move to p=reject after 30 days of clean DMARC reports.
Why does MAIL FROM matter?
SES sends from a default amazonses.com envelope address unless you configure a custom MAIL FROM. The custom MAIL FROM ties the bounce-handling and SPF alignment back to your own domain. Set up a subdomain like mail.yourdomain.com with its own MX and SPF records.
What about ARC and BIMI?
Both are optional. ARC (Authenticated Received Chain) preserves authentication results when an email passes through a forwarder — useful for newsletters but not table-stakes. BIMI (Brand Indicators for Message Identification) shows your logo next to messages in Gmail, but requires an SVG and a Verified Mark Certificate (VMC), which costs around $1,500/year. Worth doing once you're sending millions of messages a month, not on day one.
What goes wrong if you skip any of these?
Gmail will route to spam. Outlook will route to junk. Yahoo will mark as suspicious. None of these will tell you why — you'll just see your open rate stay flat while your competitor with the same content sees 30%. Before you blame the copy, check your DNS.
How does SEMAOS handle this?
On the platform-shared sending domain (semaos.io), all four records are pre-configured. When you bring your own custom domain, SEMAOS guides the verification flow: SPF, DKIM (2048-bit), DMARC, and MAIL FROM. Domain warmup enforces a 21-day ramp (100 / 500 / 2,000 sends per day) before plan limits apply — we don't let new domains burn their reputation.
