The Complete SPF, DKIM and DMARC Setup Guide for Founders.

Direct Answer

SPF, DKIM, and DMARC are DNS records that tell inbox providers which services can send email for your domain and how to verify those messages. Without them, founder emails, product notifications, password resets, and launch sequences are more likely to land in spam or fail authentication.

What SPF Does

SPF lists the mail servers allowed to send email for your domain. If you use Google Workspace, Resend, Mailgun, Postmark, HubSpot, or another sender, that service usually gives you an SPF include value. The mistake is adding multiple SPF records. You should have one SPF record that includes all approved senders.

What DKIM Does

DKIM signs outgoing email cryptographically. Inbox providers use the public DNS key to verify that the message was not modified and that the sender is authorized. Each email platform usually gives you one or more DKIM records to add.

What DMARC Does

DMARC tells inbox providers what to do when SPF or DKIM checks fail. Start with a monitoring policy, then move toward stricter enforcement once legitimate senders are passing.

Setup Order

• Add or consolidate SPF for all legitimate senders.
• Add DKIM records from each sending platform.
• Add a DMARC record with a reporting address.
• Send test emails and check authentication results.
• Tighten the DMARC policy after monitoring.

Founder Mistakes

The most common mistake is launching email automations before domain authentication is correct. The second is using too many sending platforms without tracking which DNS records belong to each one. Keep a simple email infrastructure document so future changes do not break deliverability.

The main point: email setup is launch infrastructure. If users cannot receive password resets, receipts, onboarding emails, or booking confirmations, the product feels broken even when the app code works.