Skip to content
InboxAPI

Email Deliverability Demystified: SPF, DKIM, and DMARC

For developers building applications that send email, writing the code is only half the battle. The other half is ensuring that your messages actually reach the recipient’s inbox rather than getting silently discarded or routed to the spam folder.

Understanding how email deliverability works and implementing core authentication protocols is essential. This guide demystifies the technical standards that control modern inbox placement.

What is Email Deliverability?

Email deliverability is the measure of how successfully your emails reach the recipient’s inbox. It is distinct from delivery rate (which simply checks if the recipient’s mail server accepted the message). A message can have 100% delivery but 0% deliverability if every single email lands in the spam folder.

Deliverability is determined by two main factors:

  1. Domain and IP Reputation: How mailbox providers (Gmail, Outlook) view your sending history and user interactions (spam reports, open rates).
  2. Email Authentication: Cryptographic proof that your email is genuinely from the domain it claims to represent.

The Three Pillars of Email Authentication

To prevent spoofing and ensure high deliverability, you must configure three DNS authentication standards:

1. SPF (Sender Policy Framework)

SPF is a DNS record that lists all the IP addresses authorized to send emails on behalf of your domain.

  • How it works: The receiving server checks the SPF record of the sender’s domain and verifies if the sending server’s IP address is listed.
  • Example Record: v=spf1 include:mailgun.org ~all

2. DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to the headers of your outgoing emails.

  • How it works: You generate a public/private key pair. You configure the public key as a DNS record. Your sending server signs each outgoing message with the private key. The receiver retrieves the public key from your DNS to verify the signature.
  • Why it matters: DKIM proves that the email content was not altered in transit.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together. It tells receivers how to handle emails that fail SPF or DKIM checks.

  • How it works: You specify a policy (none, quarantine, or reject) and an email address to receive XML reports of authentication failures.
  • Example Record: v=DMARC1; p=quarantine; rua=mailto:[email protected]

Dynamic Deliverability with InboxAPI

Setting up SPF, DKIM, and DMARC records for custom domains is a tedious task that requires access to DNS managers and registrar settings.

InboxAPI handles this configuration automatically. When you create an account, you receive a unique subdomain under inboxapi.ai. InboxAPI manages the DNS infrastructure, automatically generating and maintaining SPF records, DKIM public keys, and DMARC policies for your subdomain. This ensures your emails are authenticated and ready to be delivered to the inbox from the very first send.