These three DNS records tell receiving servers your email is legitimate. Formitor checks them and, when a test email gets through, reads the real authentication results from the message headers.
- SPF lists which servers may send mail for your domain. A softfail means the sending service isn't included — add it to your SPF record.
- DKIM is a cryptographic signature proving the message wasn't tampered with. We can't always see your DKIM selector from DNS alone, so it may show as "can't confirm" — which is not the same as broken.
- DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails.
Safe order for DMARC
Always start at p=none (monitor only) and watch the reports for a few weeks before moving to stricter policies. Jumping straight to p=reject can block your own legitimate mail.