SPF, DKIM & DMARC explained


Updated June 10, 2026 · also available in the in-app Help center

These three DNS records tell receiving servers your email is legitimate. Formitor checks them and, when a test email gets through, reads the real authentication results from the message headers.

  • SPF lists which servers may send mail for your domain. A softfail means the sending service isn't included — add it to your SPF record.
  • DKIM is a cryptographic signature proving the message wasn't tampered with. We can't always see your DKIM selector from DNS alone, so it may show as "can't confirm" — which is not the same as broken.
  • DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails.

Safe order for DMARC

Always start at p=none (monitor only) and watch the reports for a few weeks before moving to stricter policies. Jumping straight to p=reject can block your own legitimate mail.

Questions the docs didn't answer?

The in-app assistant knows your own sites, or reach us directly.