this is the section you print out and tape to your wall. every item here is non-negotiable if you want emails landing in Primary instead of spam.

1. DNS authentication

these are the records that prove to email providers you're actually allowed to send from your domain. skip any one of them and you're flagged before your email is even read.

SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorised to send email on behalf of your domain.

how to check: run your domain through an SPF checker (MXToolbox or similar). you should see a valid SPF record that includes your email provider's sending IPs.

what correct looks like: v=spf1 include:_spf.google.com ~all

• [ ] SPF record is published for every sending domain
• [ ] SPF record includes your email provider's authorised IPs
• [ ] SPF record is not failing or producing errors on lookup

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails so the receiving server can verify the message wasn't tampered with in transit.

how to check: send a test email to a DKIM verification tool. the signature should validate successfully against your published DKIM key.

• [ ] DKIM is enabled and signing outgoing emails
• [ ] DKIM key is published in your DNS
• [ ] DKIM signature validates on test sends

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do with emails that fail SPF or DKIM checks. without it, providers make their own call, and it's usually "send to spam."

what correct looks like: v=DMARC1; p=quarantine; rua=mailto:[email protected]

• [ ] DMARC record is published
• [ ] DMARC policy is set to at least p=quarantine (not p=none)
• [ ] DMARC reporting email is configured so you can see failures

2. domain strategy