Understanding SPF, DKIM, and DMARC: A Simple Guide

Need for Better, Implementation-Focused Guidance

  • Several posts ask for practical guides aimed at app/platform developers sending mail “on behalf of” customer domains.
  • Common mistakes:
    • Third-party platforms demanding SPF includes even when they correctly use their own envelope domain.
    • Using the customer’s domain in both envelope and header addresses, breaking bounce handling and DMARC alignment.
  • Strong advice: if you’re not a customer’s primary mail provider, avoid touching their SPF; rely on DKIM and appropriate subdomains instead.

SPF, DKIM, DMARC Nuances and Pitfalls

  • Confusion over DMARC alignment: “strict vs relaxed” controls subdomain alignment only; you cannot require both SPF and DKIM to pass via DMARC.
  • Operational pain:
    • Misconfigured or outdated SPF records cause quarantines; some admins proactively contact senders with step‑by‑step fix instructions.
    • SPF macros are rarely seen and often misunderstood.
    • Hitting SPF’s 10‑lookup limit is common; the suggested fix is to give each SaaS sender its own subdomain with its own SPF record.
    • Return-Path / envelope-from domain alignment is critical but often overlooked.
  • Forwarding issues:
    • DMARC + SPF break naive forwarding; SRS and ARC are discussed as workarounds.
    • Gmail in particular is described as strict and opaque; some registrars’ forwarders don’t implement ARC or proper spam handling.
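
As an added example (not drawn from the discussion summarized here), a small Python check of the DMARC alignment rules described above: relaxed vs strict matching, Return-Path alignment, and why a platform sending from its own envelope domain needs the customer's DKIM key rather than an SPF include. Domain names are constructed placeholders, and the organizational-domain lookup is simplified to the last two labels rather than using the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Organizational domain of a name. Real checkers consult the Public
    Suffix List; taking the last two labels is a simplifying assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact domain match,
    'r' (relaxed) accepts any name under the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

@dataclass
class AuthResults:
    header_from: str          # domain of the RFC 5322 From header
    envelope_from: str        # RFC 5321 MAIL FROM / Return-Path domain
    spf_pass: bool            # SPF result for envelope_from
    dkim_d: Optional[str]     # d= of a verified DKIM signature, or None

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when EITHER authenticated identifier aligns with the
    From domain; the aspf/adkim tags only pick strict vs relaxed matching."""
    spf_aligned = r.spf_pass and aligned(r.header_from, r.envelope_from, aspf)
    dkim_aligned = r.dkim_d is not None and aligned(r.header_from, r.dkim_d, adkim)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "pass": spf_aligned or dkim_aligned}

# Constructed scenarios (domains are placeholders, not real senders).
# A platform using its own bounce domain plus a customer DKIM key: SPF is
# unaligned (expected, and harmless), DKIM carries the DMARC pass.
PLATFORM_WITH_DKIM = AuthResults("customer.example",
                                 "bounces.platform.example", True, "customer.example")
# Same setup without a customer DKIM signature: nothing aligns, DMARC fails.
PLATFORM_NO_DKIM = AuthResults("customer.example",
                               "bounces.platform.example", True, None)
# Customer's own subdomain as Return-Path: passes relaxed, fails strict SPF.
OWN_SUBDOMAIN = AuthResults("customer.example",
                            "bounces.customer.example", True, None)

if __name__ == "__main__":
    for name, r in [("platform+dkim", PLATFORM_WITH_DKIM),
                    ("platform-no-dkim", PLATFORM_NO_DKIM),
                    ("own-subdomain", OWN_SUBDOMAIN)]:
        print(name, "relaxed:", dmarc_evaluate(r), "strict:", dmarc_evaluate(r, "s", "s"))
```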

Tools, Automation, and Learning Resources

  • Multiple validators and analyzers are recommended (DMARC/SPF/DKIM testers, DMARC monitoring dashboards), with mixed views on flashy “learn” UIs vs simple reports.
  • Some argue guides have limited impact; automation that configures DNS for users (via Domain Connect–style services) is seen as more effective.

Running Your Own Mail Server

  • Options mentioned: Mail-in-a-Box, docker-mailserver, Mailcow, NixOS-based setups, integrated mail servers (e.g., maddy/mox, Stalwart).
  • Big hurdles: IP reputation, PTR records, matching HELO/A/MX, and large providers’ opaque blocklists.
  • Experiences vary:
    • Some report long-term success with careful setup and low volume.
    • Others find Gmail/Microsoft essentially force use of big providers or relays.
  • Debate over email’s future: some see it declining for person-to-person use but still central for accounts, notifications, and newsletters.

Policy, Ecosystem, and Diversity

  • Concern about an “SMTP cartel” of major providers deciding deliverability, sometimes ignoring standards or giving little recourse.
  • Calls for more email diversity: self-hosting or using smaller providers, though many ultimately choose hosted services (e.g., Fastmail) for reliability.