How to set up SPF, DKIM, and DMARC for shipmail

SPF, DKIM, and DMARC are DNS records that authenticate your email. They tell receiving mail servers that your messages are legitimate and not forged. Without them, your email is more likely to land in spam or be rejected entirely.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which servers are authorized to send email for your domain. When a server receives an email claiming to be from your domain, it checks your SPF record for a list of allowed senders. If the sending server is not on the list, the email fails authentication.

Type: TXT
Host: @
Value: v=spf1 include:spf.shipmail.to -all

How it works

  1. You publish a TXT record listing authorized sending servers.
  2. Receiving servers look up this record when they get an email from your domain.
  3. The "-all" suffix means "reject anything not explicitly listed."
  4. The "include:spf.shipmail.to" directive authorizes shipmail's mail servers.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. shipmail signs each message with a private key. The DKIM DNS record publishes the matching public key. Receiving servers use this public key to verify that the message was not modified in transit and genuinely came from your domain.

Type: TXT
Host: shipmail._domainkey
Value: v=DKIM1; k=rsa; p=MIGf...

How it works

  1. shipmail signs outgoing email with a private key.
  2. You publish the corresponding public key as a TXT record.
  3. Receiving servers verify the signature against the public key.
  4. If the signature is invalid, the email fails DKIM authentication.

The DKIM public key is unique to your domain. Copy the exact value shown in your shipmail dashboard. Do not use the example value above.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together with a policy. It tells receiving servers what to do when an email fails DMARC, that is, when neither SPF nor DKIM passes for a domain aligned with the From address. Reporting addresses are optional and can be added later if you want DMARC aggregate reports.

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=reject

How it works

  1. You publish a TXT record with your desired policy.
  2. Receiving servers apply the policy when a message fails both SPF and DKIM.
  3. "p=reject" instructs receivers to reject unauthenticated email entirely.
  4. Optional fields like "rua=mailto:..." specify where aggregate reports are sent.

Common mistakes and how to fix them

Multiple SPF records on the same domain

Problem: A domain may publish only one SPF record (one TXT record beginning with v=spf1). Publishing a second one is a permanent error for receivers, so neither record is honoured and every SPF check fails.

Fix: Merge all include statements into a single SPF record. For example: v=spf1 include:spf.shipmail.to include:_spf.google.com -all

Using ~all instead of -all in SPF

Problem: ~all (soft fail) tells receivers to accept unauthenticated email but treat it as suspicious. This weakens your policy and can hurt deliverability.

Fix: Use -all (hard fail) unless you are in the middle of a migration and need temporary flexibility.

Copying the DKIM example value instead of the real key

Problem: The DKIM public key is generated per domain. Using a placeholder or another domain's key will cause all DKIM checks to fail.

Fix: Copy the exact DKIM value from your shipmail dashboard after adding your domain.

Wrong host for DKIM record

Problem: Most DNS providers automatically append your domain to the host field. Entering "shipmail._domainkey.example.com" as the host creates "shipmail._domainkey.example.com.example.com".

Fix: Enter just shipmail._domainkey as the host. Your DNS provider appends the domain automatically.

Starting DMARC with p=reject before testing

Problem: If you have other services sending email from your domain (newsletters, transactional email) and they are not covered by your SPF/DKIM setup, p=reject will block their email.

Fix: Keep p=reject if ShipMail is your only sender. If other services still send from your domain, use a custom DMARC policy while you validate their SPF and DKIM alignment.

How to verify your records

shipmail verifies records automatically when you add a domain. You can also check manually using dig (Linux/macOS) or nslookup (Windows). Replace example.com with your domain.

Check SPF

dig TXT example.com +short

You should see a record containing "v=spf1 include:spf.shipmail.to".

Check DKIM

dig TXT shipmail._domainkey.example.com +short

You should see a record starting with "v=DKIM1; k=rsa; p=".

Check DMARC

dig TXT _dmarc.example.com +short

You should see a record starting with "v=DMARC1;".
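The checks above confirm that each record exists; the script below goes one step further and looks for the problems listed under "Common mistakes". It is an added example, not shipmail's own tooling: paste in the TXT strings that dig prints (or the values you are about to publish) and it flags duplicate SPF records, a ~all terminator, the placeholder DKIM key, a doubled DKIM host name and a p=reject policy while other senders are still unverified. The function names, the sample records in the main block and the "..." placeholder test are assumptions made for this example.

```python
"""Offline lint for the SPF, DKIM and DMARC records described above.
Added example, not shipmail's own tooling. Input is the TXT strings that
`dig TXT <name> +short` prints; the records in __main__ are constructed."""
import base64
import binascii

SHIPMAIL_SPF_INCLUDE = "include:spf.shipmail.to"  # value from the article


def _strip(record: str) -> str:
    """dig +short quotes TXT data and splits long records into "a" "b" pieces;
    join the pieces and drop the quotes so we see the bare record."""
    return record.strip().replace('" "', "").strip('"').strip()


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in _strip(record).split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(apex_txt: list) -> list:
    """Check all TXT records at the apex: one SPF record, our include, -all."""
    spf = [_strip(r) for r in apex_txt if _strip(r).lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"SPF: {len(spf)} SPF records published; merge the include terms "
                        "into one (receivers treat more than one as a permanent error)")
    for rec in spf:
        terms = rec.split()
        if SHIPMAIL_SPF_INCLUDE not in terms:
            findings.append(f"SPF: {SHIPMAIL_SPF_INCLUDE} is missing from '{rec}'")
        alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
        if not alls:
            findings.append("SPF: no 'all' term, so unlisted senders are not rejected; add -all")
        elif alls[0].startswith("~"):
            findings.append("SPF: ~all (soft fail); use -all unless you are mid-migration")
        elif not alls[0].startswith("-"):
            findings.append(f"SPF: '{alls[0]}' accepts unlisted senders; use -all")
    return findings


def lint_dkim(dkim_txt: list) -> list:
    """Check shipmail._domainkey for a real, well-formed public key."""
    recs = [parse_tags(r) for r in dkim_txt if "p=" in _strip(r)]
    if not recs:
        return ["DKIM: no record with a p= tag at shipmail._domainkey"]
    pub = recs[0].get("p", "")
    if not pub:
        return ["DKIM: p= is empty, which publishes a revoked key"]
    if "..." in pub:  # assumption: the docs placeholder is recognised by its "..."
        return ["DKIM: p= is the truncated placeholder from the docs; copy the real key"]
    try:
        base64.b64decode(pub, validate=True)
    except (binascii.Error, ValueError):
        return ["DKIM: p= is not valid base64 (truncated or mistyped key?)"]
    return []


def lint_dkim_host(host_field: str, domain: str) -> list:
    """Catch the fully qualified name typed into a host field that the DNS
    provider suffixes with the domain on its own."""
    if host_field.rstrip(".").lower().endswith("." + domain.lower()):
        return [f"DKIM host: '{host_field}' becomes '{host_field}.{domain}'; "
                "enter only 'shipmail._domainkey'"]
    return []


def lint_dmarc(dmarc_txt: list, other_senders: bool = False) -> list:
    """Check _dmarc for a valid policy; flag p=reject when other senders exist."""
    recs = [parse_tags(r) for r in dmarc_txt if _strip(r).upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    policy = recs[0].get("p")
    if policy not in ("none", "quarantine", "reject"):
        return [f"DMARC: p= must be none, quarantine or reject (got {policy!r})"]
    findings = []
    if policy == "reject" and other_senders:
        findings.append("DMARC: p=reject while other services still send from this domain; "
                        "confirm their SPF/DKIM alignment first")
    if "rua" not in recs[0]:
        findings.append("DMARC: no rua= tag, so you will receive no aggregate reports")
    return findings


def lint_domain(domain, apex_txt, dkim_txt, dmarc_txt,
                dkim_host_field="shipmail._domainkey", other_senders=False) -> list:
    """Run every check and return the combined list of findings."""
    return (lint_spf(apex_txt) + lint_dkim(dkim_txt)
            + lint_dkim_host(dkim_host_field, domain) + lint_dmarc(dmarc_txt, other_senders))


if __name__ == "__main__":
    # Constructed records for a domain that made several of the listed mistakes.
    for finding in lint_domain(
        "example.com",
        apex_txt=['"v=spf1 include:spf.shipmail.to ~all"', '"v=spf1 include:_spf.google.com -all"'],
        dkim_txt=['"v=DKIM1; k=rsa; p=MIGf..."'],
        dmarc_txt=['"v=DMARC1; p=reject"'],
        dkim_host_field="shipmail._domainkey.example.com",
        other_senders=True,
    ):
        print(finding)
```

Run it with the output of the three dig commands and an empty list of findings means the records match what this guide asks for. The `other_senders` flag is how you tell the linter that Google Workspace or another service still sends from the domain, which is the case where p=reject needs the custom DMARC mode described later.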

Frequently asked questions

Is DMARC required?

Yes for the default ShipMail setup flow. ShipMail expects a DMARC record before a domain can finish verification, although advanced users can explicitly choose to manage their own DMARC policy. Without DMARC, receiving servers decide on their own what to do with email that fails SPF or DKIM. With DMARC, you control the policy.

Can I use shipmail alongside Google Workspace or Microsoft 365?

Yes. Merge the SPF include statements into a single record. DKIM records use different selectors, so they do not conflict. If you need a gradual DMARC rollout, switch to ShipMail's custom DMARC mode and publish your own policy while you verify both services are authenticating correctly.

How long does DNS propagation take?

Most changes propagate within a few minutes. Some DNS providers cache records for up to 48 hours. Use a low TTL (300 seconds) on new records to speed this up.

What does a DMARC aggregate report look like?

DMARC reports are XML files sent daily by receiving mail servers. They show how many emails passed or failed SPF and DKIM for your domain. You can use free tools like DMARC Analyzer or Postmark's DMARC tool to parse them into readable dashboards.
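If you would rather read the reports yourself, the following added example (not shipmail's code or any of the tools named above) parses one aggregate report with the standard library and reduces it to what matters for troubleshooting: how many messages passed DMARC and which source IPs failed. The report XML is constructed here to match the aggregate format; the reporter name, report id and addresses in it are made up.

```python
"""Summarise a DMARC aggregate (rua) report.
Added example, not part of the shipmail article. The XML below is a
constructed report in the standard aggregate format; real reports arrive
by e-mail as zip or gzip attachments."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one day for example.com, one legitimate source that
# passes both checks and one unknown source that fails both (documentation IPs).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>shipmail</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return totals plus the sources that failed DMARC.

    A row passes DMARC when the receiver's policy_evaluated shows an aligned
    DKIM pass or an aligned SPF pass; anything else counts as a failure and is
    attributed to its source IP. Reports come from third parties, so in
    production parse them with a hardened XML parser (e.g. defusedxml) rather
    than bare ElementTree.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "failed": 0,
        "dispositions": Counter(),   # messages per none/quarantine/reject
        "failed_sources": [],        # (source_ip, count), largest first
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        summary["total"] += count
        summary["dispositions"][evaluated.findtext("disposition")] += count
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passed"] += count
        else:
            summary["failed"] += count
            summary["failed_sources"].append((row.findtext("source_ip"), count))
    summary["failed_sources"].sort(key=lambda source: -source[1])
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']}): "
          f"{s['passed']}/{s['total']} messages passed DMARC")
    for ip, n in s["failed_sources"]:
        print(f"  failing source {ip}: {n} messages")
```

A failing source that is one of your own services (a newsletter tool, a CRM) is the signal to add its SPF include or DKIM selector before moving to p=reject; a failing source you do not recognise is exactly the traffic the reject policy exists to stop.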

My emails are going to spam. What should I check?

Verify all three records are correctly configured using the dig commands above. Check that you have not published multiple SPF records. Make sure your DKIM key matches the one in your dashboard. If everything looks correct, check your DMARC report for clues. Also verify your sending domain is not on any blocklists.