Sending transactional email from a Gmail or Yahoo address cannot be authenticated under DKIM (RFC 6376), SPF (RFC 7208), and DMARC (RFC 7489), the three DNS-published standards that inbox providers use to decide whether your mail is legitimate. Without all three records configured on a custom domain, confirmation emails land in spam or are silently rejected. With a DMARC policy of p=none, enforcement is disabled and spoofing your From address becomes trivial: an attacker can impersonate your booking system to phish your customers with zero DNS friction. Operators who skip domain authentication also undermine their own deliverability over time as spam-complaint rates accumulate against the shared sending IP.
High because misconfigured or absent domain authentication causes systematic inbox delivery failures and leaves the From address spoofable for phishing attacks against customers.
Configure SPF, DKIM, and DMARC at your DNS provider and switch the From address to your verified custom domain. If you use SendGrid, Postmark, or Resend, open the provider's domain authentication wizard; it generates the exact TXT records to add:
# SPF — TXT record at yourdomain.com
v=spf1 include:sendgrid.net ~all
# DKIM — TXT record at default._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGf...
# DMARC — TXT record at _dmarc.yourdomain.com
v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com
Set p=reject on DMARC, not p=none. Update your email config to use noreply@yourdomain.com as the From address.
ID: booking-notifications-reminders.confirmation-email.auth-domain-spf-dkim-dmarc
Severity: high
What to look for: Check the email service configuration (SendGrid, Postmark, Resend, AWS SES, or custom SMTP). Identify the "From" address by searching for from:, FROM_EMAIL, or sender configuration in the email sending code. Verify the domain is not a generic freemail domain (gmail.com, yahoo.com, outlook.com, hotmail.com). Check for evidence of domain authentication: (1) Email provider's domain verification setup (SendGrid domain authentication, Postmark sender signatures, Resend domain verification), (2) DNS records configuration or documentation mentioning SPF, DKIM, DMARC, (3) Verified domain status in provider configuration. Count how many of the 3 records (SPF, DKIM, DMARC) have evidence of configuration.
Pass criteria: Count all 3 authentication records (SPF, DKIM, DMARC). ALL of the following: (1) From address uses a custom domain (not gmail.com/yahoo.com/etc.) — quote the From address or config variable. A freemail domain does NOT count as pass even if other records exist. (2) At least 2 of 3 DNS authentication records (SPF, DKIM, DMARC) have evidence of configuration — report the count even on pass (e.g., "3 of 3 configured"). (3) If DMARC is present, policy is not p=none (must be p=quarantine or p=reject).
Fail criteria: Emails sent from a freemail domain. No evidence of domain verification in the email provider setup. Fewer than 2 of 3 authentication records evidenced. DMARC policy is p=none (no enforcement).
Skip (N/A) when: Email is disabled or system uses only webhook-based communication (no outbound email sending code found). No email provider dependency and no SMTP configuration present.
Detail on fail: State the From address found. For each of SPF, DKIM, DMARC: state "CONFIGURED" with evidence or "NOT FOUND" with what was searched. Example: "From: noreply@gmail.com (freemail domain). SPF: NOT FOUND. DKIM: NOT FOUND. DMARC: NOT FOUND."
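The pass/fail criteria and the "Detail on fail" line above, applied by an added example checker that is not part of this audit's own tooling. It takes the From address and a dict of TXT records (constructed sample data here; in practice you would resolve them with dig or dnspython), counts the three records, and rejects a DMARC policy of p=none.

```python
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample DNS answers, not real records: DMARC deliberately set to p=none.
SAMPLE_DNS = {
    "example.com": ["v=spf1 include:sendgrid.net ~all"],
    "default._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGf...PLACEHOLDER"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:postmaster@example.com"],
}

def parse_tags(record):
    """Split a 'k=v; k2=v2' style TXT record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(from_addr, txt_records, dkim_selector="default"):
    """Apply the pass criteria: custom From domain, >=2 of 3 records, DMARC not p=none.
    txt_records maps a DNS name to the list of TXT strings published at that name."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    f = {"from": from_addr, "freemail": domain in FREEMAIL}
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    dkim = [r for r in txt_records.get(dkim_name, []) if r.lower().startswith("v=dkim1")]
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    f["SPF"] = "CONFIGURED" if spf else "NOT FOUND"
    f["DKIM"] = "CONFIGURED" if dkim else "NOT FOUND"
    f["DMARC"] = "CONFIGURED" if dmarc else "NOT FOUND"
    f["configured"] = sum(1 for found in (spf, dkim, dmarc) if found)
    # The p= tag is the DMARC policy; only quarantine or reject count as enforcement.
    f["dmarc_policy"] = parse_tags(dmarc[0]).get("p", "").lower() if dmarc else None
    reasons = []
    if f["freemail"]:
        reasons.append(f"From address uses freemail domain {domain}")
    if f["configured"] < 2:
        reasons.append(f"only {f['configured']} of 3 records configured")
    if dmarc and f["dmarc_policy"] not in ("quarantine", "reject"):
        reasons.append(f"DMARC policy is p={f['dmarc_policy'] or 'missing'} (no enforcement)")
    f["result"] = "PASS" if not reasons else "FAIL"
    f["reasons"] = reasons
    return f

def detail_line(f):
    """Render the finding in the 'Detail on fail' format the check asks for."""
    tag = " (freemail domain)" if f["freemail"] else ""
    return f"From: {f['from']}{tag}. SPF: {f['SPF']}. DKIM: {f['DKIM']}. DMARC: {f['DMARC']}."

if __name__ == "__main__":
    result = audit_email_auth("noreply@example.com", SAMPLE_DNS)
    print(result["result"], result["reasons"], detail_line(result))
```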
Remediation: Add SPF, DKIM, and DMARC records to your domain's DNS:
# SPF record (TXT)
v=spf1 include:sendgrid.net ~all
# DKIM record (TXT) — public key provided by SendGrid
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGf..."
# DMARC record (TXT)
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:admin@yourdomain.com"
If using SendGrid, Postmark, or Resend, use their domain verification tools — they automate DNS record creation. Update your From address to use your verified custom domain (e.g., noreply@yourdomain.com).
Cross-reference: Email/SMS Compliance audit checks CAN-SPAM email-authentication requirements. Security Headers audit checks DNS-related security. SEO Advanced audit checks domain authority signals.