Skip to content
PROJECT-SCOPED · 24 HOURS

The full authentication stack published correctly.
Six records, one fee, validated end-to-end.

SPF authorisation set up correctly under the 10-lookup ceiling. DKIM keypair generated at 2048-bit RSA with a predictable selector naming convention. DMARC published at p=none with rua= reporting active to a destination that actually parses. MTA-STS policy file deployed at the well-known path with mode=testing. TLS-RPT companion. BIMI eligibility bootstrap if you have a registered trademark.

Each record is validated against the relevant RFCs and our own tooling before handover. You get a written deliverable showing the exact record content published, with the rationale for each choice (hard-fail vs soft-fail SPF, p=none vs p=quarantine starting policy, MTA-STS testing vs enforce mode).

Order on Telegram See sample records
price €99
delivery 24 hours
records published 6-7
validation end-to-end tested
why authentication is six records, not three

The 2024 Gmail and Yahoo bulk-sender requirements changed the floor.

Until early 2024, you could get away with SPF and DKIM. Maybe a DMARC record at p=none for show. The receivers wanted authentication; they tolerated incomplete authentication; mail mostly delivered.

February 2024 changed that. Gmail and Yahoo announced bulk-sender requirements that turned soft expectations into hard floors. SPF and DKIM both required (not either-or). DMARC required at minimum p=none with valid rua= reporting. List-Unsubscribe header in RFC 8058 one-click format, mandatory at 5,000+ daily volume. Spam complaint rate under 0.3% sustained, with hard cliff at 0.1% for new senders. One-click unsubscribe processing within 48 hours. TLS encryption on delivery, no plaintext fallback.

Microsoft followed with similar enforcement against Office 365 tenants in mid-2024. Apple's iCloud reputation scoring ramped up its weighting on DMARC alignment around the same time. The major receivers all moved together because the operational case for stricter authentication was overwhelming: phishing was getting more sophisticated, brand impersonation was hitting tier-1 banks, and consumer complaint volume kept climbing.

So the stack today is six records, not three. SPF and DKIM as baseline. DMARC with active reporting. MTA-STS with TLS-RPT to satisfy the encryption floor. BIMI if you want the brand-recognition uplift in inbox UI. Skip any of these and you're shipping mail that starts a lap behind.

your records, generated

Preview the exact records we'd publish for your domain.

Set your domain, ESP, and reporting destination. The generator shows the literal TXT records as we'd publish them. Production records get one critical verification: that the published values match exactly what was generated, character for character.

The apex domain you'll send from. Subdomains share parent SPF authorisation.

Determines what goes in the SPF include and which DKIM selector format we use.

DMARC reports come as compressed XML hourly or daily. Your inbox cannot handle the volume; use a parser.

Generated records

These would publish at your DNS provider after verification. Copy and paste-able for reference.

SPF example.com TXT 
v=spf1 ip4:185.0.0.0/24 ~all

Hard-fail terminator for tighter authentication signals.

DKIM 2026q1._domainkey.example.com TXT 
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA[...2048-bit public key...]

Year-quarter selector format enables clean rotation. 2048-bit RSA, rsa-sha256.

DMARC _dmarc.example.com TXT 
v=DMARC1; p=none; rua=mailto:rua@dmarc.ash-managed.com; pct=100; sp=none; aspf=r; adkim=r;

Starting at p=none for visibility. Promote to p=quarantine after 30 days, p=reject after 60.

MTA-STS _mta-sts.example.com TXT 
v=STSv1; id=20260115T120000;

Policy ID timestamp. Plus policy file at https://mta-sts.example.com/.well-known/mta-sts.txt

TLS-RPT _smtp._tls.example.com TXT 
v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.ash-managed.com

TLS reporting destination. Required for safe MTA-STS promotion to enforce mode.

Sample records shown for illustration. Production records are generated specifically for your sending infrastructure with actual IPs, third-party include chains traversed, and unique DKIM key material. Selector names are calibrated to your rotation cadence.

the 90-day ramp

DMARC policy progression: p=none to p=reject without breaking real mail.

DMARC enforcement is a phased ramp, not a one-time switch. Click any phase to see what we change, what to expect, and what to watch for.

starting policy

Day 0: p=none with rua= reporting active

v=DMARC1; p=none; pct=100; rua=mailto:rua@dmarc.example.com;

Initial policy. p=none means receivers don't take enforcement action on authentication failures. They report what they see via aggregate reports (rua=) but they don't block, quarantine, or reject anything.

This is the visibility phase. We collect 3-4 weeks of aggregate reports to identify every legitimate sender on your domain (your own infrastructure, third-party services, internal applications, forgotten subdomains). The reports show what's authenticating cleanly, what's failing, and crucially what legitimate senders would get blocked if you went straight to p=reject.

Most domains discover 2-5 legitimate senders they didn't realise were sending in their name. Skipping this phase and going straight to enforcement is the most common reason customer mail gets blocked unexpectedly.

check what you have now

Authentication readiness score.

Tick what's currently published on your domain. The score shows how complete your existing authentication is and what gaps remain. About 80% of senders score below 6 here.

Authentication completeness
0/15

Tick what's currently published on your domain. Your score shows how complete the authentication stack is. Gaps below 6 indicate the €99 setup will pay for itself within a few campaigns via better deliverability.

honest fit assessment

Who orders this, and who shouldn't.

good fit
  • Launching email sending and you want the authentication baseline correct from day one. Cheaper than re-doing it after reputation issues surface.
  • Audit surfaced authentication gaps and you want them fixed without an ongoing engagement.
  • Existing setup with weak or missing authentication. Your DMARC has been at p=none for 18 months because nobody on the team feels confident promoting it.
  • Agency setting up a new client and you don't want to spend a day on DNS records when €99 covers it cleanly.
  • Compliance requirement for SOC 2, ISO 27001, or industry frameworks where documented authentication setup is part of the audit trail.
  • Migrating from one ESP to another and you need fresh authentication published before cutover.
poor fit
  • Complex multi-sender setup with transactional, marketing, and cold outreach on different paths. Audit (€299) is the right starting point first; setup follows the audit's recommendations.
  • You don't have access to your DNS provider yet. We need access to publish records.
  • You want full setup including MTA. That's the PowerMTA + MailWizz Setup (€299) which includes DNS auth in the bundle.
  • Your domain has SPF/DKIM/DMARC working and you only need rotation. That's the DKIM Rotation addon (€29/mo), not this.
  • You want guaranteed inbox placement as a result. Authentication is necessary but not sufficient. Reputation, content, and list quality matter too.
scope of work

Every record we publish, every check we run.

01

SPF, Sender Policy Framework

TXT record at the domain root authorising your sending IPs and any third-party services that send on your behalf (Google Workspace, Microsoft 365, transactional providers, marketing platforms).

The 10-lookup limit is verified exhaustively. Every include: chain traversed, every a: reference counted. Most senders past three include chains hit this silently, when SPF goes over 10 lookups, the receiver treats it as invalid (PermError), which triggers a soft DMARC failure even when SPF would otherwise pass. We surface this before publishing.

Hard-fail terminator (-all) by default for stronger authentication signal. Soft-fail (~all) only where your sending profile genuinely needs it (multi-vendor setups during transition periods, complex forwarding scenarios). Each choice documented with rationale.

02

DKIM, DomainKeys Identified Mail

2048-bit RSA keypair generated. rsa-sha256 signing algorithm. Public key published at <selector>._domainkey.<domain> with selector naming aligned to a rotation schedule (2026q1, 2026q2, etc.) so future rotations remain clean.

Multi-string TXT format applied where the key exceeds the 255-byte single-string limit. About 35% of providers handle multi-string TXT incorrectly on first publication; we test the rendering after publishing and adjust if needed. Several DNS providers display correctly but serve incorrectly under certain query patterns.

Private key delivered securely via Telegram or encrypted file transfer. We don't retain it after handover. If you lose it, we generate a new keypair (under warranty) but the old selector becomes orphaned.

03

DMARC, Domain-based Message Authentication

TXT at _dmarc.<domain> with version, policy, percentage, alignment modes, and reporting addresses. Initial policy is p=none with rua= reporting active. Subdomain policy explicit (sp= flag set, not inherited) so subdomains follow the ramp at the same pace as the apex.

Reporting destination chosen with you. We strongly recommend a parser (parsedmarc, dmarcian, our managed monitoring) rather than your inbox. DMARC aggregate reports come as compressed XML hourly or daily from every receiver that processes your mail; even a small domain receives 5-50 reports per day. Parsing manually is not feasible past about three days.

Ramp plan documented: p=none for visibility (30 days), promote to p=quarantine with pct=25 (15 days), then pct=100 (15 days), then p=reject with pct=50 (15 days), then pct=100 (final). Total ramp duration 75-90 days. We provide the ramp checklist; you can execute it yourself or add it to our managed monitoring.

04

MTA-STS policy and DNS

Policy file deployed at https://mta-sts.<domain>/.well-known/mta-sts.txt with version, mode (testing initially), MX entries, and max-age. The HTTPS infrastructure for the mta-sts subdomain is part of the setup; we configure either CloudFlare-fronted hosting (free) or on your existing infrastructure if you prefer.

DNS TXT at _mta-sts.<domain> with policy id and cache duration. Policy id is a timestamp string that changes when the policy file changes; receivers cache the file based on max-age but re-fetch if the id changes. Our default max-age is 7 days, short enough for fast updates but long enough to reduce request volume.

Mode starts at testing, not enforce. Testing means receivers monitor TLS but don't reject mail on TLS failure; enforce means they actively reject. Promoting to enforce requires 14 days of TLS-RPT data showing no unexpected TLS failures from legitimate receivers. Don't skip this verification.

05

TLS-RPT, TLS Reporting

TXT at _smtp._tls.<domain> directing TLS failure reports to your chosen address. Required companion to MTA-STS for safe promotion to enforce mode.

Receivers send TLS reports in JSON format daily, listing any TLS negotiation failures, certificate validation failures, or policy violations. The reports are how you discover legitimate receivers that can't establish TLS with your infrastructure (rare in 2026 but happens occasionally with niche regional MX setups).

06

BIMI bootstrap (optional)

BIMI displays your verified brand logo in supporting receivers' inbox UI (Gmail, Apple Mail, Yahoo). Requires DMARC at p=quarantine or p=reject (strict alignment, sub-100% pct doesn't qualify), a registered trademark, and a Verified Mark Certificate from DigiCert or Entrust.

We publish the BIMI DNS record pointing to your conformant SVG logo and the VMC location. We can convert your existing logo to BIMI Profile (SVG Tiny PS specification) if needed; conversion adds €99 designer fee depending on logo complexity. The VMC issuance from a Mark Verifying Authority is separate (DigiCert ~$1,499/year, Entrust ~$1,799/year), paid by you directly to them.

BIMI bootstrap takes ~30 minutes during the standard setup. Reasonable to add if you have a registered trademark and DMARC already at enforcement; skip otherwise.

07

End-to-end validation

Each record validated against our SPF/DMARC validator and DKIM key audit tools after publication. Sample test mail sent through your sending infrastructure to verify alignment in real receiver transactions, not just DNS lookup. Headers inspected from receivers to confirm authentication results are PASS across SPF, DKIM, and DMARC simultaneously.

Aggregate reports verified as flowing within 48 hours of publication. We don't declare the setup complete until rua= reports are arriving at the configured destination.

08

Documentation handover

Written deliverable showing every record published, with literal content, host, type, and rationale. The document doubles as compliance evidence for SOC 2 / ISO 27001 audits where DNS authentication is a documented control.

DMARC ramp checklist included with specific calendar dates calibrated to your start date. You can execute the ramp yourself or hand it back to us via the DKIM Rotation addon (which also handles DMARC enforcement promotion as part of its scope).

how the day unfolds

From order to validated stack.

Hour 0

Intake

Telegram intake. You provide DNS provider login or grant delegation. We confirm domain, sending services in use, target final state. Reporting destination chosen. NDA signed.

Hours 0-12

Records published

SPF, DKIM (with multi-string handling), DMARC, MTA-STS file + TXT, TLS-RPT, BIMI (if applicable) all published. Multi-string correctness verified per provider. HTTPS for mta-sts subdomain configured.

Hours 12-20

Validation pass

Each record validated against our SPF/DMARC validator and DKIM key audit. Test mail sent through your stack. Headers inspected for authentication results. Multi-receiver verification.

Hours 20-24

Reports flowing + handover

DMARC aggregate reports arriving at configured destination. TLS-RPT verified. Documentation finalised. 30-minute Telegram or Jitsi handover with your team. DMARC ramp checklist provided.

questions before you order

Frequently asked.

I already have SPF and DKIM. Why do I need this?

Maybe you don't. If your existing setup passes our free SPF/DMARC validator and your DMARC reports show clean alignment, you're fine. Most senders who think they have working SPF/DKIM have one or two gaps that don't fail loudly but degrade reputation quietly: 10-lookup overflow nobody noticed, 1024-bit DKIM keys treated as weak, DMARC at p=none with rua= going to a black hole. The free validator surfaces these instantly. Run it first; if it surfaces issues, that's your justification.

Can you do BIMI as part of this?

Bootstrap yes. We publish the BIMI DNS record, validate your SVG against the profile, point at your VMC. The VMC application itself is a separate process with the Mark Verifying Authority (DigiCert, Entrust) and takes 1-3 weeks; the certificate fee (~€1,400-1,700/year) is paid directly to them, not through us.

The €99 covers the DNS bootstrap and BIMI Profile validation. If your existing logo doesn't conform to BIMI Profile (SVG Tiny PS), conversion adds €99 designer fee. About 30% of logos need conversion; the rest pass through cleanly.

My DNS provider is restrictive (no multi-string TXT, weird length limits). Can you still help?

We work around most provider quirks. Cloudflare, Route53, Google Cloud DNS, AWS Route 53, and the major registrars all handle modern DKIM keys correctly. Some legacy registrars do not, and we surface the workaround at intake.

Worst case we recommend migrating DNS to a provider that supports current standards. DNS migration is usually free or near-free (Cloudflare's free tier handles everything), takes about an hour, and removes the constraint permanently. We can handle the migration as part of the setup if you prefer; mention at intake.

How does this differ from the audit?

Audit identifies issues; this fixes them. The audit (€299) tells you everything wrong with your setup including DNS, infrastructure, content, and list quality. This (€99) just publishes correct DNS records.

Most customers do the audit first if they're unsure where the problems are, then setup if DNS is the gap. About 40% of audits surface DNS as the primary issue; another 30% surface DNS as a secondary issue alongside infrastructure or content problems.

Do you maintain the records after setup?

Not by default. After handover, you own the records. If you want ongoing management, those are addon services:

  • DKIM Rotation (€29/mo): quarterly key rotation per M3AAWG recommendation
  • DMARC enforcement promotion (included in DKIM Rotation): automated p=none → quarantine → reject ramp
  • Deliverability Monitoring (€49/mo): continuous validation that records still pass against changes in your sending infrastructure

The setup itself is a one-time deliverable.

My DMARC is at p=reject already. Why not start there?

p=reject without aggregate reporting visibility is dangerous. It means receivers actively reject anything that fails authentication, including legitimate mail from senders you didn't realise were using your domain. Most domains discover 2-5 such senders during the p=none visibility phase: forgotten subdomains, internal applications, third-party services, marketing tools you signed up for years ago.

We start at p=none with rua= active so you can see what's authenticating before enforcing. Most customers ramp to p=quarantine within 30 days and p=reject within 60-90. Skipping the ramp is how legitimate mail gets blocked.

Will receivers see my changes immediately?

DNS propagation is fast (usually 5-15 minutes for the typical TTL settings). Receivers re-query DNS at message-send time, so your next outbound mail uses the new authentication.

Aggregate reports take longer to arrive: receivers batch reports hourly or daily. First reports usually arrive within 24-48 hours of publication. We verify reports are flowing before declaring setup complete.

What if I have multiple sending domains?

€99 covers one domain. Each additional domain on the same setup engagement is €49 (we reuse the intake call and infrastructure understanding). Past 5 domains on one engagement, bulk pricing applies.

Subdomains under the apex domain are included in the €99 fee since they share parent SPF authorisation and inherit DMARC policy via sp= flag.

How does payment work?

Standard: full payment (€99) on intake since the work is short- cycle and DNS records can't be unpublished after handover. Payable in any of our 11 supported cryptocurrencies. Self-hosted BTCPay, no third-party processor, no KYC.

also relevant

Related services and references.

one-time

Deliverability Audit

If you're not sure DNS is the gap. €299, identifies every issue including DNS.

 one-time

PowerMTA + MailWizz Setup

Full bulk email infrastructure. Includes DNS auth in scope.

 recurring

DKIM Rotation

Quarterly key rotation per M3AAWG recommendation. Plus DMARC enforcement ramp.

 reference

SPF wiki

How SPF works, the 10-lookup limit, alignment modes, common failures.

 reference

DKIM wiki

Cryptographic signing, selector management, rotation cadence.

 reference

DMARC wiki

Policy modes, alignment, ramp strategy, aggregate vs forensic reports.

 reference

MTA-STS wiki

Policy files, testing vs enforce mode, TLS-RPT companion.

 free tool

SPF / DKIM / DMARC validator

Audit your authentication records yourself. Instant, no signup.

Authentication setup beyond the initial deployment

DNS authentication setup is not a one-time deployment but an ongoing operational discipline. Initial setup produces the baseline configuration; ongoing maintenance ensures the configuration remains aligned with evolving sender infrastructure and receiver expectations.

Common reasons for authentication configuration to drift after initial deployment: new sending vendors added without authorization in SPF or DKIM coordination, IP infrastructure changes that move sending sources outside the authorized lists, organizational subdomain proliferation creating new sending paths without authentication coordination, third-party services configured by departments other than IT producing unauthorized sending under the brand domain.

Our setup service includes initial deployment plus 90 days of ongoing coordination during which authentication adjustments based on actual production behavior happen at no additional charge. The pattern matches what most operations need: initial setup with the visible sending sources, plus iterative refinement as DMARC aggregate reports surface previously-unknown sources.

After the initial 90-day window, ongoing authentication maintenance happens through subscription services (DMARC monitoring, managed authentication tier) or through occasional re-engagement when major operational changes warrant updated configuration. The structural pattern prevents authentication setup from being a one-time event that decays over time.

Ready to publish authentication correctly?

Telegram intake takes 30 minutes. 24-hour delivery starts after that. Median customer outcome: full stack live and validated within 18 hours, first DMARC reports arriving within 36 hours.

Order on Telegram Submit ticket

# Median Telegram response: 12 minutes during operating hours