eCommerce
January 28, 2026
Email Deliverability for Stores: SPF, DKIM, DMARC in Plain English
Author
John CavilOrder emails landing in spam cost money—lost trust, missed confirmations, support pain. The good news: you can fix most deliverability issues with three records and a simple rollout plan. This guide explains SPF, DKIM, and DMARC in plain English, then shows you exactly what to publish and how to test it.
Subtle note: on Pofii, you get pPanel and clean DNS controls—so setting and testing these records is fast, automated and reliable.
The goal: make your emails look authentic to receivers
Mail providers (Gmail, Outlook, Yahoo) ask three questions:
- Who’s allowed to send mail for your domain? → SPF
- Was the message altered in transit? → DKIM
- Do the first two align with your visible “From” domain, and what should receivers do if they don’t? → DMARC
When all three line up, your store’s emails deliver and avoid the Promotions/Spam trap more often.
SPF: who may send for your domain
What it is: A DNS TXT record that lists allowed sending sources for your domain.
Plain steps:
- List every place that sends as
[email protected]: your store server, helpdesk, marketing platform, transactional provider (Postmark, Mailgun, SendGrid, Amazon SES, etc.). - Use the include strings provided by those services.
- Keep total SPF lookups ≤10 (hard limit). Consolidate if needed.
Baseline SPF (example):
Name: @
Type: TXT
Value: v=spf1 a mx include:spf.yourprovider.com include:mailgun.org -all
a mxallows your web and MX hosts (optional).include:...adds third-party senders.- End with
-all(hard fail) once you’re sure the list is complete; use~all(softfail) during testing.
DKIM: cryptographic signature that proves integrity
What it is: Your sender signs each message with a private key; receivers verify using a public key in your DNS.
Plain steps:
- In your email/ESP dashboard, enable DKIM and note the selector (e.g.,
pmors1). - Publish the CNAME/TXT records they provide. Prefer 2048-bit keys.
- Send a test; look for
dkim=passin headers.
Typical DKIM (CNAME) shape:
Name: pm._domainkey
Type: CNAME
Value: pm.domainkey.u123456.provider.com
(Your provider will give the exact values.)
DMARC: policy + reporting + alignment
What it is: A policy that tells receivers what to do if SPF/DKIM don’t align with your visible From domain—and where to send reports.
Start with “monitor only”:
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
p=nonemonitors only.rua=gets you aggregate reports (mail-flow stats).fo=1requests failure details.
Then ramp protection:
- After 1–2 weeks of clean reports →
p=quarantine; pct=25 - If still clean →
p=quarantine; pct=100 - Final step →
p=reject(blocks failing mail)
Add alignment for subdomains if you use them:
sp=quarantineorsp=reject(policy for subdomains)
Alignment: the secret sauce many miss
For DMARC to pass, you need SPF or DKIM to align with the visible From domain.
- SPF alignment checks the Return-Path domain (a.k.a. envelope).
- DKIM alignment checks the d= domain in the signature.
Practical tip:
- Use the same domain (or a subdomain you control) for your From address and your ESP’s sending domain.
- Example: marketing via
news.yourdomain.com, transactional viamail.yourdomain.com. Each gets its own SPF/DKIM/DMARC.
WordPress/WooCommerce: send the right way
- Avoid default
wp_mail()with the host’s PHP mail; use a transactional provider (API or SMTP) with your authenticated domain. - Set a consistent From:
[email protected](don’t mix free mailboxes like Gmail). - Use a lean SMTP/transactional plugin; test send, then check headers.
Speed and deliverability go together. While you’re here, tune the rest of your stack:
- LiteSpeed Cache defaults (we’ve got a full guide).
- Object Cache (Redis) for faster dynamic pages: Redis vs Memcached.
- Images/LCP for product pages: WooCommerce Image Speed.
Cloudflare + DNS tips (avoid silent breaks)
- Do not proxy (
orange cloud) your MX and mail host records; email needs the real IPs. - Keep TXT/CNAME for SPF/DKIM/DMARC DNS-only.
- If you’re changing DNS hosts, use a clean plan: Zero-Downtime DNS TTL Playbook and the longer migration guide: Migrate to a Faster Host.
- General Cloudflare tuning: Cloudflare for WordPress.
Rollout plan (copy/paste)
- Publish SPF with all legitimate senders (
~allduring testing). - Enable DKIM for each sender; publish keys; verify
dkim=pass. - Add DMARC
p=nonewithrua=reports. - Watch reports for 1–2 weeks. Fix stragglers (old plugins, forgotten tools).
- Move to
p=quarantine, thenp=rejectwhen clean. - Split marketing and transactional onto separate subdomains if volume grows.
How to test (2 minutes)
- Send one email to Gmail and one to Outlook.
- In Gmail, open the message → Show original. Look for:
SPF=passDKIM=passDMARC=pass
- Confirm From matches the domain you authenticated.
- Re-send after each DNS change (allow a few minutes for propagation).
Common pitfalls (quick fixes)
- SPF too many lookups (>10): collapse includes, remove unused senders.
- Return-Path not aligned: configure a custom bounce domain with your ESP.
- Multiple tools sending: add each to SPF and enable DKIM per tool.
- Cloudflare proxied mail records: switch those to DNS-only.
- Using personal Gmail as From: use a domain mailbox you control.
Minimal checklist
- SPF published with all senders (
-allafter testing) - DKIM enabled (2048-bit) for each sender
- DMARC
p=none→quarantine→rejectwith reports todmarc@ - From domain aligns; custom bounce/return-path set
- WordPress uses SMTP/API via a transactional provider
- MX/mail records not proxied; DNS tidy
- Test headers show pass for SPF/DKIM/DMARC
FAQ
Do I need both SPF and DKIM?
Yes. DMARC needs SPF or DKIM to pass and align. In practice, set both for resilience.
Should I go straight to p=reject?
No. Start with p=none, fix stragglers using reports, then ramp to quarantine and reject.
Is a subdomain required?
Not required, but smart. Use separate subdomains for marketing and transactional to protect reputation.
Why do marketing emails hit Promotions?
Promotions tab is normal for bulk mail. Keep transactional mail on a clean subdomain with tight alignment to stay in Primary/Inbox more often.
Leave a Comment