Deliverability docs
Concise playbooks for the busiest operators. No fluff—just the exact DNS and policy moves that clear modern sender requirements.
Move from a monitoring-only policy to enforcement without breaking legitimate mail.
- Fetch your active DMARC record (use dig/DoH or run a SendCheck scan).
- Add aggregate reports (rua) to a monitored mailbox if you haven’t already.
- Switch policy to quarantine (p=quarantine) and add pct=100 to enforce across traffic.
- Optionally add forensic (ruf) reporting and failure sampling (fo=1) for high-value flows.
- Publish the update, wait for the DNS TTL to expire, and verify enforcement with SendCheck.
If you’re worried about breakage, start with pct=50 for 24 hours, watch aggregate data, then move to 100%. Gmail and Yahoo require enforcement—p=none will trigger spam-folder placement.
Pro tips
- DMARC syntax reminder: only one rua tag per record, comma-separated mailboxes.
- Use SendCheck’s nightly drift monitoring to ensure nobody softens the policy later.
SPF breaks once a record needs more than 10 terms that cause DNS lookups (include, a, mx, ptr, exists, redirect).
- List every mechanism in your SPF record and count the ones that perform external DNS lookups.
- Flatten redundant includes by consolidating shared providers into a subdomain (e.g., mail.example.com).
- Use provider-maintained includes where possible (they handle IP rotation for you).
- Avoid ptr and mx mechanisms unless absolutely necessary—they add hidden lookups.
- After slimming down, verify remaining lookups with SendCheck to confirm you’re ≤10.
Remember: mechanisms inside nested includes also count toward the 10-lookup ceiling. Use subdomain delegation to isolate bulky providers.
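An added example, not SendCheck's own code: a small counter for the lookup ceiling described above that follows nested includes and reports the heaviest top-level branch. The zone data and domain names are constructed, `spf_cost` and `report` are hypothetical helper names, and only the 10-term limit is counted (not the separate per-mx or void-lookup limits).

```python
import re

# Constructed sample zone (hypothetical domains) standing in for live TXT lookups.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.workspace.example "
                   "include:_spf.esp.example include:_spf.crm.example ip4:192.0.2.10 ~all",
    "_spf.workspace.example": "v=spf1 include:_nb1.workspace.example "
                              "include:_nb2.workspace.example include:_nb3.workspace.example ~all",
    "_spf.esp.example": "v=spf1 a mx ptr include:_pool.esp.example ~all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example ~all",
}
LEAVES = ("_nb1.workspace.example", "_nb2.workspace.example", "_nb3.workspace.example",
          "_pool.esp.example", "_a.crm.example", "_b.crm.example")
ZONE.update({leaf: "v=spf1 ip4:198.51.100.0/24 ~all" for leaf in LEAVES})

LIMIT = 10  # ceiling on lookup-causing terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_term(term):
    """Return (name, target) for one SPF term; target is None when the term has none."""
    m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?").lower())
    return (m.group(1), m.group(2)) if m else ("", None)

def spf_cost(domain, fetch=ZONE.get, seen=frozenset()):
    """Return (total lookups, {term: lookups}) for domain's record, nested records included."""
    record = fetch(domain)
    if record is None or domain in seen:  # missing record or include loop: nothing to add
        return 0, {}
    total, per_term = 0, {}
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        name, target = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and other terms cost no lookup
        cost = 1  # the term itself
        if name in ("include", "redirect") and target:
            cost += spf_cost(target, fetch, seen | {domain})[0]  # plus everything nested
        per_term[term] = cost
        total += cost
    return total, per_term

def report(domain):
    """Summarise whether domain is over the limit and which top-level term costs the most."""
    total, per_term = spf_cost(domain)
    heaviest = max(per_term, key=per_term.get) if per_term else None
    return {"total": total, "over_limit": total > LIMIT, "heaviest": heaviest}

if __name__ == "__main__":
    print(report("example.com"))
```

To run it against live DNS, pass a `fetch` callable that returns the domain's SPF TXT string (or None) in place of `ZONE.get`.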
Pro tips
- When using Google Workspace + SendGrid, dedicate mail.example.com with its own SPF and CNAME to keep includes organized.
- SendCheck highlights which include chain is pushing you over the limit so you can flatten the right branch.
Alignment matches domains across headers so mailbox providers don't treat legitimate mail as spoofed.
- Ensure the DKIM signature’s d= value matches the visible From domain (relaxed alignment allows subdomains).
- If you send via ESPs, configure custom DKIM selectors on your domain rather than using shared d= values.
- Match Return-Path / bounce domains to the same organizational domain to satisfy DMARC alignment.
- Rotate keys to 2048-bit RSA (or Ed25519 where supported) and prune stale selectors.
- Verify alignment for each sending platform after changes—SendCheck highlights mismatches instantly.
Alignment is required for DMARC enforcement. If Gmail spots a mismatch between d= and From, the message fails alignment even if SPF passes.
Pro tips
- Rotate selectors using SendCheck’s provider playbooks for ESPs like SendGrid, Postmark, and Mailgun.
- Store old selectors for 72 hours before removal to accommodate slow queues.
Keep domains compliant by scheduling automatic re-checks and surfacing alerts the moment DNS drift appears.
- Configure Vercel Cron to hit the SendCheck re-check endpoint nightly (UTC-friendly window).
- Use Upstash QStash/Redis to enqueue domains so retries don’t overload your DNS provider.
- Run queue workers that call the Go checker and persist results via Prisma.
- Send notifications via Resend or SendGrid when the results band changes or new alerts open.
- Review alert history in the dashboard and close items once the remediation is live.
Nightly cadence catches the 48-hour policy changes most providers introduce. High-risk senders can add an hourly cron without modifying infrastructure.
Pro tips
- Pair with SendCheck’s PDF exports to send weekly summaries to stakeholders.
- Tag alerts with severity (SPF vs DMARC) so your on-call rotation knows what to prioritize.
Unlock BIMI logos by pairing DMARC enforcement with validated SVG artwork and a Verified Mark Certificate (VMC).
- Enforce DMARC with p=quarantine or reject and collect aggregate reports for at least 48 hours.
- Host an SVG Tiny 1.2 logo over HTTPS (no external assets, fonts, or gradients).
- Add the BIMI TXT record: v=BIMI1; l=https://logo.example.com/logo.svg; a=https://authority.example.com/vmc.pem (optional until VMC issued).
- Request or renew your VMC through an approved authority (Entrust, DigiCert).
- Verify with SendCheck to confirm both the logo and VMC endpoints are reachable.
BIMI adoption improves brand trust but hinges on perfect DMARC enforcement. SendCheck’s hints point out malformed SVGs or missing TLS quickly.
Pro tips
- Keep SVGs under 32 KB; gzip compression is supported when served with correct headers.
- Rotate BIMI hosts quarterly to ensure CDN caches don’t serve stale assets.