Install an SPF Record to Improve Email Delivery

Editor

Setting up SPF, DKIM, and DMARC

To ensure your emails hit the inbox (and not the spam folder), you need to implement the "Holy Trinity" of email authentication: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework)

SPF helps control forged e-mail. It allows domain owners to designate which mail servers are legitimate for their domain.

First, you need to see if you already have an SPF record. 

We recommend using the MXToolbox SuperTool to look up your domain: https://mxtoolbox.com/SuperTool.aspx

Depending on the result, follow the instructions below:

Scenario A: You have NO existing SPF record

If the tool returns no SPF record, you need to create a new TXT record in your DNS:

Host: @
Value: v=spf1 ip4:199.127.240.0/21 include:amazonses.com ~all

Scenario B: You DO have an existing SPF record

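If you already have an SPF record (for example, for Microsoft 365 or Google), do not create a new one. A domain may publish only one SPF record; a second one causes receivers to return a permanent error instead of a pass.

Instead, edit the existing TXT value to include our IP range and the AWS include.

Insert the following into your existing value, before the final "all" term: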

ip4:199.127.240.0/21 include:amazonses.com

Ensure the record ends with ~all.
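
The Scenario B edit as a small Python check (an added example, not Pinpointe's own tooling): it merges the two terms above into an existing record and then lints the domain's TXT records. The function names, the sample Microsoft 365 record and the verification string are constructed for illustration; the 10-lookup limit comes from RFC 7208 and is counted here only for the record itself, not for nested includes.

```python
import re

# Values from this article; everything else below is an illustrative assumption.
REQUIRED = ["ip4:199.127.240.0/21", "include:amazonses.com"]
# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 limit: 10).
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _name(term):
    """Mechanism/modifier name without qualifier or argument, e.g. '~all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def merge_spf(existing, required=REQUIRED):
    """Scenario B: add the missing required terms and end the record with ~all."""
    terms = existing.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    head = [t for t in terms[1:] if _name(t) != "all"]  # drop the old 'all' term
    present = {t.lower() for t in head}
    missing = [r for r in required if r not in present]
    return " ".join(["v=spf1", *head, *missing, "~all"])

def lookup_terms(record):
    """Terms in this one record that trigger DNS lookups (nested includes add more)."""
    return [t for t in record.split()[1:] if _name(t) in LOOKUP_NAMES]

def lint_spf(txt_records, required=REQUIRED):
    """Return a list of problems for a domain's TXT records; empty means OK."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()
    problems = [f"missing {r}" for r in required if r not in terms]
    if terms[-1] != "~all":
        problems.append("record does not end with ~all")
    n = len(lookup_terms(spf[0]))
    if n > 10:
        problems.append(f"{n} lookup terms in this record (limit is 10)")
    return problems

if __name__ == "__main__":
    # Constructed sample: a domain that already sends through Microsoft 365.
    existing = "v=spf1 include:spf.protection.outlook.com -all"
    merged = merge_spf(existing)
    print(merged)
    print(lint_spf([existing, "constructed-verification=abc123"]))  # before the edit
    print(lint_spf([merged, "constructed-verification=abc123"]))    # after the edit
    # Creating a second record instead of merging is flagged:
    print(lint_spf([existing, "v=spf1 " + " ".join(REQUIRED) + " ~all"]))
```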

DKIM (DomainKeys Identified Mail)

DKIM attaches a digital signature to the email header using a private key. This proves the email hasn't been altered in transit.

Unlike SPF, DKIM requires a two-part handshake: server-side installation and a DNS record.

Contact your Pinpointe support representative at support@pinpointe.com so we can generate the unique DKIM private keys and install them on our sending servers (PMTA).

Once we have configured the backend, depending on your configuration, we will either provide you with a text string (the Public Key), or a series of CNAME records. 

Note: You cannot complete DKIM setup until Pinpointe has generated the keys for your specific domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC relies on SPF and DKIM results to determine the fate of an email. It allows you to set rules for how receiving servers should handle failed emails.

First, check if you have an existing DMARC entry. If not, we recommend the following Quarantine policy to ensure good deliverability while protecting your brand.

Important Prerequisite: You must create a valid email alias or account dedicated to receiving these reports, for example: dmarc@yourdomain.com.

Add this TXT record to your DNS:

Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; fo=1; sp=none; adkim=r; aspf=r

What do these tags mean?

v=DMARC1: Version tag.

p=quarantine: Policy. If an email fails checks, send it to the recipient's Spam folder (rather than rejecting it outright or doing nothing).

rua: Specific email address where aggregate and forensic reports are sent.

pct=100: Apply this policy to 100% of emails.

fo=1: Generate a failure report if either SPF or DKIM fails (standard is usually if both fail).

aspf=r / adkim=r: Sets the alignment to "relaxed," which is standard for using third-party ESPs.

Summary Checklist 

[ ] SPF: Update your DNS TXT record with the IP range 199.127.240.0/21.

[ ] DKIM: Request key generation from Pinpointe, then add the provided Public Key to your DNS.

[ ] DMARC: Create a dmarc@ email alias and publish the recommended p=quarantine record.

Once these three are set, your marketing team can send their campaigns with maximum deliverability!
