After publishing SPF, DKIM, and DMARC records, you should confirm they actually pass before trusting them. Testing takes a minute and catches typos, wrong selectors, and alignment problems that silently send mail to spam.
The most reliable test is a live message. Send an email to an external mailbox at a major provider, open the received message, and view its original headers. Look for the authentication results line:
spf=pass dkim=pass dmarc=pass
All three should say pass. If SPF fails, the sending server is not listed in your SPF record. If DKIM fails, the selector or key is wrong. If DMARC fails despite SPF or DKIM passing, the problem is alignment (see below).
Confirm each record exists and reads correctly:
dig txt yourdomain.com +short # SPF (v=spf1 ...) dig txt selector._domainkey.yourdomain.com +short # DKIM dig txt _dmarc.yourdomain.com +short # DMARC
Replace selector with your actual DKIM selector. Check for duplicate SPF records - there must be only one - and confirm the DKIM key is present and unbroken.
DMARC requires that the domain in your visible From address aligns with the domain validated by SPF or DKIM. If you send from you@yourdomain.com but SPF validates a different envelope domain and DKIM signs with another, DMARC can fail even though SPF and DKIM individually pass. Ensure your sending platform signs and sends as your own domain.
If you send from a mail server, a marketing platform, and an app, test each one separately - each must be authorized in SPF and ideally sign with DKIM. A record that covers only your mail server will fail for the others.
Managed email on a SoftSys managed VPS is configured and validated for you, including alignment across every service you send from, so your authentication passes everywhere it needs to.