Email Deliverability: SPF, DKIM & DMARC
Dunning emails only recover revenue if they reach the inbox. These three DNS records authenticate your sending domain so mailbox providers trust PaymentRescue mail and keep it out of spam.
Why it matters
SPF lists which servers may send mail for your domain. DKIM cryptographically signs each message. DMARC ties the two together, tells receivers how to handle failures, and sends you reports. Without all three, recovery emails are far more likely to be filtered, which directly reduces your recovery rate.
DNS records to add
| Type | Host | Value | Notes |
|---|---|---|---|
| TXT (SPF) | @ | v=spf1 include:spf.brevo.com include:_spf.resend.com ~all | Authorizes Brevo + Resend to send on your behalf. Keep a single SPF record: merge includes, never publish two. |
| TXT (DKIM) | brevo._domainkey | (public key provided in your Brevo dashboard) | Signs each message so receivers can verify it was not tampered with. Resend provides its own resend._domainkey selector. |
| TXT (DMARC) | _dmarc | v=DMARC1; p=quarantine; rua=mailto:dmarc@paymentrescue.dev; fo=1 | Tells receivers what to do with mail that fails SPF/DKIM and where to send aggregate reports. Start with p=none to monitor, then move to quarantine, then reject. |
Rollout order
- Publish SPF + DKIM first and verify they pass (send a test, check the headers).
- Publish DMARC at p=none and review the aggregate reports for a week.
- Tighten to p=quarantine, then p=reject once all legitimate sources pass.
Bonus: Subresource Integrity (SRI) for scripts
If you self-host a fixed-version third-party script, add an integrity="sha384-…" attribute plus crossorigin="anonymous" so the browser refuses to run a tampered file. Note: SRI is not applied to Google Tag Manager / AdSense loaders because Google rotates those files and a pinned hash would break them — SRI is only safe on version-pinned, immutable assets.