Email Authentication Missing — SPF, DKIM, or DMARC Not Set

Only 18% of the top 10 million domains publish a valid DMARC record, and just 4% enforce a reject policy (Valimail, 2024). Fully authenticated senders are 2.7x more likely to reach the inbox than unauthenticated ones. Meanwhile, an estimated 3.4 billion phishing emails are sent daily, with domain spoofing as the primary vector. Without SPF, DKIM, and DMARC, anyone can send emails that appear to come from your domain.

Before You Fix It: What This Check Means

SPF, DKIM, and DMARC alignment underpins modern sender trust and spoof resistance. In plain terms, this check looks at whether your domain has the main DNS records needed for sender trust and anti-spoofing.

Why this matters in practice: operational drift here often causes hard-to-debug regressions across environments.

How to use this result: treat this as directional evidence, not final truth. This result reflects what was observable at scan time and should be verified in your own production context. First, confirm the issue in live production output with browser/network tools. Then ship one controlled change: keep SPF minimal and accurate (avoid uncontrolled include sprawl). Finally, re-scan the same URL to confirm the result improves.

TL;DR: Your domain lacks email authentication records, allowing anyone to spoof emails from your domain and reducing your deliverability.

What Scavo checks (plain English)

Scavo derives your registrable domain and looks up:

  • SPF TXT record (v=spf1)
  • DMARC TXT record at _dmarc.<domain> (v=DMARC1)
  • sampled DKIM selectors (selector._domainkey.<domain>) via TXT/CNAME hints

Current logic:

  • Fail: both SPF and DMARC missing
  • Pass: SPF + DMARC present, DMARC policy is enforcing (quarantine or reject), and at least one sampled DKIM selector is found
  • Warning: partial posture (for example DMARC p=none, missing sampled DKIM, or one record missing)
  • Info/Warning: runtime/domain lookup constraints block reliable evaluation

Important: DKIM selector detection is sample-based. Valid custom selectors may exist even when the sample list misses them.
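
The result logic above, applied to constructed DNS data (an added example, not Scavo's own code). The selector sample list, the zone dictionaries, and the function names are assumptions made for illustration; the custom.example zone shows how a valid custom selector scores as a warning until it is added to the sampled names.

```python
# Added example: selectors, domains and records below are constructed samples.
SAMPLE_SELECTORS = ("default", "google", "selector1", "selector2")  # assumed list

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC style) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(domain, zone, selectors=SAMPLE_SELECTORS):
    """Return pass/warning/fail/info for a zone mapping DNS name -> TXT strings.

    zone is None when lookups could not be completed (the Info case)."""
    if zone is None:
        return "info"
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    dmarc = [t for t in zone.get("_dmarc." + domain, [])
             if parse_tags(t).get("v") == "DMARC1"]
    dkim = [s for s in selectors if zone.get(f"{s}._domainkey.{domain}")]
    if not spf and not dmarc:
        return "fail"
    policy = parse_tags(dmarc[0]).get("p", "").lower() if dmarc else ""
    if spf and policy in ("quarantine", "reject") and dkim:
        return "pass"
    return "warning"  # partial posture: p=none, no sampled DKIM, or one record missing

ZONES = {
    "enforced.example": {
        "enforced.example": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc.enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
        "selector1._domainkey.enforced.example": ["v=DKIM1; k=rsa; p=<public-key>"],
    },
    "monitoring.example": {
        "monitoring.example": ["v=spf1 mx ~all"],
        "_dmarc.monitoring.example": ["v=DMARC1; p=none"],
        "selector1._domainkey.monitoring.example": ["v=DKIM1; k=rsa; p=<public-key>"],
    },
    "custom.example": {
        "custom.example": ["v=spf1 mx -all"],
        "_dmarc.custom.example": ["v=DMARC1; p=quarantine"],
        "mail2024._domainkey.custom.example": ["v=DKIM1; k=rsa; p=<public-key>"],
    },
    "bare.example": {},
}

if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(name, classify(name, zone))
```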

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

  • Pass: baseline signals for this check were found.
  • Warning: partial coverage or risk signals were found and should be reviewed.
  • Fail: required signals were missing or risky behavior was confirmed.
  • Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for email_trust, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: email_trust
  • Category: TECHNICAL

Why fixing this matters

Weak sender auth increases spoofing risk and can hurt deliverability of critical emails (password reset, billing, onboarding).

For SaaS teams, this can directly impact account recovery success and customer trust.

If you are not technical

  1. Ask your DNS/email admin for current SPF, DKIM, and DMARC records.
  2. Confirm DMARC policy stage (none vs enforcing).
  3. Ask whether all sending services are included in SPF/DKIM setup.
  4. Re-run Scavo after DNS propagation.

Technical handoff message

Copy and share this with your developer.

Scavo flagged Email trust (SPF, DKIM, DMARC) (email_trust). Please verify SPF and DMARC on the root domain, confirm DMARC policy intent, and ensure DKIM selector coverage (including custom selectors). Share DNS evidence and re-run Scavo.

If you are technical

  1. Keep SPF minimal and accurate (avoid uncontrolled include sprawl).
  2. Enable DKIM signing for every active sender platform.
  3. Progress DMARC from monitoring (none) to enforcement when aligned.
  4. Add custom DKIM selectors to configuration so Scavo can detect them.
  5. Monitor DMARC aggregate reports for alignment issues.
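
For step 1, include sprawl is measurable: RFC 7208 (section 4.6.4) limits SPF evaluation to 10 DNS-querying terms (include, a, mx, ptr, exists, redirect), counted across nested includes, and receivers return a permanent error beyond that. The following added example (not part of the original guide) counts them over constructed records; all domains and the function names are assumptions.

```python
# Added example: every domain and record here is a constructed sample.
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

def spf_record(name, zone):
    """Return the first v=spf1 TXT string published at name, if any."""
    for txt in zone.get(name, []):
        if txt.lower().split()[:1] == ["v=spf1"]:
            return txt
    return None

def count_lookups(name, zone, path=()):
    """Count DNS-querying SPF terms reachable from name, following include/redirect."""
    if name in path:  # include loop: stop instead of recursing forever
        return 0
    record = spf_record(name, zone)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        mech = term.partition(":")[0].split("/")[0]
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (name,))
        elif mech == "include":
            total += 1 + count_lookups(term.partition(":")[2], zone, path + (name,))
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

ZONE = {
    "sprawl.example": ["v=spf1 include:_spf.mail.example include:_spf.crm.example "
                       "mx a ip4:192.0.2.0/24 ~all"],
    "tidy.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example "
                          "include:_c.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.64/26 ~all"],
    "_c.mail.example": ["v=spf1 ip4:198.51.100.128/26 ~all"],
    "_spf.crm.example": ["v=spf1 a mx include:_x.crm.example "
                         "exists:%{i}.bl.crm.example ~all"],
    "_x.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

if __name__ == "__main__":
    for name in ("sprawl.example", "tidy.example"):
        n = count_lookups(name, ZONE)
        print(name, n, "over limit" if n > LOOKUP_LIMIT else "ok")
```

The sprawl.example record looks short at the top level but costs 11 lookups once its two provider includes are expanded; tidy.example stays at 4.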

How to verify

  • Query TXT for root and _dmarc records.
  • Validate active DKIM selector endpoints used by each ESP/tool.
  • Confirm DMARC policy and alignment outcomes match intent.
  • Re-run Scavo and verify posture improvement.

What this scan cannot confirm

  • It does not guarantee mailbox placement outcomes by itself.
  • It may miss valid DKIM selectors outside sampled names.
  • It does not replace full sender reputation and abuse monitoring.

Owner checklist

  • [ ] Assign one owner for domain sender-auth posture.
  • [ ] Keep sender inventory and SPF/DKIM mapping current.
  • [ ] Review DMARC policy quarterly.
  • [ ] Re-audit after adding/changing ESP or transactional provider.

FAQ

Why is DMARC p=none a warning?

Because it monitors but does not enforce reject/quarantine actions against spoofed mail.

Can we pass with custom DKIM selectors?

Yes, but if selectors are non-standard, add them to the configured sample list so detection is accurate.

Why can this fail even if some records exist?

A strong pass requires complete posture: SPF, DKIM signal, and enforcing DMARC policy.

How long until fixes appear?

Usually after DNS propagation and resolver cache expiry.
