Everything we know about making mail authenticate, written down properly.
No gated PDFs, no "book a demo" — if a claim is a spec requirement we cite the RFC section,
and where a check cannot prove something we say so.
Sender Policy Framework — the 10-lookup limit, PermError, and flattening.
The SPF 10-lookup limit, explained SPF allows 10 DNS lookups. Exceed it and you get PermError — SPF fails entirely, not partially. Exactly what counts, what doesn't, and how to fix it.
SPF PermError PermError means SPF failed permanently — you get no authentication benefit at all. The five causes, in order of how often they're the real one, and how to fix each.
SPF flattening, and the maintenance debt nobody mentions Flattening replaces include mechanisms with the IP ranges they resolve to, dropping your DNS lookup count to zero. It works. It also silently breaks when your ESP renumbers.
DMARC
Policy, alignment, aggregate reports, and the 2026 spec change.
DMARC has a new RFC — and pct is gone RFC 9989 (May 2026) obsoletes RFC 7489 and RFC 9091. The pct tag has been removed from the specification entirely. What changed, and what to do with your existing records.
What p=none actually does p=none asks receivers not to change message handling. It buys you visibility, not protection. What you gain, what you don't, and how to safely move to enforcement.
Every DMARC tag, explained A complete reference for DMARC record tags as of RFC 9989 — what each one does, which are required, which are safe to omit, and which no longer exist.
DMARC aggregate reports, and how to actually read one The rua tag gets you XML reports from receivers showing who is sending as your domain. What's in them, what alignment failures look like, and why ruf is mostly a dead letter.
SPF vs DKIM vs DMARC Three records, three different jobs. SPF authorises IPs, DKIM signs messages, DMARC ties either one to the From address you can actually see — and only DMARC stops spoofing.
DKIM
Selectors, key strength, and why absence is unprovable.
Finding a DKIM selector DKIM selectors are not discoverable from DNS — there is no record that lists them. You get one from a message header, from your provider's docs, or by guessing common ones.
Bounce codes
What the mailbox providers actually tell you when they reject a message.
Fixing Gmail 550 5.7.26 Gmail rejects with 550 5.7.26 when it cannot authenticate your message. Diagnose it from the actual authentication results before you touch DNS — most fixes go in the wrong place.
Gmail bulk sender requirements What Google requires once you cross its bulk threshold to personal Gmail accounts: authentication, alignment, DNS, TLS, spam rate and one-click unsubscribe.
Yahoo sender requirements Yahoo's bulk sender rules track Google's closely: SPF and DKIM, DMARC, alignment, low complaint rate, one-click unsubscribe. What differs, and how to read Yahoo's rejections.
Outlook 550 5.7.515 and friends Microsoft's 5.7.5xx family means your sending domain failed authentication or reputation checks. What each code points at, and the alignment problem behind most of them.
An SPF, DKIM and DMARC API A JSON API for SPF, DKIM and DMARC over live DNS — correct 10-lookup counting, record flattening, and bulk auditing. Free tier, no sales call.
Looking for an MXToolbox alternative? MXToolbox is a good diagnostic site. If you need SPF/DKIM/DMARC checks as a JSON API — in CI, across a client roster, with public pricing — here's an honest comparison.
What an email validation API can honestly verify Syntax, MX, disposable domains, role accounts and typos are all checkable. Mailbox existence is not. What to check before a signup, and what no vendor can promise you.
Check a domain
SPF, DKIM and DMARC from live DNS, with the records to fix what's broken.