D
DMARC Creator

DMARC Creator for Developers — Protect Transactional Email

Set up DMARC for transactional email sent via SendGrid, Postmark, Amazon SES, and other APIs. Protect deliverability across multiple sending services.

Last updated: 2026-01-28

You built the app, wired up the email API, and your password resets land in the inbox. Then one day they stop arriving. A DNS change broke your SPF record, or a new sending service threw off your DMARC alignment, and now your transactional email is quietly bouncing. Your users are not complaining about a bug. They are just not getting the email at all.

If you send transactional email through services like SendGrid, Postmark, Mailchimp Transactional (Mandrill), or Amazon SES, DMARC is not optional. It is the difference between reliable inbox delivery and silent failures that erode user trust.

Why Transactional Email Needs DMARC

Transactional emails are the messages your users actually wait for: password resets, order confirmations, two-factor codes, account notifications. Unlike marketing email, where a missed message is an inconvenience, a missing transactional email is a broken user experience.

Gmail, Yahoo, and Microsoft now use DMARC as a core signal when deciding whether to deliver, spam, or reject an email. If your domain lacks a DMARC record, or if your sending services are not properly aligned, your messages are at risk. This is true even for low-volume senders.

Beyond deliverability, DMARC prevents attackers from spoofing your domain. Without it, someone can send phishing emails that appear to come from noreply@yourapp.com. Your users receive a convincing password reset link, click it, and hand their credentials to an attacker. A DMARC policy set to reject stops that entirely.

Google and Yahoo require DMARC for domains sending more than 5,000 messages per day, but even domains sending a handful of transactional emails benefit from having a published DMARC record. It signals to receiving servers that your domain is authenticated and trustworthy.

How API Sending Services Interact with DMARC

When you send email through an API like SendGrid or Amazon SES, the email does not originate from your own servers. It comes from the provider's infrastructure. This matters for DMARC because authentication needs to align with the domain your recipients see in the "From" header.

SPF alignment. SPF validates whether the sending server's IP is authorized for a domain. When you use an API provider, the envelope sender (Return-Path) often uses the provider's domain by default, not yours. That means SPF might pass for the provider's domain but fail alignment with your "From" domain. Most providers offer custom Return-Path configuration to fix this, but you need to set it up explicitly.

DKIM alignment. DKIM is usually the more reliable alignment mechanism for API senders. Services like SendGrid, Postmark, and Amazon SES all support signing outgoing messages with your domain's DKIM key. Once you generate a DKIM key pair, publish the public key in your DNS, and configure the provider with the private key (or their generated key pair), every message gets signed with your domain. This is what makes DMARC alignment work. For a complete breakdown of how these protocols interact, see our comparison of SPF, DKIM, and DMARC.

The practical takeaway. For most developers, DKIM alignment is the path of least resistance. Configure DKIM signing with your domain at each sending provider, and your DMARC alignment will pass even if SPF alignment is handled by the provider's default configuration. That said, setting up both SPF and DKIM is the recommended approach for maximum resilience. Our email authentication guide covers the full picture.

You can create SPF records that include all your sending providers at spfcreator.com, and generate DKIM key pairs at dkimcreator.com.

The Multi-Service Problem

Most production applications do not send all their email through a single provider. You might use SendGrid for transactional messages, Mailchimp for marketing campaigns, and Amazon SES for high-volume notifications. Each of these services sends email as your domain, and each needs its own authentication configuration.

This is where things get tricky for developers.

SPF has a 10-lookup limit. Every include: mechanism in your SPF record triggers one or more DNS lookups, and the SPF spec caps total lookups at 10. When you have four or five sending services, each requiring its own include, you can hit that limit fast. Going over means your entire SPF record becomes invalid, and every email from your domain fails SPF. Use spfcreator.com to build an SPF record that stays within the limit.

Each service needs its own DKIM selector. DKIM keys are published under selectors like s1._domainkey.yourapp.com or sendgrid._domainkey.yourapp.com. Each sending service generates its own selector, so they do not conflict. But you do need to publish every selector in your DNS. If you add a new service and forget the DKIM record, messages from that service will fail DKIM and potentially fail DMARC. See our DMARC record syntax and tags reference to understand exactly what each tag in your record controls.

One DMARC record covers everything. The good news is that you only need one DMARC record per domain. It applies to all email sent from that domain regardless of which service originated it. The challenge is that you need all your sending services properly authenticated before you move to an enforcing DMARC policy.

Before setting your DMARC policy to quarantine or reject, make sure every service that sends email as your domain has both SPF and DKIM configured. A missing configuration on even one service means those messages will fail DMARC and get blocked.

Setting Up DMARC for Your Application

Here is the workflow for getting DMARC in place across your sending infrastructure.

1

Inventory your sending services

List every service that sends email using your domain. Check your codebase for API integrations, review your DNS for existing SPF includes, and ask your marketing team what tools they use. Common ones: SendGrid, Postmark, Amazon SES, Mailchimp, HubSpot, Intercom.

2

Configure SPF for all senders

Build an SPF record that includes every service. Make sure you stay within the 10-lookup limit. Create your SPF record at spfcreator.com.

3

Set up DKIM for each service

Generate and publish DKIM keys for each sending service. Each provider has its own setup process, but they all result in a CNAME or TXT record in your DNS. Use dkimcreator.com to generate keys.

4

Generate and publish your DMARC record

Use the generator below to create your DMARC record. Start with p=none so you can collect reports without affecting delivery. Add the resulting TXT record at _dmarc.yourdomain.com in your DNS.

5

Monitor reports and move to enforcement

Review your DMARC aggregate reports for two to four weeks. Verify that all legitimate sending services pass both SPF and DKIM. Then move to p=quarantine and eventually p=reject. Verify your record is live at dmarcrecordchecker.com.

Automating DNS with Infrastructure as Code

If you manage your DNS through Terraform, Pulumi, or CloudFormation, your DMARC record should live in your infrastructure code alongside your SPF and DKIM records. This keeps your email authentication configuration version-controlled and reviewable.

A Terraform example for a DMARC record on Cloudflare looks like this:

resource "cloudflare_record" "dmarc" {
  zone_id = var.zone_id
  name    = "_dmarc"
  type    = "TXT"
  content = "v=DMARC1; p=reject; rua=mailto:dmarc@yourapp.com; pct=100;"
}

The same principle applies to SPF and DKIM records. When you add a new sending service to your application, the pull request should include both the API integration code and the DNS record changes. This prevents the common scenario where a developer integrates a new email provider but forgets to update DNS, causing DMARC failures that only surface days later when users start complaining about missing emails.

Monitor all your domains in one place

Track SPF, DKIM, DMARC, and MX records across every domain your application uses.

Start Monitoring

Common Developer Pitfalls

Forgetting staging and preview domains. If your staging environment sends real email (even to internal addresses), those domains need authentication too. An unauthenticated staging domain can hurt your primary domain's reputation if they share infrastructure. Our guide on DMARC for subdomains explains how to handle staging, preview, and other subdomain configurations.

Not testing after DNS changes. DNS propagation can take minutes to hours. After publishing or modifying your DMARC, SPF, or DKIM records, verify them using dmarcrecordchecker.com before assuming they are live.

Jumping straight to p=reject. It is tempting to skip the monitoring phase and go straight to enforcement. Do not do this. Even experienced teams discover forgotten sending services or misconfigured DKIM during the p=none phase. Two weeks of monitoring data is a small investment compared to debugging silent email failures in production.

Related Articles

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring