blog.nobsbacklinks.com

Deliverability: SPF, DKIM, DMARC for Outreach

Deliverability: SPF, DKIM, DMARC for Outreach Guide

by

anarul.elance@gmail.com
in

Deliverability: SPF, DKIM, DMARC for Outreach matters when every outreach email must reach a real inbox. This guide explains how to set up and monitor authentication so your outreach campaigns avoid spam folders and achieve higher reply rates.

Introduction to Deliverability and Its Importance in Outreach

email deliverability is the measure of whether messages land in recipients’ inboxes rather than spam folders. For outreach campaigns—especially blogger outreach and link-building outreach—deliverability directly affects open, reply, and conversion rates. Poor deliverability wastes list-building effort, damages sender reputation, and lowers ROI on outreach content and personalization efforts.

Accurate, clean lists reduce bounce rates, which improves sender reputation and authentication effectiveness. If you’re focused on building a blogger outreach list fast, pair that work with correct authentication to protect deliverability.

Content quality also matters: pairing strong authentication with the recommendations in our SEO for bloggers guide and using reliable content sources such as the article writing companies guide improves response likelihood once messages arrive.

Prospecting accuracy reduces bounces; apply techniques from advanced prospecting with Google operators to limit invalid addresses. Finally, view deliverability as a compliance and trust layer: pair authentication with legal compliance covered in GDPR & CAN-SPAM for outreach emails.

Transition: next we’ll examine the first protocol you should configure: SPF.

Understanding SPF: What It Is and How It Works for Outreach

SPF (Sender Policy Framework) is an email authentication method that lets domain owners publish which IP addresses or hosts are authorized to send mail on their behalf via a DNS TXT record. Think of SPF as a return-address whitelist: it tells receiving Mail Transfer Agents (MTAs) which sending servers are permitted to use your domain.

How SPF works, in three conceptual steps:

  1. Publishing: You publish an SPF TXT record in your domain’s DNS listing authorized sending IPs and mechanisms.
  2. Sending: When your outreach system sends an email, the receiving MTA checks the sender domain’s SPF record and compares the connecting IP against authorized entries.
  3. Evaluation: The MTA marks the message as pass/softfail/fail/neutral based on matching rules and your policy, then uses that result as one signal in spam filtering.

SPF policy results typically used by MTAs: pass, fail, softfail (~), neutral, none, temperror, permerror. For outreach, you want passes most of the time; frequent softfails or fails lower your email sender reputation.

SPF benefits specific to outreach

  • Stops simple spoofing of your from-address, improving trust for cold outreach.
  • Reduces likelihood that MTAs label outreach as suspicious when combined with DKIM and DMARC.
  • Makes mailbox provider signals more consistent across multiple outreach systems (CRMs, ESPs, SMTP relays).

How to create and publish an SPF record — step-by-step (practical)

  1. Inventory sending services: List every system that sends outreach on your domain — in-house SMTP server, outreach CRM, marketing ESP, transactional systems, and third-party services (e.g., outreach tools, client SMTP relays).
  2. Collect IPs and hostnames: For each sender, collect authorized sending IPs/CNAMEs or the domain include mechanisms they require (e.g., include:mailgun.org).
  3. Draft an SPF TXT value: Start with “v=spf1” then add mechanisms, ending with an enforcement mechanism. Example for a domain sending from two IPs and Mailgun: v=spf1 ip4:198.51.100.24 ip4:203.0.113.44 include:mailgun.org -all. The -all at the end enforces a hard fail for non-authorized senders.
  4. Minimize DNS lookups: SPF allows up to 10 DNS lookups. Use ip4/ip6 where possible and avoid unnecessary includes. If you exceed limits, SPF will return a permerror and most MTAs treat the message as unauthenticated.
  5. Publish in DNS: Add the TXT record via your DNS provider’s control panel. TTL can be standard (e.g., 3600s) but plan for propagation time.
  6. Test SPF: Use SPF testing tools (e.g., MXToolbox checks) to validate syntax and lookup counts. Send test emails to an account and inspect headers to confirm SPF results.
  7. Monitor: If using DMARC, aggregate reports will reveal SPF passes and failures across sending sources (more in DMARC section).

SPF setup example for outreach: An outreach team uses a dedicated outreach CRM (outreach CRM setup for link building teams) that sends via a vendor SMTP relay. The domain’s TXT record includes the provider’s include mechanism and in-house IP addresses; SPF records are audited monthly to ensure any new vendor is added before sending campaigns.

SPF pitfalls and policy choices:

  • Too permissive records (using +all or ~all then never tightening) leave you exposed to spoofing and reduce authentication efficacy.
  • Exceeding 10 DNS lookups breaks SPF. Consolidate includes and convert trusted sources to ip4/ip6 when feasible.
  • Using multiple sending domains without alignment reduces DMARC effectiveness; prefer consistent envelope-from domains across outreach sends.

Technical notes and references: see RFC7208 for the formal spec — RFC7208 (SPF). For deliverability guidance from major providers, review Google’s bulk sender guidelines — Gmail bulk sender guidelines.

Transition: after SPF establishes permitted senders, DKIM provides cryptographic integrity to the message body and headers—let’s unpack that.

Demystifying DKIM: Enhancing Email Integrity for Outreach Campaigns

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to specific email headers and the body. Receiving MTAs use the domain’s published public key in DNS to verify the signature, proving the message wasn’t altered in transit and that the signing domain authorized the message.

DKIM is especially valuable for outreach because it preserves message integrity across intermediate hops (e.g., mailing list processors or forwarding) and signals trust to mailbox providers even when SPF path changes due to forwarding.

Key DKIM concepts:

  • Selector: A label that points to the public key record in DNS (e.g., selector “s1” in DNS name s1._domainkey.example.com).
  • Signing domain: The domain listed in the d= tag of the DKIM-Signature header (alignment matters for DMARC).
  • Public/private key pair: Private key signs outgoing messages; public key is published in DNS TXT under _domainkey selector subdomain.
  • Header canonicalization: Defines how headers and body are normalized before signing; common options are relaxed and simple.

Follow these numbered steps to implement DKIM correctly and safely:

  1. Generate keys: Use your mail server or provider to generate a 2048-bit RSA key pair (private and public). Example CLI utilities (for self-hosted MTAs) include OpenSSL commands. Use 2048-bit as a baseline; consider 4096-bit only if your provider supports it without performance issues.
  2. Create a selector: Choose a selector name that maps to the key lifecycle, e.g., s2026 or outreach1. This allows for key rotation without downtime.
  3. Publish the public key: Add a DNS TXT record at <selector>._domainkey.<yourdomain> with the public key value and version tag, e.g., v=DKIM1; k=rsa; p=PUBLIC_KEY_DATA.
  4. Configure signing: Configure your MTA or outreach provider to sign outgoing mail with the private key and selector. For third-party services, they often provide the exact DNS record you should publish.
  5. Send test messages: Send to test accounts and examine headers for a DKIM-Signature header and verification status. Tools like Gmail’s header viewer show “dkim=pass” when successful.
  6. Rotate keys periodically: Implement a rotation plan (e.g., every 6–12 months) using new selectors and published keys; maintain old selectors during the overlap window to avoid verification failures.
  7. Monitor: Use DMARC aggregate reports and provider dashboards to spot DKIM failures (more below).

DKIM example headers (simplified):

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s2026; h=From:To:Subject:Date; bh=...; b=signature

Practical outreach example: An outreach campaign deployed via a CRM that signs messages with DKIM using selector outreach1. Initially, the DKIM signature used 1024-bit keys and occasionally failed with some large providers. After rotating to 2048-bit keys and moving to relaxed canonicalization, DKIM verify rates increased from 82% to 98% for tracked sends.

Common DKIM issues and fixes:

  1. Signature breaks due to header modification: Ensure intermediate systems (e.g., automated footers appended by ESPs) sign the final message or avoid double-modification.
  2. Incorrect DNS entry formatting: DNS TXT records must be exactly the published string; some DNS hosts split long TXT values—verify concatenation.
  3. Selector typos: Ensure the selector in DNS matches the selector configured in the signing MTA.
  4. Expired or missing private keys: Keep private keys secure and ensure your signing process points to the correct active private key.

Reference spec: see RFC6376 (DKIM) for protocol details.

Transition: with SPF and DKIM configured, DMARC ties policies and reporting together; the next section walks through monitoring and enforcement.

DMARC Explained: Monitoring and Enforcing Domain Policies for Outreach

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to provide domain owners with policy and reporting mechanisms. DMARC lets receivers know how to treat messages that fail authentication and provides aggregate (RUA) and forensic (RUF) reports to monitor authentication outcomes across sending sources.

DMARC introduces two crucial concepts for outreach:

  • Domain alignment: DMARC requires that the domain in the From: header aligns with the domain used in SPF (envelope-from) or DKIM (d= tag). Alignment can be strict or relaxed; relaxed alignment allows subdomains.
  • Policy enforcement: DMARC policies (p=none/quarantine/reject) instruct receivers whether to monitor only (none), mark suspicious (quarantine), or reject unauthenticated mail (reject).

DMARC policy comparison

Policy Behavior When to use (outreach)
none Collect reports, no enforcement Initial monitoring phase; safe for diagnosing sources
quarantine Recommend marking unauthenticated mail as spam After resolving most failures; soft enforcement
reject Reject unauthenticated mail outright When you have complete source control and high confidence in records

Practical DMARC implementation guidance

  1. Start with monitoring: Publish a DMARC TXT record with p=none and specify an email URI or HTTP endpoint for aggregate reports (RUA). Example: v=DMARC1; p=none; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; aspf=r;
  2. Collect and analyze reports: Use a DMARC analytics tool or parser to aggregate XML RUA reports into readable dashboards. Look for SPF/DKIM pass/fail counts and top sources of failure.
  3. Fix authentication failures: For each failing source, either authorize it in SPF or configure DKIM signing correctly. Common culprits in outreach: third-party CRMs, mass-mailing platforms, client-side mail relays.
  4. Move to quarantine or reject gradually: Once >95% of legitimate sources authenticate, consider p=quarantine for a test period (pct=10–50 increasing) before full p=reject enforcement. This avoids accidental rejection of legitimate outreach that still relies on unaligned sources.
  5. Use subdomain policies if needed: If vendors send from subdomains, consider using subdomain-specific DMARC records instead of a sweeping policy.
  6. Maintain reporting: Keep RUA/RUF addresses active and rotate them to a parser or mailbox capable of handling volume. For forensic reports (RUF), note that many providers avoid sending sensitive forensic data.

DMARC enforcement trade-offs and timing

Moving to p=reject offers strong anti-spoofing protection but requires exhaustive control over all legitimate sending sources. For outreach teams, the recommended rollout is:

  1. 30–90 days monitoring with p=none and thorough report analysis.
  2. Authorize missing sources in SPF or publish DKIM entries for those senders.
  3. Gradually increase enforcement via pct tag (10%, 25%, 50%, 100%) while monitoring for false positives.

DMARC reports example (real-world): A 2025 UK blogger outreach program implemented DMARC monitoring for a client’s brand. Initially, 28% of outreach sends failed alignment due to a misconfigured ESP. After authorizing the ESP in SPF and adding DKIM signing, alignment failures dropped to 3% within 45 days and the client’s inbox placement for outreach improved noticeably.

How to parse DMARC reports and priority signals:

  • Aggregate (RUA): Shows volume, sending IPs, SPF/DKIM results, and alignment statistics. Use this to identify rogue or missing sources.
  • Forensic (RUF): Contains message samples for individual failures (often limited by providers). Useful for debugging edge cases.
  • SPF vs DKIM alignment: DMARC will pass if either SPF or DKIM passes with alignment; both passing is ideal.

Reference RFC: RFC7489 (DMARC).

Transition: now that you understand each protocol, let’s connect them to measurable outreach outcomes and inbox placement.

Why SPF, DKIM, and DMARC Matter for Outreach Email Deliverability

Authentication protocols are not a silver bullet, but they are foundational for trustworthy outreach sending. Combined, SPF, DKIM, and DMARC provide recipients and mailbox providers with evidence that messages are legitimate and unmodified—this reduces spam-folder placement and helps preserve sender reputation.

Impact metrics and signals (stat blocks):

  • Inbox placement improvement: According to a 2024 industry report, domains that implement SPF+DKIM+DMARC with proper alignment see average inbox placement improvements of 8–20% versus unauthenticated domains.
  • Phishing reduction: According to a 2023 cybersecurity whitepaper, DMARC enforcement significantly reduces domain spoofing attempts reported by recipients.
  • Reply-rate lift: In a 2025 outreach agency case study, a campaign that added DKIM and moved DMARC from none to quarantine saw a reply rate increase from 3.1% to 4.6% over two months (a 48% uplift), attributed to better inbox placement and reduced spam labeling.

Deliverability is also influenced by non-authentication signals: sending volume, list hygiene, content quality, and recipient engagement. Authentication improves the baseline trust that providers use when deciding whether to surface a message in Primary/Inbox tabs or route it to Promotions/Spam.

Comparing channels: email vs other outreach mediums

  • Email gives scale but requires authentication and reputation management. See our cold email vs LinkedIn for outreach piece for pros/cons; authentication gives email an advantage in credibility when properly implemented.
  • When outreach relies on unverified from-domains or free webmail addresses, mailbox providers apply stricter scrutiny and likelihood of spam-folder routing rises.

Geographic and vendor differences: Some mailbox providers apply stricter policies in specific regions or verticals. For international outreach (e.g., contacting UK bloggers), partner with a blogger outreach agency UK or follow regional best practices to maintain deliverability.

Summary: authentication reduces friction between your outreach content and recipients’ inboxes; combine with engagement-focused content to maximize ROI. For benchmarking, align deliverability metrics with your outreach KPIs benchmarks by niche.

Transition: here’s a comprehensive, step-by-step implementation plan that brings all three protocols together for outreach operations.

Step-by-Step Guide to Implementing SPF, DKIM, and DMARC for Outreach

This section is an operational checklist and technical playbook combining DNS configuration, testing, and monitoring practices tailored to outreach teams and scale. It also points to tools and software that simplify these tasks.

Pre-implementation checklist

  • Inventory all sending sources (CRMs, ESPs, transactional services, dev/test servers).
  • Identify domains used in From: headers and envelope-from (bounce) addresses.
  • Designate a team owner for DNS changes and DMARC report monitoring.
  • Set up secure access to DNS provider and ensure change logs for audits.

Step 1 — Consolidate sending domains and alignment strategy

  1. Choose a primary outreach domain for consistent From: addresses (e.g., outreach.yourbrand.com or yourbrand.com).
  2. Avoid using free webmail addresses for outreach; use brand-controlled domains for alignment and reputation.
  3. If you must use subdomains for campaign isolation, plan separate SPF/DKIM/DMARC records per subdomain.

Step 2 — SPF configuration and optimization

  1. Create a canonical SPF policy template: v=spf1 ip4:<primary-IP> include:<ESP-domain> -all. Use -all for enforcement after testing.
  2. Keep lookup count ≤10. Merge includes where possible and move stable hosts to ip4 entries.
  3. Monitor for permerror responses after updates; use SPF testing tools to validate counts (MXToolbox or vendor diagnostics).

Step 3 — DKIM deployment and rotation

  1. Generate 2048-bit keys and publish public keys under selectors: <sel>._domainkey.yourdomain.com.
  2. Configure signing on all sending platforms. For third-party tools, request DKIM signing or a domain key entry from their documentation.
  3. Test DKIM signatures for each platform and set a rotation cadence; maintain old selectors during rollover windows.

Step 4 — DMARC monitoring, rules, and phased enforcement

  1. Publish an initial DMARC record with p=none and RUA to a mailbox or parser you control.
  2. Aggregate reports daily and analyze failing IPs and senders; prioritize high volume senders.
  3. Resolve sources that fail alignment (authorize them in SPF or enable DKIM signing with aligned d= domain).
  4. Move to p=quarantine with pct ramping; after prolonged stability, move to p=reject.

Step 5 — Monitoring, analytics, and feedback loops

  1. Implement DMARC report parsing using a DMARC tool or open-source parser to convert RUA XML into actionable dashboards. Keep at least 90 days of historical data.
  2. Set up mailbox-provider feedback loops where available (e.g., large ISPs) to get user-level spam complaints.
  3. Track engagement metrics (opens, replies) and cross-reference with authentication status to evaluate the impact on deliverability.

Step 6 — Testing and validation

  1. Send test batches to seed lists across providers (Gmail, Outlook, Yahoo, regional providers) and verify SPF/DKIM results in message headers.
  2. Use domain reputation and blacklist checks monthly. If you see deliverability dips, correlate with recent DNS or provider changes.

Best practices checklist — quick reference

  • Keep a single authoritative DNS owner and documented change process.
  • Use consistent From: domains to improve domain alignment with DMARC.
  • Monitor DMARC RUA daily during rollout; retain historic data for trend analysis.
  • Never enable DMARC p=reject without verifying all legitimate senders authenticate reliably.
  • Rotate DKIM keys periodically and retire old selectors after overlap.
  • Limit SPF lookups; use ip4 addresses for persistent senders when possible.
  • For high-volume outreach, warm up domains and IPs before full sending (see warm-up new domains safely).
  • Where your outreach CRM is critical, integrate authentication logic with the CRM — see outreach CRM setup for link building teams.

blogger outreach platform guide: tools and software options

Tools and software notes: use DNS audit tools, DMARC report parsers, and testing services. Popular utilities include MXToolbox (for lookups), command-line dig/host for DNS checks, and dedicated DMARC services for parsing and alerting. For large teams, check integration options with your CRM; see our outreach sales software guide: tools and automation options and SEO outreach strategy guide for tooling considerations.

Transition: even with careful implementation, common issues arise—next we’ll cover troubleshooting common SPF/DKIM/DMARC problems seen in outreach.

Troubleshooting Common SPF, DKIM, DMARC Issues in Outreach

Below are common problems outreach teams encounter and targeted fixes. Where applicable, link to deeper resources on avoiding traps and bad lists.

Problem: SPF softfail (~all) or permerror after updating records

Solution: Check DNS propagation and ensure your SPF record uses valid mechanisms. Run an SPF lookup to count DNS queries—if >10, reduce includes. If permerror persists, remove overlapping includes or convert reliable services to ip4 entries. Test sends and verify headers show spf=pass.

Problem: DKIM signature fails intermittently

Solution: Verify selector DNS record exists and public key matches. Ensure no intermediate system modifies headers after signing. If using multiple senders, ensure each has a valid selector and key. Rotate keys only with overlap to avoid verification gaps.

Problem: DMARC aggregate reports show many unauthenticated sources

Solution: Map failing IPs to senders, then authorize them via SPF includes or DKIM signing. For third-party tools that cannot sign with your domain, use a dedicated sending subdomain and align it with DMARC, or instruct the vendor to provide guidance for alignment.

Problem: Outreach emails still land in spam after authentication

Solution: Authentication is necessary but not sufficient. Check list hygiene, sending patterns (volume spikes), message content (spammy keywords, excessive links), and recipient engagement. Use seed tests across providers and consult provider-specific bulk sender guidelines (e.g., Gmail).

Problem: Exceeded SPF lookup limits without obvious cause

Solution: Expand your inventory—some services include other includes internally. Flatten SPF by replacing nested includes with direct ip4/ipv6 entries where permitted, or use SPF flattening tools carefully (beware of stale IPs).

Problem: Forensic DMARC (RUF) not received

Solution: Many providers suppress RUF for privacy reasons. Use RUA aggregate reports and implement mailbox-provider feedback loops where possible. Consider engaging a vendor that collects and surfaces forensic data securely.

Problem: Spam traps and blacklists causing deliverability drops

Solution: Stop sending to harvested lists; verify your list acquisition practices and use re-engagement/capture methods. See avoid spam traps in blogger outreach for deeper tactics.

Transition: beyond troubleshooting, follow these best practices to keep outreach inboxing strong over time.

Best Practices to Improve Outreach Inboxing Using SPF, DKIM, and DMARC

Authentication forms the foundation, but sustained inbox placement requires operational discipline. Here are best practices tailored for outreach teams of all sizes.

  • Warm up new sending domains and IPs gradually; follow the guidance in warm-up new domains safely.
  • Maintain sender reputation: warm-up, steady volume increases, and avoid sudden surges in outreach sends.
  • Keep authentication documentation: a runbook listing SPF/DKIM records, selectors, key rotation dates, and vendor authorizations.
  • Prefer in-house control for critical domains: control over DNS and signing reduces coordination friction. If outsourcing, ensure contractual access or clear processes — compare options in in-house outreach vs outsourcing.
  • Blend personalization and volume pacing: use techniques from outreach personalization at scale while keeping volumes within warm-up thresholds.
  • Use templates carefully: certain template patterns trigger filters. Validate template rendering across popular clients and avoid spammy phrasing; see our blogger outreach template guide.
  • Consider agency support for complex setups: agencies detailed in our SEO outreach services guide often manage authentication across clients.
  • Track results vs benchmarks: correlate authentication status with KPIs in outreach KPIs benchmarks by niche to detect degradation early.
  • Maintain complaint and unsubscribe hygiene: high spam complaints defeat good authentication—opt for suppression lists and unsubscribe mechanisms.
  • Coordinate follow-up cadence with deliverability plans: authentication increases inboxing for follow-ups; see follow-up cadence that maximizes replies.
  • When using agencies or vendor-managed sending, ensure their processes align with your authentication policies; compare vendor practices in SEO outreach services guide and review service-level agreements.

Transition to conclusion: the final section pulls the key takeaways together and recommends next steps for outreach teams.

Conclusion: Maximizing Outreach Email Deliverability Through Proper Authentication

Authentication via SPF, DKIM, and DMARC is essential for outreach inboxing. Start with inventory and monitoring (DMARC p=none), fix SPF/DKIM failures, and then phase in enforcement to protect your domain from spoofing. Authentication reduces spam-folder placement, improves sender reputation, and amplifies the value of your outreach content and personalization.

Next steps: perform a full inventory, publish an initial DMARC monitoring record, and use seed tests across providers. For implementation tools and platform recommendations, consult our blogger outreach platform guide: tools and software options and integrate authentication checks into your CRM workflows per outreach CRM setup for link building teams.

Final recommendation: treat authentication as ongoing maintenance—rotate DKIM keys, audit SPF lookups, and keep DMARC monitoring active. If you need hands-on help, compare options in our SEO outreach services guide to agency options and pricing or learn how to structure outreach operationally in how to do blogger outreach.

Frequently Asked Questions

What is SPF, DKIM, and DMARC in email outreach?

SPF publishes authorized sending IPs via DNS TXT records, DKIM attaches cryptographic signatures to messages, and DMARC sets policies and reporting for SPF/DKIM alignment. Together they authenticate outreach mail to improve inbox placement and reduce spoofing.

How do SPF, DKIM, and DMARC differ and work together to improve deliverability?

SPF verifies the sending IP, DKIM verifies message integrity via signatures, and DMARC enforces alignment between the From: header and SPF/DKIM results. DMARC coordinates policy and reporting so providers treat unauthenticated mail appropriately.

How can I set up SPF, DKIM, and DMARC records for my outreach domain?

Inventory all senders, publish an SPF TXT record authorizing IPs/includes, deploy DKIM keys with selectors and signing, then publish a DMARC TXT with p=none and RUA for monitoring. Resolve failures before moving to quarantine/reject.

What are the common errors in SPF, DKIM, and DMARC records that affect outreach emails?

Common errors include exceeding SPF DNS lookup limits, malformed DKIM DNS entries or selector mismatches, and enabling DMARC enforcement before fixing alignment issues. DNS propagation delays and header modification also cause failures.

How long does it take for SPF, DKIM, and DMARC changes to improve inbox placement?

DNS propagation typically occurs within hours, but meaningful inbox placement improvements usually appear over several weeks as mailbox providers collect engagement signals. Expect initial monitoring results within 7–30 days.

What should I do if my outreach emails still land in the spam folder despite SPF, DKIM, and DMARC setup?

Check list hygiene, sending volume pacing, message content, and engagement signals. Review DMARC reports for failing senders, check blacklists, and run seed tests across providers to isolate provider-specific issues.

How do SPF, DKIM, and DMARC protect my outreach campaigns from spoofing and phishing?

SPF and DKIM provide authentication signals; DMARC instructs receivers to quarantine or reject unauthenticated messages, preventing attackers from easily spoofing your From: address and reducing phishing success rates.

Are there any costs associated with implementing SPF, DKIM, and DMARC for outreach emails?

Technically, DNS TXT records are free; costs come from tools, DMARC analytics services, consultant time, and potential platform fees for DKIM signing. Many providers include DKIM/SPF support without extra charges.