From rampstack-skills
Configures SPF, DKIM, and DMARC authentication, diagnoses spam delivery, and monitors sender reputation. Use when email isn't reaching inboxes or before scaling volume.
npx claudepluginhub rampstackco/claude-skills --plugin rampstack-skills
How this skill is triggered — by the user, by Claude, or both
Slash command
/rampstack-skills:email-deliverability
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Get email into inboxes, not spam folders. Set up authentication. Monitor reputation. Diagnose problems before they hurt the business.
Email deliverability rests on three pillars. Weakness in any one limits the others.
Mailbox providers verify email is actually from who it claims to be from. Three records.
SPF (Sender Policy Framework)
Lists which servers are authorized to send mail for the domain. Published as a TXT record at the apex.
v=spf1 include:_spf.mailprovider.com -all
include: adds another sender's authorized list
-all (hard fail): mail from unlisted senders fails authentication
~all (soft fail): unlisted senders are suspicious but pass; useful during rollout
+all: never use; allows anyone to send
Only one SPF record per domain. Multiple SPF records break SPF entirely. Combine senders into a single record.
SPF has a 10-DNS-lookup limit. Each include: may use multiple lookups. Hit the limit and SPF stops working. Watch this carefully.
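The one-record rule and the lookup limit can both be checked mechanically. The following is an added example, not part of the skill itself: it walks include: and redirect= chains over constructed TXT data and counts the terms that cost a DNS lookup. The ZONE contents and the walk and audit_spf helper names are assumptions made for illustration.

```python
import re

# Constructed TXT data standing in for live DNS answers; every name is made up.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example include:_spf.crm.example "
                    "include:_spf.helpdesk.example mx -all"],
    "_spf.mailprovider.example": ["v=spf1 include:_a.mailprovider.example "
                                  "include:_b.mailprovider.example include:_c.mailprovider.example ~all"],
    "_a.mailprovider.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_b.mailprovider.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_c.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx include:_net.crm.example ~all"],
    "_net.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.helpdesk.example": ["v=spf1 a:mail.helpdesk.example ~all"],
    "dup.example": ["v=spf1 a -all", "v=spf1 mx -all"],
}
# Terms that count against the limit of 10 DNS lookups (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def walk(domain, zone, path=()):
    """Return (lookup_count, problems) for one domain, following includes."""
    if domain in path:
        return 0, [f"{domain}: include loop"]
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records, need exactly 1"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        bare = term.lstrip("+-~?").lower()          # drop the qualifier
        mech = re.split(r"[:=/]", bare, maxsplit=1)[0]
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech in ("include", "redirect"):         # these pull in another record
            target = re.split(r"[:=]", bare, maxsplit=1)[1]
            n, found = walk(target, zone, path + (domain,))
            lookups, problems = lookups + n, problems + found
        if term.lower() in ("all", "+all"):         # a bare "all" defaults to "+"
            problems.append(f"{domain}: {term} lets anyone send")
    return lookups, problems

def audit_spf(domain, zone=ZONE):
    lookups, problems = walk(domain, zone)
    if lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is 10")
    return lookups, problems

if __name__ == "__main__":
    print(audit_spf("example.com"), audit_spf("dup.example"))
```

The apex record in the sample shows only three include: terms and one mx, yet the chained includes bring the total to 11.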
DKIM (DomainKeys Identified Mail)
A cryptographic signature on each outgoing email. The mail server signs with a private key; the public key is published in DNS.
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
Selectors differ by ESP. Some use default._domainkey, some use unique selectors per service. Most ESPs walk you through publishing the records.
DKIM proves the message wasn't modified in transit and that the sender controls the domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
The policy layer. Tells receivers what to do when SPF or DKIM fails, and where to send reports.
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; adkim=s; aspf=s"
Components:
p=: policy. none, quarantine, or reject.
rua=: aggregate reports (daily, summary). Always set this.
ruf=: forensic reports (per-message). Optional, can be high volume.
pct=: percentage of failing mail subject to the policy. Useful for gradual rollout.
adkim=, aspf=: alignment mode. s (strict), r (relaxed). Strict means From: domain must match exactly.
DMARC is the most important record. It's what makes spoofing your domain hard.
Mailbox providers (Gmail, Outlook, Yahoo) score every sender. Reputation drives delivery.
Reputation factors:
Reputation is per (sending domain × mailbox provider). Gmail's view of you is independent of Outlook's.
Authentication and reputation rest on list quality. Bad list = bad reputation eventually.
The single biggest deliverability lever for most senders is list hygiene.
Check the current DNS records:
dig +short txt example.com
dig +short txt selector1._domainkey.example.com
dig +short txt _dmarc.example.com
Also check:
Tools: mxtoolbox.com, dmarcian.com, mail-tester.com (for individual messages).
If any of SPF, DKIM, DMARC is missing or misconfigured, fix first.
SPF fix order:
include: value or IP for each
-all for hard fail (or ~all if rolling out gradually)
DKIM fix order:
dkim=pass)
DMARC fix order:
p=none initially (monitoring mode)
p=quarantine with pct=10, gradually increase
p=reject once confidence is high
The full progression typically takes 2-3 months. Rushing causes legitimate mail to bounce.
Ongoing visibility:
If reputation is good and authentication passes, check content:
Email volume affects reputation. Sudden spikes look like spam.
BIMI (Brand Indicators for Message Identification) shows your logo next to authenticated emails in supporting clients (Gmail, Apple Mail, Yahoo, others).
Requires:
p=quarantine or p=reject (so this comes after the DMARC progression)
_bimi DNS record pointing to the SVG and VMC
BIMI improves trust signals and engagement. Worth doing once DMARC enforcement is in place.
Document the email architecture:
Revisit quarterly or when a new ESP is added.
Multiple SPF records. Two or more SPF records on the same domain break SPF. Combine into one.
SPF DNS lookup limit exceeded. Too many include: directives or chained includes. Flatten or simplify.
DMARC at p=none forever. Monitoring without enforcement. Spoofing remains easy. Move to enforcement.
DMARC at p=reject too quickly. Legitimate mail bounces because alignment wasn't verified. Use the gradual rollout.
Sending from a different domain than the From: address. Causes alignment failures. Fix the From: domain or ensure proper alignment.
Using a shared ESP IP without ESP-specific configuration. Some ESPs don't sign with your DKIM by default; the signature is the ESP's, not yours. Configure custom DKIM.
Sending from a domain that also sends marketing. A spam complaint on a marketing email hurts transactional deliverability. Use a subdomain for transactional (transactional.example.com) or marketing (mail.example.com).
No bounce monitoring. Hard bounces accumulate, reputation tanks, and deliverability falls off a cliff. Monitor.
Bought lists or scraped contacts. Spam traps in those lists destroy reputation. Don't.
No double opt-in for marketing. Single opt-in lets bots and typos onto the list. Bots generate spam complaints, destroy reputation.
Ignoring DMARC reports. Reports show problems early. Set up a parser. Look weekly.
Treating "marked as not-spam" as the goal. The goal is to never land in spam in the first place. Once reputation is bad, recovery takes months.
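For the advice above to set up a parser for DMARC reports, the following is an added example, not part of the skill itself. It reads one aggregate (rua) report and shows, per source IP, how much mail would be hit by enforcement and whether the cause is an ESP signing with its own DKIM domain. The report is constructed and trimmed to the fields used; the summarize helper name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout; all values made up.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>300</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>45</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(xml_text):
    """Return (published policy, {source_ip: {"pass", "fail", "cause"}})."""
    # Reports arrive from third parties: in production parse with defusedxml.
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        entry = sources.setdefault(ip, {"pass": 0, "fail": 0, "cause": None})
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned result (DKIM or SPF) is "pass".
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            entry["pass"] += count
            continue
        entry["fail"] += count
        # A DKIM signature that verified yet did not align was made with
        # someone else's key, typically an ESP signing with its own domain.
        signers = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                   if d.findtext("result") == "pass"]
        entry["cause"] = (f"unaligned DKIM from {signers[0]}" if signers
                          else "no passing authentication")
    return root.findtext("policy_published/p"), sources

if __name__ == "__main__":
    print(summarize(REPORT))
```

In the sample, 198.51.100.7 is a legitimate sender that needs custom DKIM before enforcement, while 203.0.113.99 is the kind of traffic p=reject is meant to stop.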
A deliverability audit document includes:
references/dmarc-rollout-playbook.md: Step-by-step for moving from no DMARC to p=reject, with timing, monitoring, and how to handle problems found along the way.