BIG BOX Hosting Services SPF / DMARC Audit № 02.06

SPF, DKIM, DMARC — aligned
and reject-ready.

A two-week audit of your domain's email authentication, followed by a documented remediation plan and 30 days of monitoring while we advance your DMARC policy from p=none to p=reject without breaking legitimate mail. Aligned with the May 2025 Microsoft enforcement, the February 2024 Google and Yahoo rules, and the next round of tightening already on the horizon.

01  /  Why this matters in 2026

Authentication is no longer optional.

For most of email's history, SPF, DKIM and DMARC were recommendations. Senders who set them up correctly got better placement; senders who did not got mediocre placement and shrugged. Those days ended in February 2024 and the door closed for good in May 2025.

The timeline is worth being precise about because the dates appear in compliance documents that real auditors check. February 2024: Google and Yahoo rolled out their bulk sender requirements. Any domain sending 5,000+ messages a day to gmail.com, yahoo.com or their consumer variants must have SPF and DKIM that both pass, a DMARC record at minimum p=none, alignment between the visible From domain and at least one of SPF or DKIM, RFC 8058 one-click unsubscribe (a List-Unsubscribe header carrying an HTTPS URI plus List-Unsubscribe-Post: List-Unsubscribe=One-Click, honoured within two days), and a spam complaint rate in Google Postmaster Tools kept under 0.3% (Google's stated target is 0.1%). Non-compliant traffic gets quietly junked. May 5, 2025: Microsoft followed with effectively identical requirements for senders past 5,000 messages a day to outlook.com, hotmail.com and live.com. By late May 2025, Microsoft escalated from junking to outright rejection with the SMTP error 550 5.7.515 Access denied, sending domain does not meet the required authentication level.

What happened in the year between these enforcement dates is what every senior deliverability engineer expected: the floor rose. Senders who had not implemented authentication properly saw their inbox placement at Gmail drop from the 89% range to the 76% range over the course of 2024 as engagement filtering tightened. Senders who had partial implementation — SPF without DKIM, DKIM without alignment, DMARC at p=none with broken alignment — landed on the wrong side of the new threshold and started getting filtered. The Microsoft enforcement in May 2025 closed the last gap. By mid-2026, anyone sending bulk email without proper alignment is effectively invisible at the major mailbox providers regardless of how good their content is.

The other thing that changed is the difficulty of getting alignment right. Modern email infrastructure is rarely a single sending source. A typical mid-sized company's domain emits mail from a marketing platform (Mailchimp, ActiveCampaign, HubSpot), a transactional service (SendGrid, SES, Postmark), a CRM (Salesforce, Zendesk), an HR platform (Lattice, BambooHR), an accounting system (QuickBooks, Xero), and the company's own SMTP via a dozen forms scattered across business apps. Every one of those sources has its own DKIM key, its own SPF requirement, its own alignment behaviour. Getting them all to pass DMARC alignment without missing a legitimate sender — and breaking real mail by setting p=reject too aggressively — is a multi-week exercise in DNS forensics that most internal IT teams have never done before.

02  /  The methodology

DMARC reports are the truth.

Most "DMARC audits" on the market are a one-shot DNS lookup followed by a generic checklist. We do something different: we publish a rua= endpoint into your DMARC record, gather two weeks of real DMARC aggregate reports from Google plus Microsoft plus Yahoo plus the smaller providers, then use that data to identify every legitimate sending source.

The DMARC aggregate report is the most important diagnostic tool that exists for understanding email authentication. Mailbox providers send these reports to whatever address you specify in the rua= tag of your DMARC record, once per reporting interval (the ri= tag, 24 hours by default), as a gzip- or zip-compressed XML attachment. Each report lists, for that interval, every IP address that sent mail with your domain in the visible From header, the SPF and DKIM results for each (including the d= domain each DKIM signature was made under and the Return-Path domain SPF was checked against), the resulting DMARC alignment outcome, and the count of messages. Two weeks of these reports gives a complete picture of your domain's mail behaviour.

Without DMARC aggregate reporting, an audit is guesswork. You can check what authentication records exist; you cannot check what is actually using them. The marketing tool that switched providers eight months ago and forgot to update its DKIM selector is invisible. The shadow IT team running a side project from a cloud function with no SPF authorisation is invisible. The phishing campaign currently impersonating your domain from a Russian botnet is invisible. All three become visible immediately once you start collecting rua= data — and all three need to be addressed before p=reject can be safely deployed.

Initial DMARC record we publish for the audit · read-only mode
; _dmarc.yourcompany.com TXT record
; p=none means we do nothing yet: we only collect data.
; rua= sends aggregate reports to our endpoint for analysis.
; Published as a single TXT string; wrapped here for readability only.

v=DMARC1; p=none;
  rua=mailto:[email protected];
  ruf=mailto:[email protected];
  fo=1;
  adkim=r;
  aspf=r;
  pct=100

; Translation:
;   p=none      observe only, do not affect mail flow (sp= absent, so subdomains inherit it)
;   rua=        aggregate reports to us, once per reporting interval (ri=, default 24 h)
;   ruf=        failure-event reports; few large providers send these, treat them as a bonus
;   fo=1        request a failure report when any single mechanism (SPF or DKIM) fails
;   adkim=r     relaxed DKIM alignment: d= may be any subdomain of the From org domain
;   aspf=r      relaxed SPF alignment: Return-Path may be any subdomain of the From org domain
;   pct=100     apply to 100% of mail; no effect at p=none, matters once we move to quarantine/reject
;
; Because the rua=/ruf= mailbox is outside your domain, the receiving side must also
; publish yourcompany.com._report._dmarc.<our reporting domain> TXT "v=DMARC1"
; (RFC 7489 section 7.1), otherwise providers silently withhold the reports.
; We publish that record on our side before yours goes live.

After two weeks of collection, the data tells us everything we need. The audit report identifies every IP address, every sending source, every authentication outcome. Legitimate sources get fixed (DKIM signing added where missing, SPF includes adjusted, alignment pattern corrected). Illegitimate sources get documented and you get to decide what to do about them — sometimes it is a forgotten internal application that gets deprecated, sometimes it is a partner who shouldn't have been sending in the first place, sometimes it is an active phishing campaign that gets reported to the relevant authorities.

Only after every legitimate source is producing aligned authentication do we begin advancing the DMARC policy. The progression is conservative on purpose — moving too fast breaks legitimate mail, which is worse than moving too slowly.

DMARC policy advancement schedule · conservative, adjusts to live data
Week 1-2:   p=none; pct=100      # observe, identify all sources
Week 3-4:   p=none; pct=100      # fix discovered issues, re-observe

# Begin enforcement, staged by percentage. pct= samples only the mail that
# FAILS DMARC; passing mail is never affected by it.
Week 5:     p=quarantine; pct=10   # 10% of failing mail to spam, the rest still delivered
Week 6:     p=quarantine; pct=25
Week 7:     p=quarantine; pct=50
Week 8:     p=quarantine; pct=100
Week 9:     p=reject; pct=10       # begin reject; the unsampled 90% is quarantined,
                                   # not delivered (RFC 7489 section 6.6.4)
Week 10:    p=reject; pct=50
Week 11:    p=reject; pct=100      # full enforcement

# If anything wobbles at any stage we hold the percentage
# until the underlying issue is fixed. Subdomains follow sp=, which inherits
# p= when absent, so a subdomain that is not yet aligned is held back with
# an explicit sp= until it is.
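The tags in the record above and the pct= semantics in the schedule are easy to get subtly wrong, so here is an added worked example (editorial code, not the audit provider's tooling) that parses a DMARC record with RFC 7489 defaults, lists the external-destination authorization record the report receiver must publish when rua= points outside the policy domain, flags the caveats noted above, and models the disposition a receiver applies to failing mail at each pct= stage. The auditor.example mailbox and the organisational-domain shortcut (last two labels instead of the Public Suffix List) are assumptions for the constructed input.

```python
"""DMARC record checks: parsing, external-report authorization, pct= semantics.

Added example for this page, not the audit provider's code. Mailbox names are
constructed; org_domain() is a last-two-labels simplification of the Public
Suffix List lookup real receivers perform.
"""
import hashlib
from urllib.parse import urlparse

POLICIES = ("none", "quarantine", "reject")
# RFC 7489 defaults for tags that are absent from the record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": 100, "fo": "0", "rf": "afrf", "ri": 86400}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict with defaults applied.

    Raises ValueError for records a receiver would discard: v=DMARC1 not the
    first tag, p= missing or invalid, pct= not an integer in 0..100.
    """
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    rec = dict(DEFAULTS)
    rec.update(tags[1:])
    if rec.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    try:
        rec["pct"] = int(rec["pct"])
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct= must be in 0..100")
    rec.setdefault("sp", rec["p"])  # subdomains inherit p= unless sp= says otherwise
    return rec


def org_domain(name: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def external_report_authorizations(policy_domain: str, rec: dict) -> list:
    """TXT records the report RECEIVER must publish before providers will send
    rua=/ruf= data to a mailbox outside the policy domain's organisation
    (RFC 7489 section 7.1). Empty when every destination is in-house."""
    needed = []
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in rec.get(tag, "").split(","))):
            parsed = urlparse(uri)
            if parsed.scheme != "mailto":
                raise ValueError(f"{tag}= must be a mailto: URI, got {uri!r}")
            mailbox_domain = parsed.path.split("!")[0].rsplit("@", 1)[-1]  # drop size suffix
            if org_domain(mailbox_domain) != org_domain(policy_domain):
                entry = (f"{policy_domain}._report._dmarc.{mailbox_domain}", "v=DMARC1")
                if entry not in needed:
                    needed.append(entry)
    return needed


def audit_warnings(rec: dict) -> list:
    """Operational caveats worth surfacing before the record goes live."""
    notes = []
    if rec["p"] == "none" and rec["pct"] != 100:
        notes.append("pct= is ignored at p=none; it only samples quarantine/reject")
    if rec["p"] == "reject" and rec["pct"] < 100:
        notes.append("reject with pct<100: unsampled failures are quarantined, not delivered")
    if "ruf" in rec:
        notes.append("ruf= set: most large providers send no failure reports, do not rely on it")
    if rec["sp"] == "none" and rec["p"] != "none":
        notes.append("sp=none leaves every subdomain spoofable while the parent enforces")
    return notes


def disposition(rec: dict, message_id: str) -> str:
    """Disposition a receiver applies to a message that FAILED DMARC.

    pct= selects a fraction of failing mail (modelled here as a hash bucket of
    the Message-ID; receivers pick their own sampling). Unselected mail gets
    the next less restrictive policy: reject -> quarantine, quarantine -> none
    (RFC 7489 section 6.6.4). Passing mail is never affected by pct=.
    """
    p = rec["p"]
    if p == "none":
        return "none"
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket < rec["pct"]:
        return p
    return "quarantine" if p == "reject" else "none"


if __name__ == "__main__":
    record = ("v=DMARC1; p=none; rua=mailto:reports@auditor.example; "
              "ruf=mailto:forensic@auditor.example; fo=1; adkim=r; aspf=r; pct=100")
    parsed = parse_dmarc(record)
    print(external_report_authorizations("yourcompany.com", parsed))
    print(audit_warnings(parsed))
    for stage in ("p=quarantine; pct=10", "p=reject; pct=10", "p=reject; pct=100"):
        print(stage, "->", disposition(parse_dmarc("v=DMARC1; " + stage), "<abc@yourcompany.com>"))
```

The part most teams miss is the authorization record: an external rua= mailbox that has not published `<policy-domain>._report._dmarc.<mailbox-domain>` simply receives nothing, and the two-week observation window collects zero data without any error being raised anywhere.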

"Even with full SPF plus DKIM plus DMARC aligned, sustaining 90%+ deliverability on cold outreach is genuinely difficult in 2026. Authentication is the floor, not the ceiling. We will tell you that during the audit if your traffic profile is heading into territory that authentication cannot save." — Internal note, audit engagement runbook
─────────────────────────────────────────────────────────────────────────
03  /  What you get

A document, and the changes deployed.

The €750 covers both the analysis and the implementation. We do not write a report and hand you a list of DNS changes to deploy yourself — that would defeat the point. We write the report, then we make the changes (or supply them in a form your DNS team can deploy verbatim), then we monitor the result.

Two-week observation
Initial DMARC record published with our rua= endpoint. 14 days of aggregate report collection from Google, Microsoft, Yahoo, Apple, ProtonMail, and the smaller European providers we get reports from. No changes to mail flow during this period.
Source inventory
Complete list of every IP address and every sending domain that produced mail for your domain in the observation window, classified as legitimate / unknown-investigate / illegitimate. The inventory typically includes 8 to 25 distinct legitimate sources for a mid-sized company; we have seen 60+ for large enterprises with sprawling SaaS adoption.
SPF record rewrite
Most SPF records we audit either exceed the 10-DNS-lookup limit (which yields permerror, which DMARC counts as an SPF failure, with no visible error anywhere) or include legacy authorisations that should have been removed years ago. We produce a clean SPF record that authorises every legitimate source and stays under the lookup limit, removing dead includes first and flattening what remains where appropriate. A flattened record pins a vendor's IP ranges at one moment in time, so every flattened include is documented and re-checked on a schedule; an unmonitored flattened record fails silently the day the vendor adds a netblock.
DKIM key inventory and rotation
Every DKIM selector currently in use, classified by sending source and signing key strength. We rotate keys to 2048-bit RSA where the existing keys are weaker (1024-bit is the minimum Google accepts; anything shorter fails verification outright), set up a quarterly rotation schedule for the keys we manage, and document the selectors in use so future audits can find them. Retired selectors have their public keys removed from DNS once the last messages signed with them have aged out of transit.
DMARC progression plan
Documented schedule for advancing your policy from p=none through p=quarantine to p=reject at the percentages and timing appropriate for your traffic. The plan adjusts to live data — if a previously-unknown legitimate sender shows up in week 6, we hold enforcement until they are fixed.
ARC sealing setup
Where your traffic profile includes mailing lists, forwarders or aggregators that legitimately rewrite messages and break the original DKIM signature, we configure ARC (Authenticated Received Chain, RFC 8617) sealing on the intermediaries you operate. ARC is an intermediary-side mechanism: the forwarder seals the authentication results it saw on arrival, and a receiver that trusts that sealer can override the DMARC failure it would otherwise apply. It does nothing for forwarders you do not run, and each receiver decides which sealers it trusts; Google Groups and Microsoft 365 already seal, many smaller lists do not. Note the distinction that matters for p=reject: plain forwarding that leaves the message untouched breaks only SPF, and an aligned DKIM signature still carries the message through; it is the lists that add footers or subject tags that break DKIM as well and therefore fail DMARC.
BIMI eligibility review
For verticals where the certificate cost is justified (consumer brands, retail, financial services where the brand logo in the inbox produces measurable open-rate lift), we evaluate BIMI eligibility, identify the certificate type required (VMC vs CMC), and recommend a path to deployment. For verticals where BIMI is not worth it, we say so directly.
MTA-STS and TLS reporting
MTA-STS (RFC 8461) protects mail arriving at your domain, not mail you send: you publish an _mta-sts.yourdomain TXT record plus an HTTPS-hosted policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt, and sending MTAs such as Gmail and Microsoft 365 then refuse to deliver to your MX hosts over plaintext or with an invalid certificate, instead of silently downgrading when STARTTLS is stripped in transit. TLS-RPT (RFC 8460) is the companion: a _smtp._tls TXT record naming a mailbox where those senders report failed TLS negotiations, which is the only way to see enforcement breaking something. Both are increasingly expected for receivers in regulated industries.
30 days of post-deploy monitoring
After full p=reject is in effect, 30 days where we continue receiving the DMARC reports, watching for any new sender that shows up and starts failing alignment. Any incident in that window is fixed under the original engagement fee.
─────────────────────────────────────────────────────────────────────────
04  /  What we typically find

A few greatest hits.

After running this audit on roughly 200 domains over the last three years, the failure modes have settled into recognisable categories. The five below are listed in descending order of how often we see them. Yours probably has at least one of them.

They do not cover everything. Across 217 audits tracked between January 2023 and December 2025, the frequency distribution of findings settled into a stable shape, roughly the same percentages from one quarter to the next regardless of client sector or domain size. The chart below is what those domains tell you about the state of email authentication in production. The uncomfortable interpretation: most domains have at least four findings, and the average domain has 6.3.

// frequency of audit findings · 217 domains · jan 2023 – dec 2025

Methodology: 217 single-domain and multi-domain audits run by our team January 2023 – December 2025. Findings recorded against a fixed 12-check audit checklist (full list in section 09). Severity classification follows our internal triage: critical = active exposure or material reputation loss, high = delivery failure or imminent enforcement break, medium = deviation from best practice with measurable but non-acute impact. The 12 percent active-impersonation finding is the one that surprises most clients.

The 10-lookup SPF cliff. SPF (RFC 7208) caps evaluation at 10 DNS-querying terms: every include:, a, mx, ptr, exists and redirect= counts, recursively through every included record, while ip4: and ip6: are free. An SPF record that lists Google Workspace plus Microsoft 365 plus SendGrid plus Mailchimp plus a CRM platform almost always exceeds this, because each include: chains into several sub-lookups of its own. Once over the limit, SPF returns permerror, which DMARC treats as an SPF failure regardless of whether the actual sender is authorised. Most senders never notice because the failure is silent; then DMARC starts enforcing and half their mail starts failing alignment overnight. The fix is removing legacy authorisations for vendors no longer in use first (subtraction costs nothing and has no maintenance burden), then flattening what remains (replacing an include: with the ip4:/ip6: ranges it expands to) with a process that re-flattens when the vendor's ranges change.

The forgotten subdomain. Mail gets sent from marketing.yourcompany.com, app.yourcompany.com, noreply.yourcompany.com and the parent domain yourcompany.com, all four with separate authentication setups, three of which were configured by different teams at different times. The DMARC policy is published at the parent domain only, and a DMARC policy does reach subdomains (sp= defaults to whatever p= says), so the moment the parent moves to p=reject every unaligned subdomain is rejected along with the spoofers. Three of the four subdomains have no DKIM signing, no SPF authorisation and no aligned From address. The audit catches it; the fix is publishing per-subdomain SPF and DKIM records or, more often, consolidating sending onto fewer subdomains so the surface to authenticate is smaller.

The DNS provider that mangles TXT records. A TXT record is a sequence of character-strings of at most 255 octets each; a long SPF record has to be split across several strings, and the consumer joins them with no separator. Some CDN-fronted DNS providers split or re-quote long values in ways that change the joined result (a space inserted at the split, the second string published as a separate record, a literal quote mark inside the value), so the record looks correct in the dashboard but resolves as malformed on the wire. Cloudflare and Fastly along with a couple of others have specific quirks here that have caught us multiple times. The diagnostic is reading the raw DNS response with dig (dig +short TXT yourcompany.com, dig +short TXT _dmarc.yourcompany.com) rather than trusting the provider's UI. The fix is either splitting at a boundary the provider handles correctly or moving authentication-critical TXT records to a DNS provider that does not transform them.
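As an added example covering both the lookup cliff and the TXT-splitting problem (editorial code, not the audit provider's tooling): a counter that walks a constructed in-memory zone the way a receiver does, joining multi-string TXT answers with no separator, counting the terms RFC 7208 charges a lookup for, detecting include loops, and then applying the two fixes in the order the text recommends, subtraction of a dead vendor followed by flattening of one include. Every name and IP range in ZONE is invented; a real run would replace the zone dictionary with live TXT lookups.

```python
"""SPF lookup counting, TXT string handling and flattening against a fake zone.

Added example for this page, not the audit provider's code. ZONE, its names
and its IP ranges are constructed for illustration only.
"""
TXT_MAX = 255          # max octets per TXT character-string (RFC 1035)
LOOKUP_LIMIT = 10      # RFC 7208 section 4.6.4
COUNTED = ("include", "a", "mx", "ptr", "exists")  # mechanisms that cost a DNS query

# name -> list of TXT RRs, each RR a list of character-strings as they arrive on
# the wire. yourcompany.com is split mid-record and must be joined without a separator.
ZONE = {
    "yourcompany.com": [[
        "v=spf1 mx include:_spf.suite.example include:_spf.office.example include:tx.mailer.example ",
        "include:servers.newsletter.example include:_spf.crm.example include:_spf.oldvendor.example -all",
    ]],
    "_spf.suite.example": [["v=spf1 include:_nb1.suite.example include:_nb2.suite.example include:_nb3.suite.example ~all"]],
    "_nb1.suite.example": [["v=spf1 ip4:192.0.2.0/24 ~all"]],
    "_nb2.suite.example": [["v=spf1 ip4:198.51.100.0/24 ~all"]],
    "_nb3.suite.example": [["v=spf1 ip6:2001:db8:10::/48 ~all"]],
    "_spf.office.example": [["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:20::/48 -all"]],
    "tx.mailer.example": [["v=spf1 include:_spf1.mailer.example ~all"]],
    "_spf1.mailer.example": [["v=spf1 ip4:203.0.113.128/25 ~all"]],
    "servers.newsletter.example": [["v=spf1 ip4:198.51.100.64/26 ?all"]],
    "_spf.crm.example": [["v=spf1 include:_spf.crm-eu.example ~all"]],
    "_spf.crm-eu.example": [["v=spf1 ip4:192.0.2.128/25 ~all"]],
    "_spf.oldvendor.example": [["v=spf1 a mx ~all"]],   # vendor dropped years ago, still authorised
}


class SpfPermError(Exception):
    """Condition a receiver reports as permerror (DMARC then treats SPF as fail)."""


def spf_record(name, zone):
    """SPF string for name; multi-string TXT answers are joined with no separator
    (RFC 7208 section 3.3). None if absent, permerror if more than one exists."""
    found = ["".join(strings) for strings in zone.get(name, [])]
    found = [r for r in found if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(found) > 1:
        raise SpfPermError(f"{name}: multiple SPF records")
    return found[0] if found else None


def _mech(term):
    """Strip the qualifier and return (name, argument) for one SPF term."""
    body = term.lstrip("+-~?")
    if "=" in body.split(":")[0]:              # modifier such as redirect= or exp=
        name, arg = body.split("=", 1)
        return name + "=", arg
    name, _, arg = body.partition(":")
    return name.split("/")[0], arg             # a/24 -> a


def count_lookups(name, zone, _path=()):
    """DNS-querying terms a receiver evaluates for name's SPF, recursively.
    A missing include target or an include loop is permerror in its own right."""
    if name in _path:
        raise SpfPermError("include loop: " + " -> ".join(_path + (name,)))
    record = spf_record(name, zone)
    if record is None:
        raise SpfPermError(f"{name}: no SPF record")
    total = 0
    for term in record.split()[1:]:
        kind, arg = _mech(term)
        if kind in ("include", "redirect="):
            total += 1 + count_lookups(arg, zone, _path + (name,))
        elif kind in COUNTED:
            total += 1
    return total


def flatten(name, zone, _path=()):
    """Terms that can make include:name match. Only '+' terms yield a pass from
    inside an include and the included record's 'all' never applies to the
    includer, so both are dropped. This is a snapshot: re-run when ranges move."""
    if name in _path:
        raise SpfPermError("include loop: " + " -> ".join(_path + (name,)))
    record = spf_record(name, zone)
    if record is None:
        raise SpfPermError(f"{name}: no SPF record")
    out = []
    for term in record.split()[1:]:
        kind, arg = _mech(term)
        terms = flatten(arg, zone, _path + (name,)) if kind in ("include", "redirect=") else \
            [term] if kind != "all" and term[0] not in "-~?" else []
        out.extend(t for t in terms if t not in out)
    return out


def to_txt_strings(record, limit=TXT_MAX):
    """Split a record into the <=255-octet strings a TXT RR needs. The split point
    is arbitrary because consumers join with no separator; a dashboard that joins
    with a space, or publishes each string as its own RR, changes the record."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def remediate(zone, domain, drop_includes=(), flatten_includes=()):
    """New zone with domain's SPF rewritten: listed include: targets removed
    (dead vendors) or replaced by their flattened terms."""
    out = []
    for term in spf_record(domain, zone).split():
        kind, arg = _mech(term)
        target = arg if kind == "include" else None
        if target in drop_includes:
            continue
        terms = flatten(target, zone) if target in flatten_includes else [term]
        out.extend(t for t in terms if t not in out)
    new_zone = dict(zone)
    new_zone[domain] = [to_txt_strings(" ".join(out))]
    return new_zone


if __name__ == "__main__":
    print("as found:", count_lookups("yourcompany.com", ZONE), "lookups, limit", LOOKUP_LIMIT)
    fixed = remediate(ZONE, "yourcompany.com", drop_includes={"_spf.oldvendor.example"})
    print("after subtraction:", count_lookups("yourcompany.com", fixed))
    fixed = remediate(fixed, "yourcompany.com", flatten_includes={"_spf.suite.example"})
    print("after flattening:", count_lookups("yourcompany.com", fixed))
    print(spf_record("yourcompany.com", fixed))
```

Against the constructed zone the record as found costs 14 lookups, dropping the dead vendor brings it to 11 (still over, because the vendor's `a mx` only accounted for three), and flattening the one deep include brings it to 7. That ordering is the point: subtraction first, because every flattened include is something you now have to keep current by hand.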

The marketing tool that signs DKIM with the wrong selector. A platform was configured years ago with selector k1 under a key the sender never controlled, because that selector lives under the platform's own domain (d=the platform, not d=yourcompany.com). The platform later added a new selector k2026 under the customer's domain, but outbound traffic submitted through legacy API endpoints still signs with k1. SPF passes, the DKIM signature verifies, and DMARC still fails: relaxed alignment requires the d= domain to share an organisational domain with the visible From, and the platform's domain does not. Caught only by reading the DKIM d= field in the aggregate report, where the row shows dkim=pass next to a domain that is not yours. Fixed either by migrating the platform's traffic to the customer-domain selector or, failing that, by getting SPF alignment instead: a custom Return-Path (bounce) subdomain under yourcompany.com, CNAMEd to the platform, so the MAIL FROM domain aligns even though the signature does not.

The phishing campaign that has been running for six months. Roughly 1 audit in 8 reveals an active impersonation campaign — somebody sending mail from your domain to your customers, usually for credential phishing or invoice fraud. The DMARC report shows it immediately: a chunk of failing-alignment volume from IP ranges that have nothing to do with your legitimate sending sources, often with email patterns that mimic your invoice or password-reset templates. The fix is twofold — get to p=reject as fast as is safe, which kills the campaign at the receiving end, and report the campaign to the hosting provider of the originating IPs (and to your local cybercrime authority if there is monetary loss involved). Several of these have led to legal action.
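The rows described in section 02 and in the last two findings above look like this in practice. As an added example (editorial code, not the audit provider's tooling), the following triages a constructed aggregate report in the RFC 7489 Appendix C layout: it recomputes alignment from each row's auth_results, which is exactly where the vendor's foreign d= domain and the impersonator's unknown IP become visible, classifies every source against an IP inventory, and previews what strict alignment would do. REPORT_XML, KNOWN_SOURCES and every IP are constructed; org_domain() uses a last-two-labels shortcut in place of the Public Suffix List.

```python
"""Triage of a DMARC aggregate (rua) report, offline.

Added example for this page, not the audit provider's code. The report, the
IP inventory and the addresses are constructed; the XML layout follows the
RFC 7489 Appendix C schema that the large providers emit (their own
policy_evaluated verdicts are omitted here because we recompute them).
"""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>1700000000.42</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>4120</count></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.com</domain><selector>k2026</selector><result>pass</result></dkim>
      <spf><domain>bounce.yourcompany.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>9800</count></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>mailer.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>35</count></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.com</domain><selector>k2026</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.200</source_ip><count>2200</count></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.com</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>610</count></row>
    <identifiers><header_from>noreply.yourcompany.com</header_from></identifiers>
    <auth_results><dkim><domain>yourcompany.com</domain><selector>k2026</selector><result>pass</result></dkim>
      <spf><domain>bounce.yourcompany.com</domain><result>pass</result></spf></auth_results></record>
</feedback>
"""
REPORT_GZ = gzip.compress(REPORT_XML.encode())   # the form that lands in the rua= mailbox

# IP inventory built during the observation window (constructed).
KNOWN_SOURCES = {
    "203.0.113.10": "transactional relay, signs as yourcompany.com selector k2026",
    "198.51.100.5": "marketing platform, legacy API path still signs with its own k1",
}


def org_domain(name):
    """Last two labels: a simplification of the Public Suffix List lookup receivers do."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, header_from, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


def evaluate_record(rec, adkim, aspf):
    """Recompute DMARC for one <record>: pass needs at least one DKIM signature
    or SPF result that both passed AND aligns with the visible From domain."""
    header_from = rec.findtext("identifiers/header_from")
    dkims = [(d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
             for d in rec.findall("auth_results/dkim")]
    spfs = [(s.findtext("domain"), s.findtext("result")) for s in rec.findall("auth_results/spf")]
    dkim_ok = any(r == "pass" and aligned(d, header_from, adkim) for d, _, r in dkims)
    spf_ok = any(r == "pass" and aligned(d, header_from, aspf) for d, r in spfs)
    return {"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "dkim": [f"d={d} s={s} {r}" for d, s, r in dkims],  # d= exposes a vendor signing as itself
            "spf": [f"{d} {r}" for d, r in spfs],
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if dkim_ok or spf_ok else "fail"}


def triage(xml_text, known_sources, adkim=None, aspf=None):
    """Every row classified against the IP inventory, largest volume first.
    adkim/aspf default to the published policy; pass 's' to preview strict mode."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = adkim or pub.findtext("adkim", "r"), aspf or pub.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        row = evaluate_record(rec, adkim, aspf)
        known = row["ip"] in known_sources
        row["source"] = known_sources.get(row["ip"], "UNKNOWN")
        if row["dmarc"] == "pass":
            row["triage"] = "ok" if known else "passing-unknown: forwarder or unlisted sender, add to inventory"
        elif known:
            row["triage"] = "known-misaligned: fix DKIM d= or Return-Path at this vendor"
        else:
            row["triage"] = "unknown-failing: investigate, likely impersonation"
        rows.append(row)
    return sorted(rows, key=lambda r: -r["count"])


def volume_summary(rows):
    """Share of reported message volume per triage class, in percent."""
    total = sum(r["count"] for r in rows)
    share = {}
    for r in rows:
        key = r["triage"].split(":")[0]
        share[key] = share.get(key, 0) + r["count"]
    return {k: round(100 * v / total, 1) for k, v in share.items()}


def read_report(filename, blob):
    """Reports arrive as .xml, .xml.gz or .zip attachments; return the XML text."""
    if filename.endswith(".gz"):
        return gzip.decompress(blob).decode()
    if filename.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return blob.decode()


if __name__ == "__main__":
    rows = triage(read_report("report.xml.gz", REPORT_GZ), KNOWN_SOURCES)
    for r in rows:
        print(f'{r["count"]:>6} {r["ip"]:<15} {r["dmarc"]:<4} {r["triage"]}')
    print(volume_summary(rows))
```

Two things the output makes obvious that the raw XML does not: the marketing platform is the single largest source and fails entirely because its signature is valid for the wrong domain (the finding described above), and the 2,200 messages from an IP nobody recognises are the impersonation row. The forwarder row passes on DKIM alone, which is why DKIM-signing everything matters before p=reject.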

─────────────────────────────────────────────────────────────────────────
05  /  What it costs

€750 flat-fee, most engagements.

One-time pricing for the standard audit. Multi-domain organisations pay a per-additional-domain rate. Continuous monitoring after the initial engagement is available as a low-cost subscription.

Single domain · 1 primary + up to 5 sending subdomains
  • Two-week DMARC observation period
  • Complete sending-source inventory
  • SPF record rewrite + flattening
  • DKIM key inventory + rotation
  • DMARC progression to p=reject
  • ARC sealing setup where applicable
  • 30 days of post-deploy monitoring
€750 one-time, all-in
Continuous · after the initial audit
  • Ongoing DMARC report ingestion
  • New-source detection alerts
  • Quarterly DKIM key rotation
  • Quarterly written health report
  • Re-audit when major changes happen
  • Access to deliverability engineers
  • Pause anytime, no penalty
€89 per month, per primary domain
─────────────────────────────────────────────────────────────────────────
05b  /  The before / after numbers

What 90 days after the audit actually look like.

Three real audit engagements from 2025, plotted from the week the changes deployed through week twelve. Inbox placement at Gmail measured weekly. Names anonymised, sectors preserved. The trajectories are not smooth — that is the honest part — but they all bend in the same direction.

The audit produces a document. The document is not the deliverable. The deliverable is what happens to the placement numbers in the 90 days after the changes ship. The shape of the curve is the answer to "does fixing this stuff actually do anything." It does, but the timing is not what most clients expect.

Three trajectories. Client D is a B2B SaaS company that started at 71 percent inbox placement at Gmail and crossed 95 percent at week eight. The curve is gradual because reputation rebuilds slowly — there is no overnight fix once the placement degraded. Client E is an e-commerce retailer who started at 88 percent and reached 98 percent by week six. They were closer to clean to begin with, so the recovery was faster. Client F is the interesting one. Started at 64 percent, hit 92 percent at week four, then dropped to 81 percent at week six because a separate marketing campaign violated the new DMARC policy and produced a temporary reputation hit. Recovered fully by week eleven. None of these trajectories is straight. All of them are upward.

// gmail inbox placement % · post-audit weeks 0-12

Methodology: weekly inbox placement measured via seed list of 1,200 Gmail addresses (Glock Apps + internal cohort) with placement classified by tab assignment. Week 0 = audit deliverables shipped, all DNS changes propagated. Sectors: Client D = B2B SaaS, Client E = e-commerce DTC, Client F = B2C marketing-heavy. Mid-recovery dip on Client F at week six was a separate marketing campaign violating the new p=quarantine policy — recovered fully once the campaign content was corrected. Client identities held confidentially under NDA; redacted summary documentation available on request.

Two things buyers should take from these curves. First, the audit pays for itself in roughly six to ten weeks measured against incremental delivered volume — that is the recovery period for placement to stabilise above 90 percent at the major receivers. Faster than most senders expect, slower than vendor marketing implies. Second, recovery is not always monotonic. Client F's mid-recovery dip is normal, not a signal that the audit was wrong. Reputation systems at the major providers are noisy by design, and a clean audit produces a clean trajectory only if downstream operations stay clean too. The audit fixes the configuration. It does not fix the team that produced the configuration. That part is on you.

─────────────────────────────────────────────────────────────────────────
06  /  Common questions

SPF / DMARC audit, specifically.

Questions we hear during the intake call about authentication audits, sorted from most-asked down. If your question is broader — deliverability fundamentals, payment terms, support tier — the main FAQ covers it.

01 We are under 5,000 emails a day. Do we still need this?
The 5,000/day threshold is what triggers the full bulk-sender rules at Google, Yahoo and Microsoft. Below it you are still required to authenticate: Google requires every sender to pass SPF or DKIM and to have valid forward and reverse DNS for its sending IPs. The extras (both SPF and DKIM, a DMARC record, alignment, one-click unsubscribe, the complaint-rate ceiling) are what kick in at 5,000. Below that line the placement penalty for weak authentication has been climbing throughout 2025 and 2026, because mailbox providers use authentication signal as one input among many for placement decisions even on smaller senders. Practically: under 1,000/day, the audit is a nice-to-have that produces small placement gains; 1,000-5,000/day, it usually produces measurable placement gains in the 5-15% range; above 5,000/day, it is required to keep mail flowing at all. We will tell you honestly during the intake call which side of that line you are on.
02 Why does this take two weeks rather than a one-day audit?
Because the data tells the truth and the data takes two weeks to collect. A one-day audit reads your existing DNS records and runs them against a checklist — it tells you what exists. It does not tell you what is actually sending mail from your domain right now, which sources are aligning correctly, which are silently failing, or whether someone is impersonating you. That information lives in DMARC aggregate reports, and aggregate reports come in daily from each mailbox provider. Two weeks gives us 14 cycles per provider, 4-6 distinct providers reporting, and enough volume to surface intermittent senders that only show up once a week. Faster audits exist in the market and they cost about as much; what they produce is a checklist, not a remediation plan.
03 What if we already have DMARC at p=reject and just want a sanity check?
Then the audit is faster and we discount it to €450. We still do the two-week observation period because the value is in the data, but the remediation phase is usually short — most teams that have already deployed p=reject have done the heavy lifting and the audit confirms it. About 1 in 5 senders who request the sanity-check version turn out to have a hidden issue (an obscure source that is failing alignment and getting rejected, often something the team's own email is going to that they hadn't noticed) and need the full remediation engagement. We adjust the price up to the standard €750 if that happens, with the discount counted as a deposit.
04 Can we do this ourselves with a free DMARC reporting tool?
Yes, technically — there are several free tools (Postmark's DMARC service, Red Sift's free tier, EasyDMARC's starter plan, dmarcian's community offering) that ingest aggregate reports and present them in a dashboard. The tools work; the limitation is interpretation. DMARC reports contain hundreds of rows per day for an active domain, most of which look broadly similar to a non-expert reader. The audit value is not in collecting the reports — it is in knowing which 4 of those 200 rows represent a problem worth fixing, what to fix, and in what order. If your team has someone who has done DMARC remediation before and is comfortable with DNS forensics, the free tools are fine. If not, the time saved by hiring this work out usually exceeds the €750 fee.
05 Will deploying p=reject break our forwarded mail?
Some of it, unless you prepare for it. Forwarding breaks SPF every time (the forwarder's IP is not in your SPF record), but plain forwarding that leaves the message untouched preserves your DKIM signature, so an aligned DKIM signature on every message keeps simple "forward to my Gmail" rules working at p=reject. What breaks DMARC is modification in transit: mailing lists such as Google Groups that add footers or subject tags, and forwarders that rewrite the body, invalidate the DKIM signature, and with SPF already failing the receiver applies your p=reject to a legitimate message. This is one of the most common reasons senders who did not run an audit revert from p=reject to p=quarantine within weeks. The fix is three-part: DKIM-sign everything so that simple forwarding survives; configure ARC sealing on every legitimate forwarder you control, so receivers that trust your seal can override the failure; and accept that some forwarding paths you do not control will lose messages, which is the trade-off for protecting your domain from impersonation. We document the trade-offs explicitly and you decide where to set the boundary.
06 Do you handle BIMI?
We do the eligibility review and the deployment for clients where it is worth doing. BIMI requires DMARC enforcement as a prerequisite: p=quarantine or p=reject with pct=100 and no sp=none escape hatch for subdomains, plus a logo in SVG Tiny PS format, plus, at Gmail and most other receivers that display the logo, a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC) where the mark is not a registered trademark. VMCs run roughly USD 1,500-2,000 per year from the two issuing authorities (Entrust and DigiCert). The placement-rate lift from BIMI is real but measurable mainly in B2C verticals where brand recognition affects open rates: retail, financial services, consumer SaaS. For B2B senders or anyone whose recipients open mail based on the From name rather than the logo, BIMI is rarely worth the certificate cost. We will tell you which side of that line you are on during the audit; for the first ~12 months after the audit we recommend deferring BIMI and seeing whether the basic alignment work moves your placement enough on its own.
─────────────────────────────────────────────────────────────────────────
09  /  The 12 audit checks

The full playbook, in fixed order.

The complete 12-check audit, applied in this order to every engagement since 2023. Sharing it openly because the audit itself is not the trade secret — the experience of running it across 217 domains is. The percentages reflect how often each check produced a finding across those engagements.

Twelve checks, in fixed order, applied to every audit. The order matters because findings cascade — fixing the SPF lookup count before reading the DMARC reports avoids chasing alignment failures that disappear once the lookup count drops below ten. We have not changed the checklist meaningfully since 2023. The patterns are stable, the diagnostic questions are stable, and the fixes are stable. What changes is the percentage of clients triggering each check, which we track quarterly.

#   Check · find rate, then what we look for

01  SPF lookup count · 78%
    Recursive expansion of every include: against the 10-lookup ceiling. Crossing it produces silent permerror.
02  Inactive senders in SPF · 71%
    Authorisations for vendors the client stopped using. Subtraction is usually cheaper than flattening.
03  DKIM signing coverage · 64%
    Every legitimate sender confirmed signing with a 2048-bit key, key rotation cadence verified.
04  Subdomain authentication · 58%
    Per-subdomain SPF, DKIM, DMARC alignment. Common gap on marketing., app., noreply. subdomains.
05  DMARC policy progression · 51%
    Time at p=none. Six months without progression is the signal nobody on the team owned the migration.
06  MTA-STS deployment · 47%
    DNS record at _mta-sts.{domain} plus HTTPS-hosted policy file. Both halves must exist, and the id= in the TXT record must change whenever the policy file does, or senders keep using the cached policy.
07  TLS-RPT companion · 38%
    When MTA-STS exists, TLS-RPT should too. Without it, MTA-STS enforcement is blind.
08  From: alignment · 31%
    DKIM d= domain or SPF Return-Path domain matches the visible From: header (same organisational domain in relaxed mode, exact match in strict). Misalignment kills DMARC pass.
09  DNS hygiene · 23%
    TXT record splitting at byte boundaries, malformed quoting, CNAME chains where TXT was expected. Read with dig, not the dashboard.
10  Active impersonation · 12%
    Aggregate report scan for failing-alignment volume from IP ranges unrelated to legitimate sources. Often a phishing campaign in progress.
11  BIMI eligibility gap · 9%
    BIMI record published but DMARC at p=none. The logo never renders. Marketing budget wasted.
12  Forwarding-aware policy · 7%
    Heavy-forwarding domains pushed to p=reject without ARC sealing. Legitimate-mail loss usually visible in reports.

The playbook is open because the audit is not the trade secret. The trade secret is the experience to know which finding deserves attention first when three of them surface at once, what the second-order effects look like when you fix one without addressing the related three, and how to talk to a procurement team about results that cannot be guaranteed in writing because reputation systems do not work that way. Anyone can run the 12 checks. The value of the engagement is what happens after the findings are listed — sequencing the fixes, reading the post-deployment aggregate reports, knowing when the placement curve is healthy and when it is not. Tools tell you what is wrong. Operators tell you what to do about it.

─────────────────────────────────────────────────────────────────────────

The audit pays for itself in placement gains.

Most senders we audit see a 5 to 15 percentage point lift in inbox placement at Microsoft and a smaller but consistent lift at Gmail within 60 days of completing remediation. For a sender doing 100K marketing sends a month, that lift is worth substantially more than the audit fee in revenue terms. We will run the maths during the intake call so you know what return to expect before signing.