Sepat
Back
Three DNS records on the customer's domain are needed to authenticate outbound mail.
Without them, ESPs (Gmail, Office 365, Yahoo, etc.) will junk or reject your sends.
All three live on the From-header organisational domain
— for this client that's sepat.fyi.
1. SPF
Authorises which servers can send From sepat.fyi.
Type: TXT Name: sepat.fyi (i.e. the apex/root) Content: v=spf1 +a +mx +ip4:<your-smtp-server-IP> ~all
Replace <your-smtp-server-IP> with the public IPv4 of your SMTP host. Use ~all (soft-fail) while warming up; tighten to -all later.
2. DKIM
Public key your SMTP provider gives you. Common selector: default.
Type: TXT Name: default._domainkey.sepat.fyi Content: v=DKIM1; k=rsa; p=<public-key-from-your-SMTP-provider>
If your provider uses a different selector (e.g. google, k1, selector1), use that name instead. The checker will try the common ones automatically.
3. DMARC
Tells receivers what to do with mail that fails SPF/DKIM. Start permissive.
Type: TXT Name: _dmarc.sepat.fyi Content: v=DMARC1; p=none;
After a few weeks of clean traffic, tighten to p=quarantine then p=reject. p=none is monitoring-only — safe starting point.
DNS changes propagate in 1–5 minutes typically; up to a few hours on slow providers. Cron auto-rechecks every 6 hours, but you can hit Verify any time after the customer says they've added the records.