Email deliverability: SPF, DKIM, and DMARC

·

SPF, DKIM and DMARC are not SummitPSA settings — they are DNS records you publish for the domain you send from. They tell receiving servers that your SummitPSA / relay is allowed to send as your domain, which is essential for ticket mail to reach inboxes. This is general email-infrastructure guidance for self-hosters.

SPF

Sender Policy Framework lists the servers allowed to send for your domain, as a single TXT record. If you relay through a provider (for example Mailgun), include theirs:

v=spf1 include:mailgun.org -all

Publish exactly one SPF record; end it with -all (hard fail) or ~all (soft fail).

DKIM

DomainKeys Identified Mail cryptographically signs outgoing mail. Your relay or mail server generates a key pair; you publish the public key as a TXT record at a selector subdomain, e.g. selector._domainkey.yourdomain.com. Receivers verify the signature against it.

DMARC

DMARC tells receivers what to do when SPF/DKIM fail and where to send reports. Start in monitor mode, then tighten:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Move from p=none to p=quarantine and finally p=reject once reports confirm your legitimate mail aligns.

Checklist

  • Use a consistent From domain in your SummitPSA email account that you control DNS for.
  • Publish SPF, DKIM and DMARC for that domain.
  • Send a test ticket reply and inspect the headers (or use a mail-tester tool) to confirm all three pass.

Allow time for DNS changes to propagate, and verify with your provider's domain-verification page before going live.

Was this article helpful?
Still need help? Contact SummitPSA support.