How Emails Are Delivered And How To Set Up DMARC, DKIM And SPF

How to add DMARC, SPF and DKIM settings and improve your email delivery

Written by Adam Reiter
Updated over a week ago

Introduction

Nosto uses the AWS SES service to send triggered emails. Every sender address is verified by clicking a link in an email sent to that address. The verified address is used in the From header of the emails sent through AWS SES. The so-called envelope address, or MAIL FROM domain, of the messages is amazonses.com.

To use a custom domain as the MAIL FROM domain, the domain needs to have DMARC, DKIM and SPF set up correctly.

Gmail and Yahoo now require all volume senders (>5000 messages/month) to have a working DMARC configuration.

Sender Policy Framework (SPF) 

Sender Policy Framework is an email authentication standard developed by AOL that compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The IP list is published in the domain’s DNS record.

Domain Keys Identified Mail (DKIM)

DKIM was designed to help ISPs prevent malicious email senders by validating email from specific domains.

Spoofers and phishers can send email to unwitting recipients while purporting to be a trusted brand or sender. By “signing” email with DKIM, legitimate senders can label which domains belong to them and, by doing so, empower ISPs to block email streams that have not been properly authenticated using DKIM.

Domain-Based Message Authentication (DMARC)

DMARC is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. DMARC counters the illegitimate usage of the exact domain name in the From: field of email message headers.

To be DMARC compliant, one needs to conform to both SPF and DKIM. DMARC is a policy that describes how DKIM and/or SPF checks are done and what to do with emails that don't pass verification.

Domain verification settings are domain-wide. Once verification is done for a single email address, it works for all addresses of its domain, e.g. when SPF is verified for john.doe@example.com, it also covers matti.meikalainen@example.com, vasily.pupkin@example.com, etc.

Why is DMARC important?

With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof, and criminals have found spoofing to be a proven way to exploit user trust in well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

Users can’t tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.

How does DMARC work, briefly, and in non-technical terms?

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Configuring Records

The process

Most of the setup described here is out of Nosto's reach, since our personnel don’t have access to the settings in Nosto, and neither can we update your DNS records. Consult your network administrator for further advice.

In order to use the verification you have to:

  • In Nosto: set up the verification, which basically means generating the related DNS records. This step is the same for all settings and consists of just clicking the button.

  • In store infra: publish the DNS records provided by Nosto. This step is specific to the DNS/hosting provider; the instructions for the most popular services are listed in the next section, Creating DNS records.

  • After a DNS records update, the corresponding section should have “Success” or “Enabled” status (except for DMARC records, which are not checked for verification; we just generate them for publishing).

Note that it may take up to 72 hours for the update to take effect since DNS is a worldwide-distributed system and records take time to propagate all over the Internet.

The same timeframe of 72 hours applies to automatic record discovery, i.e. continuous polling of DNS to find the desired records. It starts from the moment the records were created. After this time has passed, a retry should be performed manually.

Creating DNS records

SPF (Sender Policy Framework)

DKIM (Domain Keys Identified Mail)

DMARC

The table below includes links to the documentation for several common providers. This list isn't exhaustive, and inclusion in this list isn't an endorsement or recommendation of any company's products or services. If your provider isn't listed in the table, you can probably still publish an SPF record.

| DNS/Hosting provider | Documentation link |
| --- | --- |
| Amazon Route 53 | |
| GoDaddy | Add an SPF record (external link) |
| DreamHost | |
| Cloudflare | |
| HostGator | SPF Records (external link) |
| Namecheap | |
| Names.co.uk | |
| Wix | |

Further reading


 
​ 
