Email Deliverability
Also Known As
SPF
DKIM
DMARC
email authentication
transactional email
TL;DR
The technical requirements for email reaching inboxes rather than spam folders — SPF, DKIM, DMARC, and sending reputation work together to authenticate your emails.
Explanation
- SPF (Sender Policy Framework): a DNS TXT record listing the IP addresses authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail): a cryptographic signature on outgoing emails, verified by recipients using a public key published in DNS.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): a policy defining what receivers should do when SPF/DKIM fail (none, quarantine, reject) and where to send reports.
Sending reputation is built on low bounce rates, low spam complaint rates, and consistent sending volume. PHP applications should use a transactional email service (SendGrid, Postmark, SES) rather than the server's own SMTP.
Diagram
flowchart LR
PHP[PHP App] -->|SMTP| MTA1[Sending MTA<br/>sendgrid.net]
MTA1 -->|DNS MX lookup| MTA2[Receiving MTA<br/>gmail.com]
MTA2 --> FILTER{Spam Filter}
FILTER -->|SPF pass| FILTER2{DKIM check}
FILTER2 -->|valid signature| INBOX[Inbox]
FILTER -->|SPF fail| SPAM[Spam / Rejected]
FILTER2 -->|invalid| SPAM
DNS[DNS Records:<br/>SPF TXT record<br/>DKIM TXT record<br/>DMARC TXT record] -.->|validates| FILTER & FILTER2
style INBOX fill:#238636,color:#fff
style SPAM fill:#f85149,color:#fff
style DNS fill:#1f6feb,color:#fff
Common Misconception
✗ Setting up SPF alone is sufficient for deliverability — SPF, DKIM, and DMARC are all needed; with DMARC enforcement but no DKIM, SPF alone cannot protect against spoofing.
Why It Matters
Password reset emails, order confirmations, and notifications going to spam directly impact business metrics — email deliverability is a technical requirement, not a nice-to-have.
Common Mistakes
- Using server's own SMTP for transactional email — shared hosting IP reputation is poor; use a dedicated sending service.
- SPF record with too many DNS lookups — SPF has a 10 DNS lookup limit; exceeding it causes SPF failures.
- Not setting a DMARC policy — without DMARC, receivers are not told what to do with mail from your domain that fails SPF/DKIM, so spoofed emails can still be delivered.
- Not monitoring bounce rates — high bounce rates signal ISPs to start filtering your email.
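The 10-lookup limit from the list above can be checked before a record is published. The following is an added example, not code from the original page: it counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) reachable from a record, using a constructed in-memory zone (`SAMPLE_ZONE`, all hostnames made up) in place of live DNS; `count_spf_lookups` and `audit_spf` are illustrative names.

```python
import re

# Terms that make the receiver issue a DNS query during SPF evaluation
# (RFC 7208 section 4.6.4); ip4, ip6 and all cost nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

# Constructed TXT records standing in for live DNS (all names are made up).
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 " + " ".join(
        f"include:{n}.mailer.example" for n in "abcd") + " ~all",
    **{f"{n}.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all" for n in "abcd"},
    "_spf.crm.example": "v=spf1 a mx exists:%{i}.bl.crm.example include:e.crm.example ~all",
    "e.crm.example": "v=spf1 redirect=f.crm.example",
    "f.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reached from `domain`, following include/redirect."""
    if domain in path:  # include/redirect loop: stop instead of recursing forever
        return 0
    parts = zone.get(domain, "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return 0  # no SPF record published at this name
    total = 0
    for term in parts[1:]:
        term = term.lstrip("+-~?")  # the qualifier does not change lookup cost
        if term.lower().startswith("redirect="):
            total += 1 + count_spf_lookups(term[9:], zone, path + (domain,))
            continue
        match = re.match(r"([A-Za-z0-9]+)(?::([^/\s]+))?", term)
        if not match or match.group(1).lower() not in LOOKUP_MECHANISMS:
            continue
        total += 1
        if match.group(1).lower() == "include" and match.group(2):
            total += count_spf_lookups(match.group(2), zone, path + (domain,))
    return total


def audit_spf(domain, zone):
    """Return (lookups, within_limit) for the SPF record at `domain`."""
    lookups = count_spf_lookups(domain, zone)
    return lookups, lookups <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("example.com", "_spf.mailer.example"):
        lookups, ok = audit_spf(name, SAMPLE_ZONE)
        print(f"{name}: {lookups} lookups -> {'ok' if ok else 'exceeds limit, SPF permerror'}")
```

The top-level record itself lists only three lookup terms; the other nine come from nested includes, which is how records drift past the limit when a new sending service is added.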
Code Examples
✗ Vulnerable
// Using PHP mail() directly — poor deliverability:
mail('user@example.com', 'Reset Password', $body);
// Sent from shared hosting IP with no SPF/DKIM/DMARC
// Goes straight to spam or rejected
✓ Fixed
// Transactional email service with authentication:
// DNS records required:
// TXT @ 'v=spf1 include:sendgrid.net ~all'
// TXT s1._domainkey 'v=DKIM1; k=rsa; p=<public_key>'
// TXT _dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
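// PHP with SendGrid (installed via Composer: sendgrid/sendgrid):
require 'vendor/autoload.php';
$email = new \SendGrid\Mail\Mail();
$email->setFrom('noreply@example.com');
$email->addTo($userEmail);
$email->setSubject('Reset your password');
$email->addContent('text/html', $htmlBody);
// API key comes from the environment, never from source code
$sendgrid = new \SendGrid(getenv('SENDGRID_API_KEY'));
// send() returns a response object; a 2xx status means the message was accepted
$response = $sendgrid->send($email);
if ($response->statusCode() >= 300) {
    error_log('SendGrid send failed with status ' . $response->statusCode());
}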
Added
15 Mar 2026
Edited
22 Mar 2026
⚡
DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Medium
⚡ Quick Fix
Use a transactional email service (SendGrid, Mailgun, Postmark) instead of PHP's mail() or raw SMTP — they handle deliverability, SPF/DKIM alignment, bounce handling, and analytics
📦 Applies To
PHP 5.0+
web
cli
queue-worker
🔍 Detection Hints
PHP mail() function in production; SMTP sending from the application server's IP; no SPF or DKIM records; emails going to spam
Auto-detectable:
✗ No
mail-tester
mxtoolbox
postmark
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
CWE-183