Email authentication (SPF, DKIM, and DMARC) is what lets Gmail, Outlook, and other inbox providers confirm your email really came from you. Without it, even well-written email lands in spam. For a refresher on the underlying mechanics, see What is DNS?. Loops provides the records you need. You copy them into your DNS during domain setup, and DKIM signing is active from your first send. If DNS is not owned by you, the domain records page in Loops supports handing DNS setup off to someone else.
What Loops provides vs. what you add
| You add to DNS | Loops provides |
|---|---|
| SPF record (at envelope.<sendingdomain>, no collision with your root SPF) | DKIM signing on every outgoing email |
| DKIM record | A ready-to-copy default DMARC record |
| MX record | SPF alignment and envelope-from handling |
| DMARC record (with the policy you choose) | Inbox-placement improvements via Guardian |
How DKIM works in Loops
DKIM adds a cryptographic signature to every email you send. Inbox providers use the matching public key, published in DNS, to confirm the message was not tampered with. During domain setup, Loops provides the exact DNS records you need to add so DKIM verification works for your sending domain. You do not generate or manage keys yourself.
Loops’ SPF record lives at envelope.sendingdomain.com so it does not collide with any existing SPF record at your root domain. See the SPF note in Setting up your domain.
How DMARC works in Loops
DMARC tells inbox providers what to do with email that fails SPF or DKIM. Loops provides a DMARC record during domain setup that you copy into your DNS alongside the other records. You can keep the provided policy or update it over time. The three policy levels, from least to most strict:
| Policy | What happens to failing mail | When to use |
|---|---|---|
| p=none | Delivered, reported only | Starting out, monitoring |
| p=quarantine | Sent to spam | After 2 to 4 weeks of clean none reports |
| p=reject | Blocked entirely | Once confident, typically 1 to 3 months in |
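The "clean none reports" criterion in the table can be checked by tallying the aggregate reports sent to your rua address. The following is an added example, not code from Loops: it assumes the RFC 7489 aggregate-report XML layout, and the report contents, IP addresses and the function names `tally` and `ready_for_quarantine` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mail.yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>15</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mail.yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""


def tally(report_xml):
    """Return (total, passing, failing_by_source) for one aggregate report."""
    # Reports come from third parties; for untrusted XML prefer a hardened
    # parser such as defusedxml over the standard library one used here.
    root = ET.fromstring(report_xml)
    total = passing = 0
    failing = defaultdict(int)
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        if ok:
            passing += count
        else:
            key = (row.findtext("source_ip"), record.findtext("identifiers/header_from"))
            failing[key] += count
    return total, passing, dict(failing)


def ready_for_quarantine(report_xml, known_senders):
    """True when no failing message came from an IP you recognise as your own sender."""
    _, _, failing = tally(report_xml)
    return all(ip not in known_senders for ip, _ in failing)
```

Failures from sources you do not recognise are the mail a stricter policy is meant to stop; failures from your own senders are what must reach zero first.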
Recommended DMARC progression
Start with p=none
For the first few weeks, publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com at _dmarc.yourdomain.com. This collects aggregate reports without affecting delivery. Use a service like dmarc.postmarkapp.com or similar to parse reports.
Move to p=quarantine
Once reports show 100% of legitimate mail is passing DMARC, move to p=quarantine. Failing mail goes to spam instead of the inbox.
Setting it up
The full DNS record setup is covered in Setting up your domain. In short:
- Add your sending domain in Loops. A subdomain like mail.yourcompany.com is recommended, see why. If you send from more than one, see Sending from multiple domains.
- Copy the SPF, DKIM, MX, and DMARC records from the domain records page into your DNS provider, or use the export options to hand that work off.
- Click Verify Records in Loops.
Handing DNS setup to someone else
If DNS is not owned by you (infra team, IT, or an external DNS provider), the domain records page in Loops has two options that avoid manual copy-paste. Both were introduced in the DNS zone files release:
Zone file export
Download a DNS zone file containing the records Loops provides. Most DNS
providers can import a zone file directly.
Shareable records page
Share a public records URL with whoever is managing DNS. They can read the
records without access to your Loops account, which also works well for
coordinating with your own team members.
Migrating an existing domain
If you are switching to Loops from another provider and cannot afford downtime, see Migrating domains for the safe transition path. Your existing SPF/DKIM/DMARC posture matters when deciding whether to send from a subdomain or take over the root.
Verifying it is working
Loops shows “Records present” on your domain settings page when everything validates. You can also check externally:
- DKIM: send yourself an email, view headers, look for dkim=pass in Authentication-Results
- SPF: same header, look for spf=pass
- DMARC: same header, look for dmarc=pass
- End-to-end: send a test to check-auth@verifier.port25.com or use mail-tester.com
- In Loops: send your first email and check dkim=pass in the headers of the received copy
Troubleshooting
DKIM fails right after domain setup
Most often this is DNS propagation. Records can take up to an hour to
propagate globally. Wait and re-verify from the domain records page. If
the records are still missing after an hour, re-copy them (or re-export
the zone file) to confirm there is
no typo.
DMARC fails but SPF and DKIM pass
This is almost always a domain alignment issue. The
From: header domain
needs to match either your SPF or DKIM domain. If you are sending from
you@yourdomain.com but Loops signs at mail.yourdomain.com, you need
relaxed alignment (aspf=r; adkim=r) in your DMARC record, which is the
default in the record Loops provides.
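The header checks from "Verifying it is working" and the alignment comparison described here can be run together on a received copy. This is an added example, not code from Loops: the message headers, selector and server names are constructed, and `org_domain` uses a last-two-labels shortcut where real receivers consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers of a received test message (not real traffic).
RAW = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=mail.yourdomain.com header.s=sel1;\n"
    " spf=pass (sender ok) smtp.mailfrom=bounce@envelope.mail.yourdomain.com;\n"
    " dmarc=pass header.from=yourdomain.com\n"
    "From: You <you@yourdomain.com>\n"
    "Subject: auth test\n\nbody\n"
)


def org_domain(domain):
    # Simplification for the example: last two labels only.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict: domains must match exactly
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def check(raw):
    """Return method results plus relaxed/strict alignment for DKIM and SPF."""
    msg = message_from_string(raw)
    # Use the topmost header only: the one your own receiving server added.
    header = " ".join(msg.get("Authentication-Results", "").split())
    header = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
    results = {}
    for clause in header.split(";")[1:]:  # first field is the server id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause[m.end():]))
            results[m.group(1)] = (m.group(2), props)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    dkim_d = results.get("dkim", ("none", {}))[1].get("header.d", "")
    spf_d = results.get("spf", ("none", {}))[1].get("smtp.mailfrom", "").rpartition("@")[2]
    report = {name: results.get(name, ("none", {}))[0] for name in ("dkim", "spf", "dmarc")}
    for mode in ("r", "s"):
        report["dkim_aligned_" + mode] = report["dkim"] == "pass" and aligned(from_domain, dkim_d, mode)
        report["spf_aligned_" + mode] = report["spf"] == "pass" and aligned(from_domain, spf_d, mode)
    return report
```

On the constructed message both checks align under relaxed mode and neither under strict mode, which is the situation where adkim=s or aspf=s in the DMARC record would turn passing SPF and DKIM into a DMARC failure.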
Subdomain setup but DMARC is at root
A DMARC record at the root domain (
_dmarc.yourdomain.com) applies to all
subdomains by default. You do not need a separate DMARC record at
_dmarc.mail.yourdomain.com unless you want a different policy there.
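How a receiver arrives at the policy for a subdomain, as an added example that is not code from Loops. It follows the RFC 7489 lookup order and goes slightly beyond the text by also honouring the optional sp tag; the TXT data is a constructed stand-in for DNS, and the caller supplies the organizational domain.

```python
# Constructed TXT data standing in for real DNS lookups (assumption for the example).
ROOT_ONLY = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a usable record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def effective_policy(from_domain, organizational_domain, txt):
    """Return (policy, domain_that_owns_the_record), or (None, None) if none is published."""
    # 1. A record at the exact From: domain always wins.
    exact = parse_dmarc(txt.get("_dmarc." + from_domain, ""))
    if exact:
        return exact["p"], from_domain
    # 2. Otherwise fall back to the organizational (root) domain.
    root = parse_dmarc(txt.get("_dmarc." + organizational_domain, ""))
    if root is None:
        return None, None
    # The root record's sp tag, when present, overrides p for subdomains.
    return root.get("sp", root["p"]), organizational_domain
```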
Multiple sending domains and overlapping DMARC
If you send from more than one domain, each needs its own records. See
Sending from multiple domains.
A single root-level DMARC still applies to all subdomains unless you
override it.
Still seeing deliverability issues
Authentication is necessary but not sufficient. Check your sender
reputation, list
hygiene, and inbox placement
fundamentals. For ongoing
signal, see Gaining deliverability
insights. If you are sending at high
volume, Sending to a large
audience is worth reviewing.

