---
title: "Verifying SPF, DKIM, and DMARC in Staging"
description: "Send from staging to a sandbox address and read the SPF, DKIM, and DMARC results on the received message before you change production DNS."
canonical_url: "https://smtp.dev/docs/guides/spf-dkim-dmarc/"
last_updated: "2026-07-16T01:19:47.958Z"
---

Every message that arrives [over MX](/docs/setup/domain) is checked against the sender's SPF record, DKIM signature, and DMARC policy. Send from staging to a sandbox address and you get a verdict on your DNS before any real recipient does.

## Setup

<steps level="3">

### Add a sandbox domain and point its MX record at mx.smtp.dev

[Domain setup](/docs/setup/domain) has the record.

### Create a recipient account

e.g. `authcheck@sandbox.example.com` on the [Accounts](/accounts) page.

### Send to it from your staging infrastructure

Through the same provider and DNS your production traffic will use. Authentication checks the path the message took, so it has to actually leave your infrastructure.

</steps>

## Reading the Results

Open the message in [Mail](/mail/accounts) - verification results are shown with the message. Over the API, they're on the [Message resource](/docs/api#get-a-message):

```bash
curl "https://api.smtp.dev/accounts/{accountId}/mailboxes/{mailboxId}/messages/{id}" \
  -H "X-API-KEY: smtplabs_your_api_key_here" | jq '.verifications'
```

For the underlying headers, fetch the [raw source](/docs/api#get-a-message-source).

## What Each Check Means

<table>
<thead>
  <tr>
    <th>
      Check
    </th>
    
    <th>
      Passes when
    </th>
  </tr>
</thead>

<tbody>
  <tr>
    <td>
      SPF
    </td>
    
    <td>
      The delivering server's IP is listed in the envelope sender domain's SPF record
    </td>
  </tr>
  
  <tr>
    <td>
      DKIM
    </td>
    
    <td>
      The message signature validates against the public key published in the signer's DNS
    </td>
  </tr>
  
  <tr>
    <td>
      DMARC
    </td>
    
    <td>
      SPF or DKIM passes <strong>
        and
      </strong>
      
       the passing domain aligns with the visible <code>
        From
      </code>
      
       domain
    </td>
  </tr>
</tbody>
</table>

## Common Failures

- **SPF fails after adding a provider**: the provider's `include:` is missing from your SPF record, or the record now exceeds the 10-DNS-lookup limit.
- **DKIM fails on a fresh setup**: the selector in the signature doesn't match the DNS record name, or the key was rotated and DNS still serves the old one.
- **SPF and DKIM pass, DMARC fails**: alignment. The domain that passed isn't the one in `From` - typical when a provider signs with its own domain instead of yours.

<note>

Mail sent between sandbox accounts through `send.smtp.dev` never crosses your DNS, so it says nothing about your SPF or DKIM. Send from the infrastructure you're validating.

</note>
