Services
Services Overview Information Security Policies Infosec Audits
Solutions
WISP - Written Information Security Program iO™ DMARC Email Deliverability Tool
Resources
Email Deliverability Check Email SPF Checker DKIM Checker
iO™ Media
Blog Podcast - Cash in the Cyber Sheets iO™ SecCom Monthly Newsletter
About Us
Contact Us About Us Input Output ADA Compliance Statement Privacy Policy Satisfaction Guarantee Terms & Conditions
CONTACT US

#75: The Two Email DNS Gotchas Costing You Deliverability

Season #1

This shorter episode gets right to the point. We cover two high-impact issues we keep finding when helping clients clean up email deliverability. First, DKIM selectors. Too many teams set up one selector for one sending platform and forget the rest. Then messages from a marketing tool, ticketing system, billing platform, or CRM either fail to authenticate or limp by with soft fails that chip away at the domain’s reputation. Second, explicit subdomain records. For years many providers accepted a single set of records at the apex and quietly inherited them across subdomains. That is no longer a safe assumption. More vendors now expect explicit SPF, DKIM, and DMARC at the exact subdomain that sends, which means domains like mail.example.com, marketing.example.com, or help.example.com each need their own entries.

We explain how to verify all required DKIM selectors, how to name and rotate them safely, and how to map each sender to the right selector. You will hear practical tips for 2048-bit keys, long TXT handling, and what to do when you have multiple senders behind the same envelope. We also outline why DMARC alignment depends on the right selector and how a missing record can make your alignment look wrong even when the signature is technically present.

On subdomains, we walk through the common inheritance myths, when to set an explicit SPF with proper includes, when to publish subdomain DKIM keys and how to avoid copy and paste mistakes, and how to deploy a subdomain specific DMARC policy that respects your global policy while giving you the data you need. We share telltale signs that a subdomain needs its own records, such as vendor error messages, mixed alignment in DMARC reports, or inconsistent pass rates between platforms.

Before you send the next campaign, run a quick audit using our free tool: https://www.inputoutput.com/email-deliverability-tool . It checks the basics and gives you a clear path to fixes you can implement in minutes.

If you are a business owner, MSP, or the unofficial email firefighter on your team, this episode helps you prevent false spam flags, reduce bounces, and protect brand reputation. Fewer surprises in the DNS layer means more messages in the inbox, fewer headaches, and a friendlier relationship with your marketing calendar. Short, sharp, and very fixable.