Email Deliverability for Job Boards: Getting SPF, DKIM and DMARC Right

If you run a job board, email is a major part of your business and a key requirement of your platform. When emails like job alerts, application confirmations, employer notifications, and password resets don’t land, users don’t see it as a minor hiccup. They see your site as broken.

Over the last few years, Gmail and other major providers have tightened authentication rules significantly. If your domain isn’t properly set up, your emails are going straight to junk, or being rejected entirely. This is where SPF, DKIM, and DMARC come in. You don’t need to be an engineer to understand them, but it’s vital you get them right.

What these records actually do

When your platform sends an email using your domain name, the receiving server (like Gmail or Outlook) makes a basic trust decision. It asks: Is this server actually allowed to send from this domain, and has the message been tampered with?

When your platform sends an email from your domain (i.e. email@jobboard.strategies.co.uk), the receiving server (Gmail, Outlook, etc.) makes a simple decision: Is this server actually allowed to send from this domain? Has the message been tampered with?

SPF, DKIM, and DMARC answer those questions. Think of them as three layers of authentication:

  • SPF (Sender Policy Framework): Says who’s allowed to send email for your domain
  • DKIM (DomainKeys Identified Mail): Proves the message hasn’t been altered in transit
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receivers what to do after the first two checks

They won’t improve your email content or design, but without them emails won’t reach the recipient’s inbox.

They don’t improve the content or design of your emails, but nevertheless they are critical to ensure it can be delivered to the intended recipient.

SPF: Authorising the sender

SPF is a DNS record listing every system/IP address allowed to send email on behalf of your domain. If your job board platform sends emails for you, it must be in this record. If it’s not, mail servers will treat those messages as unauthorised, even if they look completely legitimate to you.

The three most common mistakes we see are:

  • Multiple SPF records. You can only have one per domain. If you accidentally have two, both fail. It’s not immediately obvious when this happens, which makes it particularly dangerous.
  • Missing includes. You have an SPF record, but it doesn’t actually list the job board platform doing the sending. Again, this won’t throw an error but your emails just quietly start landing in junk
  • Wrong domain configured. Your job board runs on teachingjobs.co.uk (or a subdomain like jobboard.strategies.co.uk), and you’ve set up SPF there correctly. But your emails are sent from your main domain (i.e. info@strategies.co.uk) which doesn’t have the job board platform in its SPF record. The SPF check happens on the domain in your FROM address, not where your job board is hosted. If they don’t match up, authentication fails.

All three are easy to miss and won’t show up as obvious errors, so check thoroughly from the start.

DKIM: Proving the message is genuine

Instead of authorising an IP address like SPF, DKIM ‘signs’ each email with a digital signature. This isn’t to be confused with the email signature at the bottom of your email, it’s a separate thing entirely. The DKIM signature is invisible to recipients but confirms the message actually came from your domain and hasn’t been modified along the way.

To enable it, you add a specific DNS record provided by your platform (i.e. Strategies). Once that’s live, outgoing mail gets signed automatically. For domains sending at scale, like job boards, DKIM is expected now, not optional.

DMARC: Defining the policy

3D illustration of email security with shield and messages on a smartphone. Ideal for spam filtering, phishing protection, and secure communication.

DMARC ties SPF and DKIM together and tells receiving servers what to do based on the authentication results.

Without DMARC, there’s no formal policy. With it, you can instruct the email server to:

  • None (Monitor mode): “Report the results to you, but deliver the email regardless”
  • Quarantine: “If authentication fails, send it to junk”
  • Reject: “If authentication fails, bounce it entirely”

Our advice: always start in monitor mode (p=none). Once you’re confident SPF and DKIM are working perfectly, you can tighten the policy. If you jump straight to “reject” and something’s misconfigured, you’ll block your own legitimate emails, which can be a nightmare to unpick.

Why job boards are uniquely exposed

Job boards generate email constantly. Even a relatively small site will need to send a serious volume over time through daily alerts, job applications, etc. From the perspective of a large email providers like Gmail, this looks like bulk sending behaviour, and bulk senders get scrutinised heavily.

If your authentication repeatedly fails, providers don’t just filter individual messages. They reduce the overall trust score of your domain. Once that happens, deliverability becomes genuinely difficult to recover. Prevention is much easier than repair.

How to sense-check your setup

You don’t need to be an email specialist to verify the basics. If you have access to your DNS panel (or can ask whoever manages it), look for:

  • SPF: A TXT record starting with v=spf1. Make sure there’s only one. Confirm it includes your job board platform.
  • DKIM: A record that looks like selector._domainkey (the exact name will vary based on your provider).
  • DMARC: A TXT record at _dmarc.yourdomain.com.

If you’re not sure what the exact values should be, ask your platform provider (i.e. Strategies). The platform provider should be able to give you the precise text to paste into your DNS – at Strategies we always supply this in the information pack we send out in preparation for the job board’s launch.

Quick email checklist

If we were auditing a job board today, here’s what we’d check to move it from “risky” to “properly configured”:

  • One valid SPF record that includes the sending platform
  • DKIM enabled and actively signing outgoing email
  • DMARC record exists (even if just set to monitor mode)

It’s worth checking this before your users discover the problem for you, or even worse, fail to receive any emails and quietly leave your job board without you having any idea why.

Need help with this?

If you’re using our job board platform or hosting, we can help – email authentication is just one aspect we handle. And if you’re exploring job board options, getting deliverability right from day one is one less thing to worry about. Check out ourjob board software andhosting services, orget in touch if you’d like to know more.