No Papers

Deliverability Case Study: "No Papers"

"No Papers" opens The Postmaster with the foundational rule of email sending: a sender who cannot prove their identity does not exist in the receiving infrastructure. The track works through all three pillars of modern email authentication — SPF, DKIM, and DMARC — through the voice of an implacable gatekeeper who has seen every ghost, every unverified sender, and every domain that thought it could slip through without papers. The tone is unhurried and certain; The Postmaster doesn't need to raise his voice because the door is already closed.

The Postmaster is a 10-track album based on Google's Top 10 Gmail Sender Issues — the official Gmail Help Center list of the most common sender violations. This track covers issue #1: Authenticate your outgoing email.

Here is the technical breakdown of the deliverability concepts detailed in the song:

Verse 1: SPF and DKIM — The Price of Entry

"No SPF, no nothing on the lock / No DKIM stamp, no place to stand / My filters read you like a book left blank / A ghost in the machine, from the lowest rank"

• The Deliverability Context: SPF (Sender Policy Framework, RFC 7208) is a DNS TXT record that tells receiving servers which IP addresses are authorized to send mail on behalf of your domain. DKIM (DomainKeys Identified Mail, RFC 6376) attaches a cryptographic signature to the email header, letting the receiving Mail Transfer Agent (MTA) verify the message originated from your domain and was not altered in transit. Without either record, the receiving server has no mechanism to validate the sender's identity — the email is, as the lyrics say, "a book left blank." Gmail, Yahoo, and virtually every major mailbox provider classify unauthenticated mail as suspicious by default, routing it to spam or blocking it entirely.
• The Fix: Publish an SPF record in your domain's DNS: v=spf1 include:[your-esp.com] ~all. Generate a 2048-bit DKIM key pair, publish the public key as a DNS TXT record on a named selector (e.g., selector1._domainkey.yourdomain.com), and configure your ESP or MTA to sign all outgoing mail. Verify both pass using MXToolbox or your ESP's authentication dashboard before your first send.

Verse 2: DMARC — Your Domain's Defense While You Sleep

"No DMARC means your name ain't safe to keep / Another ghost can wear your face while you sleep"

• The Deliverability Context: DMARC (Domain-based Message Authentication, Reporting, and Conformance, RFC 7489) ties SPF and DKIM together and instructs receiving servers what to do when either check fails: p=none (monitor only), p=quarantine (route to spam), or p=reject (block entirely). The lyric targets DMARC's most critical secondary function: without enforcement, phishers can send mail that appears to come from your domain. Your subscribers receive spoofed messages in your name — "another ghost can wear your face" — while you have zero visibility and zero control. DMARC aggregate reports (rua=) are the only mechanism that reveals this activity.
• The Fix: Publish a DMARC TXT record starting at p=none with a reporting address: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. Monitor aggregate reports for 2–4 weeks to map all legitimate sending streams. Escalate to p=quarantine, then p=reject once you've confirmed SPF and DKIM pass for every source. DMARC identifier alignment requires the RFC5321 MailFrom domain (SPF) or the DKIM d= tag to match the visible From: header domain.

Bridge: The Affirmative Case — Three Papers, Written Plain as Day

"SPF says: here's who I am, here's my gate / DKIM puts a seal on every message sent / DMARC lays the law on bad intent / Three papers. Three. Written plain as day."

• The Deliverability Context: The bridge names each protocol by function in three lines — the most concise summary of the authentication stack anywhere in the ISC catalog. SPF is the declaration of authorized senders. DKIM is the tamper-evident seal on every message. DMARC is the enforcement policy that closes the loop and produces visibility. Since February 2024, Gmail and Yahoo have required all bulk senders (5,000+ messages per day) to have all three configured — making "three papers" no longer optional but a minimum compliance requirement.
• The BIMI Extension: Once all three protocols pass consistently and DMARC is at p=quarantine or p=reject, senders become eligible for BIMI (Brand Indicators for Message Identification). BIMI displays a verified brand logo next to the message in supporting inboxes (Gmail, Yahoo, Apple Mail). It requires a Verified Mark Certificate (VMC) from an accredited authority (DigiCert or Entrust) and a published default._bimi DNS TXT record pointing to a trademarked SVG logo.

The track's final verdict — "the door stays closed" — is technically precise: an unauthenticated sender is not delayed or downgraded, they are simply not present in the inbox. Authentication does not improve deliverability incrementally; it is the condition under which deliverability exists at all.