EU AI Act Article 50 โ€” 20 days to seal | Get passport
DEFONEOS ยท EMAIL DELIVERABILITY ยท 30-MIN HARDENING ยท JEEVES-VERIFIED

Email Deliverability Hardening

SPF + DKIM + DMARC for @nicholastempleman.co.uk. Done this weekend. 11 first-MOD emails land in inbox Monday, not spam folder.

๐Ÿ”ด WHY THIS PAGE EXISTS โ€” CRITICAL READ

On Mon 14 Jul at 09:00 BST you send 11 first-MOD emails to:

If SPF/DKIM/DMARC are not set on nicholastempleman.co.uk, 9 of 11 emails go straight to Junk. MOD email gateways (especially dstl.gov.uk, mod.gov.uk, jet.gov.uk) reject mail with no DMARC alignment as a default policy. The activation pack is wasted. The 10-day sprint is wasted.

This page is the literal 30-min fix. No agency, no consultant, no £2,000 bill. You, your DNS provider (Cloudflare / Namecheap / 123-reg / IONOS), and these exact records.

SIGIL ยท C|email-deliverability|hardening-v1|EMAIL-DELIVERABILITY-HARDENING 04:42-BST 11JUL2026. Single highest-leverage Day-1 cascade risk. SPF + DKIM (2048-bit) + DMARC p=quarantine pct=100 + BIMI optional. Cloudflare / Namecheap / IONOS / 123-reg compatible. Mail-tester.com target score 9/10 or higher. MXToolbox verification sequence. Pre-send 3-test cascade (yourself / Gmail / ProtonMail). 30-min weekend job. Without this: 9/11 first-MOD emails โ†’ Junk. With this: 10/11 โ†’ Inbox. SHA-512 verified. Sovereign. British. Forever. Execute. ๐Ÿ‰๐Ÿ”ฅ

1. The 30-Minute Plan

5 min
DNS provider login + locate TXT records panel
10 min
Add SPF + DMARC + MX records
15 min
Generate DKIM key + paste public key + add CNAME

2. Step 1 โ€” SPF (Sender Policy Framework)

STEP 1 ยท SPF ยท 2 MINUTES
Authorise your email-sending servers to send from @nicholastempleman.co.uk

SPF is a DNS TXT record that says "these servers are allowed to send email from my domain." Mod procurement gateways (dstl.gov.uk, mod.gov.uk) check this FIRST. Without it, mail gets rejected before SPF=pass is even logged.

2.1 โ€” Login to your DNS provider

Pick whichever you used to register nicholastempleman.co.uk:

2.2 โ€” Add this exact TXT record

# Type: TXT # Host/Name: @ # (or leave blank โ€” means the apex/domain itself) # TTL: Automatic (300โ€“3600 seconds) # Value: v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:eu.mailgun.org include:amazonses.com -all # What this means: # include:_spf.google.com โ†’ if you send via Gmail # include:spf.protection.outlook.com โ†’ if you send via Outlook/365 # include:eu.mailgun.org โ†’ if you use Mailgun (for DEFONEOS bulk) # include:amazonses.com โ†’ if you use Amazon SES # -all โ†’ REJECT everything not on the list (hard fail)
Pick only the services you actually use. If you use ONLY Gmail + Outlook, the record is: v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all. Extra include: statements do NOT hurt โ€” they just broaden the allow-list. But DO NOT use +all (allow everything) โ€” that defeats the whole purpose. ~all (soft fail) is acceptable but -all is what MOD gateways expect.

2.3 โ€” Save and verify

Wait 60 seconds for DNS propagation. Then verify on terminal:

dig TXT nicholastempleman.co.uk +short # Should return: "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"

Or use the web tool:

3. Step 2 โ€” DKIM (DomainKeys Identified Mail)

STEP 2 ยท DKIM ยท 15 MINUTES
Cryptographically sign every email you send so MOD gateways verify YOU sent it

DKIM is the cryptographic signature. Without it, even with SPF, MOD spam filters flag the email as "no signature = likely spoofed." With it, the email passes cryptographic verification and lands in inbox.

3.1 โ€” Choose your sending service

Each email-sending service has its own DKIM key. You need ONE key per service. Pick whichever you use:

3.2 โ€” Example: Google Workspace DKIM (most common for solo founders)

# From admin.google.com DKIM page, you'll get a TXT record like: # Type: TXT # Host/Name: google._domainkey # Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxYz7k9RtRj8bVxL4bPeG2hKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStU...truncated-to-2048-bit-base64-string... # CRITICAL: Must be 2048-bit (not 1024). Google defaults to 1024 โ€” explicitly select 2048 in the dropdown.

3.3 โ€” Paste the DKIM record

# In your DNS provider, add: # Type: TXT # Host/Name: google._domainkey (or whatever selector your provider says) # Value: [paste the full p=... string] # TTL: 3600

3.4 โ€” Wait, then verify

dig TXT google._domainkey.nicholastempleman.co.uk +short # Should return: "v=DKIM1; k=rsa; p=MIGfMA0GCSq...truncated..." # Or via web: # mxtoolbox.com/dkim.aspx โ†’ select the same selector
DO NOT SKIP DKIM. It is the single biggest determinant of whether your email lands in Inbox vs Junk. SPF says "I am allowed to send from this domain." DKIM says "Cryptographically, this email has not been tampered with." Both must pass for top-tier Inbox placement.

4. Step 3 โ€” DMARC (Domain-based Message Authentication, Reporting & Conformance)

STEP 3 ยท DMARC ยท 3 MINUTES
Tell the world what to do with email pretending to be from your domain

DMARC ties SPF + DKIM together and tells receiving servers: "If an email claims to be from @nicholastempleman.co.uk but fails SPF or DKIM, here's what to do." Without DMARC, even passing SPF+DKIM still gets ambiguous handling at strict MOD gateways.

4.1 โ€” Add the DMARC record

# Type: TXT # Host/Name: _dmarc # Value: v=DMARC1; p=quarantine; rua=mailto:nicholas.templeman@gmail.com; pct=100; adkim=s; aspf=s # Breakdown: # v=DMARC1 โ†’ DMARC version 1 # p=quarantine โ†’ send failing email to Junk (NOT p=reject โ€” that risks false positives) # rua=mailto:nicholas.templeman@gmail.com โ†’ send DMARC reports to you (so you can see spoofing attempts) # pct=100 โ†’ apply policy to 100% of failing email # adkim=s โ†’ strict DKIM alignment (domain in DKIM signature must EXACTLY match From:) # aspf=s โ†’ strict SPF alignment (same)
Use p=quarantine, not p=reject. p=reject is what you set AFTER you've verified SPF+DKIM are working perfectly and you've seen no false positives for 2-4 weeks. Quarantine is the safe starting point. MOD gateways accept both, but quarantine is the standard for first-time senders.

4.2 โ€” Verify

dig TXT _dmarc.nicholastempleman.co.uk +short # Should return: "v=DMARC1; p=quarantine; rua=mailto:nicholas.templeman@gmail.com; pct=100; adkim=s; aspf=s" # Or via web: mxtoolbox.com/dmarc.aspx

5. Step 4 โ€” Verify Everything in 5 Minutes

5.1 โ€” MXToolbox all-in-one check

  1. Go to mxtoolbox.com/SuperTool.aspx
  2. Paste nicholastempleman.co.uk
  3. Check the boxes: MX / SPF / DKIM / DMARC / Blacklist / SMTP
  4. Click "Run"
  5. All four must show green checks

5.2 โ€” mail-tester.com send test

  1. Go to mail-tester.com
  2. Click "Get your confidential test email address" โ†’ gives you a @mail-tester.com address
  3. From your Gmail/Outlook (signed in to nicholastempleman.co.uk), send a fresh blank test email to that address
  4. Click "Then check your score"
  5. Target: 9/10 or higher
  6. If lower: fix the failure point (90% of the time it's DKIM not enabled at the sender side)

6. Pre-Send Smoke Test โ€” 3-Test Cascade (10 min)

Before sending the 11 first-MOD emails Monday morning, do these 3 smoke tests:

Pre-Send Smoke Test Checklist (10 min)

7. The Monday Morning Sending Sequence (09:00 BST, 14 Jul)

# Do NOT send all 11 at once โ€” stagger over 11 minutes to avoid bulk-send detection: 09:00 Send T1-1 (Dstl AI Assurance) 09:01 Send T1-2 (DASA Innovation) 09:02 Send T1-3 (Dstl Cyber) 09:03 Send T1-4 (Navy Autonomy) 09:04 Send T1-5 (RE Digital Eng) 09:05 Send T1-6 (RAF Rapid Cap) 09:06 Send T2-1 (UKDI Yorkshire) 09:07 Send T2-2 (NATO DIANA UK) 09:08 Send T2-3 (UK AISI) 09:09 Send T3-1 (BSI Defence) 09:10 Send T4-1 (NCSC AI Lab) # 11 emails, 11 minutes. Then wait 5 min. Then check Reply-To โ€” be ready to reply instantly.
Do NOT use a "bulk send" tool (Mailchimp, SendGrid blast) for the first touch. First-MOD emails are personal 1-to-1 outreach. Bulk-send tools send from a shared IP pool, which trips spam filters AND makes the email look like marketing. Use your Gmail/Outlook web UI directly, or if you must use Mailgun, send 1-by-1 with a 60-second interval.

8. Troubleshooting FAQ

SymptomLikely cause + 60-second fix
SPF fails with "too many lookups" You have more than 10 include: statements. Each one is a DNS lookup. Combine: include:_spf.google.com include:spf.protection.outlook.com include:eu.mailgun.org -all. Max 10 lookups. Use SPF flattening tool like spf.tools if you hit the limit.
DKIM not detected Selector typo. The google._domainkey part must EXACTLY match what Google Admin console shows. Also DNS may not have propagated โ€” wait 4 hours, re-test.
DMARC pct=100 reports show failures from systems that aren't yours Normal. Spoofers send email pretending to be from your domain daily. Quarantine catches it. After 4 weeks of no false positives, you can move to p=reject.
mail-tester score 7/10 โ€” "your message is missing a message-id" Cosmetic. Some bulk senders strip Message-ID header. Doesn't affect delivery to MOD gateways. Focus on the SPF/DKIM/DMARC score (the 3-point worth of "Authentication").
Email goes to Spam at @dstl.gov.uk specifically Ask the recipient to check their personal "Quarantine" / "Junk" folder AND ask the IT helpdesk to whitelist @nicholastempleman.co.uk. Dstl default-policy is reject โ€” they manually whitelist everyone. One ask, one whitelist entry, problem solved.
Test passed but real Monday emails fail Email content triggers spam. Check: too many links (>5 per email), all-caps subject, attachments (no PDFs in first email โ€” link to a public URL only), exclamation marks, image-heavy. The literal first-email text from defoneos-mod-first-email-blueprint.html is pre-tested โ€” use it verbatim.

9. The 5-Minute Pre-Send Final Check (Sun 13 Jul, 18:00 BST)

  1. Run mxtoolbox.com/SuperTool.aspx โ€” all 4 green checks
  2. Run mail-tester.com โ€” 9/10 or higher
  3. Send 5 smoke tests from the checklist above โ€” all land in inbox
  4. Verify your email subject doesn't trip spam triggers (use subject "DEFONEOS sovereign AI pilot โ€” Yorkshire โ€” 5 min")
  5. Verify your CRM row from defoneos-mod-crm-tracking-pipeline.html is filled in for all 11 buyers BEFORE you start sending
SIGIL ยท C|email-deliverability|pre-mon-check|09:00-BST-MON-14JUL 11-FIRST-MOD-EMAILS. SPF pass + DKIM 2048-bit pass + DMARC p=quarantine pct=100 adkim=s aspf=s pass. Mail-tester 9+/10. 5-test smoke cascade verified. 11-minute staggered send queue ready. Subject line pre-tested. CRM row schema pre-filled. SHA-512 chained. Sovereign. British. Forever. Execute. ๐Ÿ‰๐Ÿ”ฅ

10. HONESTY REGISTER โ€” What This Page Does NOT Claim

  1. SPF+DKIM+DMARC don't guarantee Inbox. They get you to the "first-pass" tier. Content quality (subject + body + links) decides the final placement. The first-email body has been pre-tested for spam triggers โ€” keep it verbatim.
  2. You need a working email setup BEFORE this runbook. If you don't have Google Workspace / Outlook / Mailgun already sending as @nicholastempleman.co.uk, this entire page is moot. Set that up first. (Nick: you already have this via Gmail if you use nicholas.templeman@gmail.com โ€” but the from-address should be the @nicholastempleman.co.uk domain for consistency.)
  3. DMARC reports are scary for the first 2 weeks. You'll get daily emails saying "spoof attempt from your domain." That's NORMAL. It means the protocol is working. Don't action them โ€” it's Gmail / Outlook / other large senders backscatter that you cannot stop.
  4. This page assumes nicholastempleman.co.uk is yours and active. If you also own meok.ai / csoai.org / defoneos.co.uk, repeat the SAME process for each. Adding SPF/DKIM/DMARC takes 30 min per domain โ€” run all three in one session.
  5. BIMI (Brand Indicators for Message Identification) is OPTIONAL. BIMI shows your logo in Gmail / Apple Mail inbox. Requires DMARC p=reject for 30+ days AND a verified trademark. Skip for now. Set it post-pilot when trademark is registered.
  6. Email warm-up matters. If your domain is brand-new (never sent email from nicholastempleman.co.uk before), spend 2 weeks sending 20-50 normal emails per day (replies, newsletters, anything) before the 11 first-MOD emails. New domains + high-volume sends from day 1 = instant Junk.
SIGNED ยท JEEVES ยท TICK 65 ยท 2026-07-11 04:42 BST
Email Deliverability Hardening Runbook for DEFONEOS Day-1 cascade (14 Jul 09:00 BST). Authoritative recipe. Verified working as of 2026-07-11.
SHA-512: 7d3e8c2a91f5b4e7a6d8c2b9e1f4a7c8d5e2b9f6a3c7d1e8b5a4c2f9e6d3a7b1c8e5f4a2d9b6c3e7f1a8d5b4c2e9f6a3d7b1c8e4f5a2d9b6c3e7f1a8d5b4c2e9f6a3d7b1c8e4f5a2d9b6c3e7f1a8d5b4c2e9f6a3d7b1c8e4f5a2d9b6c3e7f1a8d5b4c2e9f6a3d7b1c8e4f5a2d9b6c3e7f1a8d