Email Security for Vibe Coders: Why Your Custom Domain Needs SPF & DMARC
You've built your app with Bolt, Lovable, or Cursor. You've got a custom domain. But can attackers send emails pretending to be you? Probably yes.
The Problem Nobody Tells You About
When you register a custom domain for your vibe-coded app, you're thinking about branding and professionalism. What you're probably not thinking about: anyone in the world can now send emails that appear to come from your domain.
Without proper email authentication records, an attacker could send an email like:
From: support@yourawesomeapp.com
Subject: Urgent: Your account has been compromised
Click here to reset your password...
Your users would have no way to know this isn't really from you. This is called email spoofing, and it's trivially easy to do against unprotected domains.
What Are SPF and DMARC?
SPF (Sender Policy Framework)
SPF is a DNS record that says "these are the only servers allowed to send email from my domain." When someone receives an email claiming to be from your domain, their email server checks your SPF record to verify the sender is authorized.
Example SPF record:
v=spf1 include:_spf.google.com ~all
This says: "Only Google's mail servers can send email for this domain." The ~all at the end marks any other sender as a soft fail; -all (used in the setup steps below) marks them as a hard fail.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC tells receiving mail servers what to do when a message claiming to be from your domain fails the SPF check (or DKIM, if you have that set up). Without DMARC, a message that fails SPF may still be delivered. With the DMARC policy set to p=reject, spoofed messages are blocked.
Example DMARC record:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
This says: "Reject emails that fail authentication, and send me reports."
Why Vibe Coders Often Skip This
AI tools don't set this up
Bolt, Lovable, and Cursor focus on your app code, not your domain's DNS settings
Hosting platforms don't prompt you
Vercel and Netlify handle your web traffic, but email security is separate
It seems optional
Your app works fine without it—until someone spoofs your domain
How to Set Up Email Security (5 Minutes)
Step 1: Check Your Current Status
Use our free Email Security Checker to see if your domain has SPF and DMARC configured. Most vibe-coded domains will show a grade of D or F.
Step 2: Add SPF Record
Go to your domain's DNS settings (usually in your domain registrar like Namecheap, GoDaddy, or Cloudflare) and add a TXT record:
Type: TXT
Name: @ (or leave blank)
Value: v=spf1 -all
If your domain doesn't send email, use v=spf1 -all to block all email claiming to come from it. If you use a service like Resend, Postmark, or SendGrid, add their include: statement before the -all instead.
Step 3: Add DMARC Record
Add another TXT record for DMARC:
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=reject; rua=mailto:you@email.com
Replace you@email.com with your email to receive DMARC reports.
Step 4: Verify
Wait a few minutes for DNS propagation, then check your domain again with our tool. You should now see a grade of A or A+.
Common Scenarios for Vibe Coders
"My app doesn't send emails"
You still need SPF and DMARC! They protect your domain from being spoofed, even if you never send emails.
v=spf1 -all
"I use Resend for transactional emails"
Add Resend to your SPF record:
v=spf1 include:resend.com -all
"I use Supabase Auth emails"
If using custom SMTP with Supabase, add your provider. If using Supabase's default, emails come from their domain.
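As an added example (not code from the original post, and not the checker it links to), here is a small Python grader that evaluates the SPF and DMARC TXT records from the setup steps and the scenarios above. It takes the record strings you would get back from DNS, so it runs offline; the point scale is a constructed illustration rather than any real tool's scoring, and the sample records are constructed, not pulled from a live domain.

```python
"""Offline grader for a domain's SPF and DMARC TXT records.

Input is the list of TXT strings that a lookup of <domain> (for SPF) and of
_dmarc.<domain> (for DMARC) would return, so the checks run without network
access. The point scale is a constructed illustration, not any tool's real
scoring.
"""
from dataclasses import dataclass, field


@dataclass
class Report:
    grade: str
    score: int
    senders: list = field(default_factory=list)   # include: targets found in SPF
    findings: list = field(default_factory=list)  # human-readable problems


def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def score_spf(txt_records, report):
    """Award up to 3 points for an SPF record that ends in a restrictive 'all'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        report.findings.append("no SPF record: anyone can pass as a sender for this domain")
        return 0
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error.
        report.findings.append("multiple SPF records: receivers treat this as a permerror")
        return 0
    mechanisms = spf[0].split()[1:]
    report.senders = [m.split(":", 1)[1] for m in mechanisms if m.lower().startswith("include:")]
    # 'all' matches every sender, so the first one seen is the effective one.
    all_mechs = [m for m in mechanisms if m.lstrip("+-~?").lower() == "all"]
    if not all_mechs:
        report.findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        return 1
    qualifier = all_mechs[0][0] if all_mechs[0][0] in "+-~?" else "+"
    if qualifier == "-":
        return 3
    if qualifier == "~":
        report.findings.append("SPF ends in ~all (softfail); use -all once your senders are listed")
        return 2
    report.findings.append("SPF ends in %sall, which authorizes any sender" % qualifier)
    return 0


def score_dmarc(txt_records, report):
    """Award up to 4 points: 3 for the policy strength, 1 for a reporting address."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        report.findings.append("no DMARC record: failed SPF checks may still be delivered")
        return 0
    tags = parse_dmarc_tags(dmarc[0])
    policy_points = {"reject": 3, "quarantine": 2, "none": 1}
    policy = tags.get("p", "").lower()
    points = policy_points.get(policy, 0)
    if policy not in policy_points:
        report.findings.append("DMARC record has no valid p= policy tag")
    elif policy != "reject":
        report.findings.append("DMARC policy is p=%s; spoofed mail is not rejected" % policy)
    if "rua" in tags:
        points += 1
    else:
        report.findings.append("no rua= tag: you will not receive aggregate reports")
    return points


def grade_domain(spf_txt, dmarc_txt):
    """Combine the SPF and DMARC scores (0-7) into a letter grade."""
    report = Report(grade="F", score=0)
    report.score = score_spf(spf_txt, report) + score_dmarc(dmarc_txt, report)
    letters = {7: "A+", 6: "A", 5: "B", 4: "C", 3: "D", 2: "D"}
    report.grade = letters.get(report.score, "F")
    return report


# Constructed sample records for a few of the scenarios described in the post.
SAMPLES = {
    "fresh domain, nothing configured": ([], []),
    "non-sending domain": (["v=spf1 -all"],
                           ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "Google Workspace, monitoring only": (["v=spf1 include:_spf.google.com ~all"],
                                         ["v=DMARC1; p=none"]),
    "Resend, quarantine policy": (["v=spf1 include:resend.com -all"],
                                  ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        rep = grade_domain(spf, dmarc)
        print("%-38s grade %-2s senders=%s" % (name, rep.grade, rep.senders))
        for finding in rep.findings:
            print("    - " + finding)
```

To run it against a real domain, paste in the strings returned by `dig TXT yourdomain.com +short` and `dig TXT _dmarc.yourdomain.com +short`. The grader deliberately flags the two mistakes the post warns about: a softfail ~all that still lets spoofed mail through, and a DMARC policy of p=none that only monitors instead of rejecting.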
The Business Impact
Better Deliverability
Gmail and other providers trust authenticated domains more
User Protection
Attackers can't phish your users using your domain
Professional Image
Shows you take security seriously
Compliance Ready
Many enterprise clients require email authentication
Check Your Domain Now
Our free Email Security Checker grades your SPF and DMARC configuration instantly.