HireAmino Signals

Nobody emails you an error when your SPF breaks

Email authentication now fails loudly at the mailbox and silently at the source. That gap is a job posting — and a one-line CI check.

Pull a week of email-operations job listings and the hiring isn't where you'd expect. Not the AI startups — a solar installer, a supplements brand mailing a million-plus subscribers, a CBD wellness label, a heavy-equipment dealer, a public broadcaster's donor team. Different industries, one recurring line in the description: stay on top of whether our email reaches the inbox.

They're all hiring the same thing — a human alarm. Someone to re-check that SPF still resolves, that DMARC didn't get flipped back to p=none during a migration, that the DKIM key the new ESP rotated in is actually published, that MTA-STS still covers the current MX. None of it is what these companies do for a living. But email drives enough of the revenue that someone has to own whether it lands.

The job exists because authentication fails silently. An SPF include stops resolving; a contractor relaxes DMARC to ship a campaign and never tightens it; a DKIM selector ships at 1024 bits. Nothing bounces on the day it breaks. The mail just starts landing in spam, and you find out weeks later when the numbers sag.

And the stakes are no longer subtle. Since February 2024, Gmail and Yahoo have required SPF, DKIM and DMARC from bulk senders and capped spam complaints at 0.30% — and Gmail now rejects non-compliant mail outright. Yet posture stays half-built: in Valimail's 2026 State of DMARC, fewer than half of domains reach a DMARC policy of quarantine or reject. The bar is pass/fail; the configuration drifts.

Which points somewhere specific: authentication posture is configuration — records with correct and incorrect states that change when your stack changes. We don't pay someone to re-read the firewall rules every Tuesday; we put a check in the pipeline. Deliverability deserves the same.

That's what Amino's deliverability audit Action does: it checks SPF, DKIM, DMARC, MTA-STS and more on every push, writes a scorecard with the exact fix for each finding, and breaks the build before a regression ships. Read-only, no secrets, public DNS only. It doesn't replace the person who owns deliverability — it hands them the alarm they're being asked to be.

Try it in four steps

  1. Add it to a workflow. One step, pointed at your sending domain — it runs on every push and pull request:
    - uses: hireamino/amino-audit-action@v1
      with:
        domains: yourdomain.com
  2. Start in advisory mode. The default never fails the build — you just get the scorecard. Zero-risk to adopt.
  3. Work the findings. Every gap comes with the exact fix — publish MTA-STS, add TLS-RPT, raise the DKIM key. Clear the list.
  4. Turn on enforcement. Once you're clean, set fail-on: high so a future regression fails the build before it ships — and add comment-on-pr: true to surface it right in review.
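
Two of the silent failures described above, an SPF include that stops resolving and a DMARC policy left at p=none, checked as an added example (this is not Amino's code or the Action's implementation). The zone dictionary is constructed data standing in for public DNS TXT answers, and the names `ZONE`, `audit` and `fail_on` and the severity scale are assumptions of this example.

```python
# Constructed sample data standing in for public DNS TXT answers (not real records).
ZONE = {
    "example.test": ["v=spf1 include:_spf.esp.example include:_spf.old-esp.example ~all"],
    "_spf.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # _spf.old-esp.example is absent on purpose: that include no longer resolves.
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
SEVERITY = {"medium": 2, "high": 3}  # assumed scale, not the Action's scoring


def spf_record(name, zone):
    """Return the single v=spf1 record at name, or None if absent or duplicated."""
    found = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    return found[0] if len(found) == 1 else None


def check_spf(domain, zone):
    record = spf_record(domain, zone)
    if record is None:
        return [("high", f"{domain}: no single SPF record published")]
    findings = []
    terms = [t.lower() for t in record.split()[1:]]
    for term in terms:
        mech = term.lstrip("+-~?")  # drop the optional qualifier
        if mech.startswith("include:") and spf_record(mech[8:], zone) is None:
            findings.append(("high", f"{domain}: {mech} has no SPF record behind it"))
    if not {"-all", "~all"} & set(terms):
        findings.append(("medium", f"{domain}: SPF lacks a -all or ~all default"))
    return findings


def check_dmarc(domain, zone):
    recs = [t for t in zone.get(f"_dmarc.{domain}", []) if t.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [("high", f"{domain}: no single DMARC record published")]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (part.partition("=") for part in recs[0].split(";"))}
    if tags.get("p") not in ("quarantine", "reject"):
        return [("high", f"{domain}: DMARC policy is p={tags.get('p')}")]
    return []


def audit(domain, zone, fail_on="high"):
    """Return (findings, failed); failed is True at or above the fail_on severity."""
    findings = check_spf(domain, zone) + check_dmarc(domain, zone)
    return findings, any(SEVERITY[s] >= SEVERITY[fail_on] for s, _ in findings)


if __name__ == "__main__":
    findings, failed = audit("example.test", ZONE)
    print("\n".join(f"[{sev}] {msg}" for sev, msg in findings))
    raise SystemExit(1 if failed else 0)
```

Run as a script, it exits non-zero on the sample zone, which is what makes a CI step fail.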