Xoxoday implements SPF, DKIM, and DMARC on the xoxoday.com domain, routes application-generated emails through Twilio SendGrid, and handles corporate communications via Microsoft 365 to ensure authenticated, tamper-resistant delivery across all outbound channels.
How Xoxoday authenticates outbound email
Xoxoday fully implements SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) on the xoxoday.com domain. These three protocols work in combination: SPF declares which servers are authorised to send on behalf of a domain, DKIM cryptographically signs each message to verify it has not been altered in transit, and DMARC instructs receiving mail servers on how to handle messages that fail authentication checks. Together, these controls ensure that Xoxoday-originated emails — reward notifications, redemption confirmations, and recognition alerts — are correctly authenticated and reach employee inboxes reliably rather than spam folders.Sending email on behalf of your organisation
When Xoxoday sends emails from your organisation’s domain — for example, when distributing branded recognition emails or customer loyalty reward notifications — your IT team must add the corresponding SPF, DKIM, and DMARC records to your domain’s DNS configuration. This authorises Xoxoday’s mail servers to send on your behalf and ensures your domain’s DMARC policy is honoured throughout the delivery chain. Xoxoday provides the exact DNS values required as a standard step during onboarding.Mail service providers
Xoxoday uses two purpose-fit providers depending on email type. Application-generated emails — reward triggers, bulk distribution campaigns, OTP messages, and system notifications — are sent via Twilio SendGrid, chosen for its high-volume delivery reliability, sender reputation management, and detailed delivery analytics. Corporate communications, such as account management and support correspondence, are handled through Microsoft 365 (O365). Separating these mail streams means transactional email performance is never affected by conversational email volume. It also simplifies compliance documentation for organisations operating under frameworks such as ISO 27001 or SOC 2 Type II, where mail security controls must be evidenced across both operational and administrative channels.Why this matters for IT and security teams
Confirmed SPF, DKIM, and DMARC implementation satisfies the email security controls expected under most enterprise vendor risk questionnaires and security frameworks. It also reduces the risk of phishing campaigns impersonating Xoxoday communications to target your employees — a meaningful concern given that reward and redemption emails consistently carry high click-through rates. If your organisation’s DMARC policy is set toreject or quarantine, coordinating DNS setup before go-live is a prerequisite. Xoxoday’s implementation team supports this process as part of the standard onboarding workflow, ensuring authentication is validated end-to-end before any emails are sent from your domain.
Learn more: Xoxoday Help Centre — Infrastructure Security (Protective Technology)
Data Encryption at Rest and in Transit
Learn how Xoxoday encrypts data at rest and in transit using AES-256 and TLS 1.2+ across all platform communications.
SOC 2 Type II and ISO 27001 Compliance
Understand how Xoxoday’s independently audited compliance certifications support enterprise vendor due diligence.