Email DNS records for mail delivery and spam protection

If you landed on this page you are in email marketing and probably have email deliverability issues. Today I will show you what email DNS records you should add to make sure emails are delivered to your email subscribers.

There are 3 main records you have to add for everything to work properly and for email to be delivered: SPF, DKIM and DMARC.

What is an SPF record

SPF stands for Sender Policy Framework. This record shows which IPs and hosts are allowed to send emails on behalf of your domain. If there is no policy, anyone can pretend to be “you” and send emails using your domain name.

How to add an SPF record

In order to add an SPF record you have to add a DNS (Domain Name Service) record. How you do that depends on your specific case:

Let’s say you have bought a domain via the Namecheap registrar and are pointing all records to your server. Then you have to log in to your registrar and add the new records.

I usually like to point domain names from the registrar to Cloudflare and only then add all the records.

You will need to add a TXT type record where the name is your domain name.

E.g. Name: example.com

If you want to send emails just from your own domain/IP then your record (value) should look like this:

v=spf1 mx a include:example.com -all

If you send emails via a third party like GetResponse, I suggest searching their knowledge base, because they usually care about customers and there will be an article about it with clear instructions. In my case:

v=spf1 mx a include:_spf.getresponse.com -all

If you don’t plan to send emails via your own domain add the record below in order to stop spammers using your brand domain name.

v=spf1 -all

Usually I use a third party email autoresponder, but sometimes I still need to communicate with email subscribers “one on one” as well. This is not really possible, as most third party tools don't have a “chat” function to send emails back and forth. In this case you want an SPF record that covers your third party plus the IP of your website host. Connect to your hosting and find out what IP address is used to host your website.

v=spf1 mx a include:_spf.getresponse.com ip4:192.168.0.2 -all

The “all” operator can be used in four ways:

-all

Fail: servers/IPs/domains not included in this record will not be able to send emails. Anyone else who tries to send using your domain name will be rejected (in most cases you will use this policy).

~all

Softfail: if an email is sent from a server/IP not included in the record, it will still be delivered but marked (not recommended).

+all

Allows all servers to send email (I don’t recommend using this in any case).

?all

Neutral: no policy at all (don’t use unless testing).
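The four qualifiers above, as an added example that is not part of the original post: a small Python auditor that parses an SPF value, reports what happens to unlisted senders and flags weak settings. The function names are made up for this sketch, redirect= modifiers are not followed, and it goes slightly beyond the text by handling a bare "all" (which means "+all") and terms placed after "all".

```python
# Added example (not from the original post): audit the "all" term of an SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms = []
    for part in parts[1:]:
        if "=" in part.split(":", 1)[0]:
            continue  # modifiers (redirect=, exp=) are skipped, not followed
        # A mechanism written without a qualifier defaults to "+" (pass).
        qualifier, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        name, _, arg = body.partition(":")
        terms.append((qualifier, name.partition("/")[0].lower(), arg))
    return terms


def audit_spf(record):
    """Return the result for unlisted senders, the listed senders, and findings."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []
    if "all" in names:
        idx = names.index("all")
        policy = QUALIFIERS[terms[idx][0]]
        if idx != len(terms) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
        senders = terms[:idx]
    else:
        policy = "neutral"  # no 'all' term: nothing tells receivers to reject
        findings.append("record has no 'all' term")
        senders = terms
    if policy == "pass":
        findings.append("+all lets any server send as this domain")
    elif policy in ("softfail", "neutral"):
        findings.append(policy + " does not reject unlisted senders")
    authorised = [n + (":" + a if a else "") for q, n, a in senders if q == "+"]
    return {"policy": policy, "authorised": authorised, "findings": findings}


# Two records quoted in the post, plus one constructed record with a bare "all".
SAMPLES = [
    "v=spf1 mx a include:_spf.getresponse.com ip4:192.168.0.2 -all",
    "v=spf1 -all",
    "v=spf1 mx all",  # constructed: a bare "all" means "+all"
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", audit_spf(rec))
```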

What is a DKIM record

DKIM stands for DomainKeys Identified Email. This record validates that the company/domain has a right to send emails using special keys (public and private).

How to add a DKIM record

You will need to add one TXT record to your DNS settings where the “name” is your selector and the value is your public DKIM key.

When you’re using a third party service, the DKIM settings should be ready and waiting for you to add. Search the knowledge base for how to access and add them (all instructions).

In my case I’m using GetResponse and can’t access the private key, just the public key. So the DNS record looks like this:

Name(selector): 25ba39._domainkey

Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoYdyGzjSszi4caBkAFgiHUCq9G9ooP62Bua78M9A0Ptr4zSYOPq+2fXqoNDbvVbkN4yGQNwGxecK3uCrSD5VMwk1DiYV99yg8mdYi5J2gftVp1sZ5mYaScO0aUy9AGkzUVWu3zl/D3azexMMOYR7MMo  

What is a DMARC record

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. This record works like a rule: it identifies whether SPF and DKIM passed or failed and what to do next.

[Image: DMARC scheme. Image credit: https://dmarc.org/]

How to add a DMARC record

You will have to add a TXT record to your DNS.

Name: _dmarc

Value:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

This record has 3 possible policy configurations:

Monitor policy: p=none

The none policy is good when you just want to monitor, gather reports and analyze.

Quarantine policy: p=quarantine

All emails which fail SPF and DKIM will be sent to the spam folder and will not reach the recipient’s “inbox”.

Reject policy: p=reject

All emails which fail SPF and DKIM will not reach the recipient at all (this is the best policy to prevent email spoofing).

rua=mailto:[email protected];

Means all aggregated DMARC reports about messages will be sent to the selected email address.

ruf=mailto:[email protected];

Means all failing or partially failing (SPF or DKIM) message reports will be sent to the selected email address.
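How the policy and report tags above are read, as an added example that is not part of the original post: a Python sketch that parses a DMARC value, extracts the rua/ruf addresses and returns what a receiver is asked to do with a message. The function names and the report addresses are constructed for illustration, and tags such as pct= and sp= are not handled.

```python
# Added example (not from the original post): parse a DMARC record and apply its policy.
VALID_POLICIES = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict of tags, validating v= and p=."""
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue  # tolerate the trailing ';' used in the post's record
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: " + item.strip())
        tags.setdefault(key.strip().lower(), value.strip())
    # The version tag must come first and match exactly.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags["p"] = tags["p"].lower()
    return tags


def report_addresses(tags, tag):
    """Return the mailto: addresses listed in a rua= or ruf= tag."""
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    return [u[len("mailto:"):] for u in uris if u.lower().startswith("mailto:")]


def disposition(tags, spf_aligned_pass, dkim_aligned_pass):
    """What a receiver is asked to do with one message under this record."""
    # DMARC passes when at least one of SPF or DKIM passes for the From: domain;
    # the policy only applies to messages that fail both checks.
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return VALID_POLICIES[tags["p"]]


# Constructed record in the shape shown in the post; the addresses are placeholders.
SAMPLE = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; "
          "ruf=mailto:dmarc-fail@example.com; fo=1;")

if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE)
    print(tags["p"], report_addresses(tags, "rua"), report_addresses(tags, "ruf"))
    for p in VALID_POLICIES:
        print(p, "->", disposition(dict(tags, p=p), False, False))
```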

How to test email DNS records and email delivery

Handy links:

mail tester: send a real email, get an email sender score and identify problems (just like in this video)

mxtoolbox: test your domain for blacklists and email DNS records

dmarcian: check email DNS records

About Mantas J

Blogger, marketer, coffee lover, currently developing several online projects.
