Email DNS records for mail delivery and spam protection

What is SPF record

SPF record stands for Sender Policy Framework. This record will show what IP’s and hosts are allowed to send emails on behalf of your domain (if so). If there are no policies anyone can pretend to be “you” and send emails using your domain name. 

How to add SPF record

In order to add SPF records, you have to add a DNS (Domain Name Service) record. Depends on your specific case: 

Let’s say you have bought a domain via Namecheap registrar and pointing all records to your server. Then you have to connect to your Registrar and add new records.

I usually like to point domain names from the registrar to Cloudflare and just then add all records.   

You will need to add TXT type record where the name will be your domain name

E.g. Name: example.com  

If you want to send emails just from your own domain/IP then your record (value) should look like this:

v=spf1 mx a include:example.com -all

Sending emails via third parties like GetResponse and others I suggest searching their knowledge base because usually they care about customers and there will be an article about it with clear instructions. In my case 

v=spf1 mx a include:_spf.getresponse.com -all

If you don’t plan to send emails via your own domain add the record below in order to stop spammers from using your brand domain name.

v=spf1 -all

Usually, I use a third-party email autoresponder, but still, sometimes I need to communicate with email subscribers “one on one” as well. This is not really possible as most third-party tools don’t have a “chat” function to send emails forwards and backward. In this case, you want to add an SPF record from your third party plus the IP of your website host. Now connect to your hosting and find out what IP address is used to host your website.

v=spf1 mx a include:_spf.getresponse.com ip4:192.168.0.2 -all

The operator “all” may be executed in four ways 

-all

Fail- Servers/IP’s/domains not included in this record will not be able to send emails. Anyone who tries to send using your domain name will be rejected. (in most cases you will use this policy) 

~all

Softail- If emails are sent using this operator and servers/IP’s not included in the record, then emails still be delivered but marked. (not recommended)

+all

Allow all servers to send an email (I don’t recommend using this in any case)

?all

Neutral- no policy at all (don’t use unless testing)

What is DKIM record

DKIM stands for DomainKeys Identified Email. This record validates that the company/domain has a right to send emails using special keys (public and private).

How to add DKIM record

You will need to add one TXT record to your DNS settings where “name” will be your selector and the value will be your public DKIM key. 

When you’re using a third-party service then DKIM settings should be ready waiting for you to be added. Search knowledge base on how to access it and add (all instructions). 

In my case, I’m using GetResponse and can’t access the private key, just a public key. So DNS record looks like this   

Name(selector): 25ba39._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoYdyGzjSszi4caBkAFgiHUCq9G9ooP62Bua78M9A0Ptr4zSYOPq+2fXqoNDbvVbkN4yGQNwGxecK3uCrSD5VMwk1DiYV99yg8mdYi5J2gftVp1sZ5mYaScO0aUy9AGkzUVWu3zl/D3azexMMOYR7MMo  

What is DMARC record

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. This record is like a rule, which identifies if SPF and DKIM passed or failed and what to do next. 

email dns records DMARC scheme

Image credit: https://dmarc.org/

How to add DMARC record

You will have to add a TXT record to your DNS.

Name: _dmarc

Value:

v=DMARC1; p=none; rua=mailto:webmaster@example.com; ruf=mailto:webmaster@example.com; fo=1;

There may be 3 policy configurations to this record

Monitor policy: p=none

No policy is good when you want just to monitor, gather reports and analyze.

Quarantine policy: p=quarantine

All emails which fail SPF and DKIM will be sent to the spam folder and will not reach the recipient’s “inbox”.

Reject policy: p=reject

All emails which fail SPF and DKIM will not reach the recipient at all (this is the best policy to prevent email spoofing).

rua-mailto:webmaster@example.com;

This means all aggregated DMARC reports about messages will be sent to the selected email addresses. 

ruf=mailto:webmaster@example.com; 

This means all failing or partially failing (SPF or DKIM) message reports will be sent to the selected email addresses.

How to test email DNS records and emails delivered

Handy links: 

mail tester– to send a real email, get the email sender score and identify problems (just like in this video)

mxtoolbox– test your domain for blacklist and email DNS records

dmarcian– check email DNS records

About Mantas J

Blogger, marketer, coffee lover,- currently now developing several online projects.