HomeMailConfiguring MX, SPF & Other DNS Records for Improved Email Delivery

Configuring MX, SPF & Other DNS Records for Improved Email Delivery

Ensuring your emails reach their intended recipients without spam filters flagging them or them getting lost in the digital ether is crucial for any business or individual. One of the keys to achieving this is the proper configuration of DNS (Domain Name System) records. As a server administrator, I’ve seen the critical impact of DNS configurations on email deliverability. Many of these issues, including emails landing in spam folders or failing to arrive altogether, often stem from misconfigured DNS records. Here’s a guide, borne out of my personal experiences, to help you navigate the often-overlooked nuances of DNS setup for ensuring your emails reach their intended destinations.

Improve email deliverability

DNS Records for Email

  • MX records are responsible for directing incoming emails to the correct server based on the domain name.
  • SPFrecords specify which mail servers have authorization to send emails on behalf of your domain, helping to prevent email spoofing.
  • DKIM adds a digital signature to emails your domain sends, letting receiving servers verify that the email remains untampered and the domain owner has authorized it.
  • DMARC uses SPF and DKIM records to improve email security by specifying how receivers should handle emails that fail SPF or DKIM checks.
  • PTR , used for reverse DNS lookup, mapping an IP address to a domain name. It’s crucial for some receiving mail servers to verify the sender’s identity.

MX (Mail Exchange) :

MX records, or Mail Exchange records, are a type of DNS (Domain Name System) record that specifies a mail server responsible for receiving and handling emails on behalf of your domain. Moreover, MX records tell other mail servers how to find your email server on the internet, enabling the correct delivery of emails to your domain.

How MX Records Work

When someone sends an email to your domain (e.g., user@example.com), their email server looks up the MX records for “example.com” in the DNS. The MX records provide the address of the mail server(s) that can accept email for your domain. The sending server then directs the email to one of these specified mail servers.

Configuring MX Records

MX records consist of two main parts: a priority value and the domain name of the email server. Here’s what you need to know about configuring them:

  • Priority:MX records include a priority number indicating the order to try the mail servers.Lower numbers have higher priority. If there are multiple servers with the same priority, the sender’s email system can choose any at random.
  • Mail Server Domain: The fully qualified domain name of the mail server designated to handle email for your domain specifies this. It’s important that this domain has an A record (for IPv4) or AAAA record (for IPv6) pointing to the IP address of the mail server.

Example of MX Records

Suppose you have two mail servers for your domain “example.com”: one primary and one backup. Your MX records might look like this:

  • Priority: 10 Mail Server: mail1.example.com.
  • Priority: 20 Mail Server: mail2.example.com.

In this example, emails will be directed to mail1.example.com first because it has a higher priority (indicated by a lower number). If mail1 is unreachable, emails will then be directed to mail2.example.com.

SPF (Sender Policy Framework)

SPF, an email authentication method, prevents spammers from sending messages on behalf of your domain. A DNS text record specifies which mail servers have permission to send email for your domain. By implementing an SPF record, you help increase the legitimacy of your email. Also reducing the likelihood that receiving mail servers will mark it as spam

The primary goal of SPF is to let domain owners specify which mail servers have authorization to send emails on their behalf. This helps to combat email spoofing, where attackers send emails from a forged email address, often used in phishing attacks.

How SPF Works

When an email is sent, the receiving mail server checks the sender’s domain DNS records for the SPF record. The SPF record specifies which IP addresses can send email from the domain. Therefore the receiving server verifies the sender’s IP address against the SPF record. If the SPF record lists the email’s originating IP address, the system considers it authentic. Otherwise, it may reject the email or mark it as spam. It depends on the policies of the receiving server and the “fail” mechanism specified in the SPF record.

Configuring an SPF Record

We can publish an SPF record in DNS as a TXT record. The record lists all the IP addresses that authorized to send mail from your domain and specifies a policy for how receiving servers should treat emails not aligning with the record.

A basic SPF record looks something like this:

v=spf1 ip4: ip4: include:thirdparty.com -all
  • v=spf1 indicates the version of SPF used.
  • ip4 specifies IP addresses that are allowed to send email.
  • include is used to include the SPF record of another domain, which is useful if you use third-party services to send emails.
  • -all specifies a “hard fail” for any sources not explicitly allowed in the record. Other mechanisms include ~all for a “soft fail” and ?all for a neutral stance, indicating that the SPF record is still being tested.

Thus implementing SPF is a crucial step in securing your email domain against spoofing and phishing attacks. It’s part of a trio of email authentication standards, alongside DKIM and DMARC, that work together to verify the authenticity of email messages.

DKIM (DomainKeys Identified Mail)

The DKIM email security standard aims to prevent email spoofing, a common technique in phishing and email spam. DKIM enables senders to attach a digital signature to emails. This allows receiving mail servers to verify that the email genuinely came from the claimed domain and that its content remains unchanged during transit.

How DKIM Works

  1. Signing:The outgoing mail server generates a unique DKIM signature for the message when sending an email. This signature is based on the content of the email and a private key known only to the sender’s domain.
  2. DNS Record: The sender’s domain publishes the corresponding public key in its DNS records as a TXT record. This public key is what receiving mail servers will use to verify the email’s DKIM signature.
  3. Verification: Upon receiving an email, the recipient’s mail server looks up the sender’s DKIM public key through DNS. It then uses this public key to decrypt the signature attached to the email.If the decrypted signature matches a signature newly calculated based on the email’s content, the system considers the email authentic.

Configuring DKIM

  1. Generate a DKIM Key Pair: Use a tool or service that generates DKIM key pairs. The key pair consists of a private key (kept secret) and a public key (published in DNS).
  2. Publish the Public Key: Add a TXT record to your DNS settings to publish the DKIM public key. The record name usually follows the format selector._domainkey.yourdomain.com, where selector is a unique name identifying the key pair, and yourdomain.com is your domain.
    • Example TXT record value: v=DKIM1; k=rsa; p=MIGfMA0GCSqG... (The p= part will be your public key).
  3. Configure Your Email Server: Configure your email server or service to sign outgoing emails with the private DKIM key. Many email service providers (ESPs) offer DKIM setup options in their dashboard.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC, an email authentication protocol, allows email domain owners to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to improve and ensure the integrity and security of email communication. DMARC builds on two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), by adding a reporting function that allows senders to instruct email providers on how to handle mail that doesn’t pass SPF or DKIM checks.

How DMARC Works

DMARC policies are published in the DNS as TXT records and specify how mail receivers should treat emails that claim to come from your domain but fail SPF and DKIM checks. Additionally, DMARC specifies how receivers can report back to you about messages that pass and/or fail these checks. This feedback loop is invaluable for organizations to identify and mitigate potential email spoofing issues.

Configuring DMARC

To set up DMARC, you add a TXT record to your domain’s DNS records with a specific format that outlines your DMARC policy. Here is a basic structure of a DMARC TXT record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;
  • v=DMARC1: This tag indicates the version of DMARC in use. Currently, DMARC1 is the only version.
  • p=none: This tag sets the policy for how receivers should treat emails that fail DMARC checks. Options include:
    • none: Take no specific action; merely report the failure.
    • quarantine: Treat the email with suspicion, often moving it to the spam/junk folder.
    • reject: Block the email from being delivered altogether.
  • rua=mailto:dmarc-reports@example.com: This tag specifies the destination for aggregate reports of DMARC failures, offering insights into emails sent from your domain, including those failing DMARC checks.

PTR(Pointer) Records

PTR records, commonly known as Pointer records or Reverse DNS records, play a crucial role in the internet’s naming structure by mapping an IP address back to a host name. Unlike most DNS records that translate names to IP addresses (forward DNS), PTR records do the opposite, providing the ability to perform a reverse DNS lookup.

Purpose of PTR Records

The primary purpose of PTR records is to verify the IP address’s association with a host name.This verification process holds particular importance for email servers, using it as a method to combat spam and ensure email security.

Many mail servers perform a reverse DNS lookup on the incoming messages’ IP addresses. If the PTR record does not match the expected value or is missing, email servers can mark the email as spam or reject it.

How PTR Records Work

When performing a reverse DNS lookup, the querying server searches for the PTR record associated with the given IP address. For an IP address like, the server queries the PTR record at (for IPv4) or uses the corresponding nibble format for an IPv6 address within the ip6.arpa zone. It should receive the domain name linked to that IP address as a response.

Configuring PTR Records

PTR records are typically managed by the organization responsible for the IP address block, often an Internet Service Provider (ISP) or hosting provider. To set up or modify a PTR record:

  1. Contact Your ISP or Hosting Provider: Since the organization responsible for the IP block level manages PTR records, individual domain owners usually cannot create or modify PTR records directly. You’ll need to request the PTR record setup through your ISP or hosting provider.
  2. Provide Necessary Information: You will likely need to provide the IP address you wish to have a PTR record for, and the fully qualified domain name (FQDN) that the IP address should resolve to.
  3. Verification: After the PTR record is set up, verify it by performing a reverse DNS lookup using tools like nslookup, dig, or online reverse DNS lookup services.

Although most internet services do not directly use PTR records, they play a crucial role in certain applications, especially in email delivery. Configuring a PTR record well can significantly lower the chances of spam marking your emails, thus enhancing the reputation of your email server.Additionally, PTR records can assist in troubleshooting network issues and verifying the legitimacy of servers in various security contexts.

Scroll to Top