Understanding DNS for Email
DNS (Domain Name System) records are critical for email authentication and deliverability. They prove you own your domain and authorize servers to send email on your behalf.
Prerequisites
- Access to your domain's DNS management panel
- Domain ownership verification completed
- Email service provider account details
- 24-48 hours for full propagation
DNS Record Types for Email
Authentication Records
- SPF - Authorized senders
- DKIM - Message signing
- DMARC - Policy enforcement
Routing Records
- MX - Mail server routing
- PTR - Reverse DNS lookup
- CNAME - Aliasing records
SPF Record Configuration
SPF (Sender Policy Framework) tells receiving servers which IP addresses and domains are authorized to send email for your domain.
SPF Record Structure
Common SPF Examples
Basic SPF (single provider)
v=spf1 include:_spf.google.com ~all
For Google Workspace only
Multiple providers
v=spf1 include:_spf.google.com include:spf.sendgrid.net include:mail.zendesk.com ~all
Google + SendGrid + Zendesk
With IP addresses
v=spf1 ip4:192.168.1.1 ip4:10.0.0.0/24 include:_spf.google.com ~all
Specific IPs + Google
InboxKit optimized
v=spf1 include:_spf.inboxkit.com include:_spf.google.com ~all
InboxKit + Google Workspace
SPF Limitations
- Maximum 10 DNS lookups allowed
- Only one SPF record per domain
- Record cannot exceed 255 characters
- Use ~all (soft fail) initially, then -all (hard fail)
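The 10-lookup limit counts every include, a, mx, ptr, exists and redirect term, including those reached through nested includes, so a record with three includes can cost more than three lookups. The following is an added example, not code from the original page or from InboxKit: it counts lookups over a constructed zone and also enforces the one-record-per-domain rule. The nested record contents and the names CONSTRUCTED_ZONE, count_lookups and spf_verdict are assumptions for illustration.

```python
# Added example: count the DNS-querying terms in an SPF record tree
# (RFC 7208 section 4.6.4). CONSTRUCTED_ZONE stands in for live DNS; the
# nested records are made-up sample data, not the providers' real ones.
LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

CONSTRUCTED_ZONE = {
    "yourdomain.com": ["google-site-verification=constructed",
                       "v=spf1 include:_spf.google.com include:spf.sendgrid.net "
                       "include:mail.zendesk.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mail.zendesk.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

def spf_record(domain, zone):
    """Return the single SPF record for domain; zero or several is an error."""
    found = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def parse_term(term):
    """Split one SPF term into (name, target domain), dropping qualifier and CIDR."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, arg = term.partition(":")
    return name.split("/")[0].lower(), arg.split("/")[0]

def count_lookups(domain, zone=CONSTRUCTED_ZONE, path=()):
    """Count terms that cost a DNS lookup, following include and redirect."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_verdict(domain, zone=CONSTRUCTED_ZONE):
    """Return ("ok" | "permerror", lookup count) against the 10-lookup limit."""
    count = count_lookups(domain, zone)
    return ("permerror" if count > LOOKUP_LIMIT else "ok", count)
```

With the constructed zone, the three-provider record costs five lookups because the Google include pulls in two more. SPF macros in include targets are not expanded here.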
DKIM Setup Guide
DKIM (DomainKeys Identified Mail) adds a digital signature to your emails, allowing receivers to verify the message hasn't been tampered with.
DKIM Setup Process
1. Generate DKIM Keys
   Your email provider will generate a public/private key pair
   # Example selector and domain
   google._domainkey.yourdomain.com
2. Add TXT Record
   Add the public key to your DNS as a TXT record
   # Name:
   google._domainkey
   # Value:
   v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...
3. Enable DKIM Signing
   Activate DKIM signing in your email provider's settings
4. Verify DKIM
   Send a test email and check DKIM signature validation
Multiple DKIM Records
Unlike SPF, you can have multiple DKIM records for different services:
- google._domainkey → Google Workspace
- s1._domainkey → SendGrid
- zendesk._domainkey → Zendesk
- inboxkit._domainkey → InboxKit
DMARC Policy Implementation
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do with emails that fail SPF or DKIM checks.
DMARC Record Format
DMARC Policy Levels
Level | Policy | Use Case | Risk |
---|---|---|---|
Monitor Only | p=none | Initial setup, monitoring | Low |
Quarantine | p=quarantine | Testing phase | Medium |
Reject | p=reject | Full protection | High |
Progressive DMARC Implementation
1. Week 1-2: p=none - Monitor only
2. Week 3-4: p=quarantine; pct=25 - Test with 25%
3. Week 5-6: p=quarantine; pct=50 - Increase to 50%
4. Week 7-8: p=quarantine; pct=100 - Full quarantine
5. Week 9+: p=reject - Full enforcement
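During the pct stages, failing mail outside the sampled percentage is not left untouched: under RFC 7489 message sampling it receives the next weaker policy. The following added example (not from the original page or from InboxKit) parses each stage's record and computes that split; the rua address is a placeholder and the function names are assumptions for illustration.

```python
# Added example: parse a DMARC record and compute how DMARC-failing mail is
# split between dispositions at each rollout stage (RFC 7489 message sampling).
# The rua address is a placeholder; ROLLOUT is constructed from the stages above.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Return the record's tags as a dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in DOWNGRADE:
        raise ValueError("p= must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags

def failing_mail_split(record):
    """Percentage of DMARC-failing mail that receives each disposition."""
    tags = parse_dmarc(record)
    split = {"none": 0, "quarantine": 0, "reject": 0}
    split[tags["p"]] += tags["pct"]
    # Mail outside the pct sample gets the next weaker policy, not the stated one.
    split[DOWNGRADE[tags["p"]]] += 100 - tags["pct"]
    return split

RUA = "rua=mailto:dmarc-reports@yourdomain.com"
ROLLOUT = [
    f"v=DMARC1; p=none; {RUA}",
    f"v=DMARC1; p=quarantine; pct=25; {RUA}",
    f"v=DMARC1; p=quarantine; pct=50; {RUA}",
    f"v=DMARC1; p=quarantine; pct=100; {RUA}",
    f"v=DMARC1; p=reject; {RUA}",
]

if __name__ == "__main__":
    for stage in ROLLOUT:
        print(stage, "->", failing_mail_split(stage))
```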
MX Records Configuration
MX (Mail Exchange) records direct incoming email to the correct mail servers. Priority values determine the order of server attempts.
Google Workspace MX Records
Priority | Mail Server | TTL |
---|---|---|
1 | aspmx.l.google.com | 3600 |
5 | alt1.aspmx.l.google.com | 3600 |
5 | alt2.aspmx.l.google.com | 3600 |
10 | alt3.aspmx.l.google.com | 3600 |
10 | alt4.aspmx.l.google.com | 3600 |
MX Priority Rules
- Lower numbers = higher priority
- Same priority = load balancing
- We recommend having backup servers (priority 5-10)
- Remove old MX records to prevent mail loops
PTR Records (Reverse DNS)
PTR records enable reverse DNS lookups, mapping IP addresses back to domain names. They're crucial for email server reputation.
Setting Up PTR Records
Important Note
PTR records are set by your IP address owner (ISP or hosting provider), not in your domain's DNS. Contact them to configure reverse DNS.
PTR Record Requirements:
- Must match forward DNS (A record)
- Use mail server hostname (mail.yourdomain.com)
- One PTR record per IP address
- Critical for email deliverability
Testing Your DNS Setup
After configuring DNS records, thoroughly test each component to ensure proper setup and propagation.
Command Line Testing
Online Testing Tools
Troubleshooting Common Issues
SPF PermError: Too many DNS lookups
Your SPF record exceeds the 10 DNS lookup limit.
Solution: Flatten your SPF record or use SPF macros. Consider using InboxKit's SPF optimization service.
DKIM signature verification failed
DKIM key in DNS doesn't match the signature.
Solution: Verify selector name, regenerate keys if needed, and ensure no extra spaces in the DNS record.
DMARC reports not received
Not receiving aggregate or forensic reports.
Solution: Check rua/ruf email addresses are valid, ensure email server accepts DMARC reports, verify DNS propagation.
Provider-Specific Guides
Provider | Default TTL | Interface | API Available |
---|---|---|---|
Cloudflare | Auto | Web Portal | |
Route 53 | 300 | AWS Console | |
GoDaddy | 600 | Web Portal | — |
Namecheap | 1800 | Web Portal | |
Google Domains | 3600 | Web Portal | — |
Ongoing Maintenance
DNS Maintenance Checklist