There are four DNS records that are related to emails on your domain name. They are:
- MX Record
- SPF Record
- DKIM Record
- DMARC Record
MX records are a DNS record type and they impact incoming emails. The other three are actually TXT record type and they are related to outgoing emails. SPF records and DKIM records are methods to validate the sender of emails. DMARC records control what happens if an email fails SPF and/or DKIM tests.
When somebody sends an email to an email address on your domain, how it finds the right email server to go to? This is where MX (mail exchange) records come into the play. MX records direct the incoming emails to the right mail server. MX records alway point to a domain (not an IP).
If you think about it, MX records for emails are very similar to A records for web traffic. Similar to how A record direct your website’s incoming HTTP requests to the right web server, the MX records direct your incoming emails to the right mail server.
You can have multiple MX records set up on your domain. Incoming emails always try to use the MX record with the lowest priority number, and if it fails they’ll try to use the ones with higher priority number. Priority number 0 is the highest possible. For instance these are the MX records of G Suite:
As you can see, Google gives you 5 MX records with different priorities.
Note that the priority numbers are only evaluated relative to each other and the absolute value of them makes no difference. In other words MX records with priority numbers 1, 2 and 3 is exactly the same as MX records with priorities 10, 35 and 80. In both cases, incoming emails try to use the first server first and in case it fails they try the second and finally the third one.
How to Check MX Records?
You can check the MX records of a domain in multiple ways. If you like using your command line you can use the dig command:
dig parsifar.com mx
Or you can use online tools like MX Lookup.
This was all? you need to know about the MX records. Without MX records you won’t receive incoming emails to your domain. The other three records determine whether outgoing emails from your domain end up in users inbox or their spam folder. In other words they deal with authentication and deliverability of your outgoing emails.
Imagine an email server gets an email that seems to be from your domain. How can that receiving email server make sure that the sending email server is authorized to send emails from your domain? Enters the SPF record. A Sender Policy Framework (SPF) record is a TXT DNS record that includes a list of the servers that are authorized to send emails from your domain. For instance, if you’re using G Suite to send emails, your SPF record may look like this:
v=spf1 include:_spf.google.com ~all
The first part (v=spf1) is the spp version and it’s always 1. The second part includes a list of all authorized servers. In the above example there’s only one authorized server, but for instance if you want to also send emails from Mailchimp, then you should include that server as well.
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
SPF record can also include the IP address of the email server, for instance, if you wanna authorize a mail server with IP 22.214.171.124 and also Google mail servers, you can use:
v=spf1 ip4:126.96.36.199 include:_spf.google.com ~all
If you have “mx” in the SPF record, it means that the server that the MX record is pointing to (which is the incoming email server) is also authorized to send emails. For instance:
v=spf1 mx include:spf.protection.outlook.com ~all
The final part of an SPF record is the all part. It determines what should happen to emails sent from servers that are not on the list. If it is -a it means that those emails must be rejected (Hard fail) and if it is ~all it means that those emails should be marked as suspicious (soft fail).
Important Note: A domain MUST NOT have more than one SPF record. If you wanna authorize multiple email servers, you must put all of them in one SPF record. So always check for existing SPF records before adding a new one.
How to Check SPF Records?
dig parsifar.com txt
For a more in-depth explanation of the syntax you can check openspf.org.
DKIM stands for DomainKeys Identified Mail and it’s another mechanism to authenticate emails and prevent spammers to impersonate a domain. The DKIM record which is a TXT record is one part of the DKIM mechanism. The other part of the DKIM mechanism is the DKIM header which is attached to all outgoing emails from your domain.
How DKIM Works?
DKIM uses a public key and a private key. The sending email server attaches a DKIM header to all outgoing emails. It puts a digital signature in that header. That digital signature is generated by signing (encrypting) a section of the data (this can be the subject, from address, to address, etc…) using the private key.
Now when the receiving email server receives that email, it tries to verify that digital signature using the public key. Where does it get the public key from? The answer is the DKIM record on the DNS records of the domain.
In other words, when the receiving email server gets an email from example.com domain, it queries the DKIM record on example.com and gets the public key. Then it’ll verify the digital signature in the email header. If it doesn’t match, then the email will be rejected.
A DKIM record looks similar to this:
As you can see the name of the record is not only the domain (like MX or SPF records). Instead it uses this format: [selector]._domainkey.[domain]
The first part (in this case something) is the selector which is a specific value issued by the email provider. The main role of the selector is to make it possible to have multiple DKIM records on a domain. The second part ( ._domainkey) is always the same, and finally the last part is the domain.
The content always start with v=DKIM1;. Sometimes it includes the k=rsa; which is the type of the public key, and finally it has the public key after p=
Can I have multiple DKIM records?
Unlike SPF records, a domain can have as many DKIM records for public keys as servers that send mail. In fact, if you use multiple email servers to send emails from you domain (for instance, if you use G Suite and also MailChimp) you need to have multiple DKIM records (one for each email provider). Just make sure that they use different selector names.
How the DKIM Email Header Look?
The email DKIM Header looks similar to this:
There are many sections in the DKIM header. Some of the important ones are:
- The selector which is the part after s= so in this case the selector is dk2016.
- The domain which is the part after d= so in this case the domain is desjardin.com.
- The digital signature which is the part after b=
So in this case when the receiving email server gets this email, it queries the DNS record of the domain desjardin.com for the TXT record with the name dk2016._domainkeys.desjardin.com and gets the public key from it. Then it verifies the digital signature with the public key.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) Record is another TXT record and does two things:
- Tells the recipient server to quarantine, reject or allow emails that failed SPF and/or DKIM.
- Tells the recipient server to send reports about the failed emails to a specific email address.
The DMARC record name is always _dmarc.yourdomain.com and you can only have one DMARC record for your domain.
The content of a DMARC record may look like this:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:email@example.com;
The first part is the version which is always DMARC1. The second part (p=) is the policy for the failed emails and can be none, quarantine, or reject. The final part (rua=) contains the email address for the reports to be sent to.