Email DNS settings

How to configure DNS, for email delivery through a custom domain, so that the emails do not end up in the spam folder and look more trust-worthy.



1. MX (mail exchanger) record - specifies the address of the mail server (receiver).

Example: @ MX 10 mx.yandex.net., where:

@ refers to the base domain (the one being configured) and this is the name/host field;
MX is the recod type;
10 (value or priority field) is priority (0-10, where 0 is the highest and 10 is the lowest, mostly useful when there are more than one MX records);
mx.yandex.net. (value field) is the address of the mailing server.

Note: some DNS providers require a dot at the end of the address (which tells the DNS server not to add a base domain after the value entry).


2. SPF (Sender Policy Framework) - specifies what servers are allowed to send email from the used domain.

Example: @ TXT "v=spf1 include:_spf.yandex.net -all", where:

@ (name/host field) is the same as in the MX record);
TXT means that the record type is text;
include (value field) checks the SPF settings at _spf.yandex.net and continues only if no suitable address was found (the result was not pass);
v specifies SPF version
-all gets triggered all the time if reached (- qualifier means fail; there are other qualifiers such as SoftFail: ~). Depending on the receiver server's settings, emails can be either rejected (fail) or sent to spam (soft fail).

More details can be found here.


3. DKIM (DomainKeys Identified Mail) - specifies the public key and other settings for the domain in order to sign all the outgoing emails.

Example: mail._domainkey TXT "v=DKIM1; k=rsa; t=s;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTR
2nyrp7g9moE3FsyPRthgUUTXIzstN4yecxwWltfjfLhSbjPsZJlbO
r/N9EtoCwPMhOePc0YI1B32cXl+USrm0RjwQLEP47A9pPQDq
NeeAlxzFaTJ+6g8he12SrcYnMf6B1HHTJpZw7Vw1cBERPXVlb
pBwt+ZLdZOSwAPGzyowIDAQAB"
, where:

mail._domainkey (name/host field) contains a selector (mail) which allows several domain keys to be used;
TXT is the record type and the value field contains DKIM parameters:
v is DKIM version;
k is the key type;
t is the service type (usually just mail);
p is the public key.

More details can be found here.


4. DMARC (Domain-based Message Authentication, Reporting & Conformance) - tells the receiver what to do if SPF and/or DKIM fail.

Example: _dmarc TXT "v=DMARC1; p=reject; rua=mailto:contact@kazakov.lt; ruf=mailto:contact@kazakov.lt; sp=reject; fo=1; aspf=s; adkim=s; ri=86400; pct=100", where:

_dmarc is the name/host field;
TXT - type of the record and the value field contains:
v - DMARC version;
p - what policy to apply (none - do nothing, quarantine - mark the email as spam and reject - reject the email);
rua - report URI for aggregated information;
ruf - report URI for failure information;
sp - subdomain policy (same as p);
fo - failure reporting options (0 - everything failed, 1 - at least something failed, d - DKIM failure, s - SPF failure);
aspf - alignment for SPF (s - strict: exact match between the From header and the domain, r - relaxed: allows common organisation domains);
adkim - DKIM alignment, same as aspf, between d=domain and From: domain (header);
ri - reporting interval in seconds (typically sent once a day);
pct - percentage of outgoing mails to apply the policy to.

More details can be found here.


Tools:
1. Agari - to check existing SPF/DKIM/DMARC settings;
2. MX Toolbox - to check other DNS parameters;
3. XML-to-Human - to be able to read DMARC reports easily.