How to configure DNS for email delivery through a custom domain, so that emails do not end up in the spam folder and look more trustworthy.
1. MX (mail exchanger) record - specifies the address of the mail server (receiver).
Example:
@ MX 10 mx.yandex.net.
where:
@ refers to the base domain (the one being configured); this is the name/host field;
MX is the record type;
10 (value or priority field) is the priority (0-10, where 0 is the highest and 10 is the lowest; mostly useful when there is more than one MX record);
mx.yandex.net. (value field) is the address of the mail server.
Note: some DNS providers require a dot at the end of the address (which tells the DNS server not to append the base domain to the value).
2. SPF (Sender Policy Framework) - specifies which servers are allowed to send email from the domain.
Example:
@ TXT "v=spf1 include:_spf.yandex.net -all"
where:
@ (name/host field) is the same as in the MX record;
TXT means that the record type is text;
include (value field) evaluates the SPF record published at _spf.yandex.net; if that evaluation returns pass, the sender is allowed, otherwise evaluation continues with the next mechanism;
v specifies the SPF version;
-all matches every sender that reaches it (the - qualifier means fail; there are other qualifiers, such as ~ for SoftFail). Depending on the receiving server's settings, emails can be either rejected (fail) or sent to spam (soft fail).
More details can be found here.
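The evaluation described above, as an added example in Python (this is not code from the original page or from any mail provider): a small SPF evaluator that runs over a constructed DNS table instead of real lookups. The record shown for _spf.yandex.net is made up for the example and is not Yandex's real record; the other names are documentation domains. It implements the include semantics (an include only "matches" when the included record returns pass), the + - ~ ? qualifiers, and the RFC 7208 limit of 10 DNS-querying mechanisms, which is why an include loop or a bloated chain of includes ends in permerror rather than pass.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> SPF record). The content
# given here for _spf.yandex.net is made up for this example and is not the
# real record; the other names are documentation/example domains.
DNS_TXT = {
    "kazakov.lt": "v=spf1 include:_spf.yandex.net -all",
    "_spf.yandex.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
    "broken.example": "v=spf1 include:missing.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check


def evaluate_spf(sender_ip, domain, dns=DNS_TXT, _lookups=None):
    """Evaluate the SPF record of `domain` for a connecting `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; any other mechanism
    (a, mx, exists, ...) is reported as permerror so it is never silently skipped.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    sender = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' matches every sender that reaches it
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qualifier]
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups (also catches include loops)
            sub = evaluate_spf(sender_ip, arg, dns, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            continue  # fail/softfail/neutral inside an include: try the next term
        return "permerror"
    return "neutral"  # record ended without an 'all' term


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "kazakov.lt"), ("203.0.113.5", "kazakov.lt"),
                    ("203.0.113.5", "softfail.example"), ("203.0.113.5", "loop.example")]:
        print(f"{ip:>14} via {dom:<18} -> {evaluate_spf(ip, dom)}")
```

Running it shows the difference between -all and ~all directly: an unlisted address gets fail from kazakov.lt but only softfail from softfail.example, and loop.example returns permerror once the lookup budget is exhausted. Replacing the DNS_TXT dictionary with real TXT queries is the only change needed to turn this into a checker for a live domain.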
3. DKIM (DomainKeys Identified Mail) - publishes the public key and other settings for the domain so that all outgoing emails can be signed.
Example:
mail._domainkey TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTR2nyrp7g9moE3FsyPRthgUUTXIzstN4yecxwWltfjfLhSbjPsZJlbOr/N9EtoCwPMhOePc0YI1B32cXl+USrm0RjwQLEP47A9pPQDqNeeAlxzFaTJ+6g8he12SrcYnMf6B1HHTJpZw7Vw1cBERPXVlbpBwt+ZLdZOSwAPGzyowIDAQAB"
where:
mail._domainkey (name/host field) contains a selector (mail), which allows several domain keys to be used;
TXT is the record type, and the value field contains the DKIM parameters:
v is the DKIM version;
k is the key type;
t specifies whether to apply strict checking of the sender domain, so t=s means that no subdomains are allowed;
p is the public key.
More details can be found here.
4. DMARC (Domain-based Message Authentication, Reporting & Conformance) - tells the receiver what to do if SPF and/or DKIM fail.
Example:
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:contact@kazakov.lt; ruf=mailto:contact@kazakov.lt; sp=reject; fo=1; aspf=s; adkim=s; ri=86400; pct=100"
where:
_dmarc is the name/host field;
TXT is the record type, and the value field contains:
v - DMARC version;
p - which policy to apply (none - do nothing, quarantine - mark the email as spam, reject - reject the email);
rua - report URI for aggregate reports;
ruf - report URI for failure reports;
sp - subdomain policy (same values as p);
fo - failure reporting options (0 - everything failed, 1 - at least something failed, d - DKIM failure, s - SPF failure);
aspf - alignment mode for SPF (s - strict: exact match between the From header domain and the domain, r - relaxed: allows common organisational domains);
adkim - DKIM alignment mode, same as aspf, between the d= domain and the From: header domain;
ri - reporting interval in seconds (typically reports are sent once a day);
pct - percentage of outgoing mails to apply the policy to.
More details can be found here.
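An added Python example covering both the DKIM record (section 3) and the DMARC record (section 4); it is not code from the original page. Both record types use the same "tag=value;" syntax, so one parser serves both. The DKIM part reassembles the page's own record (the key is split across lines on the page and across several quoted strings in DNS), decodes the p= key and walks the DER SubjectPublicKeyInfo just far enough to read the modulus size and exponent, since RFC 8301 sets 1024 bits as the minimum and recommends 2048. The DMARC part parses the page's record and applies the aspf/adkim alignment rules to a given message: the strict/relaxed distinction and the p versus sp choice are the parts that most often surprise people in practice. The organisational-domain approximation (last two labels) and the pct sampling are simplifications, labelled as such in the code.

```python
import base64

# DKIM record from the page, with the TXT value reassembled into one string.
DKIM_RECORD = (
    "v=DKIM1; k=rsa; t=s; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTR"
    "2nyrp7g9moE3FsyPRthgUUTXIzstN4yecxwWltfjfLhSbjPsZJlbO"
    "r/N9EtoCwPMhOePc0YI1B32cXl+USrm0RjwQLEP47A9pPQDq"
    "NeeAlxzFaTJ+6g8he12SrcYnMf6B1HHTJpZw7Vw1cBERPXVlb"
    "pBwt+ZLdZOSwAPGzyowIDAQAB"
)
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:contact@kazakov.lt; "
                "ruf=mailto:contact@kazakov.lt; sp=reject; fo=1; aspf=s; "
                "adkim=s; ri=86400; pct=100")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption


def parse_tags(record):
    """Parse the 'tag=value; tag=value' list shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            tags[key.strip()] = value.strip()
    return tags


def _der_tlv(buf, i):
    """Read one DER tag and length at offset i; return (tag, content_start, content_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length


def rsa_key_info(spki_der):
    """Walk a SubjectPublicKeyInfo and return (modulus_bits, public_exponent)."""
    _, i, _ = _der_tlv(spki_der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, a, a_end = _der_tlv(spki_der, i)              # AlgorithmIdentifier SEQUENCE
    if RSA_OID not in spki_der[a:a_end]:
        raise ValueError("not an rsaEncryption key")
    tag, b, _ = _der_tlv(spki_der, a_end)            # BIT STRING holding RSAPublicKey
    if tag != 0x03 or spki_der[b] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, k, _ = _der_tlv(spki_der, b + 1)              # RSAPublicKey SEQUENCE
    _, m, m_end = _der_tlv(spki_der, k)              # modulus INTEGER
    _, e, e_end = _der_tlv(spki_der, m_end)          # publicExponent INTEGER
    modulus = int.from_bytes(spki_der[m:m_end], "big")
    return modulus.bit_length(), int.from_bytes(spki_der[e:e_end], "big")


def check_dkim(record):
    """Validate a DKIM TXT record; RFC 8301: 1024-bit keys are the minimum, 2048 recommended."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM version or key type")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key has been revoked")
    bits, exponent = rsa_key_info(base64.b64decode("".join(tags["p"].split())))
    return {"strict_subdomains": "s" in tags.get("t", "").split(":"),
            "modulus_bits": bits, "exponent": exponent, "weak_key": bits < 2048}


def parse_dmarc(record):
    """Validate a DMARC TXT record and fill in the RFC 7489 defaults."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record")
    return {"p": tags["p"], "sp": tags.get("sp", tags["p"]), "aspf": tags.get("aspf", "r"),
            "adkim": tags.get("adkim", "r"), "pct": int(tags.get("pct", "100")),
            "rua": tags.get("rua"), "fo": tags.get("fo", "0")}


def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) the same organisational domain.
    Simplification: the organisational domain is taken as the last two labels;
    real implementations consult the Public Suffix List."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else f.split(".")[-2:] == a.split(".")[-2:]


def dmarc_disposition(policy, policy_domain, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain), dkim = (result, d= tag); returns pass or the policy."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # pct sampling is not modelled: the policy is applied to every failing message here
    return policy["p"] if from_domain == policy_domain else policy["sp"]


if __name__ == "__main__":
    print(check_dkim(DKIM_RECORD))
    policy = parse_dmarc(DMARC_RECORD)
    print(dmarc_disposition(policy, "kazakov.lt", "kazakov.lt",
                            ("pass", "mail.kazakov.lt"), ("fail", "")))
```

With the page's records, check_dkim reports a 1024-bit key (valid, but below the recommended 2048), and the DMARC example shows the effect of aspf=s: an SPF pass for MAIL FROM mail.kazakov.lt does not align with a From: header of kazakov.lt under strict mode, so without a passing DKIM signature the message is handled under p=reject; switching aspf to r makes the same message pass.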
Tools:
1. Agari - to check existing SPF/DKIM/DMARC settings;
2. MX Toolbox - to check other DNS parameters;
3. XML-to-Human - to read DMARC reports easily.