Skip to main content

Email delivery

Email-related DNS records ensure that mail servers are found correctly and that your domain is not classified as a spam sender. The most important components are MX, SPF, DKIM, and DMARC, which together control the delivery and authenticity of emails.

Overview: MX, SPF, DKIM, DMARC

  • MX record: Indicates which mail servers are allowed to receive emails for your domain (routing for incoming mail)
  • SPF (as TXT): Specifies which servers are allowed to send emails on behalf of your domain
  • DKIM (as TXT): Stores the public key that recipients can use to verify the signature of your emails
  • DMARC (as TXT): Defines what recipients should do with emails that fail SPF/DKIM checks (e.g. report only or reject).

MX records for email delivery

  • MX records are special DNS records that point to one or more mail servers for a domain and carry a priority (preference) value, e.g. 10, 20.
  • Email servers first read the MX records of the recipient domain and then deliver to the server with the lowest priority number.

Example MX records:

  • example.com. 3600 IN MX 10 mail.example.com.
  • example.com. 3600 IN MX 20 backupmail.example.com.

These MX records say: the primary mail server is mail.example.com, the fallback is backupmail.example.com.

SPF: Who is allowed to send emails?

  • SPF (Sender Policy Framework) is stored as a TXT record in the DNS zone of the domain and lists authorized mail servers or IPs.
  • Recipients check whether the sending server is permitted in the SPF record of the sender domain; in case of a violation, the email can be rejected or flagged.

Typical SPF examples:

  • Own server only (IPv4):
    example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 -all"

  • Own server + external service (e.g. newsletter):
    example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.tld -all"

  • v=spf1 identifies the SPF version, ip4: or ip6: allow IPs, include: includes external SPF records, -all means all others are not permitted.

DKIM: Signed emails

  • DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing email. The public key is stored as a TXT record in DNS.
  • The TXT record is stored under a special hostname consisting of a selector and _domainkey, e.g. mail._domainkey.example.com.

Example DKIM record:

  • mail._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA...AB"

  • v=DKIM1 is the version, k=rsa is the key type, p= contains the public key (Base64-encoded).

  • The outgoing mail server signs with the private key; recipients use the public key available in DNS to verify.

DMARC: Policy for failed authentication

  • DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM and defines how recipients should react in case of failures.
  • The DMARC record is stored as a TXT record under _dmarc.example.com and contains, among other things, the policy (p=) and reporting addresses (rua, ruf).

Example DMARC records:

  • Monitoring only (no rejection):
    _dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

  • Strict rejection on failure:
    _dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

  • p=none/quarantine/reject determines whether emails should only be logged, moved to quarantine, or rejected.

DKIM in Plesk:

  • Under Domains → select domain → Email Settings → Use DKIM spam protection system, then check the generated *.domainkey TXT records under "DNS Settings" and add them to your DNS.