Email delivery
Email-related DNS records ensure that mail servers are found correctly and that your domain is not classified as a spam sender. The most important components are MX, SPF, DKIM, and DMARC, which together control the delivery and authenticity of emails.
Overview: MX, SPF, DKIM, DMARC
- MX record: Indicates which mail servers are allowed to receive emails for your domain (routing for incoming mail)
- SPF (as TXT): Specifies which servers are allowed to send emails on behalf of your domain
- DKIM (as TXT): Stores the public key that recipients can use to verify the signature of your emails
- DMARC (as TXT): Defines what recipients should do with emails that fail SPF/DKIM checks (e.g. report only or reject).
MX records for email delivery
- MX records are special DNS records that point to one or more mail servers for a domain and carry a priority (preference) value, e.g. 10, 20.
- Email servers first read the MX records of the recipient domain and then deliver to the server with the lowest priority number.
Example MX records:
example.com. 3600 IN MX 10 mail.example.com.example.com. 3600 IN MX 20 backupmail.example.com.
These MX records say: the primary mail server is mail.example.com, the fallback is backupmail.example.com.
SPF: Who is allowed to send emails?
- SPF (Sender Policy Framework) is stored as a TXT record in the DNS zone of the domain and lists authorized mail servers or IPs.
- Recipients check whether the sending server is permitted in the SPF record of the sender domain; in case of a violation, the email can be rejected or flagged.
Typical SPF examples:
-
Own server only (IPv4):
example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 -all" -
Own server + external service (e.g. newsletter):
example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.tld -all" -
v=spf1identifies the SPF version,ip4:orip6:allow IPs,include:includes external SPF records,-allmeans all others are not permitted.
DKIM: Signed emails
- DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing email. The public key is stored as a TXT record in DNS.
- The TXT record is stored under a special hostname consisting of a selector and
_domainkey, e.g.mail._domainkey.example.com.
Example DKIM record:
-
mail._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA...AB" -
v=DKIM1is the version,k=rsais the key type,p=contains the public key (Base64-encoded). -
The outgoing mail server signs with the private key; recipients use the public key available in DNS to verify.
DMARC: Policy for failed authentication
- DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM and defines how recipients should react in case of failures.
- The DMARC record is stored as a TXT record under
_dmarc.example.comand contains, among other things, the policy (p=) and reporting addresses (rua,ruf).
Example DMARC records:
-
Monitoring only (no rejection):
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com" -
Strict rejection on failure:
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s" -
p=none/quarantine/rejectdetermines whether emails should only be logged, moved to quarantine, or rejected.
DKIM in Plesk:
- Under Domains → select domain → Email Settings → Use DKIM spam protection system, then check the generated
*.domainkeyTXT records under "DNS Settings" and add them to your DNS.