The Ultimate Guide to DNS Email Records for Better Email Deliverability
Picture this: The critical project update you sent from your work computer never made it to the client. Meanwhile, another client just said they got an email from you that infected their computer with malware.
What’s going on?
These aren’t just random mishaps; they’re examples of what can go wrong when your organization’s DNS records are poorly configured.
DNS is more than a technology for guiding website traffic; without it, your email system will be almost useless.
Keep reading to discover everything you need to know about DNS email records to make sure your emails get delivered and stay secure from threats.
What is DNS?
The Domain Name System (DNS) helps your computer translate website domains (e.g., example.com) into IP addresses (e.g., 192.168.0.1).
Why is this translation necessary? Because computers can only communicate with each other using IP addresses.
So, if you want to browse example.com, you need to know the IP address of the website’s server.
You can think of DNS as the internet’s phonebook — it maintains a database of IP addresses corresponding to each domain.
DNS makes the internet user-friendly by letting us use easy-to-remember domain names. Without it, we would have to remember complex numbers for every website, which is impractical.
What Is DNS in Email?
When you send an email, you use an email address (e.g., receiver@example.com), which is linked to a domain name (example.com). This domain name needs to be connected to an IP address for your message to get delivered.
So, the sender server uses DNS email records to look up the IP address of the recipient email server and direct your message.
The role of DNS extends beyond just directing your email to the right server. It’s also important in securing email communications. DNS records like SPF, DKIM, and DMARC authenticate the email’s source, making sure it’s coming from a legitimate sender and not a malicious impersonator.
Other than that, DNS has advanced applications in email service management, including:
- Load balancing: By configuring records with different priorities, DNS can direct emails to a secondary server if the primary one is down to avoid disruptions in email delivery.
- Routing policies: DNS lets you set routing policies to direct emails through specific gateways for scanning or archival purposes.
- Domain verification: When setting up services, like Google Workspace for email, you have to add a DNS setting to your domain to verify that you’re the owner.
- Service customization: You can use DNS to set up subdomains for different departments or specific functions.
Decoding DNS Jargon
Before we get into the specifics of various DNS settings, let’s clarify some common DNS terms you’ll frequently encounter.
Term | Definition |
---|---|
Time to Live (TTL) | The duration (in seconds) that a DNS resolver will cache the record before it needs to be requested again. For example, if a record has a TTL of 3600, the DNS resolver will check for any updates after an hour. |
A Record | Associates a domain or subdomain with a specific IPv4 address. |
MX Record | Specifies the mail server responsible for accepting incoming messages. |
TXT Record | Allows inclusion of arbitrary text information in DNS records. |
NS Record | Specifies the authoritative name servers for a domain. |
PTR Record | Maps an IP address to a domain name for reverse DNS lookups. |
CNAME | Creates an alias or canonical name, mapping one domain name to another. |
Reverse DNS Lookup | A reverse DNS lookup retrieves the domain name associated with an IP address through a DNS query. |
MX Records for Email Routing
MX records direct incoming emails to the right email server.
When you send an email, it goes through these steps:
- MX record lookup: The outgoing mail server uses DNS to look up the MX records for the recipient’s domain (example.com).
- Identify destination email server: The MX records list the hostnames of the mail servers designated to receive email for the recipient’s domain, often with priority levels; the sending server then resolves each hostname to an IP address.
- Route email to the primary mail server: The email is sent to the mail server with the highest priority in the MX records.
- Fallback to secondary servers if needed: If the primary mail server is down or unreachable, the email is sent to the next available server based on the priority specified in the MX records.
Let’s look at an example table illustrating the MX records setup for a domain.
Host (for example.com) | Record Type | Priority | Value | TTL |
---|---|---|---|---|
@ | MX | 10 | mailserver1.example.com | 3600 |
@ | MX | 20 | mailserver2.example.com | 7200 |
@ | MX | 30 | mailserver3.example.com | 14400 |
In this table, the priority column shows the priority of each MX record. A lower number indicates a higher priority. The email system tries to deliver emails starting from the lowest priority number.
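To make the priority and fallback behaviour concrete, here is an added example (not code from the article) that orders the records in the table above the way a sending server would and simulates falling back when the primary server is down. The `reachable` map is a constructed stand-in for a real SMTP connection attempt.

```python
# Added example: ordering MX records by preference and falling back.
from typing import Dict, List, Tuple

# Constructed records matching the article's table: (priority, hostname, ttl)
MX_RECORDS = [
    (20, "mailserver2.example.com", 7200),
    (10, "mailserver1.example.com", 3600),
    (30, "mailserver3.example.com", 14400),
]

def delivery_order(records: List[Tuple[int, str, int]]) -> List[str]:
    """Hostnames in the order a sender tries them: lowest priority value
    first (RFC 5321 calls this number the 'preference')."""
    return [host for _, host, _ in sorted(records, key=lambda r: r[0])]

def attempt_delivery(records: List[Tuple[int, str, int]],
                     reachable: Dict[str, bool]) -> str:
    """Try each MX host in turn. 'reachable' is a constructed stand-in for
    an SMTP connection attempt. Returns the host that accepted the message;
    raises if every listed server is down (a real MTA would queue and retry)."""
    for host in delivery_order(records):
        if reachable.get(host, False):
            return host
    raise RuntimeError("all MX hosts unreachable; message must be queued")

if __name__ == "__main__":
    print(delivery_order(MX_RECORDS))
    # Primary (priority 10) down -> message goes to the priority-20 server
    print(attempt_delivery(MX_RECORDS, {"mailserver1.example.com": False,
                                        "mailserver2.example.com": True}))
```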
Key DNS Records for Email Security
Here’s a list of the main DNS records for email security.
- Sender Policy Framework (SPF).
- DomainKeys Identified Mail (DKIM).
- Domain-based Message Authentication, Reporting & Conformance (DMARC).
Let’s briefly go over each one.
SPF Records for Sender Verification
A valid SPF record prevents hackers from sending fake emails using your domain name.
The record lists the servers authorized to send email on your behalf. So, if someone tries to send email that impersonates your domain, the receiving server can detect it, because the message did not come from one of your authorized servers.
DKIM Records for Email Authentication
DKIM is a powerful protocol that prevents email spoofing and tampering. The outgoing email server adds a cryptographic signature to the email’s header. This signature is based on the content of the email and a private key unique to the domain.
When a mail server receives a signed email, it queries DNS for the sending domain’s DKIM public key, which is published as a TXT record under the selector named in the signature. The recipient’s email server then validates the DKIM signature to ensure the email genuinely comes from the claimed domain.
The outgoing mail server generates a unique hash value based on the content to make sure the message doesn’t get altered in transit. Then, it encrypts the hash with a private key that’s unique to the sending domain.
The recipient’s server decrypts the hash using the public key it retrieved from DNS. It then generates its own hash of the received email content and compares it with the decrypted hash. If they match, it confirms email integrity.
DKIM enhances email delivery and deliverability by reducing the chances of legitimate emails being flagged as spam or fraudulent.
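The integrity half of DKIM described above can be shown with the standard library alone. The following is an added example, not code from the article: it builds the DNS name a verifier queries, parses the published key record, and computes the `bh=` body hash that RFC 6376 defines (SHA-256 over the “simple”-canonicalized body). Signing the selected headers with the domain’s private key needs a crypto library and is left out; the selector, domain and key text are constructed values.

```python
# Added example: DKIM key-record lookup name, record parsing and body hash.
# The RSA/Ed25519 signature over the headers (RFC 6376) is not shown here.
import base64
import hashlib
from typing import Dict

def dkim_dns_name(selector: str, domain: str) -> str:
    """Name of the TXT record a verifier queries for the public key."""
    return f"{selector}._domainkey.{domain}"

def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DKIM1; k=rsa; p=<base64 key>' into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    # v= is optional and defaults to DKIM1; p= (the key) is mandatory
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record (missing p= or wrong v=)")
    return tags

def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop empty lines at the end
    of the body, then make sure it ends with exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_intact(signed_bh: str, received_body: bytes) -> bool:
    """The receiver's integrity check: recompute bh= and compare it with
    the value carried in the DKIM-Signature header."""
    return body_hash(received_body) == signed_bh
```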
Role of DMARC in Email Security
DMARC is an email security protocol that combines SPF and DKIM authentication.
It helps protect emails against spoofing, phishing attacks, and abuse. Domain owners can set policies using DMARC to specify how email servers should handle emails that fail SPF or DKIM authentication checks.
The protocol also provides reporting mechanisms that allow domain owners to receive feedback on email authentication results. This helps them monitor and improve their email security practices.
Setting Up MX Records
You don’t need to do anything for your DNS settings if you’re a regular Gmail user. If you want to send and receive emails from your own domain, you may need to change a few settings.
If your domain is hosted with a web hosting service, they often provide default MX records that direct your email to their provided servers. But if you’re using hosting from a different company, applying the settings will be up to you.
Here’s a step-by-step process to set up or modify your MX records.
- Log on to the DNS management dashboard provided by your domain registrar.
- Locate the DNS settings section or the option to manage DNS records.
- Look for the MX records configuration section.
- Add a new MX record by specifying the priority value and the destination email server’s domain name.
- Save the changes and wait for the DNS changes to propagate, which may take some time (usually a few hours to a day).
When configuring your DNS, pay attention to the priority values: a smaller number indicates a higher priority. Also, be careful about the destination server details. It’s easy to misspell or incorrectly enter the domain name of the destination email server.
Configuring SPF Records for Security
Setting up an SPF record involves creating a text string that you’ll later add to your domain’s DNS table.
What Does the SPF Record Include?
The string consists of the following fields:
- Record format: A TXT record type made up of a string containing information about authorized mail servers for a domain.
- Mechanisms: SPF records use mechanisms to specify which servers can send emails on behalf of a domain. Common mechanisms include “a” for the domain’s A record, “mx” for the domain’s MX records, and “include” to include SPF records from other domains.
- Qualifiers: Qualifiers define the action to be taken when a server fails SPF authentication. Common qualifiers are “+” (Pass), “-” (Fail), “~” (SoftFail), and “?” (Neutral).
Creating the string isn’t hard, but it can be confusing. So, we recommend using an SPF record generator, which takes the different details as input and outputs the record for you.
How to Set up the SPF Record
Now, you can set up SPF records by following these steps:
- Identify the authorized email servers.
- Access your DNS management interface.
- Find the DNS settings or manage DNS records.
- Add a new TXT record.
- Save the changes.
- Verify the SPF record.
- Monitor and update.
Best Practices for Implementing SPF Records
Crafting an effective SPF record requires careful consideration to balance security with email deliverability.
Here are a few tips to consider:
- Use a strong qualifier, such as “~all” or “-all”: This tells receiving email servers that only the servers listed in your SPF record are authorized to send emails on behalf of your domain. With “~all” (SoftFail) the receiver accepts the incoming email but marks it as suspicious, while “-all” (Fail) tells it to reject the incoming message outright.
- Regularly review and update your SPF record: Email infrastructure can change over time, with new servers being added or old ones being retired. Regularly review and update your SPF record to make sure it accurately reflects your current email setup.
- Test your SPF record: After setting up or updating an SPF record, test it to make sure it works correctly. We recommend MX Toolbox SPF Record Lookup and Mail Tester.
- Avoid overcrowding and unnecessary mechanisms: Using too many mechanisms or IP addresses can make your SPF record unnecessarily complex and lead to errors.
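The record format, mechanisms and qualifiers from the “What Does the SPF Record Include?” section and the best practices above can be checked with a small parser. The following is an added example, not code from the article: it splits an SPF record into qualifier/mechanism pairs, warns about a weak or missing `all` term and about more than ten DNS-lookup terms (the RFC 7208 limit, which is what “overcrowding” runs into), and evaluates `ip4`/`ip6` terms offline. A full evaluator also resolves `a`, `mx` and `include` through DNS; that is omitted here, and the record strings are constructed.

```python
# Added example: parse, lint and partially evaluate an SPF record offline.
import ipaddress
from typing import List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}

def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """'v=spf1 a mx include:x ip4:203.0.113.0/24 ~all' ->
    [(qualifier, mechanism, argument), ...]; default qualifier is '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        sep = ":" if ":" in term else "="      # mechanisms use ':', modifiers '='
        name, _, arg = term.partition(sep)
        parsed.append((qual, name.lower(), arg))
    return parsed

def lint_spf(record: str) -> List[str]:
    """Warnings for a weak/missing 'all' term and for too many lookups."""
    terms = parse_spf(record)
    warnings = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        warnings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals:
        warnings.append("no 'all' term: unlisted senders get an implicit neutral")
    elif all_quals[0] in ("+", "?"):
        warnings.append(f"'{all_quals[0]}all' lets any server pass; use ~all or -all")
    return warnings

def check_ip(record: str, sender_ip: str) -> str:
    """Result for sender_ip considering only ip4/ip6 and 'all' terms."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"
```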
DKIM Configuration for Authentication
Implementing DKIM on your own domain only takes a few steps. The exact process can vary depending on your email service provider and your domain’s hosting service.
Here’s a general guide:
- Generate DKIM key pair: Use a DKIM key generator tool to create a public and private key pair. Most email services offer a dedicated tool, but you can use DMARCLY or Easy DMARC, too. You’ll save the private key on your email server and publish the public key in your DNS records.
- Configure your email server: Set up the server to sign outgoing emails with your private DKIM key. The specifics of this process depend on your email server software, so you’ll need to consult its documentation.
- Add the public key to your DNS records: Add your public key to your DNS records as a TXT record. The DNS entry should include your DKIM selector (a unique identifier for the key), the domain name, and the public key itself.
- Test your DKIM setup: Use a DKIM validation tool to verify that your emails are being signed properly and that your DNS records are correctly configured.
How to Set up DMARC
Setting up DMARC requires having SPF or DKIM in place, ideally both, to maximize your email security.
Here’s how you can set up DMARC for your domain:
- Create your DMARC policy: Decide on the DMARC policy you want to enforce. This can range from none (monitoring only) to quarantine (treat as suspicious) and reject (block outright).
- Generate the DMARC record: Use a DMARC record generation tool to create your DMARC record. You’ll need to input your policy preference and a couple of other options, like email addresses, for receiving reports.
- Add the DMARC record to DNS: Once you have your DMARC record, add it to your domain’s DNS records as a TXT record. The record should start with “v=DMARC1;” followed by your specific policy and reporting preferences.
- Test your DMARC setup: Use a DMARC testing tool to validate your setup.
- Monitor DMARC reports: DMARC reports provide insights into your email traffic and how receiving servers are handling your emails based on your DMARC policy.
- Adjust as needed: Based on the feedback from the DMARC reports, you might need to fine-tune your DMARC policy or your underlying SPF and DKIM settings for optimal performance.
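The policy choice and record format from the steps above can be seen in action by parsing a DMARC record and applying it to one message. The following is an added example, not code from the article: it validates the `v=`, `p=` and `pct=` tags, then applies identifier alignment as RFC 7489 defines it (strict: exact domain match; relaxed: same organizational domain) to the SPF and DKIM results before returning either `pass` or the owner’s `p=` action. The organizational-domain rule (last two labels) is a deliberate simplification of the Public Suffix List, `pct=` and `sp=` are parsed but not applied, and all domains and addresses are constructed.

```python
# Added example: parse a DMARC record and apply its policy to one message.
from typing import Dict, Optional

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:...' -> tag dict with the RFC 7489
    defaults for alignment (relaxed) and pct (100) filled in."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])   # simplification, not the PSL

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """A passing SPF/DKIM result only counts for DMARC if its domain aligns
    with the RFC5322.From domain: 's' = exact, 'r' = same org domain."""
    if auth_domain is None:                 # that check did not pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the action the domain owner's p= policy requests.
    spf_pass_domain / dkim_pass_domain: the domain each check passed for,
    or None when that check failed."""
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags["aspf"]) or \
       aligned(dkim_pass_domain, from_domain, tags["adkim"]):
        return "pass"
    return tags["p"]
```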
Audit Your DNS Settings Regularly
Changes in email servers, hosting services, or email policies can render old settings obsolete, potentially leading to email delivery issues or security vulnerabilities. Regular updates can increase operational efficiency and improve authentication and trust.
When auditing your DNS email records, follow these best practices to ensure comprehensive and effective results:
- Review TTL values: A lower TTL means changes to DNS records propagate faster across the internet because DNS resolvers check in more frequently for updates. On the other hand, a higher TTL reduces the frequency of DNS lookups, which can decrease the load on your authoritative DNS servers and increase system stability. So, you need to find a balance between flexibility and performance.
- Test for email deliverability: Use online tools to test if your email setup, especially SPF, DKIM, and DMARC records, is functioning properly and ensuring smooth email delivery.
- Look for security vulnerabilities: Make sure your domain authentication protocols are properly configured, and you’re using an appropriate DMARC policy. Also, check if your domain’s TLS/SSL certificates are up-to-date. Expired certificates can lead to man-in-the-middle attacks.
- Delete unnecessary DNS records: Look for any old or unnecessary DNS records that might be exploited or create configuration conflicts. Keeping your DNS clean reduces the attack surface.
- Document changes: Maintain a log of changes made to your DNS settings for future reference and troubleshooting.
DNS and Beyond: Achieve Peak Deliverability with Campaign Refinery
At Campaign Refinery, we believe effective email marketing starts with strong deliverability. That’s why we’ve built our platform on a solid foundation of deliverability principles.
We require mandatory domain authentication for all our clients from day one. This initial step enhances email security and significantly reduces the chances of your emails being flagged as spam.
Beyond DNS, we focus on broader aspects of deliverability:
- We automatically clean your email list to remove inactive or harmful addresses.
- We boost your engagement through an innovative reward system for your subscribers.
- We manage IP reputation by ensuring only reliable and authentic senders use our platform.
- We implement advanced analytics to help you track and optimize email campaign performance.
With Campaign Refinery, you get a partner dedicated to ensuring your messages land in inboxes and resonate with your audience.
Apply now to become a Campaign Refinery customer.