Chapter 7

Email DNS: MX, SPF, DKIM & DMARC

Reliable mail delivery and anti-spoofing.

Learning objectives

  • Configure MX for Google Workspace or similar
  • Write a basic SPF record
  • Understand where DKIM and DMARC fit

Email uses different records than the website

Workshop Co. uses Google Workspace. Their website might be on Swift Host, but mail flows through Google’s servers. DNS must describe both: where the website lives and where mail goes.

MX — where mail goes

@  3600  IN  MX  1   aspmx.l.google.com.
@  3600  IN  MX  5   alt1.aspmx.l.google.com.
@  3600  IN  MX  5   alt2.aspmx.l.google.com.
@  3600  IN  MX  10  alt3.aspmx.l.google.com.
@  3600  IN  MX  10  alt4.aspmx.l.google.com.

Lower priority number = preferred. Google publishes these values — copy from their admin docs when setting up.

SPF — who may send as @workshopco.ca

SPF is a TXT record at the apex listing permitted senders:

@  TXT  "v=spf1 include:_spf.google.com ~all"

  • include:_spf.google.com — Google may send on your behalf
  • ~all — soft fail for everyone else (common starting point)
  • -all — hard fail (stricter, use when confident nothing else sends mail)

One SPF record only

Merge includes into a single TXT at @. Multiple SPF TXT records break validation.

DKIM — cryptographic signature

Google (or your mail host) gives you a TXT record like:

google._domainkey  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

Receivers use the public key published in that record to verify that the message was signed with the matching private key. Without DKIM, inbox placement suffers.

DMARC — policy for failures

_dmarc  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@workshopco.ca"

  Policy        Meaning
  p=none        Monitor only — good first step
  p=quarantine  Failed mail to spam
  p=reject      Failed mail rejected

Worked example — newsletter tool adds sending

Workshop Co. also sends class reminders via Mailchimp. Update SPF:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
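The following Python is an added example (not part of this chapter or of any mail provider's tooling) that turns the SPF rules above into code: it enforces the one-record rule, reads the include list and the qualifier on all, counts the terms that cost a DNS lookup, and merges a new sending source the way the Mailchimp update does. The TXT answers at the top are constructed sample data, and the 10-lookup limit comes from RFC 7208 section 4.6.4, which the chapter does not cover.

```python
import re
from typing import Dict, List, Optional

# Constructed apex TXT answers (hypothetical, not a live lookup), with the
# surrounding quotes that dig prints around each string.
APEX_TXT_OK = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=constructed-token"',
]
APEX_TXT_TWO_SPF = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"v=spf1 include:servers.mcsv.net ~all"',   # second SPF record: breaks validation
]

ALL_MEANING = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (at most 10 per
# evaluation); all, ip4 and ip6 are free. Nested includes add to the total.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _unquote(records: List[str]) -> List[str]:
    return [r.strip('"') for r in records]


def count_spf(txt_records: List[str]) -> int:
    """How many TXT strings at the apex start with v=spf1 (must be exactly one)."""
    return sum(1 for r in _unquote(txt_records) if r.lower().startswith("v=spf1"))


def find_spf(txt_records: List[str]) -> str:
    """Return the single SPF record; zero or several is a configuration error."""
    spf = [r for r in _unquote(txt_records) if r.lower().startswith("v=spf1")]
    if not spf:
        raise ValueError("no SPF record at apex")
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; merge them into one TXT")
    return spf[0]


def parse_spf(record: str) -> Dict[str, object]:
    """Break a record into include domains, the 'all' qualifier and a lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes: List[str] = []
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(term.split(":", 1)[1].lower())
        elif name == "all":
            all_qualifier = qualifier
    return {
        "includes": includes,
        "all": all_qualifier,
        "all_meaning": ALL_MEANING.get(all_qualifier, "missing"),
        "lookups": lookups,
    }


def add_include(record: str, domain: str) -> str:
    """Add a sending source to an existing record, keeping the 'all' term last."""
    if domain.lower() in parse_spf(record)["includes"]:
        return record
    terms = record.split()
    # SPF is evaluated left to right and 'all' is the catch-all, so insert before it.
    idx = next((i for i, t in enumerate(terms) if t.lower().lstrip("+-~?") == "all"),
               len(terms))
    terms.insert(idx, f"include:{domain}")
    return " ".join(terms)


if __name__ == "__main__":
    current = find_spf(APEX_TXT_OK)
    print(parse_spf(current))
    print(add_include(current, "servers.mcsv.net"))
```

Running it prints the parsed Google-only record and then the merged record from the worked example; feeding it APEX_TXT_TWO_SPF instead raises, which is the failure the "One SPF record only" note warns about.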

Try it yourself

For a domain you control (or use a mail-tester sandbox), check current email DNS:

  1. Look up MX records — who receives mail?
  2. Look up TXT at apex — is there an SPF record?
  3. Search for _dmarc TXT — is DMARC configured?

Optional: send a test from your domain to mail-tester.com and review the report.

What good looks like

  • MX points at your mail provider
  • Single SPF with all sending sources
  • DKIM selector TXT present
  • DMARC at least p=none with reporting address
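As an added example (written for this chapter, not taken from it or from any provider), the Python below runs the "What good looks like" checklist over a set of DNS answers of the kind the three lookups above return, and parses the DMARC tags from the policy table. The zone data is constructed; the second zone reproduces the scenario at the end of the chapter, where A/CNAME records were copied to a new DNS host but MX was not.

```python
from typing import Dict, List, Tuple

# (owner name, record type) -> rdata strings, shaped like dig output.
Zone = Dict[Tuple[str, str], List[str]]

# Constructed answers for the chapter's example domain (hypothetical, not live).
GOOD_ZONE: Zone = {
    ("@", "MX"): ["1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com.",
                  "5 alt2.aspmx.l.google.com."],
    ("@", "TXT"): ['"v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"',
                   '"google-site-verification=constructed-token"'],
    ("google._domainkey", "TXT"): ['"v=DKIM1; k=rsa; p=MIGfMA0GCS..."'],
    ("_dmarc", "TXT"): ['"v=DMARC1; p=none; rua=mailto:dmarc@workshopco.ca"'],
}

# The chapter's scenario: everything copied to the new DNS host except MX.
MOVED_HOST_ZONE: Zone = {k: v for k, v in GOOD_ZONE.items() if k != ("@", "MX")}


def _txt(zone: Zone, name: str) -> List[str]:
    """TXT strings at a name with dig's surrounding quotes removed."""
    return [r.strip('"') for r in zone.get((name, "TXT"), [])]


def parse_mx(zone: Zone) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs, lowest preference (most preferred) first."""
    out = []
    for rdata in zone.get(("@", "MX"), []):
        pref, host = rdata.split()
        out.append((int(pref), host.lower()))
    return sorted(out)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(zone: Zone, provider_suffix: str = ".google.com.",
          dkim_selector: str = "google") -> Dict[str, bool]:
    """Evaluate the chapter's checklist; every value should be True."""
    mx = parse_mx(zone)
    spf = [r for r in _txt(zone, "@") if r.lower().startswith("v=spf1")]
    dkim = [r for r in _txt(zone, f"{dkim_selector}._domainkey")
            if r.lower().startswith("v=dkim1")]
    dmarc_records = [r for r in _txt(zone, "_dmarc") if r.upper().startswith("V=DMARC1")]
    dmarc = parse_dmarc(dmarc_records[0]) if dmarc_records else {}
    return {
        # MX points at your mail provider (and exists at all)
        "mx_points_at_provider": bool(mx) and all(h.endswith(provider_suffix) for _, h in mx),
        # Single SPF with all sending sources, ending in a soft or hard fail
        "single_spf_record": len(spf) == 1,
        "spf_ends_with_all": len(spf) == 1 and spf[0].split()[-1] in ("~all", "-all"),
        # DKIM selector TXT present
        "dkim_selector_present": bool(dkim),
        # DMARC at least p=none with a reporting address
        "dmarc_policy_set": dmarc.get("p") in ("none", "quarantine", "reject"),
        "dmarc_reporting_address": dmarc.get("rua", "").startswith("mailto:"),
    }


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("after host move", MOVED_HOST_ZONE)):
        print(label, {k: ("ok" if v else "FAIL") for k, v in audit(zone).items()})
```

To use it on a real domain you control, paste the rdata from the dig lookups in the "Try it yourself" steps into a zone dictionary of the same shape; the audit will point at whichever row of the checklist is missing, which for the chapter's scenario is the MX row.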

Scenario

After moving web hosts, Workshop Co. email bounces. Website works. What DNS record class did they most likely break?

Answer

MX — often omitted when copying only A/CNAME records to the new DNS host.