How Email DNS Works (MX, SPF, DKIM, DMARC)

Modern email delivery depends on DNS both to route mail and to authenticate it. Setting up a domain for email requires configuring four distinct DNS records: MX for receiving, and SPF, DKIM, and DMARC for authenticating outgoing messages so that spoofed mail can be detected and rejected.

The Four Pillars of Email DNS

To reach the inbox at major providers like Gmail and Microsoft 365, you must prove that you control the domain and that the server sending the email is authorized to do so. Here is how the records work together:

  • MX (Mail Exchange): The foundation. It tells other mail servers which hosts receive email for your domain.
  • SPF (Sender Policy Framework): A TXT record that lists the IP addresses and third-party services (like Mailchimp or Google Workspace) authorized to send email on your domain's behalf.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to every email you send. The receiving server fetches the public key published in your DNS (as a TXT record) to verify the signature, proving that the signed headers and body weren't altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): The enforcer. It ties SPF and DKIM together and tells the receiving server exactly what to do (e.g., quarantine to spam, or reject entirely) when a message fails both checks, i.e. produces neither an SPF pass nor a DKIM pass that aligns with the From: domain.

Email DNS FAQ & Best Practices

Always start with MX to ensure you can receive mail. Next, configure SPF to authorize your sending IPs. Then, set up DKIM to sign your messages. Finally, once SPF and DKIM have propagated and are verified to pass, publish your DMARC record (starting with a p=none policy to monitor traffic before enforcing strict rules).

SPF frequently fails for two reasons. First, a domain may publish only one SPF record. If you have two TXT records starting with v=spf1, receivers treat the result as a permanent error and both are ignored. Second, SPF limits evaluation to 10 DNS-querying terms (include, a, mx, ptr, exists and redirect), counted across the record and everything it includes. If you "include" too many third-party services in your SPF string, you will exceed this limit and fail validation.
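As an added example (not code from the original article), the following offline checker takes the TXT records returned for a domain and flags the two SPF failure modes just described; the sample records are constructed and no DNS queries are made.

```python
# Added example: detect (a) more than one v=spf1 record and (b) more than 10
# DNS-querying terms in an SPF record. Input is the list of TXT strings a
# resolver would return for the domain (constructed sample below, no network).
# Caveat: a real evaluator must also count the lookups made inside each
# "include"d record recursively; this example counts only the top-level record.
import re

# Per RFC 7208 section 4.6.4, each of these terms costs one DNS lookup.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10

def spf_records(txt_records):
    """Return only the TXT records that are SPF records (start with v=spf1)."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def count_lookups(record):
    """Count DNS-querying mechanisms/modifiers in one SPF record (top level)."""
    count = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # drop the optional qualifier
        name = re.split(r"[:/=]", term, 1)[0].lower()  # "include:x" -> "include"
        if name in LOOKUP_TERMS:
            count += 1
    return count

def check_spf(txt_records):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    spf = spf_records(txt_records)
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} v=spf1 records found; receivers return permerror")
    for rec in spf:
        n = count_lookups(rec)
        if n > MAX_LOOKUPS:
            problems.append(f"{n} DNS lookups in record; limit is {MAX_LOOKUPS}")
    return problems

# Constructed sample: TXT records for a hypothetical domain. The second SPF
# record is a common mistake made when a new sending service is added.
SAMPLE_TXT = [
    "google-site-verification=abc123",        # unrelated TXT record, ignored
    "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
    "v=spf1 a mx include:spf.protection.outlook.com -all",
]

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT))   # ['2 v=spf1 records found; receivers return permerror']
```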

Unlike SPF, which is published at the root/apex of your domain, DMARC must be published as a TXT record on a specific subdomain: _dmarc.yourdomain.com.

A DKIM selector is a label that tells the receiving mail server exactly where in your DNS to find the public key: the key is published at selector._domainkey.yourdomain.com, and the selector is carried in the s= tag of the message's DKIM-Signature header. Because you might send email from multiple services (like Google Workspace and Mailchimp), each service uses a different selector (e.g., google._domainkey vs k1._domainkey) so their keys don't conflict.