Complete reference for DNS records required to operate a mail server, including SPF, DKIM, DMARC, MTA-STS, ARC, and autodiscovery configuration.

Table of Contents

  1. Overview
  2. Required Records
  3. SPF (Sender Policy Framework)
  4. DKIM (DomainKeys Identified Mail)
  5. DMARC (Domain-based Message Authentication)
  6. MTA-STS (Mail Transfer Agent Strict Transport Security)
  7. ARC (Authenticated Received Chain)
  8. DANE / TLSA for SMTP
  9. Autodiscovery Records
  10. Complete DNS Example
  11. Troubleshooting

1. Overview

Running a public mail server requires correct DNS configuration for both sending and receiving email. Some records are mandatory for basic functionality, while others build sender reputation and protect against spoofing.

| Record | Purpose | Required |
|---|---|---|
| A/AAAA | Mail server IP address | Yes |
| MX | Directs incoming mail to your server | Yes |
| PTR (rDNS) | Reverse DNS for your mail server IP | Yes (for sending) |
| SPF (TXT) | Declares which servers may send for your domain | Strongly recommended |
| DKIM (TXT) | Cryptographic signature verification | Strongly recommended |
| DMARC (TXT) | Policy for SPF/DKIM failures | Strongly recommended |
| MTA-STS (TXT + HTTPS) | Enforces TLS for inbound mail | Recommended |
| TLSA | DANE certificate pinning for SMTP | Optional |
| SRV | Mail client autodiscovery | Optional |

2. Required Records

A Record

The A record resolves your mail server's hostname to its public IPv4 address.

| Type | Host | Points to | TTL |
|---|---|---|---|
| A | mail | <mail-server-ipv4> | 1 hour |

If your mail server supports IPv6, also add an AAAA record:

| Type | Host | Points to | TTL |
|---|---|---|---|
| AAAA | mail | <mail-server-ipv6> | 1 hour |

MX Record

The MX record tells other mail servers where to deliver email for your domain.

| Type | Host | Points to | Priority | TTL |
|---|---|---|---|---|
| MX | @ | mail.example.com | 10 | 1 hour |

  • Lower priority numbers are preferred
  • Same priority values enable load balancing between multiple servers
  • Higher priority values serve as backup (fallback) servers

example.com.    IN    MX    10    mail.example.com.
example.com.    IN    MX    20    backup-mail.example.com.

PTR (Reverse DNS) Record

The PTR record maps your mail server's IP address back to its hostname. Almost all receiving mail servers perform an rDNS check and may reject or flag mail without a valid PTR.

Note: PTR records are not configured in your DNS zone. They are set by your hosting provider or ISP who owns the IP address block. Contact them to set up rDNS.

The PTR should resolve to a hostname that in turn resolves back to the same IP (forward-confirmed reverse DNS, or FCrDNS):

; Forward: mail.example.com -> 203.0.113.20
mail.example.com.    IN    A    203.0.113.20

; Reverse: 203.0.113.20 -> mail.example.com
20.113.0.203.in-addr.arpa.    IN    PTR    mail.example.com.

3. SPF (Sender Policy Framework)

SPF (RFC 7208) is a TXT record that declares which IP addresses and servers are authorized to send email for your domain. Receiving servers check SPF to detect forged sender addresses.

Basic SPF Record

| Type | Host | TXT Value | TTL |
|---|---|---|---|
| TXT | @ | v=spf1 ip4:<mail-server-ipv4> -all | 1 hour |

SPF Mechanisms

| Mechanism | Description | Example |
|---|---|---|
| ip4 | Match IPv4 address or CIDR range | ip4:203.0.113.20, ip4:203.0.113.0/24 |
| ip6 | Match IPv6 address or CIDR range | ip6:2001:db8::/32 |
| a | Match the domain's A/AAAA records | a, a:other.example.com |
| mx | Match the domain's MX hosts' IPs | mx, mx:example.com |
| include | Include another domain's SPF policy | include:_spf.google.com |
| redirect | Use another domain's SPF record entirely | redirect=_spf.example.com |
| exists | Match if a DNS A query for the macro-expanded domain succeeds | exists:%{i}._spf.example.com |
| all | Match everything (used as final catch-all) | -all, ~all |

SPF Qualifiers

| Qualifier | Result | Meaning |
|---|---|---|
| + (default) | Pass | Authorized sender |
| - | Fail | Unauthorized, reject |
| ~ | SoftFail | Probably unauthorized, accept but flag |
| ? | Neutral | No assertion |

SPF CIDR Examples

; Allow a single IP
v=spf1 ip4:203.0.113.20 -all

; Allow an entire /24 subnet
v=spf1 ip4:203.0.113.0/24 -all

; Allow a /32 (single host, explicit)
v=spf1 ip4:203.0.113.20/32 -all

; Allow IPv6 range
v=spf1 ip6:2001:db8:abcd::/48 -all

; Multiple sources: own server + Google Workspace + Mailchimp
v=spf1 ip4:203.0.113.20 include:_spf.google.com include:servers.mcsv.net -all

SPF Limitations

  • Maximum 10 DNS lookups (mechanisms like include, a, mx, exists each count as one lookup; ip4/ip6 do not)
  • Exceeding the lookup limit causes a permerror and SPF fails
  • Use tools like mxtoolbox.com/spf to validate lookup count
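Lookup counting as an added example (not code from the original page): it walks include: and redirect= targets recursively over ZONE, a constructed stand-in for DNS with fictional provider.example and bulkmail.example names, and reports the permerror that exceeding the limit produces; count_lookups and spf_lookup_status are names chosen here.

```python
# Added example, not from the original page: count the DNS lookups an SPF
# evaluation performs and apply the RFC 7208 limit of 10 described above.
# ZONE is a constructed stand-in for DNS; names and addresses are not real.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.20 include:_spf.provider.example "
                   "include:servers.bulkmail.example -all",
    "_spf.provider.example": "v=spf1 include:_nb1.provider.example "
                             "include:_nb2.provider.example include:_nb3.provider.example ~all",
    "_nb1.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.provider.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_nb3.provider.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "servers.bulkmail.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "alias.example": "v=spf1 redirect=example.com",
    # The same nested tree reached twice: every evaluation counts again.
    "legacy.example": "v=spf1 a mx include:example.com include:_spf.provider.example -all",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # ip4/ip6/all cost nothing
MAX_LOOKUPS = 10

def count_lookups(domain, zone, seen=frozenset()):
    """Lookups to evaluate `domain`'s SPF record (recursing into include:/redirect=); raises ValueError on permerror."""
    if domain in seen:
        raise ValueError(f"permerror: include/redirect loop at {domain}")
    record = zone.get(domain)
    if not record or not record.startswith("v=spf1"):
        raise ValueError(f"permerror: no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                    # drop the qualifier
        name, _, target = term.partition(":")
        if "=" in name:                               # modifier: redirect= or exp=
            name, _, target = term.partition("=")
            if name == "redirect":
                total += 1 + count_lookups(target, zone, seen | {domain})
            continue
        name = name.split("/")[0]                     # 'a/24' -> 'a'
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, seen | {domain})
    if total > MAX_LOOKUPS:
        raise ValueError(f"permerror: {total} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return total

def spf_lookup_status(domain, zone=ZONE):
    """'ok (N lookups)' or the permerror message a validator would report."""
    try:
        return f"ok ({count_lookups(domain, zone)} lookups)"
    except ValueError as exc:
        return str(exc)
```

Against a real zone, replace the ZONE dictionary with TXT lookups; the counting rules stay the same.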

4. DKIM (DomainKeys Identified Mail)

DKIM (RFC 6376) adds a cryptographic signature to outgoing emails. The receiving server retrieves the public key from DNS and verifies the signature matches the message content.

How DKIM Works

  1. The sending server signs the email headers and body with a private key
  2. The signature is added as a DKIM-Signature header
  3. The receiving server extracts the d= (domain) and s= (selector) from the header
  4. The receiving server queries <selector>._domainkey.<domain> for the public key
  5. The receiving server verifies the signature

Generate DKIM Keys

Using opendkim-genkey:

# Install opendkim tools
sudo apt install opendkim-tools    # Debian/Ubuntu
sudo dnf install opendkim          # RHEL/Fedora

# Generate a 2048-bit RSA key pair with selector "default"
opendkim-genkey -s default -d example.com -b 2048

# Output files:
# default.private  - Private key (install on mail server)
# default.txt      - DNS TXT record to publish

Using OpenSSL directly:

# Generate private key
openssl genrsa -out dkim-private.key 2048

# Extract public key in DNS format
openssl rsa -in dkim-private.key -pubout -outform PEM \
  | grep -v "^-" | tr -d '\n'
# Use this base64 string as the p= value

DKIM DNS Record

| Type | Host | TXT Value | TTL |
|---|---|---|---|
| TXT | default._domainkey | v=DKIM1; k=rsa; p=<base64-public-key> | 1 hour |

Full example:

default._domainkey.example.com.    IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K4P...truncated...IDAQAB"

Note: If the public key is longer than 255 characters (common with 2048-bit RSA), the TXT record must be split into multiple strings: "v=DKIM1; k=rsa; p=MIIBIjAN..." "...remainder...". Most DNS providers handle this automatically.
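The query-name derivation from steps 3-4 of "How DKIM Works" and the split-string handling from the note above, as an added example that is not part of the original page: parse_tags, split_txt, join_txt and check_dkim_record are names chosen here, and the signature header and key are constructed sample data, not a real key.

```python
# Added example, not from the original page: derive the DKIM query name from a signature,
# split/rejoin a TXT record longer than 255 characters, and sanity-check the published key.
import base64

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DKIM TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())    # folding whitespace is not significant
    return tags

def dkim_query_name(signature_header):
    """<selector>._domainkey.<domain> from the s= and d= tags (steps 3-4 above)."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def split_txt(value, limit=255):
    """Render a long TXT value as quoted character-strings of at most 255 bytes each."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def join_txt(rdata):
    """Concatenate the quoted strings of a TXT RDATA back into one value."""
    return "".join(rdata.split('"')[1::2])

def check_dkim_record(rdata):
    """Validate version and key type, and check that p= decodes to a DER-encoded key."""
    tags = parse_tags(join_txt(rdata))
    ktype = tags.get("k", "rsa")
    if tags.get("v", "DKIM1") != "DKIM1" or ktype not in ("rsa", "ed25519"):
        return "invalid: version or key type"
    if not tags.get("p"):
        return "revoked: empty p="                     # an empty p= means the key is revoked
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid: p= is not base64"
    if ktype == "rsa" and key[:1] != b"\x30":          # DER SubjectPublicKeyInfo starts with SEQUENCE
        return "invalid: rsa key is not DER SubjectPublicKeyInfo"
    return f"ok: {ktype} key, {len(key)} bytes"

# Constructed sample data: a DKIM-Signature fragment and a stand-in key that is only
# DER-looking bytes (not a real key), long enough that the TXT record must be split.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
                    "\th=from:to:subject:date:message-id; bh=<body-hash>; b=<signature>")
FAKE_SPKI = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(FAKE_SPKI).decode()
SAMPLE_RDATA = split_txt(SAMPLE_VALUE)               # two quoted strings: 255 + 155 chars
```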

DKIM Key Rotation

Rotate DKIM keys periodically (every 6-12 months recommended):

  1. Generate a new key pair with a new selector (e.g., 202603)
  2. Publish the new public key in DNS
  3. Configure the mail server to sign with the new key
  4. Keep the old DNS record for 7+ days (so in-transit messages can still be verified)
  5. Remove the old DNS record

Verify DKIM

# Check the published DKIM record
dig +short TXT default._domainkey.example.com

# Send a test email to a DKIM verification service
# check-auth@verifier.port25.com or use mail-tester.com

5. DMARC (Domain-based Message Authentication)

DMARC (RFC 7489) builds on SPF and DKIM to provide a policy for handling authentication failures and a reporting mechanism.

DMARC DNS Record

| Type | Host | TXT Value | TTL |
|---|---|---|---|
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com | 1 hour |

DMARC Tags

| Tag | Required | Description | Values |
|---|---|---|---|
| v | Yes | Version | DMARC1 |
| p | Yes | Policy for domain | none, quarantine, reject |
| sp | No | Policy for subdomains | none, quarantine, reject (inherits p if not set) |
| rua | No | Aggregate report recipients | mailto:dmarc@example.com |
| ruf | No | Forensic (failure) report recipients | mailto:forensics@example.com |
| adkim | No | DKIM alignment mode | r (relaxed), s (strict) |
| aspf | No | SPF alignment mode | r (relaxed), s (strict) |
| pct | No | Percentage of messages to apply policy | 0-100 (default: 100) |
| fo | No | Forensic report options | 0 (both fail), 1 (either fails), d (DKIM fails), s (SPF fails) |

DMARC Alignment Modes

Alignment determines how strictly the domain in the From: header must match the domains used in SPF and DKIM.

Relaxed alignment (r, default):

  • SPF: The MAIL FROM (envelope sender) domain and the From: header domain share the same organizational domain (e.g., bounce.example.com aligns with example.com)
  • DKIM: The d= signing domain and the From: header domain share the same organizational domain

Strict alignment (s):

  • SPF: The MAIL FROM domain must exactly match the From: header domain
  • DKIM: The d= signing domain must exactly match the From: header domain

DMARC Rollout

Deploy DMARC in stages, tightening the policy only after the reports show legitimate mail passing:

  1. Monitor: Start with p=none to collect reports without affecting delivery:

    v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1

  2. Quarantine: After reviewing reports and fixing issues, move to quarantine:

    v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com

  3. Reject: Once confident, enforce full rejection:

    v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s
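Alignment in relaxed and strict mode, plus the choice between p= and sp= for a subdomain, as an added example that is not code from the original page: ZONE is a constructed stand-in for DNS, org_domain() assumes the last two labels are the organizational domain (a simplification of the Public Suffix List lookup real evaluators perform), and norm, aligned, find_policy and dmarc_evaluate are names chosen here.

```python
# Added example, not from the original page: DMARC alignment in relaxed and strict
# mode and selection of the applicable policy (p= or sp=). ZONE is a constructed
# stand-in for DNS; org_domain() uses a simplified rule instead of the Public Suffix List.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def norm(name):
    return name.lower().rstrip(".")

def org_domain(name):
    """Organizational domain. Assumption: last two labels (real evaluators use the PSL)."""
    return ".".join(norm(name).split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed (r): same organizational domain. Strict (s): identical domain."""
    if mode == "s":
        return norm(auth_domain) == norm(from_domain)
    return org_domain(auth_domain) == org_domain(from_domain)

def find_policy(from_domain, zone=ZONE):
    """Policy discovery: the From: domain's own record first, else the organizational
    domain's record, in which case sp= governs this subdomain."""
    record = zone.get("_dmarc." + norm(from_domain))
    if record:
        return record, False
    record = zone.get("_dmarc." + org_domain(from_domain))
    return record, record is not None

def dmarc_evaluate(from_domain, spf_result, spf_mailfrom, dkim_result, dkim_d, zone=ZONE):
    """Return 'pass', 'fail (<policy>)' or 'none (no record)' for one message."""
    record, is_subdomain = find_policy(from_domain, zone)
    if record is None:
        return "none (no record)"
    tags = dict((k.strip(), v.strip()) for k, _, v in
                (part.partition("=") for part in record.split(";")) if k.strip())
    # DMARC passes if either authenticated identifier is aligned with the From: domain.
    spf_ok = spf_result == "pass" and aligned(spf_mailfrom, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return f"fail ({policy})"
```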

Verify DMARC

dig +short TXT _dmarc.example.com

6. MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS (RFC 8461) allows a domain to declare that it supports TLS for inbound SMTP, and that sending servers should refuse to deliver mail over unencrypted connections.

How MTA-STS Works

  1. The sending server checks for a _mta-sts.<domain> TXT record
  2. If present, it fetches the MTA-STS policy from https://mta-sts.<domain>/.well-known/mta-sts.txt
  3. The policy specifies which MX hosts require TLS and the policy mode

DNS Record

_mta-sts.example.com.    IN    TXT    "v=STSv1; id=20260322"

The id value must change whenever the policy is updated (triggers re-fetch by senders).

HTTPS Policy File

Host this file at https://mta-sts.example.com/.well-known/mta-sts.txt:

version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800

| Field | Description |
|---|---|
| version | Always STSv1 |
| mode | enforce (reject on TLS failure), testing (report only), none (disable) |
| mx | MX hosts that must support TLS (one per line, wildcards allowed: *.example.com) |
| max_age | Policy cache duration in seconds (604800 = 1 week) |
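The policy file above parsed and applied the way a sending server does, as an added example that is not code from the original page: parse_policy, mx_matches and deliver_decision are names chosen here, SAMPLE_POLICY is constructed and uses a wildcard mx entry to show the one-label matching rule, and tls_ok stands in for a successful TLS handshake with a certificate valid for the MX hostname.

```python
# Added example, not from the original page: parse an MTA-STS policy and apply it
# the way a sending server does, including the one-label wildcard rule for mx entries.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"

def parse_policy(text):
    """Parse 'key: value' lines; mx may repeat. Raises ValueError on a malformed policy."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy["max_age"])     # KeyError/ValueError if missing or not numeric
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx entry")
    return policy

def mx_matches(pattern, host):
    """'*.example.com' matches exactly one leading label (RFC 8461); otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def deliver_decision(policy, mx_host, tls_ok):
    """What a sender does with one MX candidate. tls_ok means TLS negotiated and the
    certificate validated for the MX hostname."""
    covered = any(mx_matches(p, mx_host) for p in policy["mx"])
    if policy["mode"] == "none" or (covered and tls_ok):
        return "deliver"
    if policy["mode"] == "enforce":
        return "skip this MX"          # try the next MX; defer the message if none is left
    return "deliver and report"        # testing mode: TLSRPT failure report, delivery unaffected
```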

SMTP TLS Reporting (TLSRPT)

Companion to MTA-STS; receives reports about TLS connection failures:

_smtp._tls.example.com.    IN    TXT    "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

7. ARC (Authenticated Received Chain)

ARC (RFC 8617) preserves email authentication results across intermediaries (mailing lists, forwarding services) that may break SPF and DKIM.

How ARC Works

  1. An intermediary that modifies or forwards a message records the original authentication results in ARC headers
  2. Each intermediary in the chain adds a numbered set of ARC headers (ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal)
  3. The final receiving server can evaluate the ARC chain to determine if the message was originally authenticated, even if SPF/DKIM now fail

ARC Headers

ARC-Authentication-Results: i=1; mx.example.com;
    dkim=pass header.d=sender.com;
    spf=pass smtp.mailfrom=sender.com;
    dmarc=pass header.from=sender.com

ARC-Message-Signature: i=1; a=rsa-sha256; d=example.com; s=arc;
    h=from:to:subject:date:message-id;
    b=<signature>

ARC-Seal: i=1; a=rsa-sha256; d=example.com; s=arc;
    cv=none; b=<seal-signature>

Setting Up ARC

ARC is configured on the mail server (not in DNS), but requires a DKIM-like key published in DNS:

# Generate ARC signing key
opendkim-genkey -s arc -d example.com -b 2048

Publish the public key:

arc._domainkey.example.com.    IN    TXT    "v=DKIM1; k=rsa; p=<base64-public-key>"

Configure your MTA (Postfix + OpenARC, or similar) to sign with ARC when forwarding.

Note: ARC does not add DNS records beyond a DKIM-style key. Its value is in preserving authentication across forwarding hops. Major providers (Gmail, Microsoft 365) evaluate ARC chains when making DMARC decisions.

8. DANE / TLSA for SMTP

DANE (DNS-based Authentication of Named Entities) uses TLSA records to pin TLS certificates for SMTP, providing server authentication without relying on public CAs.

SMTP TLSA Record

_25._tcp.mail.example.com.    IN    TLSA    3 1 1 <sha256-hash-of-public-key>

Generate the TLSA record:

# From the mail server's certificate
openssl x509 -in /etc/ssl/certs/mail.crt -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -binary \
  | xxd -p -c 64

Note: DANE for SMTP requires DNSSEC on the zone. Without DNSSEC, TLSA records cannot be trusted: DANE-aware sending servers only use TLSA records that a validating resolver returns as authenticated, and ignore the rest.

9. Autodiscovery Records

Mail clients (Outlook, Thunderbird, mobile clients) use autodiscovery to automatically configure IMAP/SMTP settings based on the user's email address.

SRV Records (RFC 6186)

; IMAP over TLS (port 993)
_imaps._tcp.example.com.       IN    SRV    0 1 993 mail.example.com.

; IMAP with STARTTLS (port 143)
_imap._tcp.example.com.        IN    SRV    0 1 143 mail.example.com.

; SMTP submission over TLS (port 465)
_submissions._tcp.example.com. IN    SRV    0 1 465 mail.example.com.

; SMTP submission with STARTTLS (port 587)
_submission._tcp.example.com.  IN    SRV    0 1 587 mail.example.com.

; POP3 over TLS (port 995) - if supported
_pop3s._tcp.example.com.       IN    SRV    0 1 995 mail.example.com.

Thunderbird Autoconfig

Thunderbird checks https://autoconfig.example.com/mail/config-v1.1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>mail.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>

Outlook Autodiscover

Outlook uses multiple methods in sequence. The most common for self-hosted servers is an SRV record:

_autodiscover._tcp.example.com.    IN    SRV    0 1 443 autodiscover.example.com.

Then serve an Autodiscover XML response at https://autodiscover.example.com/autodiscover/autodiscover.xml.

10. Complete DNS Example

A fully configured mail domain with all recommended records:

$ORIGIN example.com.

; Required
@           IN    A       203.0.113.10
mail        IN    A       203.0.113.20
mail        IN    AAAA    2001:db8::20
@           IN    MX      10 mail.example.com.
@           IN    MX      20 backup.example.com.

; SPF
@           IN    TXT     "v=spf1 ip4:203.0.113.20 ip6:2001:db8::20 -all"

; DKIM
default._domainkey    IN    TXT    "v=DKIM1; k=rsa; p=MIIBIjAN..."

; DMARC
_dmarc      IN    TXT     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

; MTA-STS
_mta-sts    IN    TXT     "v=STSv1; id=20260322"

; SMTP TLS Reporting
_smtp._tls  IN    TXT     "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

; DANE (requires DNSSEC)
_25._tcp.mail    IN    TLSA    3 1 1 a1b2c3d4...

; CAA (restrict certificate issuance)
@           IN    CAA     0 issue "letsencrypt.org"

; Autodiscovery
_imaps._tcp         IN    SRV    0 1 993 mail.example.com.
_submission._tcp    IN    SRV    0 1 587 mail.example.com.
_autodiscover._tcp  IN    SRV    0 1 443 autodiscover.example.com.
autoconfig          IN    CNAME  mail.example.com.

11. Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Email rejected: "SPF fail" | Sending IP not in SPF record | Add the IP or include: for the sending service to the SPF record |
| SPF permerror | More than 10 DNS lookups in SPF | Reduce include/a/mx mechanisms; flatten nested includes |
| DKIM signature verification fails | Public key mismatch or record not found | Verify selector and key match; check for DNS propagation; ensure TXT record is not split incorrectly |
| DMARC alignment failure | From: domain does not match SPF/DKIM domain | Check alignment mode (adkim/aspf); ensure DKIM d= matches the From: domain |
| No rDNS / PTR missing | Hosting provider did not set reverse DNS | Contact hosting provider to set PTR record; it must match the mail server hostname |
| MTA-STS policy not fetched | mta-sts subdomain not resolving or HTTPS not valid | Ensure mta-sts.example.com has an A record and valid TLS certificate |
| Autodiscovery not working | SRV records missing or wrong port | Add RFC 6186 SRV records; verify with dig SRV _imaps._tcp.example.com |
| Email flagged as spam despite passing SPF/DKIM | Missing DMARC, low sender reputation, or no PTR | Add DMARC record; build reputation gradually; verify rDNS is set |
| DKIM record too long for DNS | 2048-bit key exceeds 255-char TXT limit | Split into multiple strings within one TXT record; most providers handle this |
| ARC chain broken | Intermediary did not add ARC headers | Configure forwarding servers with OpenARC or equivalent |
