Setting up custom domain email for your business elevates your professional image, but navigating the technical DNS records required can be daunting for those unfamiliar with the process. Each DNS record type serves a specific purpose in the email delivery ecosystem, from verifying domain ownership to preventing email spoofing and ensuring messages reach their intended destinations. In this comprehensive guide, I’ll walk through each essential DNS record required for proper custom domain email configuration, helping you establish reliable business email that strengthens your brand identity and communication capabilities.
Purpose: MX Records identify the mail servers responsible for receiving email messages sent to your domain. They direct email to the proper server for processing. Without proper MX records, emails sent to your domain will have nowhere to go.
example.com. IN MX 10 mail.example.com.
example.com. IN MX 20 backup-mail.example.com.
If you have multiple mail servers, you can specify a priority that determines which one is attempted first. The numbers “10” and “20” indicate priority; lower numbers are attempted first.
Purpose: These records map hostnames to IP addresses (A for IPv4, AAAA for IPv6) or to another hostname (CNAME). They ensure the mail server specified in the MX record is reachable.
mail.example.com. IN A 192.0.2.10
mail.example.com. IN AAAA 2001:db8::1
webmail.example.com. IN CNAME mail.example.com.
Using CNAME records for hosts specified directly in MX records violates DNS standards and may cause email delivery problems with certain mail servers. Always use A or AAAA records for direct mail server hostnames.
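The two rules above (lowest MX number first, and no CNAME behind an MX target) can be checked mechanically before a zone goes live. The following is an added example, not code from the original article; the hosts alias-mail, ghost and the backup-mail address are constructed to trigger the findings, and the parser only handles the simple `owner IN TYPE rdata` lines shown on this page.

```python
# Constructed zone: the page's records plus two deliberately broken MX targets.
ZONE = """\
example.com. IN MX 20 backup-mail.example.com.
example.com. IN MX 10 mail.example.com.
example.com. IN MX 30 alias-mail.example.com.
example.com. IN MX 40 ghost.example.com.
mail.example.com. IN A 192.0.2.10
mail.example.com. IN AAAA 2001:db8::1
backup-mail.example.com. IN A 192.0.2.11
alias-mail.example.com. IN CNAME mail.example.com.
webmail.example.com. IN CNAME mail.example.com.
"""

def parse_zone(text):
    """Parse 'owner IN TYPE rdata...' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        records.append((fields[0].lower(), fields[2].upper(), fields[3:]))
    return records

def mx_delivery_order(records, domain):
    """MX targets for domain in the order senders try them (lowest number first)."""
    mx = [(int(rdata[0]), rdata[1].lower())
          for owner, rtype, rdata in records
          if rtype == "MX" and owner == domain.lower()]
    return [host for _, host in sorted(mx)]

def lint_mx_targets(records, domain):
    """Return {mx_target: finding} for targets that are aliases or unresolvable."""
    types_by_name = {}
    for owner, rtype, _ in records:
        types_by_name.setdefault(owner, set()).add(rtype)
    findings = {}
    for host in mx_delivery_order(records, domain):
        types = types_by_name.get(host, set())
        if "CNAME" in types:
            findings[host] = "MX target is a CNAME; publish A/AAAA records instead"
        elif not types & {"A", "AAAA"}:
            findings[host] = "MX target has no A or AAAA record in this zone"
    return findings

if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print(mx_delivery_order(recs, "example.com."), lint_mx_targets(recs, "example.com."))
```

Note that webmail.example.com is not flagged: a CNAME is fine for a hostname that no MX record points to.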
Purpose: SPF is implemented as a TXT record that specifies which servers are authorized to send email on behalf of your domain. SPF helps prevent email spoofing by allowing receiving mail servers to verify whether a mail server is authorized to send email from your domain.
example.com. IN TXT "v=spf1 include:email.example.com ip4:192.0.2.0/24 ~all"
Purpose: DKIM records allow the receiving mail server to validate that an email is from a specific domain and was authorized by the owner of that domain. This is done using public key infrastructure and is not exposed to end users. DKIM involves a private key used by the sender to sign emails and a corresponding public key published in the DNS record. DKIM signatures can be obtained from your email service provider.
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg51vNI2l4JvRT3lFTX3aYDEXIPGLgXqlXUUWY0gSVpjOG8vA5x0aIyvc7rSLnpGdnrQAvQGaLekgJ/VQqHwJUzwAe+HkS5tJfyWAHljJ4weUY7W5bYk2TUKXWEnQWQA/yNS29sB4S0vdVQIDAQAB;"
DKIM keys should be rotated periodically (typically every 6-12 months) for security. This is likely done by your email provider! When rotating keys, add the new key before removing the old one to ensure email continuity. Keys that are too short (less than 1024 bits) may be rejected by receiving mail servers.
Purpose: DMARC is a TXT record that tells receiving mail servers how to handle emails that fail SPF and DKIM checks. DMARC builds on SPF and DKIM to improve domain security, provides a feedback mechanism for authentication results, and specifies how to handle failed authentication.
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=s;"
Alignment Modes
Strict (s): Exact DKIM match required.
Relaxed (r): Subdomain emails allowed.
Note that adkim and aspf are optional, and relaxed is the default if unspecified.
p=quarantine: Ask the recipient platform to mark the unauthorized email as spam or quarantine the email.
p=reject: Ask the recipient platform to reject the unauthorized emails. These will not be delivered at all!
p=none: Do not quarantine or reject unauthorized emails. Usually, people only use this policy to troubleshoot or test.
Start with “none” for monitoring, move to “quarantine” with a percentage, then finally to “reject” once you’re confident in your setup.
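The interaction between the policy and the alignment modes is easier to see in code. The following is an added example, not part of the original article: it parses a DMARC record, applies the relaxed default, and reports what the record asks a receiver to do with a message. The `org_domain` helper is a simplifying assumption (last two labels), and `pct` sampling is not modelled.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict, filling in defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")   # relaxed is the default when unspecified
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Assumption for this example: the organizational domain is the last two
    # labels. Real receivers consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict needs an exact match; relaxed accepts the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(txt, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass', or the policy the record requests for a failing message.

    spf_domain:  envelope-sender domain if SPF passed, else None
    dkim_domain: d= domain of a valid DKIM signature, else None
    """
    policy = parse_dmarc(txt)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# The record from the page (strict alignment for both SPF and DKIM).
PAGE_DMARC = ("v=DMARC1; p=quarantine; rua=mailto:reports@example.com; "
              "ruf=mailto:forensic@example.com; adkim=s; aspf=s;")

if __name__ == "__main__":
    # Constructed messages: same From domain, signed by different d= domains.
    for d in ("example.com", "mail.example.com"):
        print(d, dmarc_result(PAGE_DMARC, "example.com", dkim_domain=d))
```

Under the page's strict record, a message signed by mail.example.com with a From address at example.com is quarantined; the same message passes if `adkim=s` is removed.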