3 Important DNS Records for Email

As Mail Exchange Record (MX) defines the server we used to receive email, it is not enough to secure your email service. Take a look at the mail server setup tutural, it is completely possible that we can configure the mail server send emails using any ”send from” address. This brings the security concerns:

  1. How can we prevent other people’s server to send email using my domain name and email address?
  2. How can we tell the server is allowed to send email using the domain?
  3. How can we tell the server (ip) sending the email is not hijacked by third person?

These security problem can be solved by 3 DNS records.

TXT SPF Records

An SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.

If your are using third party email service, e.g. Office 365 and Google Work, there should be a document telling how to setup the proper SPF record. If you are setting up your own mail server, here is the most simplified configuration:

  1. v=spf1 mx -all Allows the domain’s MX hosts to send mail for the domain, and prohibits all other hosts.
  2. v=spf1 -all The domain sends no mail at all.
  3. v=spf1 +all This SPF is useless, as it does not limit the hosts that are authorized to send e-mail.

For me, I added DNS record: TXT @ "v=spf1 mx -all". Take a look at the more detailed manual if you need more complicated configuration.

Reverse DNS Records

Reverse DNS (rDNS) lookup is the determination of a domain name that is associated with a given IP address. It is a reversed mapping from IP to domain name. You can not setup rDNS from DNS side or mail server side. Instead you need to contact the VPS provider to setup rDNS. Most VPS provider will have an easy way to set the rDNS.

However, each IP can only have one associated rDNS recored. It is not possible to bind multiple rDNS record to the same server. You can also not ask a third party email service provider to give a rDNS record pointing to your domain. But for a self-hosted email service, rDNS is important as many spam filter server use this record to prevent spam.

DomainKeys Identified Mail

This is the most secure way to do sender identify. DKIM add a public key to mail._domainkey TXT record, and signature every sending mail with a private key. An excellent tutorial about how to setup DKIM is here

You can setup DKIM for multiple domains on the same server (and multiple server). So, it is more better and secure than rDNS.