Understanding DNS Records for Mail Server Setup (MX, SPF, DKIM, DMARC)
Introduction
When setting up a mail server, DNS records play a very important role.
Without correct DNS settings, your emails may go to the recipient’s spam folder or may not be delivered at all.
In this blog, we will explain the main DNS records used in email: MX, SPF, DKIM, and DMARC.
We will also discuss best practices for setting up a reliable mail server.
MX Record (Mail Exchanger)
What it does: Tells the world which server will receive emails for your domain.
Example for domain bitscentric.com:
bitscentric.com. IN MX 10 mail.bitscentric.com.
This means all incoming emails for @bitscentric.com should be delivered to mail.bitscentric.com.
SPF Record (Sender Policy Framework)
What it does: Defines which servers are allowed to send emails on behalf of your domain.
This makes it much harder for spammers to send emails that claim to come from your domain.
Example SPF record:
bitscentric.com. IN TXT "v=spf1 ip4:203.0.113.25 include:_spf.google.com -all"
- ip4:203.0.113.25 → your own mail server's IP address is allowed to send.
- include:_spf.google.com → the Google Workspace sending servers are also allowed.
- -all → every other sender fails the check (hard fail).
DKIM Record (DomainKeys Identified Mail)
What it does: Adds a digital signature to outgoing emails.
This helps the receiver verify that the message was really sent by your server and was not changed on the way.
Steps:
- Generate a DKIM key pair on your mail server (for example with OpenDKIM alongside Postfix); the private key stays on the server and signs outgoing mail.
- Publish the public key in DNS as a TXT record under the selector name (default._domainkey in the example below).
Example DKIM record:
default._domainkey.bitscentric.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
DMARC Record (Domain-based Message Authentication, Reporting and Conformance)
What it does: Tells mail servers how to handle emails that fail SPF or DKIM checks.
It also provides reports to the domain owner.
Example DMARC record:
_dmarc.bitscentric.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@bitscentric.com; ruf=mailto:dmarc-failure@bitscentric.com; sp=reject; aspf=s"
- p=quarantine → messages that fail DMARC are quarantined (usually delivered to the spam folder).
- rua= → aggregate reports are sent to this address.
- ruf= → failure (forensic) reports are sent to this address.
- sp=reject → messages from subdomains that fail DMARC are rejected.
- aspf=s → strict SPF alignment: the SPF domain must exactly match the From: header domain.
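As an added example (not code from the original post), here is a small Python checker that parses the SPF and DMARC records from the sections above and flags the settings most often left weak: a missing or permissive all term, more than ten lookup terms, p=none, and no rua= address. The two sample records are copied from this post; everything else is the example's own code.

```python
import re

# Constructed sample input: the two TXT records shown in this post.
SPF_RECORD = "v=spf1 ip4:203.0.113.25 include:_spf.google.com -all"
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@bitscentric.com; "
                "ruf=mailto:dmarc-failure@bitscentric.com; sp=reject; aspf=s")
# Mechanisms/modifiers that each cost a DNS lookup under the RFC 7208 limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)

def parse_spf(txt):
    """Return the SPF terms after 'v=spf1', or raise if it is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]

def parse_dmarc(txt):
    """Turn 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def spf_findings(txt):
    """List weaknesses in an SPF record; an empty list means it looks sound."""
    findings, terms = [], parse_spf(txt)
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_terms[0].lower() in ("all", "+all", "?all"):
        findings.append("'%s' lets any host send mail for the domain" % all_terms[0])
    elif terms[-1] != all_terms[0]:
        findings.append("terms after '%s' are never evaluated" % all_terms[0])
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append("%d lookup terms exceed the limit of 10 (permerror)" % lookups)
    return findings

def dmarc_findings(txt):
    """List weaknesses in a DMARC record; an empty list means it looks sound."""
    findings, tags = [], parse_dmarc(txt)
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; mail failing DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings
```

To check a live domain, feed the TXT record returned by dig TXT for the domain (or _dmarc.domain) into these functions.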
Other Useful DNS Records for Mail
- A Record: The mail server hostname (e.g., mail.bitscentric.com) should point to your server IP.
- PTR Record (Reverse DNS): The IP address of your mail server should resolve back to mail.bitscentric.com.
- CAA Record: Defines which Certificate Authorities can issue SSL/TLS certificates for your domain.
Best Practices for Reliable Mail Server
- Always configure MX, SPF, DKIM, and DMARC correctly.
- Set Reverse DNS (PTR record) to match your mail server hostname.
- Use valid SSL/TLS certificates for encryption (Let’s Encrypt or commercial SSL).
- Monitor mail logs in /var/log/maillog for issues.
- Never run an open relay: only authenticated users should be able to send mail through the server.
- Use rate limiting to avoid blacklisting when sending bulk mail.
- Enable spam filtering (Rspamd, SpamAssassin) to protect users.
- Subscribe to feedback loops from big providers (Gmail, Outlook) to monitor spam complaints.
Concept Summary
Email deliverability depends heavily on DNS records and proper configuration.
MX defines where to deliver mails, SPF prevents spoofing, DKIM ensures integrity, and DMARC enforces policy.
By following these best practices, your mail server will have higher trust and better inbox delivery.
Conclusion
Setting up DNS records correctly is the foundation of a professional email system.
Without them, even the best-configured mail server can fail.
By learning MX, SPF, DKIM, and DMARC records, students can build a reliable and secure mailing solution suitable for industry-level environments.