All DNS records needed for a functional mailserver

Setting up your own mailserver may sound intimidating, but it's not all that hard, especially since the DNS setup only has to be done once.

Here, we’ll walk through every DNS record type that’s necessary, and explain relevant security records for a reliable and standard-compliant mail system.

Ensuring the right DNS records are in place is essential for making sure emails are delivered and not rejected or flagged as spam.

A and AAAA records: pointing to your mailserver

A/AAAA records (address records) map a domain or subdomain to an IPv4 or IPv6 address. This is how the rest of the world learns where your mailserver is located.

Example A record:

mx.example.com.   A     198.51.100.42

Example AAAA record:

mx.example.com.   AAAA  2001:db8:abcd:1234::42

Tips:

  • Use mx.example.com (not your root domain) to host the mailserver.
  • For better compatibility, publish both an A and an AAAA record.

MX records: announcing where to deliver email

MX records (Mail Exchanger records) specify which hosts should receive email for your domain. The record includes a priority (lower numbers mean higher priority) and points to a hostname that must have an A or AAAA record.

Example MX record:

example.com.   MX    10   mx.example.com.

Explanation: mx.example.com receives mail on behalf of example.com.

  • Use only a hostname (like mx.example.com) as the value; an IP address is not valid here.
  • You can set multiple MX records with different priorities for failover, so that if your primary mailserver is down, the secondary one can take over.

Having a backup mailserver is less important than it sounds, because sending servers retry with incremental backoff: if a delivery to your one and only mailserver fails, it will be retried over the course of the day and the week.
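As an added example (not code from the article or from HexName), here is a small Python linter for the A, AAAA and MX records described above. It parses constructed zone lines in the same "owner TYPE value" layout used on this page and checks the two rules the MX section states: an MX value must be a hostname, and that hostname must own an A or AAAA record. The sample zone is constructed for the example and includes two deliberate mistakes so the checks have something to report.

```python
"""Linter for the A/AAAA/MX records described above (added example).

This is not the article's own code. It parses constructed zone lines in the
same "owner TYPE value" layout the article uses and checks the rules the MX
section states: every MX value must be a hostname (never an IP literal) and
that hostname must own an A or AAAA record. Priorities are sorted the way a
sending server tries them: lowest number first.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone: the article's records plus two deliberate mistakes,
# an MX whose target has no address record and an MX pointing at an IP literal.
SAMPLE_ZONE = """
mx.example.com.     A     198.51.100.42
mx.example.com.     AAAA  2001:db8:abcd:1234::42
example.com.        MX    10   mx.example.com.
example.com.        MX    20   mx2.example.com.
example.com.        MX    30   203.0.113.7
example.com.        TXT   "v=spf1 a mx -all"
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so lookups match."""
    return name.strip().lower().rstrip(".")


def parse_zone(text):
    """Return {(owner, rtype): [value, ...]} from 'owner TYPE value' lines."""
    zone = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        owner, rtype, value = line.split(None, 2)
        zone[(normalize(owner), rtype.upper())].append(value.strip())
    return zone


def has_address(zone, host):
    """True if host owns at least one A or AAAA record."""
    host = normalize(host)
    return bool(zone.get((host, "A")) or zone.get((host, "AAAA")))


def is_ip_literal(value):
    """True if the MX value is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(normalize(value))
        return True
    except ValueError:
        return False


def mx_targets(zone, domain):
    """(priority, host) pairs for domain, in the order a sender tries them."""
    pairs = []
    for value in zone.get((normalize(domain), "MX"), []):
        prio, host = value.split(None, 1)
        pairs.append((int(prio), normalize(host)))
    return sorted(pairs)


def check_mx(zone, domain):
    """Return human-readable problems; an empty list means the MX setup is consistent."""
    problems = []
    targets = mx_targets(zone, domain)
    if not targets:
        problems.append(f"{domain}: no MX record published")
    for prio, host in targets:
        if is_ip_literal(host):
            problems.append(f"{domain}: MX {prio} '{host}' is an IP literal; the value must be a hostname")
        elif not has_address(zone, host):
            problems.append(f"{domain}: MX {prio} target '{host}' has no A or AAAA record")
    return problems


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("delivery order:", mx_targets(zone, "example.com"))
    for problem in check_mx(zone, "example.com"):
        print("PROBLEM:", problem)
```

Run it as-is and it prints the delivery order (priority 10 first) followed by the two problems in the constructed zone. To lint a real zone, paste the records your DNS provider shows into SAMPLE_ZONE in the same layout.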

TXT records: SPF, DKIM, and DMARC

TXT records can be used for pretty much anything. Here they’re used in critical mail authentication methods: SPF, DKIM, and DMARC. These reduce spam and prevent spoofing.

Sender Policy Framework (SPF)

SPF specifies which mailservers are authorized to send for your domain. This is useful if you’re allowing other mailservers to send mail on your behalf for deliverability/marketing reasons.

Its value is placed in a TXT record:

example.com.   TXT   "v=spf1 a mx -all"

Meaning:

  • a allows the A/AAAA addresses of example.com to send email
  • mx allows the MX servers of the domain (so, mx.example.com)
  • -all means "fail if none of the previous mechanisms matched"

A domain can only have one SPF TXT record. The rest will be ignored.

DomainKeys Identified Mail (DKIM)

DKIM lets your server sign outgoing emails with a cryptographic key; recipients verify the signature against the public key you publish in DNS.

The exact steps for acquiring the record depend on your mail software, but here is a general example:

default._domainkey.example.com.   TXT   "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

  • default is the selector and can be any word set in your mailserver config
  • The p= value is your public key (shown truncated here)

You can usually find the DKIM key and setup instructions in your mailserver's admin panel or CLI tools.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC tells receiving mailservers how to handle mail that fails SPF, DKIM, or both, and can provide reporting to help you discover misconfigurations.

An example of a strong DMARC policy is:

_dmarc.example.com.   TXT   "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

  • p=reject can also be none (for testing) or quarantine (to have failing mail quarantined instead of rejected).
  • rua= specifies an email address for DMARC aggregate reports. The recipient is usually not a person but an automated service that turns the reports into a human-readable format.

DMARC reports usually arrive as XML attachments, so they are hard for humans to read. Plenty of free tools exist, such as Cloudflare DMARC Management or Postmark, that send you summaries of the aggregate reports.
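As an added example covering the SPF, DKIM and DMARC sections above (not code from the article or from HexName), here is a Python checker that takes TXT record values and reports the weaknesses those sections warn about: a missing or permissive "all" mechanism and more than one SPF record, a DKIM record with an empty public key, and a DMARC policy of p=none or one without a rua= reporting address. The STRONG and WEAK record sets are constructed for the example; the DKIM key is the article's truncated placeholder.

```python
"""Checker for the SPF, DKIM and DMARC TXT values described above (added example).

This is not the article's own code. It takes constructed TXT record values and
reports the weaknesses discussed in the three sections: a missing or permissive
"all" mechanism and duplicate SPF records, a DKIM record with an empty public
key, and a DMARC policy of p=none or without a rua= reporting address.
"""


def unquote(value):
    """Strip the surrounding double quotes DNS tools print around TXT data."""
    return value.strip().strip('"')


def parse_tags(value):
    """Split 'k=v; k2=v2' (the DKIM/DMARC tag syntax) into a dict."""
    tags = {}
    for part in unquote(value).split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        tags.setdefault(key.strip().lower(), val.strip())
    return tags


def check_spf(txt_values):
    """txt_values: every TXT string at the domain apex. Returns findings."""
    findings = []
    spf = [unquote(v) for v in txt_values if unquote(v).lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record found"]
    if len(spf) > 1:
        findings.append(f"SPF: {len(spf)} v=spf1 records found; a domain must publish exactly one")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result instead of a fail")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_terms[-1] == "~all":
        findings.append("SPF: '~all' is a softfail; prefer '-all' once every legitimate sender is listed")
    return findings


def check_dkim(value):
    """Check a selector._domainkey TXT value: v=DKIM1 if present and a non-empty key."""
    tags = parse_tags(value)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag must be DKIM1 when present")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked, so signatures will not verify")
    return findings


def check_dmarc(value):
    """Check a _dmarc TXT value for a real policy and a reporting address."""
    text = unquote(value)
    tags = parse_tags(text)
    if not text.lower().startswith("v=dmarc1") or "p" not in tags:
        return ["DMARC: record must start with v=DMARC1 and contain a p= tag"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; mail failing SPF and DKIM is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy '{policy}'")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: address, so aggregate reports will never reach you")
    return findings


# Constructed sample records: the article's strong set, then a deliberately weak set.
STRONG = {
    "spf": ['"v=spf1 a mx -all"', '"some-verification-token=abc123"'],
    "dkim": '"v=DKIM1; k=rsa; p=MIIBIjANBgkq..."',  # key truncated as in the article
    "dmarc": '"v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"',
}
WEAK = {
    "spf": ['"v=spf1 a mx ~all"', '"v=spf1 include:_spf.example.net +all"'],
    "dkim": '"v=DKIM1; k=rsa; p="',
    "dmarc": '"v=DMARC1; p=none"',
}


def audit(records):
    """Run all three checks over a {'spf': [...], 'dkim': str, 'dmarc': str} set."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])


if __name__ == "__main__":
    for label, records in (("strong", STRONG), ("weak", WEAK)):
        print(f"{label}: {audit(records) or ['no findings']}")
```

The STRONG set produces no findings; the WEAK set produces five. Note that check_spf takes every TXT string at the apex, not just the SPF one, because the duplicate-record check only makes sense over the full set; other TXT data (verification tokens and the like) is ignored.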

Filling your DNS records

If you're using a DNS service like HexName.com, you can register a subdomain (like example.hexname.com), create a hostname for the mailserver (such as mx.example.hexname.com), and add the above A, AAAA, MX, and TXT records. Ensure each record is entered precisely.

A complete (minimal) set for secure mail delivery:

  • A/AAAA records pointing to your mailserver’s IP
  • MX record on example.hexname.com pointing to mx.example.hexname.com (where your mailserver is running)
  • SPF TXT on example.hexname.com with the contents "v=spf1 a mx -all"
  • DKIM TXT on default._domainkey.example.hexname.com
  • DMARC TXT on _dmarc.example.hexname.com with the contents "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.hexname.com"

These records ensure your mail can both arrive and be accepted by most of the world.

Many free online “mailserver tester” tools exist, letting you verify your mailserver configuration is correct. We recommend checking out:

After you’re done with the basics, you can look into MTA-STS, TLS and SPF reporting, TLSA, DANE, as well as methods to help ensure good deliverability.
