This is internal documentation. There is a good chance you’re looking for something else. See Disclaimer.

DNS Records for Outgoing Mails

Create SPF Record

As shown below, include:spf.tocco.ch needs to be added to the SPF record. The record shown below may need to be extended depending on whether another relay is used to send mails from the same domain. Also, ?all is generally safe, but the domain owner may wish to use ~all or -all to prevent anyone else from sending mails using their domain.

@ IN TXT "v=spf1 … include:spf.tocco.ch ?all"

Warning

~all and -all may lead to mails being rejected or considered spam if the policy is incorrect. Be careful!

Wikipedia has a comprehensive article on SPF if more information is needed.

Figure: Sample SPF record in the Nine web interface

Verify SPF Records

  1. Go to https://mxtoolbox.com/spf.aspx

  2. Enter domain name

  3. Verify that no errors are printed

  4. Verify record contains “include:spf.tocco.ch”

Have a look at Verify Correctness should you require a more comprehensive test; this is usually only needed if there are known problems.

Create DKIM Record

A CNAME record for the name default._domainkey needs to be created.

default._domainkey IN CNAME default._domainkey.tocco.ch.

See the Wikipedia entry on DKIM for more details.

Hint

In case the selector name default is already in use, an alternative selector called tocco can be used:

  1. Switch domain to the tocco selector. See commit e3c08e3ff16b for an example.

  2. Add the following DNS record:

    tocco._domainkey IN CNAME tocco._domainkey.tocco.ch.
    
  3. Use alternative selector in config.yml:

    example:  # <-- customer
      mail_domains:
        example.net:   # <-- domain
          dkim_selector_name: tocco
          dkim_value: '{{ _dkim_value_selector_tocco }}'
    
Figure: Sample CNAME record in the Nine web interface redirecting to our DKIM entry.

Verify DKIM Record

  1. Go to https://mxtoolbox.com/dkim.aspx

  2. Enter domain name and “default” as selector

  3. Verify that no errors are printed

  4. Check that the value is correct by verifying that the record contains “MyHW9JhhHiLdYNar9H77Ob1” (which is part of the public key).

  5. Go to https://dnslookup.online/txt.html

  6. Look up “default._domainkey.${DOMAIN}” (e.g. default._domainkey.example.net)

  7. Ensure the result contains a row of type CNAME pointing to default._domainkey.tocco.ch:

    Type     Cname
    CNAME    default._domainkey.tocco.ch

Hint

Old records may lack the CNAME record. This is okay, but new records must contain it.

Have a look at Verify Correctness should you require a more comprehensive test; this is usually only needed if there are known problems.

Create DMARC Record

A TXT entry for the name _dmarc needs to be created. Reports about mails rejected or classified as spam are sent to the mail address specified in the record.

The subdomain policy, sp, may need to be adjusted if the domain owner wishes to send mails from subdomains. The policy p=none is generally safe but it can also be set to quarantine or reject if a stricter policy is desired.

_dmarc IN TXT "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"

Warning

Be careful with quarantine and reject. If SPF or DKIM validation fails, the mail is moved to spam or rejected, respectively.

Wikipedia has some more details on DMARC.

Figure: Sample DMARC record in the Nine web interface

Verify Correctness

There are several online services that test the records for you. Mail Tester is one of the simpler ones and it covers all the DNS entries listed above.
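The manual checks from the SPF, DKIM and DMARC sections above, written out as an offline Python script. This is an added example, not part of this documentation or of Tocco's tooling; it runs over constructed sample records, and a live check would instead feed it the TXT and CNAME answers returned by a resolver (e.g. dig TXT example.net).

```python
SPF_INCLUDE = "include:spf.tocco.ch"
DKIM_ZONE = "_domainkey.tocco.ch"   # selector CNAMEs must point into this zone
DMARC_POLICIES = {"none", "quarantine", "reject"}

def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list means OK)."""
    terms = record.strip().strip('"').split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    if SPF_INCLUDE not in terms:
        problems.append(f"missing {SPF_INCLUDE}")
    # The 'all' mechanism must come last; its qualifier is the domain's policy.
    if not terms or terms[-1].lower().lstrip("+-~?") != "all":
        problems.append("record must end with ?all, ~all or -all")
    elif terms[-1].lower() in ("all", "+all"):
        problems.append("'+all' authorises any host to send mail for the domain")
    return problems

def check_dkim_cname(selector: str, cname_target: str) -> list[str]:
    """The selector's CNAME must point at the same selector under tocco.ch."""
    expected = f"{selector}.{DKIM_ZONE}"
    if cname_target.rstrip(".").lower() != expected:
        return [f"CNAME points to {cname_target}, expected {expected}."]
    return []

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1;p=none;...' into a tag dict (stray whitespace tolerated)."""
    pairs = (p.split("=", 1) for p in record.strip().strip('"').split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(record: str) -> list[str]:
    """Return the problems found in a DMARC TXT record (empty list means OK)."""
    tags, problems = parse_dmarc(record), []
    if tags.get("v") != "DMARC1":
        problems.append("v=DMARC1 tag missing")
    for tag in ("p", "sp"):  # p is mandatory, sp is optional
        if (tag == "p" or tag in tags) and tags.get(tag) not in DMARC_POLICIES:
            problems.append(f"{tag}= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("rua= must be a mailto: address or no reports are delivered")
    return problems

# Constructed sample answers standing in for live lookups (e.g. dig TXT example.net).
SAMPLE_SPF = '"v=spf1 include:spf.tocco.ch ?all"'
SAMPLE_DMARC = '"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"'
```

Each check returns an empty list when the record satisfies the requirements described above, so the script can be dropped into a monitoring job that alerts on any non-empty result.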