This is an internal documentation. There is a good chance you’re looking for something else. See Disclaimer.
DNS Records for Outgoing Mails
Create SPF Record
As shown below, include:spf.tocco.ch needs to be added to the SPF record. The record shown below may need to be
extended depending on whether another relay is used to send mails from the same domain. Also, ?all is
generally safe but the domain owner may wish to use ~all or -all to avoid that anyone else can send mails using
her domain.
@ IN TXT "v=spf1 … include:spf.tocco.ch ?all"
Warning
~all and -all may lead to mails being rejected or considered spam if the policy is incorrect. Be careful!
Wikipedia has comprehensive article on SPF if more information is needed.
Sample SPF record in Nine web interface
Verify SPF Records
tco mail dns-check-domain ${DOMAIN}
This will show required changes, or nothing if everything is set up properly.
Note
You can also manually check the SPF record:
Enter domain name
Verify there is no errors printed
Verify record contains “include:spf.tocco.ch”
Have a look at Verify Correctness should you require a more comprehensive test. Usually only needed if there are known problems.
Create DKIM Record
Two CNAME records for selectors ch-tocco-1 and
ch-tocco-1 need to be created:
ch-tocco-1._domainkey IN CNAME ch-tocco-1._domainkey.tocco.ch. ch-tocco-2._domainkey IN CNAME ch-tocco-2._domainkey.tocco.ch.
See wikipedia entry on DKIM for more details.
Sample CNAME record for ch-tocco-1 in Nine web interface.
Hint
There used to be a selector called default and one called tocco
(for some domains still configured via dkim variable in Ansible).
These selectors are deprecated and should no longer be created.
Verify DKIM Record
tco mail dns-check-domain ${DOMAIN}
This will show required changes, or nothing if everything is set up properly.
Note
You can also check this manually:
$ dig -t cname +noall +answer ch-tocco-1._domainkey.${DOMAIN} ch-tocco-1._domainkey.${DOMAIN}. 3070 IN CNAME ch-tocco-1._domainkey.tocco.ch. $ dig -t cname +noall +answer ch-tocco-2._domainkey.${DOMAIN} ch-tocco-2._domainkey.${DOMAIN}. 3070 IN CNAME ch-tocco-2._domainkey.tocco.ch.
If there is no output, run dig without +noall +answer and
check the status:
$ dig -t cname ch-tocco-1._domainkey.${DOMAIN}
; <<>> DiG 9.20.23-1~deb13u1-Debian <<>> agogis2.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;agogis2.ch. IN A
;; AUTHORITY SECTION:
ch. 658 IN SOA a.nic.ch. dns-operation.switch.ch. 2026062647 900 600 1209600 900
;; Query time: 1 msec
;; SERVER: 10.139.1.1#53(10.139.1.1) (UDP)
;; WHEN: Sat Jun 27 00:02:18 CEST 2026
;; MSG SIZE rcvd: 108
* NXDOMAIN indcates that the record is missing.
* NOERROR indicates that a DNS record of another type exists. Ensure
you created a record of type CNAME. Remove records of any other type.
Have a look at Verify Correctness should you require a more comprehensive test. Usually only needed if there are known problems like mails ending up being classified as spam.
Create DMARC Record
A TXT entry for the name _dmarc needs to be created. Reports about mails rejected or classified as spam are sent
the the mail address specified in the record.
The subdomain policy, sp, may need to be adjusted if the domain owner wishes to send mails from subdomains. The
policy p=none is generally safe but it can also be set to quarantine or reject if a stricter policy is
desired.
_dmarc IN TXT "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"
Warning
Be careful with quarantine and reject. If SPF or DKIM records fail to validate the mail is going to be moved
to spam or reject respectively.
Wikipedia has some more details on DMARC.
Sample DMARC record in Nine web interface
Verify Correctness
There are several online services that test the records for you. Mail Tester is one of the simpler ones and it covers all the DNS entries listed above.