This is an internal documentation. There is a good chance you’re looking for something else. See Disclaimer.

DNS Records for Outgoing Mails

Create SPF Record

As shown below, include:spf.tocco.ch needs to be added to the SPF record. The record shown below may need to be extended depending on whether another relay is used to send mails from the same domain. Also, ?all is generally safe but the domain owner may wish to use ~all or -all to avoid that anyone else can send mails using her domain.

@ IN TXT "v=spf1 … include:spf.tocco.ch ?all"

Warning

~all and -all may lead to mails being rejected or considered spam if the policy is incorrect. Be careful!

Wikipedia has comprehensive article on SPF if more information is needed.

../../_images/nine_spf.png

Sample SPF record in Nine web interface

Verify SPF Records

tco mail dns-check-domain ${DOMAIN}

This will show required changes, or nothing if everything is set up properly.

Note

You can also manually check the SPF record:

  1. Go to https://mxtoolbox.com/spf.aspx

  2. Enter domain name

  3. Verify there is no errors printed

  4. Verify record contains “include:spf.tocco.ch”

Have a look at Verify Correctness should you require a more comprehensive test. Usually only needed if there are known problems.

Create DKIM Record

Two CNAME records for selectors ch-tocco-1 and ch-tocco-1 need to be created:

ch-tocco-1._domainkey IN CNAME ch-tocco-1._domainkey.tocco.ch.
ch-tocco-2._domainkey IN CNAME ch-tocco-2._domainkey.tocco.ch.

See wikipedia entry on DKIM for more details.

../../_images/nine_dkim.png

Sample CNAME record for ch-tocco-1 in Nine web interface.

Hint

There used to be a selector called default and one called tocco (for some domains still configured via dkim variable in Ansible). These selectors are deprecated and should no longer be created.

Verify DKIM Record

tco mail dns-check-domain ${DOMAIN}

This will show required changes, or nothing if everything is set up properly.

Note

You can also check this manually:

$ dig -t cname +noall +answer ch-tocco-1._domainkey.${DOMAIN}
ch-tocco-1._domainkey.${DOMAIN}. 3070 IN CNAME    ch-tocco-1._domainkey.tocco.ch.

$ dig -t cname +noall +answer ch-tocco-2._domainkey.${DOMAIN}
ch-tocco-2._domainkey.${DOMAIN}. 3070 IN CNAME    ch-tocco-2._domainkey.tocco.ch.

If there is no output, run dig without +noall +answer and check the status:

$ dig -t cname ch-tocco-1._domainkey.${DOMAIN}

; <<>> DiG 9.20.23-1~deb13u1-Debian <<>> agogis2.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;agogis2.ch.                      IN      A

;; AUTHORITY SECTION:
ch.                       658     IN      SOA     a.nic.ch. dns-operation.switch.ch. 2026062647 900 600 1209600 900

;; Query time: 1 msec
;; SERVER: 10.139.1.1#53(10.139.1.1) (UDP)
;; WHEN: Sat Jun 27 00:02:18 CEST 2026
;; MSG SIZE  rcvd: 108

* NXDOMAIN indcates that the record is missing.
* NOERROR indicates that a DNS record of another type exists. Ensure
  you created a record of type CNAME. Remove records of any other type.

Have a look at Verify Correctness should you require a more comprehensive test. Usually only needed if there are known problems like mails ending up being classified as spam.

Create DMARC Record

A TXT entry for the name _dmarc needs to be created. Reports about mails rejected or classified as spam are sent the the mail address specified in the record.

The subdomain policy, sp, may need to be adjusted if the domain owner wishes to send mails from subdomains. The policy p=none is generally safe but it can also be set to quarantine or reject if a stricter policy is desired.

_dmarc IN TXT "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"

Warning

Be careful with quarantine and reject. If SPF or DKIM records fail to validate the mail is going to be moved to spam or reject respectively.

Wikipedia has some more details on DMARC.

../../_images/nine_dmarc.png

Sample DMARC record in Nine web interface

Verify Correctness

There are several online services that test the records for you. Mail Tester is one of the simpler ones and it covers all the DNS entries listed above.