Guide
DNS Records Every Email Sender Needs
Five DNS records control whether your email gets delivered. Miss one and email silently fails — often in ways that are hard to diagnose. Here's what each record does and how to verify it's correct.
Email depends on DNS the way HTTPS depends on certificates — invisible until it breaks. Five records cover most of what operators need: MX, SPF, DKIM, DMARC, and PTR for sending IPs. Miss one and symptoms look like “random spam folder” or “works from Gmail but not Outlook.” This page ties them together. Deep dives: MX, SPF, DKIM, DMARC, PTR. For end-to-end context, read email deliverability after you understand each record.
Teams often optimise one layer — perfect DMARC while PTR is wrong — and still see spam placement. Verify holistically. SaaS mail hides complexity; self-hosted mail exposes every gap immediately in bounces and deferrals.
The five records
- MX — where inbound mail for the domain should be delivered.
- SPF — which servers may send mail using your domain in the envelope path.
- DKIM — public key for verifying signatures on outbound mail.
- DMARC — policy for receivers when SPF/DKIM do not align.
- PTR — reverse DNS for a sending IP; expected for many MTA filters.
MX record — receiving email
MX records point to mail hosts with priorities. You need at least one reachable host accepting SMTP for your domain. Misconfigured MX means mail queues or bounces. Reference: MX DNS.
SPF record — authorising senders
TXT at the domain used in SPF evaluation (often the envelope domain). Single string, watch lookup limits. SPF DNS and SPF guide.
DKIM record — signing email
TXT at selector._domainkey. Publish complete keys; partial keys fail open verification. DKIM DNS.
DMARC record — enforcing policy
TXT at _dmarc. Start with p=none and reporting; tighten when aligned. DMARC DNS and DMARC guide.
PTR record — reverse DNS
For your sending IP, PTR should resolve to a hostname that forward-resolves back to the same IP. Self-hosted mail depends on this. PTR DNS.
How they work together
Inbound: MX directs mail to your provider. Outbound: SPF authorizes sending IPs/includes; DKIM signs content; DMARC ties policy to the From: domain alignment; PTR supports IP-level trust. A gap in any layer surfaces as spam placement or rejects — not always “SMTP 550.”
Example: marketing sends through an ESP with DKIM pass but From: uses the root domain while SPF only covers the ESP’s bounce domain — DMARC may fail alignment until you align signatures or SPF. Another: transactional mail from a subdomain without its own SPF/DKIM while strict policies expect the parent — test every stream.
Google and Yahoo bulk-sender rules pushed teams to publish at least baseline DMARC even at p=none. That does not replace SPF/DKIM quality; it forces visibility via rua reporting so you cannot ignore drift.
How to verify all five at once
Use DNS Preflight — it walks MX, SPF, DKIM, DMARC, and PTR-related checks with a health score so you do not chase five tabs.
Tool: Validate MX, SPF, DKIM, DMARC, and PTR-related signals in one pass.
Step by step
FAQ
What DNS records do I need for email?
Five: MX (receive email), SPF (authorise senders), DKIM (sign messages), DMARC (enforce policy), and PTR (reverse DNS for your sending IP).
Which records are required vs optional?
MX is required to receive email. SPF, DKIM, and DMARC are required for reliable delivery. PTR is required for self-hosted mail servers.
How do I check all my email DNS records at once?
Run DNS Preflight — it checks all five in one pass with a health score.
Can I skip DMARC if I have SPF and DKIM?
Not anymore. Google and Yahoo require DMARC for bulk senders. Even p=none is sufficient to meet the requirement.
What is the most important record to set up first?
SPF — it's the fastest to add and blocks the most basic spoofing. Then DKIM, then DMARC.