What are DNS records used for in sending and receiving mail?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up DNS records for your domain but you're fuzzy on what each one actually does. That's because they're kind of scattered across receiving, sending, and authentication, and if any one of them is wrong, mail can bounce, land in spam, or get rejected outright.

MX records direct incoming mail to the right place. When someone sends you an email, their server looks up your MX record to find out which server should receive it. No MX record, or a broken one, and mail to your domain just bounces. This is critical for receiving but silent when it works.

SPF records tell ISPs which servers are allowed to send mail for your domain. SPF is published as a TXT record with a list of authorized IP addresses. When a mailbox provider receives mail claiming to be from your domain, it checks SPF to verify the sending IP is on your list. If SPF is missing or broken, your mail looks suspicious and can get rejected or junked before the recipient even sees it.

DKIM records prove you wrote the mail. DKIM publishes a public key in a TXT record so ISPs can verify that a message was actually signed by you. If DKIM is misconfigured or missing, ISPs can't verify authenticity and treat your mail as less trustworthy.

DMARC records define what to do with mail that fails authentication. DMARC tells ISPs "if SPF or DKIM fails, reject the mail" (strict) or "quarantine it" (less strict) or "just monitor it" (reporting only). No DMARC policy, and ISPs use their own judgment about suspicious mail. A missing DMARC record doesn't block you, but it leaves the door open for spoofing.

PTR records verify your sending server is legitimate. Reverse DNS (PTR record) maps an IP address back to a domain. If your sending IP doesn't have a PTR record, or if it points to a suspicious hostname, ISPs treat your mail as less trustworthy. It's often overlooked but catches some aggressive spam filters.

A, AAAA, and CNAME records are infrastructure. A records map hostnames to IPv4 addresses. AAAA records do the same for IPv6. CNAME records create aliases. These aren't authentication, but they're how servers find each other. If your tracking domain or ESP domain has a broken CNAME, clicks and opens won't get tracked properly.

Here's what breaks when these go wrong: missing or incorrect MX and your domain can't receive mail at all. Broken or missing SPF, DKIM, or DMARC, and your mail lands in spam or gets rejected outright, killing your reputation. Misconfigured PTR and aggressive ISPs treat you as higher risk. Broken A/CNAME records for tracking domains and your engagement data gets lost.

Check each one right now. Use our free SPF checker, or ask your ESP to walk you through the setup. You need all of these working together to send mail that actually lands in inboxes. If any one is broken, focus there first.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Understand DNS records in plain English.

I've set up DNS records but I'm still fuzzy on why I need SPF, DKIM, and DMARC separately, and what actually happens if one of them is misconfigured. In plain English, what's the difference between each one, and what breaks first if I mess up the configuration?

Edit the yellow boxes, then send to the AI of your choice.