DNS settings to send emails
What domain DNS settings are required to send emails?
Email service providers usually require you to verify the sender's domain
before using their SMTP servers. There are two reasons for this:
- Prove domain ownership:
  by managing the DNS, you prove that you control the sender's domain;
  this means you are not using someone else's domain (spoofing)
- Sending of authenticated emails:
  by setting SPF and DKIM authentication, your messages
  are recognized by the recipients as coming from a "real" sender;
  if your domain and your SMTP provider have a good reputation,
  the messages should reach the recipients' inbox
Summary:
- Email service providers: requirements for verified senders
- Why is a verified sender so important?
- What is domain alignment?
- CNAME record and TXT record, which one is best?
- What is a dedicated IP address?
- Should we manage the company's domain DNS settings directly?
Email service providers: requirements for verified senders
Below are some of the major providers we checked, in alphabetical order.
At the end of July 2021, we tested the basic settings required to start sending emails.
The verified domain was "emailperfect.com". It was registered in 2012 and had never been used to send emails before.
Provider name | DKIM "From" domain alignment | SPF "Mail-From" domain alignment | Notes |
---|---|---|---|
Amazon SES | yes (3 CNAME records) | NO (@amazonses.com) | |
Mailgun | yes (TXT record) | yes (TXT record) | Hotmail and Yahoo delivery check* |
Mailjet | yes (TXT record) | NO (@mailjet.com) | Hotmail and Yahoo delivery check* |
RealSender | yes (2 CNAME records) | yes (TXT record) | dedicated IP address |
Sendgrid | yes (2 CNAME records) | yes (CNAME record) | Hotmail delivery check* |
Smtp2go | yes (1 CNAME record) | yes (CNAME record) | |
* = we sent a message to each of the following mailboxes and noted if anything suggested that we check again:
Gmail, Hotmail, Yahoo, Gmx, Aruba, Tiscali, Exchange Online
Why is a verified sender so important?
In 2021 we consider it mandatory that the sender's domain is authenticated,
so that the recipient knows that the sender's email address has not been forged.
Preemptive authentication checking also greatly reduces the risk of abuse of sending systems.
For this reason we have "deleted" a provider from the list:
it does not require domain validation before allowing its users to send messages.
What is domain alignment?
When sending a message, we are dealing with two domains:
- the one in the sender's From address, which is visible to the recipients
- the one in the Mail-From address (also called "envelope sender" or "return-path"),
  which is hidden and managed directly by the ESP to receive the bounced mails
The "domain alignment" requirement is summarized in this sentence:
"when a sender authenticates their email using SPF and/or DKIM,
at least one of the domains must align with the sending From domain"
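The alignment rule above, as an added example that is not code from the original page: it reads the From, Return-Path and DKIM `d=` domains from a constructed message shaped like the Amazon SES row of the table and reports which of them align. The function names are hypothetical, the organizational domain is approximated as the last two labels (real DMARC checks use the Public Suffix List), and the SPF and DKIM checks themselves are assumed to have passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From uses the page's test domain, while the Mail-From
# (Return-Path) stays on the provider's domain, as in the Amazon SES row.
SAMPLE = """\
Return-Path: <bounce-123@amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; d=emailperfect.com; s=sel1; bh=...; b=...
From: Newsletter <news@emailperfect.com>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def domain_of(address):
    # Domain part of an address header value; empty string if absent.
    return parseaddr(address or "")[1].rpartition("@")[2]

def check_alignment(raw, strict=False):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    spf_dom = domain_of(msg["Return-Path"])  # Mail-From / envelope sender
    dkim_doms = [m.group(1) for h in msg.get_all("DKIM-Signature", [])
                 for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", h)] if m]
    spf_ok = aligned(spf_dom, from_dom, strict)
    dkim_ok = any(aligned(d, from_dom, strict) for d in dkim_doms)
    # The page's rule: at least one of the two must align with the From domain.
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "aligned": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
```

For the sample, the Mail-From domain does not align but the DKIM domain does, so the message still satisfies the requirement.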
CNAME record and TXT record, which one is best?
For DKIM authentication, a CNAME record is easier to implement.
The same result can be achieved by adding a 2048-bit TXT record but it is more complicated.
In addition, delegation of the DKIM record via CNAME allows your provider
to modify its key when necessary for security reasons.
For SPF authentication, using a CNAME record means that the Mail-From address
will be a subdomain managed by your email service provider, such as: bounce.your-company-name.org.
The provider will handle both SPF authentication and bounced messages.
A TXT record for SPF authentication is the best choice with email servers such as Zimbra or Exchange,
where each sender receives the bounced messages directly.
There is only one TXT record for domain authentication,
so it may be difficult to maintain if you manage multiple SMTP servers.
What is a dedicated IP address?
The "Internet Protocol address" or "IP address"
is similar to a telephone number on your home phone or mobile device.
Most SMTP services provide "shared" IP addresses to their customers.
Each time a mailing is sent, a different IP address is assigned.
"Dedicated IP address" means that your email sending IP address will not change over time.
This provides great control over the sender's reputation, which cannot be harmed by other senders' use.
Should we manage the company's domain DNS settings directly?
Not necessarily, because it requires some technical skills.
The company management should be aware that a few changes in the DNS settings
can lead to serious consequences such as:
- bringing website visitors to another web server
- redirecting incoming messages to a different mail server
- breaking email authentication so that messages are considered spam or rejected