DNS settings to send emails

What domain DNS settings are required to send emails in 2021?

Email service providers (ESPs) usually require you to verify the sender’s domain
before letting you relay through their SMTP servers. There are two reasons for this:

  1. Prove domain ownership
    By publishing the requested DNS records you prove that you control the sender’s domain,
    i.e. that you are not sending from someone else’s domain (spoofing).

  2. Send authenticated emails
    By publishing SPF and DKIM records, your messages are recognized by the recipients
    as coming from a “real” sender; if your domain and your SMTP provider have a good reputation,
    the messages should reach the recipients’ inbox.


Email service providers: requirements for verified senders

Below are some of the major providers we checked, in alphabetical order.
At the end of July 2021, we tested the basic settings required to start sending emails.
The verified domain was “emailperfect.com”; it was registered in 2012 and had never been used to send emails before.

Provider name | DKIM “From” domain alignment | SPF “Mail-From” domain alignment | Notes
------------- | ---------------------------- | -------------------------------- | -----
Amazon SES    | yes (3 CNAME records)        | NO (@amazonses.com)              |
Mailgun       | yes (TXT record)             | yes (TXT record)                 | Hotmail and Yahoo delivery check*
Mailjet       | yes (TXT record)             | NO (@mailjet.com)                | Hotmail and Yahoo delivery check*
RealSender    | yes (2 CNAME records)        | yes (TXT record)                 | dedicated IP address
Sendgrid      | yes (2 CNAME records)        | yes (CNAME record)               | Hotmail delivery check*
Sendinblue    | NO (sendinblue.com)          | NO (@aa.d.sender-sib.com)        | NO sender verification required
Smtp2go       | yes (1 CNAME record)         | yes (CNAME record)               |

* = we sent a message to each of the following mailboxes and noted whether anything suggested that we should check again:
Gmail, Hotmail, Yahoo, Gmx, Aruba, Tiscali, Exchange Online

Why is a verified sender so important?

In 2021 we consider it mandatory that the sender’s domain be authenticated,
so that the recipient knows that the sender’s email address has not been forged.
Preemptive authentication checking also greatly reduces the risk of abuse of sending systems.

For this reason we have “deleted” a provider from the list:
it does not require domain validation before allowing customers to send messages.

What is domain alignment?

When sending a message, we are dealing with two domains:

  1. the one in the sender’s From address, which is visible to the recipients
  2. the one in the Mail-From address (also called “envelope sender” or “return-path”),
    which is hidden and managed directly by the ESP to receive the bounced mails

The “domain alignment” requirement is summarized in this sentence:
“when a sender authenticates their email using SPF and/or DKIM,
at least one of the domains must align with the sending From domain”

This is the identifier alignment rule of DMARC (RFC 7489). The SPF identifier is the Mail-From domain;
the DKIM identifier is the d= tag of the signature. DMARC accepts either an exact match (strict alignment)
or a subdomain of the From domain’s organizational domain (relaxed alignment, the default),
and a message passes DMARC only if at least one identifier that authenticated also aligns.
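The alignment rule can be checked offline from the headers a receiving server sees. The following is an added example, not code from the original page or from any of the providers listed: it extracts the From domain, the Return-Path (Mail-From) domain and the DKIM d= domain from three constructed messages modelled on the table above, and reports which identifiers align in relaxed and strict mode. The SPF and DKIM pass/fail results are inputs, since only the receiving MTA can compute them; the organizational-domain logic is simplified to the last two labels (a real evaluator uses the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real captures), modelled on the table above.
# SES-style: DKIM d= aligns, Mail-From is the provider's own domain.
SES_STYLE = """From: News <news@emailperfect.com>
Return-Path: <0102017abcdef@amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=emailperfect.com; s=ses1; h=from:subject; bh=AAAA; b=BBBB
Subject: alignment test

body
"""
# Sendinblue-style: neither identifier is in the customer's domain.
SIB_STYLE = """From: News <news@emailperfect.com>
Return-Path: <bounce@aa.d.sender-sib.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendinblue.com; s=mail; h=from:subject; bh=AAAA; b=BBBB
Subject: alignment test

body
"""
# Sendgrid-style: Mail-From is a CNAME-delegated bounce subdomain of the customer's domain.
SG_STYLE = """From: News <news@emailperfect.com>
Return-Path: <bounces+123@bounce.emailperfect.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailperfect.com; s=s1; h=from:subject; bh=AAAA; b=BBBB
Subject: alignment test

body
"""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Simplification: a real DMARC evaluator consults the Public Suffix List,
    so multi-label suffixes such as .co.uk are not handled here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts any subdomain of the same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "strict" else org_domain(f) == org_domain(a)


def _domain_of(address_header: str) -> str:
    return parseaddr(address_header)[1].rpartition("@")[2]


def check_alignment(raw_message: str, spf_pass: bool, dkim_pass: bool,
                    mode: str = "relaxed") -> dict:
    """Pull the three identifiers out of the headers and report which
    authenticated identifier aligns with the visible From domain."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain_of(msg.get("From", ""))
    mail_from_domain = _domain_of(msg.get("Return-Path", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    spf_aligned = spf_pass and aligned(from_domain, mail_from_domain, mode)
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, mode)
    return {
        "from": from_domain, "mail_from": mail_from_domain, "dkim_d": dkim_domain,
        "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
        # DMARC passes when at least one authenticated identifier aligns
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    samples = (("SES-style", SES_STYLE), ("Sendinblue-style", SIB_STYLE), ("Sendgrid-style", SG_STYLE))
    for name, raw in samples:
        for mode in ("relaxed", "strict"):
            print(name, mode, check_alignment(raw, spf_pass=True, dkim_pass=True, mode=mode))
```

The Sendgrid-style case shows why the mode matters: a bounce subdomain passes SPF alignment only in relaxed mode, so a domain publishing a DMARC policy with aspf=s would depend entirely on the DKIM identifier.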

CNAME record and TXT record, which one is best?

For DKIM authentication, a CNAME record is easier to implement.
The same result can be achieved by publishing the 2048-bit public key yourself in a TXT record,
but it is more complicated: the base64 key makes the value longer than the 255 bytes
a single TXT string may hold, so it has to be split into several quoted strings.
In addition, delegating the DKIM record via CNAME allows your provider
to rotate its key when necessary for security reasons.
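The two ways of publishing a DKIM record, as an added example that is not part of the original page: it builds the self-managed TXT record (splitting the value into 255-byte strings, which verifiers concatenate again), builds the delegated CNAME, and checks a published record the way a verifier would parse it. The public key is a placeholder with the DER prefix and exponent suffix of a 2048-bit RSA key but a zero modulus, so it is structurally valid and useless for signing; the selector and provider hostname are assumptions.

```python
import base64
import binascii

MAX_TXT_STRING = 255  # a TXT character-string is at most 255 bytes (RFC 1035)

# Placeholder 2048-bit RSA SubjectPublicKeyInfo in base64 (constructed, not a real key):
# real DER prefix, zero modulus, exponent 65537. Length 392 as for a genuine key.
PLACEHOLDER_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 342 + "IDAQAB"


def dkim_txt_record(selector: str, domain: str, public_key_b64: str):
    """Self-managed key: return (owner name, list of strings for the TXT RDATA).
    The value exceeds one character-string, so it is cut into consecutive
    strings; resolvers and DKIM verifiers concatenate them with no separator."""
    value = f"v=DKIM1; k=rsa; p={public_key_b64}"
    strings = [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]
    return f"{selector}._domainkey.{domain}.", strings


def dkim_cname_record(selector: str, domain: str, provider_target: str):
    """Delegated key: the provider hosts the TXT record under its own zone and
    can rotate it; you publish only a pointer to it."""
    return f"{selector}._domainkey.{domain}.", provider_target


def zone_line(owner: str, strings) -> str:
    """Render the TXT record in zone-file syntax with one quoted string per chunk."""
    return f"{owner} IN TXT " + " ".join(f'"{s}"' for s in strings)


def check_dkim_txt(strings) -> list:
    """Validate a published record as a verifier sees it: join the strings,
    parse tag=value pairs and decode the key. Returns a list of problems."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            tags[k.strip()] = v.strip()
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v is optional but must be DKIM1 if present
        problems.append("v tag must be DKIM1 if present")
    if "p" not in tags:
        problems.append("missing p tag")
    elif tags["p"] == "":
        problems.append("empty p tag: key has been revoked")   # RFC 6376 section 3.6.1
    else:
        try:
            der = base64.b64decode("".join(tags["p"].split()), validate=True)
        except binascii.Error:
            problems.append("p tag is not valid base64")
        else:
            if not der or der[0] != 0x30:       # DER SEQUENCE tag of SubjectPublicKeyInfo
                problems.append("p tag does not decode to a DER SubjectPublicKeyInfo")
    return problems


if __name__ == "__main__":
    owner, chunks = dkim_txt_record("s1", "emailperfect.com", PLACEHOLDER_KEY_B64)
    print(zone_line(owner, chunks))
    print(check_dkim_txt(chunks))
    # Hypothetical provider target; the real name is whatever your ESP tells you to use.
    print(dkim_cname_record("s1", "emailperfect.com", "s1.domainkey.u123.example-esp.net."))
```

When auditing a domain, run check_dkim_txt on the strings your resolver returns: an empty p= is a revoked key, and a record that fails to decode means the chunks were published in the wrong order or a chunk was cut mid-way through an entity like a stray quote.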

For SPF authentication, using a CNAME record means that the Mail-From address
will be in a subdomain managed by your email service provider, such as bounce.your-company-name.org.
The provider then handles both SPF authentication and bounced messages for that subdomain.

A TXT record for SPF authentication is the best choice with email servers such as Zimbra or Exchange,
where each sender receives the bounced messages directly.
Note that a domain may publish only one SPF TXT record (two records make SPF fail with a permerror),
and that record must list every system sending for the domain, so it may be difficult
to maintain if you manage multiple SMTP servers. The record is also limited to 10 terms that
require a DNS lookup (include, a, mx, ptr, exists and redirect); exceeding that limit is a permerror too.
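An offline audit of an SPF TXT record, as an added example that is not part of the original page: it parses the record into mechanisms and modifiers, counts the terms that cost a DNS lookup against the RFC 7208 limit of 10, and flags the other mistakes that creep in when one record has to cover several SMTP servers (two records, a +all that lets anyone pass, a missing all, the deprecated ptr). Only top-level terms are counted because an offline check cannot follow include: chains; the provider include names and IP addresses are constructed.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookup terms -> permerror

# Constructed records for a domain relaying through an ESP plus its own Exchange server.
# "example-esp.net" is a hypothetical provider, 203.0.113.25 a documentation address.
GOOD = ["v=spf1 include:_spf.example-esp.net mx ip4:203.0.113.25 -all",
        "google-site-verification=abc123"]           # unrelated TXT record, must be ignored
BLOATED = ["v=spf1 " + " ".join(f"include:spf{i}.example-esp.net" for i in range(11)) + " ~all"]
OPEN = ["v=spf1 +all"]
TWO = ["v=spf1 mx -all", "v=spf1 include:_spf.example-esp.net -all"]


def parse_spf(record: str) -> list:
    """Split an SPF record into (kind, qualifier, name, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    parsed = []
    for term in terms[1:]:
        head = re.split(r"[:/=]", term, maxsplit=1)[0]
        if "=" in term and term[len(head)] == "=":      # modifier: redirect=, exp=
            parsed.append(("modifier", "", head.lower(), term.partition("=")[2]))
            continue
        qualifier = "+"                                  # mechanisms default to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        parsed.append(("mechanism", qualifier, name, term[len(name):]))
    return parsed


def count_lookups(record: str) -> int:
    """Top-level terms that each cost a DNS query. Nested includes add their
    own lookups, which this offline check cannot see."""
    return sum(1 for kind, _, name, _ in parse_spf(record)
               if (kind == "mechanism" and name in LOOKUP_MECHANISMS)
               or (kind == "modifier" and name == "redirect"))


def audit_spf(txt_records) -> list:
    """Problems a receiving server would hit with the TXT records of a domain."""
    spf = [r for r in txt_records if r.split() and r.split()[0].lower() == "v=spf1"]
    problems = []
    if len(spf) != 1:
        problems.append(f"exactly one SPF record is required, found {len(spf)}")
        if not spf:
            return problems
    record = spf[0]
    terms = parse_spf(record)
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    for kind, qualifier, name, _ in terms:
        if kind == "mechanism" and name == "all" and qualifier in "+?":
            problems.append(f"'{qualifier}all' lets any host pass; use -all or ~all")
    names = [name for _, _, name, _ in terms]
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' mechanism or redirect= modifier; result defaults to neutral")
    if "ptr" in names:
        problems.append("ptr mechanism should not be used (RFC 7208 section 5.5)")
    return problems


if __name__ == "__main__":
    for label, records in (("good", GOOD), ("bloated", BLOATED), ("open", OPEN), ("two", TWO)):
        print(label, audit_spf(records))
```

The lookup count is the figure to watch when consolidating servers: each provider you add usually costs at least one include, and the includes themselves expand to more lookups on the receiver's side, so a record that passes this offline count can still exceed the limit once resolved.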

What is a dedicated IP address?

The “Internet Protocol address” or “IP address”
is similar to a telephone number on your home phone or mobile device.

Most SMTP services provide “shared” IP addresses to their customers.
Each time a mailing is sent, it may go out from a different IP address of a pool
that other customers also use.

“Dedicated IP address” means that your email sending IP address will not change over time.
This gives you full control over the sender’s reputation, which cannot then be harmed by other customers’ behaviour;
it also means the reputation is yours to build, so a new dedicated address must be warmed up by ramping volume gradually.

Should we manage the company’s domain DNS settings directly?

Not necessarily, because it requires some technical skills.

The company management should be aware that even a small change in the DNS settings
can have serious consequences, such as:
