Complete Guide to Authenticate an Email Domain in DNS
Introduction
Domain authentication is essential to ensure the deliverability and security of your emails. This guide covers the steps to correctly configure the necessary DNS records for SPF, DKIM, and DMARC, along with common troubleshooting solutions and advanced tips such as setting up DKIM keys longer than 255 characters.
1. Required Records for Authentication
To authenticate an email domain, you need to configure the following records in your DNS provider:
1.1 SPF (Sender Policy Framework)
-
Record type: TXT
-
Recommended value:
v=spf1 include:yourdomain.com ~all -
Purpose: Defines which servers are allowed to send emails on behalf of your domain.
1.2 DKIM (DomainKeys Identified Mail)
-
Record type: TXT
-
Name: Generated by your email marketing platform (example:
default._domainkey.yourdomain.com) -
Value: Provided by the platform, something like:
v=DKIM1; k=rsa; p=PUBLIC_KEY -
Purpose: Digitally signs emails to prevent spoofing.
1.2.1 Configuring DKIM Keys Longer than 255 Characters
-
Steps:
- Divide the DKIM public key into segments of no more than 255 characters.
- Wrap each segment in double quotes (
"). - Insert the segments sequentially in the value field of the TXT record.
-
Example of a correct record:
"first_255_characters_of_the_key" "remaining_characters_of_the_key"
1.3 DMARC (Domain-based Message Authentication, Reporting & Conformance)
-
Record type: TXT
-
Name:
_dmarc.yourdomain.com -
Recommended value:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com -
Purpose: Defines policies for unauthenticated emails and generates reports.
2. How to Add Records in DNS
General Step-by-Step
- Access your DNS provider's control panel (Cloudflare, GoDaddy, Namecheap, etc.).
- Navigate to the DNS management section.
- Add a new TXT record for each of the above values.
- Save the changes and wait for propagation (may take up to 48 hours).
3. Common Issues and How to Resolve Them
3.1 The SPF Record is Not Working
- Common error:
"SPF PermError: too many DNS lookups" - Cause: The SPF record exceeds the 10 DNS lookup limit.
- Solution:
- Reduce the number of include directives.
- Use subdomains to delegate parts of the configuration.
- Replace
a,mx, andptrwithip4orip6where possible.
3.2 The DKIM Record Was Not Validated
- Common error:
"DKIM missing or incorrect" - Cause:
- The TXT record was not entered correctly.
- The provider’s DNS does not support long keys.
- The DKIM key includes extra or misplaced characters or whitespace.
- Solution:
- Ensure the TXT was copied correctly with no line breaks.
- If the key exceeds 255 characters, split it into segments (see section 1.2.1).
- Verify that your DNS provider supports DKIM and use an alternative if needed.
3.3 DMARC Is Not Generating Reports
- Common error: No emails received for reporting.
- Cause:
- The
ruaorruffield is incorrectly formatted. - The DNS provider hasn’t yet propagated the configuration.
- The report server rejected the emails.
- The
- Solution:
- Ensure the email in the
ruafield can receive messages and isn’t being filtered. - Use a DMARC analyzer to verify that records are properly configured.
- Confirm DMARC record propagation using tools like MXToolbox.
- Ensure the email in the
4. Test and Verify Your Configuration
- SPF: Use MXToolbox SPF Checker
- DKIM: Test at DKIM Core Validator
- DMARC: Use DMARC Analyzer
5. Additional Considerations
- Propagation Time: After adding or modifying DNS records, allow up to 48 hours for full propagation.
- Verification: Use tools like MXToolbox to verify that your records are correctly configured.
- Expert Help: If you encounter difficulties, contact your DNS or email platform’s support team.