Skip to main content

Working with DNS records

Abstract

Understand how setting up SPF and DKIM and verifying DMARC improves email deliverability. Moosend

The Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) help protect email message senders and recipients from spam, spoofing, and phishing:

  • SPF - An email validation system designed to prevent spam email messages by verifying the sender's IP address. SPF allows administrators to specify which hosts are allowed to send email messages from a given domain, by creating a list of authorized hosts in the Domain Name System (DNS) records. Servers use the DNS to check that an email message from a given domain is sent by a host who has permission to do this. Many email clients (Gmail, Verizon, and others) use SPF to validate that the IP address the email was sent from is trustworthy.

  • DKIM - Gives an organization the opportunity to take responsibility for a message while it is in transit. The message is signed with the organization's certificate and a signature is added to the email headers. Many email clients (Yahoo, Gmail, Outlook, and others) check for a valid DKIM signature on incoming email messages.

  • DMARC - Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting protocol designed to enhance the security of your email communication. It ensures the destination email systems trust messages sent from your domain and helps the receiving system decide how to handle messages from your domain that fail SPF or DKIM checks.

    Tip

    Moosend validates your sender accounts and notifies you if your DNS record is unverified. To verify your sender account, you must create a DMARC value in your DNS management interface.

    To create a DMARC value, follow the steps in How to create a DMARC value?.

    To create a DMARC value, follow the steps in How To Avoid Hurting Your Emails & Domain Reputation In 2024.

Set up and verify DNS records

Moosend lets you set Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your sender accounts. To do this, you must share a public key in your domain’s DNS records.

  1. On the menu bar, click More > Settings.

  2. On the menu on the left, click Senders.

  3. In the SPF/DKIM and DMARC column, you can see which senders have a valid signature.

  4. On the SPF tab or the DKIM tab, copy and paste the necessary information to your domain's DNS records. It takes between 30 minutes to 48 hours before you can move to the next step.

  5. Go to your DNS management system and check that the DMARC TXT record has been added.

  6. Click Verify DNS records.

The DNS record verification process

In Moosend ,the DNS records are re-verified each time a user does the following actions:

  • During the sender domain verification, on the Set up DNS records page, the user clicks Verify DNS records.

  • In the campaign wizard, when the user adds a sender and clicks Next.

Verification takes place for both DKIM, SPF, and DMARC at once, so if one record cannot be verified, verification fails and you will receive an error message.

If there is a subdomain, and it cannot be verified, then its parent domain is also checked. If that parent domain can be verified, then the subdomain is verified as well. It also checks if the domain contains spfa.mailendo.com or its IP addresses, and if it does, then the record is verified.

Verified DNS records keep the verified status for 48 hours. After this time, you can re-verify the records again.

Note

If you have senders on a verified domain and then change the domain settings or delete a DNS value outside of Moosend, for example, on your website or domain management system, all the senders on that domain will become unverified, and you will need to re-verify the domain.

You can also verify your DNS records using external tools.