Set Up DKIM, SPF and Reverse DNS to Improve Mail Deliverability

Introduction

DomainKeys Identified Mail (DKIM) is a protocol that contributes to DMARC compliance and requests the sender origin to take responsibility for sent messages that can be verified by mailbox providers. Essentially, it enables the outbound domain to digitally sign email to provide legitimacy for the recipient. Together with SPF, DKIM will significantly increase email delivery rates. It is not hard to implement DKIM on your own. At the end of this tutorial, we should achieve both SPF and DKIM Passes when we check ‘Show original’ of an email sent to our Gmail.

SPF-DKIM-pass

Prerequisites

To follow along with this tutorial, you will need the following:

  • Email hosting provider (e.g. Zoho, Google and MXroute)
  • DNS management (e.g. cPanel, DirectAdmin and CloudFlare)
  • Knowing where to find MXDKIM and SPF records associated with your email provider.

Step 1 – Add DKIM (TXT) Record

We will use MXroute as our email hosting provider for this tutorial. After adding a new domain in the admin panel, a bunch of records will be auto generated at the DNS Management page. The only DNS record we will use from this page is the DKIM key. Find a record that has a bunch of text starting with “v=DKIM1; k=rsa; …

DKIM keys
This is what a DKIM key looks like.

That is what we need to copy to our clipboard, to add as TXT record at CloudFlare DNS Management.

CloudFlare DNS add TXT DKIM
Add TXT record for DKIM at CloudFlare DNS Management.

Remember to exclude double quotes “ or else dkim=fail when we check an email in Gmail > Show original

dkim fail Gmail show original

Step 2 – Add SPF (TXT) Record

The SPF record was provided via email by my email hosting provider to add as TXT record in CloudFlare DNS Management.

"v=spf1 include:mxroute.com -all"

Out of curiosity, I went to a SPF record generator spfwizard.net to verify the SPF record.

SPF wizard generate DNS entry
Selecting recommended options and adding multiple (owned) server IP.

So, this is my final SPF record which differs from what my email hosting provider sent me. We will add this as TXT record to our DNS just like we add DKIM in Step 1spf=pass with or without quotes when tested with Gmail > Show original. However, since DKIM will only pass without double quotes, we will standardize and not use them for all TXT records.

"v=spf1 mx a include:mxroute.com -all"
In SPF recordWhat it means?My opinion
mxAllow servers listed as MX to send email for this domain.MX records in DNS are purely for email purposes. If listed, I don’t see any reasons not to allow them to send email.
aAllow current IP address of the domain to send email for this domain.One of my website contact form is using PHP mail() function and other uses include send email from Linux command line with mail -s e.g. in Bash scripts or cron. Therefore, I feel is alright to allow this plus you sort of own the IP belonging to your server.
ipv4List any IP address(es) or subnet(s) authorized to deliver or relay mail for example.comI am sending emails from my server with Postfix MTA and I had configured my email hosting provider as relayhost in /etc/postfix/main.cf hence with or without my server IP inclusion does not make any difference to dkim=pass and spf=pass. However, if you are to send emails from your server without a hosting provider, then adding this might help. Also, you should include ipv4 if you run your own email servers.
includeAny 3rd party domain(s) or service(s) that may deliver emails for your domain.This is pretty standard and it depends on your mail provider. For example,
Zoho – include:zoho.com
Google – include:_spf.google.com
Exchange – include:spf.protection.outlook.com
-allHow strict should be the servers treating the emails?If you’re not going to use -all, then don’t bother with SPF at all.
ptrTests whether the DNS reverse-mapping for <ip> existsDo not use because the PTR mechanism has been deprecated according to RFC 7208.

Step 3 – Add MX Record

When we sign up or create a new account with an email hosting provider, we will usually receive a bunch of information via email. This includes information such as DNS MX/ TXT records, IMAP/ SMTP server, IMAP/ SMTP/ POP3 ports and Webmail login. If not, we will need to refer to their Knowledge base or User Guide to find them.

example.mxroute.com (Priority 10)
example-relay.mxroute.com (Priority 20)

We will add the two MX records with different Mail server and Priority values to CloudFlare DNS Management. Some email providers, for example, Zoho provides up to three MX records mx.zoho.com, mx2.zoho.com and mx3.zoho.com

CloudFlare DNS add MX records
Add two MX records for different Mail server with Priority 10 and 20.

Note that these MX domains might return the same IP when we ping them because the providers want to reserve the ability to add backup relays later or room for unusual circumstances or a change in behavior.

Step 4 – PTR Record Reverse DNS Lookup

Reverse DNS resolution (rDNS) is used to determine the domain name associated to an IP address through the uses of PTR records. In my experience, both DKIM and SPF records setup are more popular but this will be added bonus to our email credibility if the PTR record is set up correctly. We can use the SolusVM management to configure the reverse DNS for our VPS.

Edit reverse DNS under network in SolusVM but some VPS providers disabled it.

One important scenario where reverse DNS is important is when we run our own email servers because many email servers on the Internet are configured to reject incoming emails from IP addresses which does not have reverse DNS. Since we are passing our emails to the email providers server to send out on our behalf, it is more important to check that their server has a valid PTR record. We can check using Reverse Lookup tool at Mxtoolbox.

MXtoolbox reverse lookup
My email hosting provider set up valid reverse DNS to its server.

We can also use command line in Windows and Linux to perform a reverse DNS lookup.

C:\Users\Me>nslookup <ip of email hosting server>
$ dig -x <ip of email hosting server>

Step 5 – Using secure SMTP connections TLS

For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we should use TLS.

WordPress mail SMTP TLS
Mail SMTP setup with TLS encryption for WordPress

Conclusion

It takes very little effort to set up DKIM and SPF record to prevent email spoofing. There are numerous guides and SPF generator online and the email hosting providers documentation are very detailed if you are using popular ones like Zoho or Google. As for reverse DNS and PTR records, these are not so critical unless you are running your own email server. Besides following these technical steps to improve email delivery rates, we must also practice email etiquette. E.g. don’t use spam words and provide the opt-out option for newsletters.

Leave a Reply

Your email address will not be published. Required fields are marked *