
Complete DNS Setup Guide for Email Marketing: SPF, DKIM, DMARC, BIMI & MTA-STS

Arjun Mehta, March 28, 2026, 14 min read
Tags: DNS, SPF, DKIM, DMARC, BIMI, MTA-STS, domain health, email authentication

Your DNS configuration is the foundation of email deliverability. Misconfigured records silently push emails to spam. This guide covers every record you need.

SPF Record Configuration

SPF tells receiving servers which IPs are authorized to send email for your domain. A misconfigured SPF record is the number one reason legitimate emails hit spam.

1. Audit every service that sends email on your behalf (ESP, CRM, transactional, internal).
2. Build your SPF record, for example: v=spf1 include:_spf.google.com include:sendgrid.net -all
3. Keep the total number of DNS lookups at or below 10 (SPF enforces a hard limit).
4. Use -all (hard fail) instead of ~all (soft fail) for stronger protection.
5. Test with dig txt yourdomain.com and online SPF validators.
Warning
SPF has a 10 DNS lookup limit. Exceeding this causes SPF to break silently — your emails will fail authentication with no error message. Flatten SPF records using IP ranges when you approach the limit.
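As an added example (not code from the article or from MailEntriX), the lookup-counting check behind steps 3 and 4 and the warning above: it walks include: and redirect= chains the way a receiving server does, counts the lookup-causing terms against the limit of 10, and flags a record that does not end in -all. The zone data is a constructed, simplified dict (the provider records in it are placeholders, not their real contents); a real check would fetch TXT records with a resolver instead.

```python
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookup-causing terms is a permerror
# Constructed, simplified zone data (NOT the providers' real records): domain -> TXT strings.
# "bloated.example" costs 3 x (1 + 4 nested) + mx + a = 17 lookups and ends in a soft fail.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bloated.example": ["v=spf1 include:example.com include:example.com include:example.com mx a ~all"],
}

def spf_record(domain, txt):
    """Return the domain's single v=spf1 TXT record; zero or several records is itself a permerror."""
    recs = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None

def count_spf_lookups(domain, txt, path=()):
    """Count terms that cost a DNS query, recursing into include/redirect. Returns (lookups, problems)."""
    if domain in path:
        return 0, [f"include/redirect loop via {domain}"]
    record = spf_record(domain, txt)
    if record is None:
        return 0, [f"no single v=spf1 record for {domain}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier; it does not change the lookup cost
        if term.startswith("redirect="):
            target = term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            if name.split("/")[0] in ("a", "mx", "ptr", "exists"):  # "a/24" -> "a"
                lookups += 1  # mx/ptr trigger further A queries, which RFC 7208 caps separately
                continue
            if name != "include":
                continue  # ip4, ip6, all and exp= cost no lookup
        lookups += 1  # the include/redirect itself; repeated includes count every time, as for a receiver
        sub, sub_problems = count_spf_lookups(target, txt, path + (domain,))
        lookups, problems = lookups + sub, problems + sub_problems
    return lookups, problems

def check_spf(domain, txt=SAMPLE_TXT):
    """Flag a record that exceeds the lookup limit or does not end in a hard fail (-all)."""
    lookups, problems = count_spf_lookups(domain, txt)
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    last = (spf_record(domain, txt) or "").split()[-1:]
    if last and last[0].lstrip("+-~?") == "all" and not last[0].startswith("-"):
        problems.append(f"record ends in '{last[0]}', not -all: unlisted senders are not rejected")
    return lookups, problems
```

Running check_spf("example.com") reports 4 lookups and no problems, while check_spf("bloated.example") reports 17 lookups, the permerror, and the soft-fail ending.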

DKIM Configuration

DKIM adds a cryptographic signature to every email. Receivers verify the signature against a public key in your DNS. Broken DKIM means failed DMARC alignment.

Tip
Always use 2048-bit DKIM keys. Rotate keys every 6-12 months. Each sending service needs its own DKIM selector — do not share keys between services.

DMARC Setup and Enforcement

DMARC ties SPF and DKIM together with a policy. Start with p=none to monitor, then gradually enforce.

1. Deploy DMARC with p=none and rua= for aggregate reports.
2. Collect reports for 2-4 weeks to identify all legitimate senders.
3. Fix any SPF/DKIM issues found in the reports.
4. Move to p=quarantine for 2 weeks.
5. Move to p=reject for full enforcement.
6. Set up ruf= for forensic reports on failures.

BIMI: Brand Indicators for Message Identification

BIMI displays your brand logo next to emails in supported clients (Gmail, Apple Mail). Requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate (VMC).

MTA-STS: Enforcing TLS

MTA-STS prevents downgrade attacks by requiring TLS for mail delivery. Publish the policy file over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and add a TXT record at _mta-sts.yourdomain.com that announces the policy to sending servers.

Reverse DNS (PTR Records)

Ensure your sending IPs have matching PTR records. ISPs check that the reverse DNS matches the sending domain. Missing PTR records are a red flag.

Domain Health Monitoring

DNS configuration is not set-and-forget. Records can break when services change IPs, when you add new senders, or when TXT records conflict.

Key Takeaway
A complete DNS setup requires SPF, DKIM, DMARC, BIMI, MTA-STS, and PTR records working together. Monitor continuously — a single broken record can tank deliverability overnight. Use MailEntriX domain health checks to validate your configuration automatically.
