The 7 DNS records every self-hosted email sender needs

Email is unusual: a complete sender setup has seven distinct DNS records spread across three or four record types. Miss one and the wire still moves messages, but mailbox providers will quietly demote you to the spam folder. Publish all seven and you cross the "everything Google asks for" threshold from /guide/email-deliverability.

Order matters: SPF and DKIM should land before DMARC starts enforcing alignment, otherwise legitimate mail gets quarantined. The standing rule across vendors is also "wait for DNS to propagate" — allow at least 30 minutes between publishing a record and asking the mailbox provider to re-check.

MX records (RFC 1035 §3.3.9) tell the world where to deliver inbound mail for your domain. Even if your sending domain is "outbound only" (you do not read replies on it), an MX record is still required — many mailbox providers downgrade reputation for domains with no MX, on the theory that legitimate senders accept replies. A single record pointing at any reachable mail server suffices, even if that server only delivers to a postmaster mailbox.

SPF (RFC 7208) is a single TXT record listing which IPs are authorised to send for the domain. The hard rule: total recursive DNS lookups must stay under 10 (RFC 7208 §4.6.4). Each include: consumes one; nested includes count cumulatively. ip4: / ip6: mechanisms cost zero lookups, so collapse old includes into explicit IP ranges if your count creeps up.

End with -all (hard-fail) once you have verified all legitimate sending sources are covered. If you are not sure yet, start with ~all (soft-fail) and tighten to -all after two weeks of clean DMARC reports.

DKIM (RFC 6376) publishes the public half of a signing keypair as a TXT record at {selector}._domainkey.{domain}. The "selector" is an identifier you choose — vendor-specific or arbitrary. For SES, AWS gives you three CNAMEs that resolve into AWS-managed TXT records (so AWS can rotate keys without you touching DNS):

For self-hosted Postal or Postfix+OpenDKIM, you generate the keypair locally, configure the MTA to sign, and publish the public half as a TXT:

Whichever path you take, verify with dig TXT {selector}._domainkey.{domain} before declaring DKIM done.

DMARC (RFC 7489) goes at _dmarc.{domain}. Skipping the p=none ramp is the most common mistake — jumping straight to p=reject against a domain whose mail flows you do not yet fully understand will silently bounce legitimate mail (forwarders, mailing lists, third-party CRM senders).

Read the daily aggregate XML reports landing in your rua mailbox between stages. Tools like Postmark's DMARC analyzer or self-hosted Parsedmarc visualise them; the bare XML is dense but readable.

By default, AcelleMail open-pixel and click-tracking URLs come from your install's primary domain. Mailbox providers like to see consistent root domains across the From, the link clicks, and the unsubscribe URL — all on the same registered domain. Branding-wise, links pointing at tracker.yourcompany.com are also more trust-signaling than links pointing at links.acellemail.com.

Once the CNAME resolves, AcelleMail rewrites all click-tracking URLs in outgoing messages to use it. The unsubscribe-link domain follows the same rule (and the same CNAME).

MTA-STS (RFC 8461) tells other senders "always require TLS when delivering to my MX". Without it, an attacker on the path can downgrade a TLS-capable handshake to cleartext. With it, the sending server refuses to deliver if TLS cannot be established. Implementation is one TXT record pointing at a hosted policy file:

Run the policy in mode: testing for the first week, then flip to mode: enforce. Many bulk senders skip MTA-STS — deploying it is a free trust signal.

BIMI (Brand Indicators for Message Identification) is the youngest of the seven and the only one not yet a finalised RFC, but it is supported by Gmail, Yahoo, Apple Mail, Fastmail, and other clients in production. The deal: publish a TXT record pointing at an SVG logo and (optionally) a Verified Mark Certificate (VMC), and supporting clients display the logo next to your messages in the inbox list.

Preconditions: a DMARC policy of at least p=quarantine (BIMI is not honoured under p=none), and the SVG must be SVG Tiny Portable / Secure (SVG-PS). Acceptance varies: Gmail requires a paid VMC ($1,500/year via DigiCert / Entrust) for full inbox-list display; Yahoo and Apple accept BIMI without VMC. Open-rate lifts of 5-20% are commonly reported in published case studies.

After publishing, send yourself a test message and check the headers. Gmail web: open the message, click the three-dot menu, "Show original". Look for:

Three pass verdicts is the bar. Anything less — fail, softfail, neutral — means a record is wrong, or DNS has not propagated yet, or the mail body is being modified in transit (rare). Cross-check with the canonical Authentication-Results header (RFC 8601) spec if a verdict is ambiguous.