Complete DNS for email requires: MX records (where to receive email), SPF TXT record (who can send), DKIM TXT/CNAME records (cryptographic signing), DMARC TXT record (authentication policy), PTR record (reverse DNS for sending IPs), and optionally BIMI TXT record (brand logo) and MTA-STS (transport encryption). Get any of these wrong and email either doesn't arrive or goes to spam. SPF, DKIM, and DMARC are now mandatory for reliable delivery.
DNS Configuration for Email: The Complete Guide
The Complete DNS Record Map
1. MX Records (Receiving Email)
MX records tell other servers where to deliver email for your domain.
Google Workspace:
yourdomain.com MX 1 ASPMX.L.GOOGLE.COM
yourdomain.com MX 5 ALT1.ASPMX.L.GOOGLE.COM
yourdomain.com MX 5 ALT2.ASPMX.L.GOOGLE.COM
yourdomain.com MX 10 ALT3.ASPMX.L.GOOGLE.COM
yourdomain.com MX 10 ALT4.ASPMX.L.GOOGLE.COM
Microsoft 365:
yourdomain.com MX 0 yourdomain-com.mail.protection.outlook.com
Self-hosted (Mailcow):
yourdomain.com MX 10 mail.yourdomain.com
Priority: lower number = higher priority. Sending servers try MX 1 first, then MX 5, and so on.
2. SPF Record (Sending Authorization)
Single TXT record listing all authorized senders.
yourdomain.com TXT v=spf1 include:_spf.google.com include:sendgrid.net -all
Rules:
- One SPF record per domain
- Maximum 10 DNS lookups
- End with -all (hardfail) for maximum protection
Full guide: SPF, DKIM, DMARC guide
3. DKIM Records (Cryptographic Signing)
One or more TXT/CNAME records per signing service. Each uses a unique selector.
Google Workspace:
google._domainkey.yourdomain.com TXT v=DKIM1; k=rsa; p=PUBLIC_KEY
SendGrid (CNAME):
s1._domainkey.yourdomain.com CNAME s1.domainkey.u1234.wl567.sendgrid.net
s2._domainkey.yourdomain.com CNAME s2.domainkey.u1234.wl567.sendgrid.net
Mailgun:
smtp._domainkey.yourdomain.com TXT k=rsa; p=PUBLIC_KEY
No limit on DKIM records — configure one for each sending service.
4. DMARC Record (Authentication Policy)
_dmarc.yourdomain.com TXT v=DMARC1; p=none; rua=mailto:REPORT_ADDRESS@yourdomain.com
Start at p=none, advance to p=reject over 6-12 weeks.
Full guide: DMARC setup
5. PTR Record (Reverse DNS)
Maps your sending IP to a hostname. Required for self-hosted mail servers.
Set in your VPS provider's dashboard (not your domain DNS). See our PTR records guide for detailed setup.
IP: 203.0.113.10 → mail.yourdomain.com
If using an ESP (Mailgun, SendGrid), they manage PTR for their IPs.
6. BIMI Record (Brand Logo)
default._bimi.yourdomain.com TXT v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem
Requires DMARC at p=quarantine or p=reject. Full guide: BIMI setup
7. MTA-STS Records (Transport Security)
_mta-sts.yourdomain.com TXT v=STSv1; id=20260331
mta-sts.yourdomain.com A YOUR_HOSTING_IP (or CNAME)
Plus a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Full guide: MTA-STS setup
8. TLS-RPT Record (Encryption Reporting)
_smtp._tls.yourdomain.com TXT v=TLSRPTv1; rua=mailto:TLS_REPORT_ADDRESS@yourdomain.com
Common DNS Mistakes
1. Multiple SPF Records
Wrong:
yourdomain.com TXT v=spf1 include:_spf.google.com -all
yourdomain.com TXT v=spf1 include:sendgrid.net -all
Right:
yourdomain.com TXT v=spf1 include:_spf.google.com include:sendgrid.net -all
Merge into ONE record. If you're hitting the 10-lookup limit, see our SPF optimization guide.
2. Cloudflare Proxy on Email Records
MX, DKIM, and SPF records must NOT be proxied (orange cloud). Set to DNS-only (gray cloud).
3. Missing DKIM After ESP Migration
Old ESP's DKIM records left in DNS, new ESP's records not added. DKIM fails silently. Always add new records BEFORE removing old ones.
4. SPF Exceeding 10 Lookups
Too many includes = permerror = SPF fails for everything. Use MXToolbox SPF Lookup to count. Fix: Multi-sender SPF guide
5. Wrong DKIM Hostname
domainkey.yourdomain.com instead of _domainkey.yourdomain.com (note the underscore). Or selector.domainkey instead of selector._domainkey.
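As an added illustration of the SPF rules above and of mistakes 1, 4 and 5, here is a small offline checker (example code written for this page, not from the guide or any tool it names) run over a constructed zone snapshot; all record names and values in it are hypothetical stand-ins, and the `_spf.google.com` entry is only there so the recursive lookup count has an include to follow.

```python
import re
# Constructed zone snapshot for illustration (not a real domain's DNS).
# name -> list of (type, value); a live checker would query DNS for these instead.
ZONE = {
    "yourdomain.com": [
        ("MX", "1 ASPMX.L.GOOGLE.COM"),
        ("TXT", "v=spf1 include:_spf.google.com -all"),
        ("TXT", "v=spf1 include:sendgrid.net -all"),  # mistake 1: a second SPF record
    ],
    # constructed stand-in for the included record, so the lookup count has something to follow
    "_spf.google.com": [("TXT", "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all")],
    "google._domainkey.yourdomain.com": [("TXT", "v=DKIM1; k=rsa; p=PUBLIC_KEY")],
    "s1.domainkey.yourdomain.com": [("CNAME", "s1.domainkey.u1234.wl567.sendgrid.net")],  # mistake 5
    "_dmarc.yourdomain.com": [("TXT", "v=DMARC1; p=none; rua=mailto:REPORT_ADDRESS@yourdomain.com")],
}

# SPF terms that each cost one DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all are free.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)

def spf_records(zone, name):
    return [v for t, v in zone.get(name, []) if t == "TXT" and v.lower().startswith("v=spf1")]
def spf_lookups(zone, record, depth=0):
    """Count lookup-causing terms, following include:/redirect= targets present in the snapshot."""
    count = 0
    for term in record.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if m:
            count += 1
            if m.group(1).lower() in ("include", "redirect") and depth < 10:  # depth guard stops loops
                target = re.split(r"[:=]", term, maxsplit=1)[1]
                count += sum(spf_lookups(zone, r, depth + 1) for r in spf_records(zone, target))
    return count
def check_zone(zone, domain):
    findings = []  # one human-readable line per problem; empty list means every check passed
    spf = spf_records(zone, domain)
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)} (permerror)")
    for rec in spf:
        if (n := spf_lookups(zone, rec)) > 10:
            findings.append(f"SPF: {n} DNS lookups exceeds the limit of 10 (permerror)")
        if rec.split()[-1].lower() != "-all":
            findings.append(f"SPF: record ends with {rec.split()[-1]!r}, not -all (hardfail)")
    for name in zone:  # mistake 5: selector.domainkey without the leading underscore
        if "domainkey" in name and "._domainkey." not in name:
            findings.append(f"DKIM: {name} is missing the underscore in _domainkey")
    dmarc = [v for t, v in zone.get(f"_dmarc.{domain}", []) if t == "TXT" and v.startswith("v=DMARC1")]
    if len(dmarc) != 1 or not re.search(r"\bp=(none|quarantine|reject)\b", dmarc[0]):
        findings.append("DMARC: need exactly one v=DMARC1 record with a valid p= tag")
    return findings
```

Running `check_zone(ZONE, "yourdomain.com")` on the snapshot reports the duplicate SPF record and the DKIM name without the underscore; swap the snapshot for the output of `dig TXT` against your own zone to check real records.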
Verification
After configuring all records, verify with:
- MXToolbox: MX Lookup, SPF Lookup, DKIM Lookup, DMARC Lookup
- Mail-Tester: Send a test email, get a comprehensive score
- Gmail headers: Send to Gmail → Show Original → check Authentication-Results
Practitioner note: DNS is where most email infrastructure fails. Not because the concepts are hard, but because one typo, one missing underscore, one extra space breaks authentication silently. Always verify after every DNS change. Use MXToolbox — it takes 30 seconds and prevents hours of debugging.
Practitioner note: Before making DNS changes: lower the TTL to 300 seconds (5 minutes). Wait for the old TTL to expire. Then make your change. This means mistakes propagate and can be fixed in minutes instead of hours.
If you need DNS configured correctly for your complete email infrastructure, schedule a consultation.
Sources
- RFC 5321: SMTP (MX Records)
- RFC 7208: SPF
- RFC 6376: DKIM
- RFC 7489: DMARC
v1.0 · March 2026
Frequently Asked Questions
What DNS records do I need for email?
Minimum: MX (receiving), SPF (sending authorization), DKIM (signing), DMARC (policy). For sending servers: PTR (reverse DNS). Optional but recommended: BIMI (brand logo), MTA-STS (transport security), TLS-RPT (encryption reporting).
How long do DNS changes take to propagate?
Depends on TTL (Time to Live). Most changes propagate within 1-4 hours. Some DNS providers cache aggressively and may take up to 48 hours. Lower your TTL before making changes (set to 300 seconds), make the change, then restore TTL after verification.
Can I have multiple MX records?
Yes, and you should for redundancy. Use priority values: MX 10 (primary), MX 20 (secondary). If the primary server is unavailable, email routes to the secondary. Most hosted email (Google Workspace, M365) provides multiple MX records.
What is a PTR record and do I need one?
PTR (Pointer) records map an IP address to a hostname (reverse DNS). Required if you run your own mail server — many ISPs reject email from IPs without PTR records. Not needed if you use an ESP (they manage their own PTR records).
Should I use Cloudflare proxy for email records?
No. MX records, DKIM records, and SPF records must NOT be proxied through Cloudflare. Set these to 'DNS only' (gray cloud, not orange cloud). Proxying email DNS records breaks email delivery.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.