Mailcow requires 7 DNS records: A record for mail hostname, MX record pointing to mail hostname, SPF TXT record authorizing your IP, DKIM TXT record (generated by Mailcow), DMARC TXT record, PTR record (set at VPS provider), and optionally autodiscover/autoconfig CNAME records. Missing any one of these causes deliverability problems.
Mailcow DNS Configuration: MX, SPF, DKIM, DMARC, PTR
The Complete DNS Record Set
Mailcow needs specific DNS records to send and receive email properly. Miss one and you'll have authentication failures, spam folder placement, or outright rejection. For a broader view of email DNS, see our DNS configuration guide and authentication guide.
Here's every record, in the order you should create them.
Record 1: A Record (Mail Hostname)
mail.yourdomain.com A 203.0.113.5
Replace 203.0.113.5 with your VPS IP address. This tells the internet where your mail server lives.
If using Cloudflare: Set this to DNS-only mode (grey cloud icon). Do NOT proxy mail traffic through Cloudflare — it breaks SMTP.
Record 2: MX Record
yourdomain.com MX 10 mail.yourdomain.com
Priority 10 is standard for a single mail server. This tells other servers where to deliver email destined for your domain.
If you only send email (not receive), you technically don't need MX. But having it helps your domain's legitimacy score and enables bounce reply processing.
Record 3: SPF Record
yourdomain.com TXT "v=spf1 ip4:203.0.113.5 -all"
This authorizes only your server's IP to send email for your domain. Use -all (hardfail) for strict enforcement.
If you also use Google Workspace or another service for employee email:
yourdomain.com TXT "v=spf1 ip4:203.0.113.5 include:_spf.google.com -all"
Keep your SPF record optimized — every include costs a DNS lookup toward the 10-lookup limit.
Practitioner note: I see people add a and mx mechanisms to their SPF record out of habit. For Mailcow, ip4:YOUR_IP is all you need from the Mailcow side. Those extra mechanisms waste DNS lookups and add nothing when you're specifying the IP directly.
Record 4: DKIM Record
Mailcow generates DKIM keys automatically. To retrieve yours:
- Log into Mailcow admin panel
- Go to Configuration → Domains
- Click your domain
- Click the DKIM tab
- If no key exists, select 2048-bit and click Generate
- Copy the displayed TXT record
Add it to DNS:
dkim._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
The default selector is dkim. Mailcow shows the exact record name and value. Copy it exactly — one wrong character and DKIM fails.
Important: Some DNS providers have a 255-character limit per TXT string. A 2048-bit DKIM key exceeds this. Most providers handle it by splitting into multiple strings automatically. If yours doesn't, you'll need to split the p= value into quoted strings:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..." "...remaining key data..."
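The split described above, and the reverse check against what DNS actually serves, as an added example (not Mailcow's own tooling). The function names are illustrative, and the key is a constructed dummy of the same length as a 2048-bit record.

```shell
#!/bin/sh
# Added example; function names are illustrative and the key is a constructed dummy.

# split_txt VALUE: print VALUE as quoted strings of at most 255 characters each,
# separated by spaces, for providers that do not split long TXT data themselves.
split_txt() {
    printf '%s\n' "$1" | fold -w 255 |
        awk '{ printf "%s\"%s\"", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# join_txt ANSWER: rebuild the logical value from a dig +short TXT answer.
# Resolvers concatenate the strings with nothing in between; older dig
# releases also print ";" as "\;", which is undone here.
join_txt() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' -e 's/\\;/;/g'
}

# dkim_matches PANEL_VALUE ANSWER: succeed only if DNS serves exactly the
# record Mailcow displayed, whatever the string boundaries are.
dkim_matches() { [ "$(join_txt "$2")" = "$1" ]; }

# Constructed stand-in for a 2048-bit record: header plus 392 filler characters.
SAMPLE="v=DKIM1; k=rsa; p=$(printf '%0392d' 0 | tr 0 A)"

# Run with the argument "demo" to print the split form of the sample.
if [ "${1:-}" = demo ]; then
    split_txt "$SAMPLE"
fi
```

After publishing, pass the panel value and the output of the DKIM dig query to dkim_matches; a non-zero exit means the published key differs from the one Mailcow signs with.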
Record 5: DMARC Record
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=1"
Start with p=none to monitor without affecting delivery. The rua address receives aggregate reports showing authentication results.
After 2-4 weeks of monitoring with clean results, advance to p=quarantine, then eventually p=reject. See the DMARC advancement guide for the safe timeline.
Record 6: PTR Record (Reverse DNS)
This is set at your VPS provider, not your DNS registrar. It maps your IP address back to your hostname.
Hetzner Cloud
Server → Networking → IPv4 → click the reverse DNS icon → enter mail.yourdomain.com
OVHcloud
Server management → IP → click the gear icon → Modify reverse → enter mail.yourdomain.com
Vultr
Server → Settings → IPv4 → Reverse DNS → enter mail.yourdomain.com
The PTR record must match your mail hostname exactly. If your A record says mail.yourdomain.com → 203.0.113.5, your PTR must say 203.0.113.5 → mail.yourdomain.com.
Missing PTR records cause immediate rejection by many ISPs, especially Microsoft/Outlook.
Practitioner note: PTR mismatches are the number one DNS issue I fix on new Mailcow deployments. People configure everything else perfectly but forget the PTR because it's in a different dashboard. Check it with dig -x YOUR_IP before sending any email.
Record 7: Autodiscover (Optional)
These help email clients (Outlook, Thunderbird) auto-configure connection settings:
autodiscover.yourdomain.com CNAME mail.yourdomain.com
autoconfig.yourdomain.com CNAME mail.yourdomain.com
Not required for sending, but convenient if you're using Mailcow for receiving email and want easy client setup.
Complete DNS Record Summary
| Record | Type | Name | Value |
|---|---|---|---|
| Mail hostname | A | mail.yourdomain.com | YOUR_SERVER_IP |
| Mail exchange | MX | yourdomain.com | 10 mail.yourdomain.com |
| SPF | TXT | yourdomain.com | v=spf1 ip4:YOUR_IP -all |
| DKIM | TXT | dkim._domainkey.yourdomain.com | (from Mailcow panel) |
| DMARC | TXT | _dmarc.yourdomain.com | v=DMARC1; p=none; rua=mailto:[email protected] |
| Reverse DNS | PTR | YOUR_IP | mail.yourdomain.com |
| Autodiscover | CNAME | autodiscover.yourdomain.com | mail.yourdomain.com |
| Autoconfig | CNAME | autoconfig.yourdomain.com | mail.yourdomain.com |
Verification
After DNS propagation (usually 15 minutes to 24 hours), verify every record:
# Check A record
dig mail.yourdomain.com A +short
# Check MX record
dig yourdomain.com MX +short
# Check SPF
dig yourdomain.com TXT +short
# Check DKIM
dig dkim._domainkey.yourdomain.com TXT +short
# Check DMARC
dig _dmarc.yourdomain.com TXT +short
# Check PTR
dig -x YOUR_SERVER_IP +short
Or use MXToolbox for a visual check of all records at once.
Send a test email to a Gmail address and check the headers: SPF, DKIM, and DMARC should all show pass.
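The dig commands above only show what is published. The script below is an added example, not part of Mailcow, that judges those answers against the rules on this page: A and PTR agree, SPF lists the server IP and ends in -all, the SPF lookup cost from the SPF section, and the DMARC policy. The function names and the mail.DOMAIN hostname convention are assumptions.

```shell
#!/bin/sh
# Added example: judge the content of dig answers. Function names are illustrative.

# Strip the surrounding quotes from a single-string TXT answer (dig +short form).
unquote() { printf '%s\n' "$1" | sed -e 's/^"//' -e 's/"$//'; }

# spf_lookups RECORD: count top-level terms that cost a DNS lookup (RFC 7208,
# section 4.6.4). Lookups made inside an include: target are not followed here.
spf_lookups() {
    unquote "$1" | tr ' ' '\n' | sed 's/^[-+~?]//' |
        grep -Eic '^(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))' || true
}

# spf_ok RECORD IP: the server IP is authorized and the record ends in hardfail.
spf_ok() {
    rec=$(unquote "$1")
    case " $rec " in *" ip4:$2 "*) ;; *) return 1 ;; esac
    case "$rec" in "v=spf1 "*" -all") return 0 ;; *) return 1 ;; esac
}

# ptr_ok PTR_ANSWER HOSTNAME: dig -x prints a trailing dot; compare ignoring case.
ptr_ok() {
    [ "$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# dmarc_policy RECORD: print the value of the p= tag (none, quarantine or reject).
dmarc_policy() { unquote "$1" | tr -d ' \\' | tr ';' '\n' | sed -n 's/^p=//p'; }

# verify_live DOMAIN IP: run the page's dig commands and report each mismatch.
# Assumes the mail hostname is mail.DOMAIN, as in the examples on this page.
verify_live() {
    host="mail.$1"; rc=0
    [ "$(dig +short "$host" A)" = "$2" ] || { echo "A record is not $2"; rc=1; }
    ptr_ok "$(dig +short -x "$2")" "$host" || { echo "PTR is not $host"; rc=1; }
    spf=$(dig +short "$1" TXT | grep -i '^"v=spf1' || true)
    spf_ok "$spf" "$2" || { echo "SPF lacks ip4:$2 or -all"; rc=1; }
    echo "SPF top-level lookup terms: $(spf_lookups "$spf")"
    echo "DMARC policy: $(dmarc_policy "$(dig +short "_dmarc.$1" TXT)")"
    return "$rc"
}
```

Source the file and run verify_live yourdomain.com 203.0.113.5; that function needs dig and network access, while the others work on answers you paste in.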
Practitioner note: Set DNS TTL to 300 seconds (5 minutes) while configuring. This speeds up propagation when you inevitably need to fix a typo. Once everything is verified and stable, increase TTL to 3600 (1 hour) to reduce DNS query load.
If DNS configuration feels overwhelming, schedule a consultation — I'll configure all records correctly the first time and verify authentication passes before you send a single email.
v1.0 · April 2026
Frequently Asked Questions
What DNS records does Mailcow need?
Required: A record (mail.domain.com → server IP), MX record (domain.com → mail.domain.com), SPF (v=spf1 ip4:YOUR_IP -all), DKIM (copy from Mailcow admin panel), DMARC (v=DMARC1; p=none; rua=mailto:[email protected]), and PTR (set via VPS dashboard). Optional but recommended: autodiscover and autoconfig CNAMEs.
How do I set up PTR record for Mailcow?
PTR records are set at your VPS provider, not your DNS registrar. In Hetzner Cloud, go to your server → Networking → set reverse DNS to mail.yourdomain.com. On OVHcloud and Vultr, it's in the server networking panel. PTR must match your Mailcow hostname exactly.
Where do I find Mailcow's DKIM key?
In Mailcow admin panel: Configuration → Domains → click your domain → DKIM tab. Mailcow generates a 2048-bit DKIM key. Copy the TXT record value and add it to your DNS at dkim._domainkey.yourdomain.com.
Should I use Cloudflare DNS with Mailcow?
Yes for DNS hosting, but disable the Cloudflare proxy (orange cloud) for mail-related records. The A record for mail.yourdomain.com must be DNS-only (grey cloud). MX records can't be proxied. Proxying mail records breaks SMTP connections.
Why is my Mailcow email going to spam?
Check all DNS records with MXToolbox. The most common causes: missing PTR record, DKIM record not published or wrong selector, SPF record doesn't include server IP, DMARC not set up, or Cloudflare proxy enabled on the mail hostname.