Email Deliverability and DNS Records: What You Need to Know

Mar 11, 2026 | 8 min read | Hostao LLC

Email deliverability, the ability to get your emails into recipients' inboxes rather than spam folders, depends heavily on your DNS configuration. Missing or misconfigured DNS records are one of the most common reasons emails end up in spam.

The DNS Records That Affect Email

Several DNS record types work together to authenticate your email and tell receiving servers that your messages are legitimate:

MX Records

Mail Exchanger (MX) records tell other mail servers where to deliver email for your domain. Without MX records, no one can send email to your domain. You can have multiple MX records with different priorities for redundancy:

example.com.  3600  IN  MX  10  mail1.example.com.
example.com.  3600  IN  MX  20  mail2.example.com.

The lower number has higher priority. If the primary server (priority 10) is unavailable, email is delivered to the backup (priority 20).

SPF Records

Sender Policy Framework (SPF) is a TXT record that specifies which servers are allowed to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is authorized.

example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net -all"

DKIM Records

DomainKeys Identified Mail (DKIM) adds a digital signature to your outgoing emails. The public key is published as a DNS TXT record, and receiving servers use it to verify the signature. This proves the email was not tampered with in transit.

selector1._domainkey.example.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIGf..."

DMARC Records

Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication. It also provides reporting so you can monitor authentication results.

_dmarc.example.com.  3600  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

How These Records Work Together

  1. You send an email from your domain.
  2. The receiving server checks your SPF record to see if the sending IP is authorized.
  3. It verifies the DKIM signature using the public key in your DNS.
  4. It checks your DMARC policy to decide what to do if SPF or DKIM fails.
  5. Based on all three checks, the email is delivered to the inbox, sent to spam, or rejected.

Common Email DNS Mistakes

  • Missing SPF record — Without SPF, anyone can spoof your domain. Many providers will flag or reject your email.
  • Too many SPF lookups — SPF has a 10 DNS lookup limit. Exceeding this causes SPF to fail silently. Flatten your SPF record if you use many services.
  • No DMARC record — Without DMARC, you have no visibility into who is sending email as your domain and no policy enforcement.
  • Neglected DKIM key rotation — DKIM keys should be rotated periodically. Old or compromised keys undermine your authentication.
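
An added example, not part of the original article: a static check for the 10-lookup SPF limit described in the list above, counting the worst-case number of DNS-querying terms across nested includes, before and after flattening. The TXT records in ZONE and FLATTENED are constructed, every provider name in them is made up, and the function names are this example's own; a live check would fetch TXT records from DNS instead of reading a dict.

```python
SPF_LOOKUP_LIMIT = 10                     # the limit named above (RFC 7208, section 4.6.4)
QUERYING = {"a", "mx", "ptr", "exists"}   # mechanisms that cost one DNS lookup each

# Constructed TXT data standing in for live DNS; every name below is made up.
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail-a.example "
                   "include:_spf.crm-b.example include:_spf.news-c.example -all",
    "_spf.mail-a.example": "v=spf1 include:_n1.mail-a.example "
                           "include:_n2.mail-a.example include:_n3.mail-a.example ~all",
    "_n1.mail-a.example": LEAF, "_n2.mail-a.example": LEAF, "_n3.mail-a.example": LEAF,
    "_spf.crm-b.example": "v=spf1 a mx include:_n1.crm-b.example ~all",
    "_n1.crm-b.example": LEAF,
    "_spf.news-c.example": "v=spf1 exists:%{i}.bl.news-c.example ip4:203.0.113.0/24 ~all",
}
# Same sender with mail-a's include tree replaced by its address range ("flattened").
FLATTENED = dict(ZONE, **{"example.com": "v=spf1 mx ip4:192.0.2.0/24 "
                          "include:_spf.crm-b.example include:_spf.news-c.example -all"})


def count_spf_lookups(domain, txt, path=()):
    """Worst-case count of DNS-querying SPF terms reachable from `domain`."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = txt.get(domain, "")
    if record.lower().split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record published for {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")                    # drop the qualifier
        name, _, arg = term.partition(":")
        if name == "include" or term.startswith("redirect="):
            target = arg if name == "include" else term.split("=", 1)[1]
            # one lookup for the referenced record, plus everything it pulls in
            total += 1 + count_spf_lookups(target, txt, path + (domain,))
        elif name.split("/")[0] in QUERYING:          # also matches forms like "a/24"
            total += 1
    return total


def spf_lookup_report(domain, txt):
    """Return (lookup count, verdict against the 10-lookup limit)."""
    n = count_spf_lookups(domain, txt)
    return n, ("ok" if n <= SPF_LOOKUP_LIMIT else "over limit")


if __name__ == "__main__":
    print("original :", spf_lookup_report("example.com", ZONE))
    print("flattened:", spf_lookup_report("example.com", FLATTENED))
```

The count is an upper bound: a receiver stops evaluating at the first matching mechanism, so a record over the limit here may still pass for some senders and fail for others, which is why the failure is easy to miss.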

Properly configured email DNS records are not optional — they are essential. Check your domain's email authentication using our Nameserver Lookup Tool and fix any gaps before they cost you deliverability.
