Email DNS Configuration¶
Proper DNS configuration is critical for email deliverability and security. This guide covers all DNS records required for InteSys email hosting.
Required Records¶
MX Records¶
MX (Mail Exchange) records tell other mail servers where to deliver email for your domain.
Priority Matters
The lower number (10) has higher priority. The secondary MX (20) acts as a fallback if the primary is temporarily unavailable. Always configure both records.
SPF Record¶
SPF (Sender Policy Framework) declares which mail servers are authorized to send email on behalf of your domain.
Understanding SPF mechanisms:
| Mechanism | Meaning |
|---|---|
include:_spf.intesys.io | Authorize InteSys mail servers |
~all | Soft fail for unauthorized senders (recommended starting point) |
-all | Hard fail — reject unauthorized senders (stricter, use after testing) |
SPF Lookup Limit
SPF allows a maximum of 10 DNS lookups. If you use multiple email providers, be careful not to exceed this limit. Use our Email Auth Validator to check your record.
DKIM Record¶
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email, allowing receivers to verify the message was not altered in transit.
InteSys generates your DKIM key pair during setup. Add the provided CNAME record:
Alternatively, if you received a TXT record with the public key:
intesys._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ..."
DMARC Record¶
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do with messages that fail authentication.
Start with monitoring mode:
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100"
After confirming legitimate mail passes, move to enforcement:
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"
| Policy | Behavior |
|---|---|
p=none | Monitor only — no action on failures (use during initial setup) |
p=quarantine | Mark failures as spam |
p=reject | Reject failures outright (maximum protection) |
DMARC Ramp-Up
We recommend starting with p=none for at least 2 weeks while reviewing DMARC aggregate reports. Then move to p=quarantine with pct=10 and gradually increase to 100% before switching to p=reject.
Optional Records¶
Autodiscover / Autoconfig¶
These records enable automatic email client configuration:
autodiscover.example.com. 3600 IN CNAME autodiscover.intesys.io.
autoconfig.example.com. 3600 IN CNAME autoconfig.intesys.io.
MTA-STS¶
MTA-STS enforces TLS encryption for incoming email, preventing downgrade attacks:
You also need to host a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt.
TLSRPT¶
SMTP TLS Reporting enables receiving servers to send you reports about TLS connection failures:
_smtp._tls.example.com. 3600 IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"
Verification¶
After configuring all records, verify your setup using the InteSys Email Auth Validator at intesys.io/tools. The tool checks SPF, DKIM, and DMARC records and reports any issues.
Complete DNS Example¶
; MX
example.com. 3600 IN MX 10 mx1.intesys.io.
example.com. 3600 IN MX 20 mx2.intesys.io.
; SPF
example.com. 3600 IN TXT "v=spf1 include:_spf.intesys.io -all"
; DKIM
intesys._domainkey.example.com. 3600 IN CNAME intesys._domainkey.intesys.io.
; DMARC
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
; Autodiscover
autodiscover.example.com. 3600 IN CNAME autodiscover.intesys.io.
autoconfig.example.com. 3600 IN CNAME autoconfig.intesys.io.
; MTA-STS and TLS Reporting
_mta-sts.example.com. 3600 IN TXT "v=STSv1; id=20260330"
_smtp._tls.example.com. 3600 IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"