DNS Configuration Guide

Complete DNS setup guide with provider-specific instructions and troubleshooting tips

Using the DNS Checker Tool

SpoofMon's DNS Checker tool helps you verify that your email authentication records are properly configured. It's your first step in setting up DMARC monitoring.

How to Use the DNS Checker

  1. Navigate to "DNS Checker" in your SpoofMon dashboard
  2. Enter your domain name (e.g., example.com)
  3. Click "Check DNS Records"
  4. Review the results for each record type (SPF, DKIM, DMARC)
  5. Follow the recommendations provided for any issues
Pro Tip

The DNS Checker provides copy-paste ready DNS records when it detects missing or incorrect configurations. Use these as starting points and customize them for your specific needs.

Understanding DNS Record Types

SPF (Sender Policy Framework) Records

SPF Record Basics

Purpose: Specifies which mail servers are authorized to send email for your domain.

Record Type: TXT record

Location: Root domain (example.com)

Basic Format: v=spf1 [mechanisms] [qualifier]

SPF Mechanisms
| Mechanism | Example | What It Does |
| --- | --- | --- |
| ip4 | ip4:192.168.1.100 | Authorizes a specific IPv4 address |
| ip6 | ip6:2001:db8::1 | Authorizes a specific IPv6 address |
| a | a:mail.example.com | Authorizes IPs that resolve to this hostname |
| mx | mx | Authorizes your domain's MX record IPs |
| include | include:_spf.google.com | Includes another domain's SPF record |

SPF Qualifiers
+all (Pass)

Authorizes all senders (not recommended for security)

~all (SoftFail)

Marks unauthorized emails as suspicious (good for testing)

-all (HardFail)

Rejects unauthorized emails (strictest security)

?all (Neutral)

No policy specified (minimal security)

Common SPF Examples
Google Workspace (Gmail):
v=spf1 include:_spf.google.com ~all
Microsoft 365 (Outlook):
v=spf1 include:spf.protection.outlook.com ~all
Custom Mail Server + Google:
v=spf1 ip4:192.168.1.100 include:_spf.google.com ~all
Multiple Services:
v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com ~all

DKIM (DomainKeys Identified Mail) Records

DKIM Record Basics

Purpose: Provides public key for verifying email signatures.

Record Type: TXT record

Location: [selector]._domainkey.yourdomain.com

Content: Public key and parameters

DKIM Selectors

DKIM selectors allow multiple keys for the same domain. Common selector names:

  • selector1, selector2: Microsoft 365 default selectors
  • google: Google Workspace default selector
  • k1, default: Generic selector names
  • custom names: Based on your email service provider
Where to Get DKIM Records
| Email Provider | Where to Find DKIM Settings | Typical Selector |
| --- | --- | --- |
| Google Workspace | Admin Console → Apps → Gmail → Authenticate email | google._domainkey |
| Microsoft 365 | Admin Center → Exchange → Protection → DKIM | selector1._domainkey, selector2._domainkey |
| SendGrid | Settings → Sender Authentication → Domain Authentication | s1._domainkey, s2._domainkey |
| Mailchimp | Account → Settings → Domains | k1._domainkey |

DMARC Records

DMARC Record Basics

Purpose: Defines policy for handling authentication failures.

Record Type: TXT record

Location: _dmarc.yourdomain.com

Format: tag=value pairs separated by semicolons

Essential DMARC Tags
| Tag | Purpose | Values | Example |
| --- | --- | --- | --- |
| v | Version (required) | DMARC1 | v=DMARC1 |
| p | Policy for domain (required) | none, quarantine, reject | p=quarantine |
| rua | Aggregate report address | Email address(es) | rua=mailto:[email protected] |
| ruf | Forensic report address | Email address(es) | ruf=mailto:[email protected] |
| sp | Subdomain policy | none, quarantine, reject | sp=quarantine |
| adkim | DKIM alignment mode | r (relaxed), s (strict) | adkim=r |
| aspf | SPF alignment mode | r (relaxed), s (strict) | aspf=r |

DMARC Policy Progression
Phase 1: Monitor
v=DMARC1; p=none; rua=mailto:[email protected]

Collect data without affecting email delivery

Phase 2: Quarantine
v=DMARC1; p=quarantine; rua=mailto:[email protected]

Failed emails marked as spam

Phase 3: Reject
v=DMARC1; p=reject; rua=mailto:[email protected]

Failed emails completely blocked

Provider-Specific Instructions

GoDaddy DNS Management

Adding DNS Records in GoDaddy:
  1. Log into your GoDaddy account
  2. Go to My Products → Domain Manager
  3. Click DNS next to your domain
  4. Scroll down to the Records section
  5. Click Add to create a new record
  6. Select TXT as the record type
  7. Enter the appropriate information:
    • Name: @ (for SPF) or _dmarc (for DMARC) or selector._domainkey (for DKIM)
    • Value: Your DNS record content
    • TTL: 1 Hour (or 3600 seconds)
  8. Click Save
GoDaddy Specific Notes:
  • Use @ for root domain records (SPF)
  • Don't include the domain name in the Name field
  • Changes can take up to 48 hours to propagate
  • You can verify changes using their DNS lookup tool

Cloudflare DNS Management

Adding DNS Records in Cloudflare:
  1. Log into your Cloudflare dashboard
  2. Select your domain from the list
  3. Go to the DNS tab
  4. Click Add record
  5. Configure the record:
    • Type: TXT
    • Name: @ (SPF), _dmarc (DMARC), or selector._domainkey (DKIM)
    • Content: Your DNS record content
    • TTL: Auto (recommended) or 1 hour
  6. Click Save
Cloudflare Specific Notes:
  • Records are typically active within minutes
  • Cloudflare automatically handles the domain suffix
  • Use the DNS Records overview to verify additions
  • Consider using their Email Security features for additional protection

Amazon Route 53

Adding DNS Records in Route 53:
  1. Sign in to the AWS Management Console
  2. Open the Route 53 console
  3. Go to Hosted zones
  4. Select your domain's hosted zone
  5. Click Create record
  6. Configure the record:
    • Record name: Leave blank (SPF), _dmarc (DMARC), or selector._domainkey (DKIM)
    • Record type: TXT
    • Value: Your DNS record content (in quotes)
    • TTL: 300 seconds (5 minutes)
  7. Click Create records

Namecheap DNS Management

Adding DNS Records in Namecheap:
  1. Log into your Namecheap account
  2. Go to Domain List
  3. Click Manage next to your domain
  4. Click on the Advanced DNS tab
  5. In the Host Records section, click Add New Record
  6. Configure the record:
    • Type: TXT Record
    • Host: @ (SPF), _dmarc (DMARC), or selector._domainkey (DKIM)
    • Value: Your DNS record content
    • TTL: Automatic
  7. Click the checkmark icon to save

Common Configuration Errors

Problem:

Multiple TXT records starting with "v=spf1" exist for the same domain.

Solution:
  1. Combine all SPF mechanisms into a single record
  2. Delete duplicate SPF records
  3. Ensure only one SPF record exists per domain
Example Fix:

Instead of:

v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all

Use:

v=spf1 include:_spf.google.com include:sendgrid.net ~all
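
The fix above can be automated when auditing a zone export. The following is an added example, not part of SpoofMon or the original guide: it finds every SPF record in a list of TXT strings and merges them into one. The function names and the sample TXT values are constructed for illustration, and refusing to merge records whose `all` terms disagree is a design choice made here.

```python
QUALIFIERS = "+-~?"

def find_spf(txt_records):
    """Return the TXT strings that are SPF records (first term is v=spf1)."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def merge_spf(txt_records):
    """Merge all SPF records published at one name into a single record.

    Returns None if there is no SPF record. Raises ValueError when the
    records disagree on the final 'all' term, because choosing between
    ~all and -all is a policy decision that should not be automated.
    """
    spf = find_spf(txt_records)
    if not spf:
        return None
    mechanisms, all_terms = [], []
    for record in spf:
        for term in record.split()[1:]:
            if term.lstrip(QUALIFIERS).lower() == "all":
                # A bare "all" carries the default "+" qualifier.
                term = term.lower() if term[0] in QUALIFIERS else "+all"
                if term not in all_terms:
                    all_terms.append(term)
            elif term not in mechanisms:
                mechanisms.append(term)  # keep first-seen order, drop duplicates
    if len(all_terms) > 1:
        raise ValueError(f"conflicting 'all' terms: {all_terms}")
    # The single 'all' term always goes last so no mechanism is shadowed.
    return " ".join(["v=spf1", *mechanisms, *all_terms])

# Constructed sample: TXT strings as they might appear at the root of a domain.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
    "site-verification=constructed-sample-token",
]

if __name__ == "__main__":
    print(len(find_spf(SAMPLE_TXT)), "SPF records found")
    print("merged:", merge_spf(SAMPLE_TXT))
```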

Common DMARC Syntax Issues:
  • Missing semicolons between tags
  • Spaces around equals signs
  • Invalid tag values
  • Missing required tags (v, p)
Correct Format:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Common Errors to Avoid:
  • v = DMARC1 (spaces around =)
  • p=quarantine rua=mailto:... (missing semicolon)
  • p=block (invalid policy value)
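
A small linter for the DMARC syntax errors listed above, useful before publishing a record. This is an added example, not SpoofMon's checker: the function name, messages and sample records are constructed, and the report address in the samples is a placeholder.

```python
import re

# Allowed values for the enumerated tags in "Essential DMARC Tags".
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}

def lint_dmarc(record):
    """Return a list of problems in a DMARC TXT record (empty list = clean)."""
    problems = []
    if re.search(r"\s=|=\s", record):
        problems.append("spaces around '='")
    tags = {}
    for part in (p.strip() for p in record.split(";")):
        if not part:
            continue  # a trailing ';' is harmless
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep:
            problems.append(f"not a tag=value pair: {part!r}")
            continue
        # A second tag inside the value means the ';' before it was dropped.
        if re.search(r"\s\w+=", value):
            problems.append(f"missing semicolon after '{name}'")
            value = value.split()[0]
        tags[name] = value
    if tags.get("v") != "DMARC1":
        problems.append("missing or invalid required tag 'v' (must be DMARC1)")
    if "p" not in tags:
        problems.append("missing required tag 'p'")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"invalid value for '{name}': {tags[name]!r}")
    return problems

# Constructed samples mirroring the errors above; the address is a placeholder.
SAMPLES = [
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "v = DMARC1; p=none",
    "v=DMARC1; p=quarantine rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=block",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_dmarc(sample) or "OK")
```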

Symptoms:
  • DNS Checker shows old or missing records
  • Changes not visible across all DNS servers
  • Inconsistent results from different locations
Solutions:
  1. Wait for full propagation (up to 48 hours)
  2. Check TTL values (lower = faster propagation)
  3. Verify changes in your DNS provider's interface
  4. Use multiple DNS checking tools
  5. Clear local DNS cache if necessary

Problem:

Email service is using a different DKIM selector than what's configured in DNS.

Diagnosis:
  1. Check your email service's DKIM settings
  2. Verify the selector name they're using
  3. Ensure DNS record matches exactly
Solution:
  • Update DNS record to match service's selector
  • Or configure service to use your DNS selector
  • Common selectors: selector1, google, default, k1

Testing and Validation

Recommended Testing Tools

SpoofMon DNS Checker

Built-in tool that provides comprehensive analysis and recommendations

External Validation
  • MXToolbox.com
  • DMARCian.com
  • Google Admin Toolbox

Validation Checklist

Before Going Live:
  • ✅ SPF record includes all legitimate sending sources
  • ✅ DKIM records are published and match email service configuration
  • ✅ DMARC record syntax is correct
  • ✅ DMARC reporting email address is monitored
  • ✅ Start with p=none policy for monitoring
  • ✅ DNS propagation is complete (test from multiple locations)
  • ✅ Send test emails and verify authentication headers
DNS Configuration Best Practices
  1. Always start with DMARC policy p=none to monitor before enforcing
  2. Keep detailed documentation of all DNS changes
  3. Use version control or change logs for DNS records
  4. Test changes thoroughly before implementing strict policies
  5. Monitor DMARC reports closely after DNS changes
  6. Plan for DNS propagation time when making changes
  7. Keep TTL values reasonable (5-60 minutes for testing, 1-24 hours for production)
  8. Regularly audit and update SPF records as email services change