The Domain Name System (DNS) is the foundation of email delivery, translating human-readable domain names into machine-readable IP addresses. Understanding DNS is crucial for managing email infrastructure effectively.
Email authentication protocols work together to verify sender identity and protect against spoofing. Each protocol has unique strengths and weaknesses, and they're most effective when used together.
The Domain Name System (DNS) is a hierarchical and distributed naming system that translates human-readable domain names (like haply.co) into machine-readable IP addresses (like 192.168.1.1) that computers use to identify each other on the network. Think of DNS as the internet's phone book or address directory.
DNS is fundamental to email delivery for several critical reasons:
DNS is organized in a hierarchical tree structure, with each level in the hierarchy responsible for a different part of a domain name.
mail.haply.co
Reading from right to left:
Your company uses multiple domains:
This multi-domain strategy provides flexibility for different purposes, including separating mass email sending to protect your main domain's reputation.
When you type a domain name in your browser or send an email, DNS resolution converts that domain name to an IP address through a series of steps:
Your computer sends a query to a DNS resolver (usually provided by your ISP)
If the resolver doesn't know the answer, it starts at the root servers
The root server directs the resolver to the appropriate TLD server (.co in your case)
The TLD server directs the resolver to the authoritative name servers for your domain (haply.co)
The authoritative name server returns the IP address for the requested domain
The resolver caches this information to speed up future requests
DNS records have a Time-to-Live (TTL) value that determines how long they can be cached before a new query is required.
When making changes to DNS records that affect email delivery (like SPF, DKIM, or MX records), it's important to consider TTL values to understand how quickly changes will propagate.
Several types of DNS records are crucial for email delivery:
Mail Exchange (MX) records specify the mail servers responsible for accepting email for your domain.
The numbers (10, 20) indicate priority - lower numbers are tried first.
Address (A) records map domain names to IPv4 addresses. AAAA records map to IPv6 addresses.
These records are essential for mail servers to be reachable.
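The resolution steps above (root, then TLD, then authoritative server), the TTL-driven cache, and MX priority ordering can be seen end to end in a toy resolver. This is an added example, not code from the page or from Haply; every zone, server name and IP address in it is constructed, and it queries an in-memory map rather than real DNS.

```python
"""Toy iterative resolver: walks root -> TLD -> authoritative, caches answers for their TTL,
and orders MX answers by priority. All zone data below is constructed for illustration."""
import time

# What the root hints tell us: which server answers for the .co TLD (constructed name).
ROOT_HINTS = {"co": "ns.tld-co.example"}

# Per-server zone data: (name, type) -> list of (ttl_seconds, value). Constructed values.
ZONES = {
    # The .co TLD server knows only the delegation (NS) for haply.co
    "ns.tld-co.example": {
        ("haply.co", "NS"): [(3600, "ns1.haply.co")],
    },
    # The authoritative server for haply.co holds the final answers
    "ns1.haply.co": {
        ("mail.haply.co", "A"): [(300, "203.0.113.25")],
        ("haply.co", "MX"): [(300, "20 backup.haply.co"), (300, "10 mail.haply.co")],
    },
}


class Resolver:
    def __init__(self):
        # (name, type) -> (absolute expiry time, answers)
        self.cache = {}

    def resolve(self, name, rtype, now=None):
        """Return (answers, path) where path lists the servers consulted, or ["cache"]."""
        now = time.time() if now is None else now
        key = (name.lower(), rtype)

        cached = self.cache.get(key)
        if cached and cached[0] > now:      # still within TTL: no query needed
            return cached[1], ["cache"]

        labels = key[0].split(".")
        path = ["root"]                       # step 2: start at the root servers
        tld_server = ROOT_HINTS.get(labels[-1])
        if tld_server is None:
            return [], path                   # unknown TLD

        path.append(tld_server)               # step 3: ask the TLD server
        apex = ".".join(labels[-2:])
        delegation = ZONES[tld_server].get((apex, "NS"))
        if not delegation:
            return [], path                   # domain not delegated

        auth_server = delegation[0][1]
        path.append(auth_server)              # step 4: ask the authoritative server
        records = ZONES[auth_server].get(key, [])
        if not records:
            return [], path

        answers = [value for _, value in records]
        if rtype == "MX":                     # lower preference number is tried first
            answers.sort(key=lambda rr: int(rr.split()[0]))

        ttl = min(ttl for ttl, _ in records)  # step 6: cache for the shortest TTL in the set
        self.cache[key] = (now + ttl, answers)
        return answers, path
```

Passing `now` explicitly makes the cache behaviour observable: a second query inside the 300-second TTL is answered from cache, and a query after expiry walks the hierarchy again. That is the delay you must budget for when changing MX, SPF or DKIM records, and why lowering the TTL ahead of a planned change is common practice.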
Text (TXT) records store text information in DNS and are crucial for email authentication.
TXT records are used for:
DNS plays a critical role in email authentication by providing a trusted, distributed database for storing verification information.
Sender Policy Framework (SPF) uses DNS TXT records to list all servers authorized to send email on behalf of your domain.
Example SPF Record for Haply Robotics:
This record authorizes both Google (your main provider) and Mailjet (for notifications and mass sending) to send emails on behalf of haply.co.
DomainKeys Identified Mail (DKIM) uses DNS TXT records to publish public keys that verify email signatures.
Example DKIM Record:
The "selector" is a unique identifier for the key, allowing you to use different keys for different email sources (e.g., google._domainkey.haply.co for Google and mailjet._domainkey.haply.co for Mailjet).
Domain-based Message Authentication, Reporting & Conformance (DMARC) uses DNS TXT records to publish policies for handling emails that fail SPF or DKIM checks.
Example DMARC Record:
This record tells receiving servers to quarantine (send to spam) emails that fail authentication, and to send aggregate reports to dmarc-reports@haply.co.
For Haply Robotics with multiple domains, consider:
Email authentication is critical for protecting your domain from spoofing and ensuring your legitimate emails reach the inbox. While SPF, DKIM, and DMARC each provide valuable protection on their own, they work best when implemented together as a comprehensive authentication strategy.
Imagine Alice wants to send a letter to Bob, but there are imposters who might try to send fake letters pretending to be from Alice. How can Bob verify the letter is really from Alice?
Alice telling the post office: "I only send letters through these specific mailboxes." The post office checks if the letter came from one of those mailboxes.
Alice using a unique wax seal that only she possesses. Bob can verify the seal hasn't been broken and matches Alice's known seal pattern.
Alice giving Bob instructions: "If the letter doesn't come from my mailboxes OR the seal is broken, please put it in the suspicious pile and let me know."
"SPF verifies the sender's IP address against a list of authorized sending servers."
With your setup using both Google Workspace and Mailjet across multiple domains, SPF is essential but challenging. You need to authorize both services in your SPF records for each domain:
This allows both Google and Mailjet to send on behalf of haply.co, but SPF alone won't protect against all types of spoofing.
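An SPF evaluator for the two-provider record discussed here and in the SPF section above shows how `include:` chains are followed, what `~all` versus `-all` yields for an unlisted host, and where the 10-lookup limit bites. This is an added example rather than the page's own code; the record contents for the include targets are constructed stand-ins (the real `_spf.google.com` and Mailjet records contain other networks), and lookups go to an in-memory map instead of DNS.

```python
"""Minimal SPF check_host() (RFC 7208 subset: ip4, ip6, include, all) against an in-memory
TXT table. Network ranges below are constructed documentation addresses, not real ones."""
import ipaddress

TXT = {
    "haply.co": "v=spf1 include:_spf.google.com include:spf.mailjet.com ~all",
    # Constructed placeholders for the providers' real SPF records
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf.mailjet.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=TXT, lookups=None):
    """Evaluate `domain`'s SPF record for the connecting address `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    lookups = [0] if lookups is None else lookups   # shared counter across includes
    record = txt.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                                 # no SPF record published
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an IPv6 network and vice versa
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"                    # malformed network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:                       # RFC 7208 DNS-lookup limit
                return "permerror"
            inner = check_host(ip, arg, txt, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"                    # broken include breaks the record
            # fail/softfail/neutral inside an include: not a match, keep evaluating
        else:
            return "permerror"                        # mechanism not supported by this toy
    return "neutral"                                  # ran off the end without a match
```

Two things worth noticing when running it: a host that is in neither provider's range gets `softfail` (the `~all`), which most receivers only treat as a weak signal, and the check is applied to the connecting IP and the envelope sender domain only. Nothing here inspects the `From:` header, which is exactly the gap DMARC alignment closes.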
"DKIM adds a digital signature to verify the email hasn't been tampered with and comes from an authorized sender."
For your multi-provider setup, you'll need separate DKIM selectors for each service:
Google Workspace DKIM:
google._domainkey.haply.co IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC..."
Mailjet DKIM:
mailjet._domainkey.haply.co IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC..."
This allows both services to sign emails with their own keys, but DKIM alone doesn't provide policy enforcement.
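The selector mechanism above, and the part of DKIM verification that needs no key at all, can be exercised in a few lines: derive the TXT name from the `s=` and `d=` tags, parse the tag list, and recompute the `bh=` body hash under "simple" body canonicalization. This is an added example, not code from the page or from either provider; the message body and DKIM-Signature value are constructed, and the `b=` signature is a placeholder, so the RSA step over the headers is deliberately not performed here.

```python
"""DKIM steps a verifier performs before any RSA work: locate the key record from the
s= and d= tags, parse tag=value lists, and recompute the bh= body hash under 'simple'
body canonicalization. Sample message and signature below are constructed; the b= value
is a placeholder, so only the body-hash step is checked here."""
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (used by both DKIM-Signature headers and DKIM TXT records).
    Folding whitespace inside values (e.g. a wrapped p= or b= tag) is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_record_name(selector, domain):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing empty lines
    dropped, and exactly one CRLF at the end (an empty body becomes a single CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature, body):
    """True if the bh= tag in the DKIM-Signature header value matches the message body."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or not tags.get("bh"):
        return False
    return tags["bh"] == body_hash(body)


# Constructed sample: a message body and a Mailjet-selector signature for haply.co.
# c=relaxed/simple means relaxed header canonicalization, simple body canonicalization.
BODY = "Hello Bob,\n\nYour Haply device has shipped.\n\n\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=haply.co; s=mailjet; "
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```

A receiver that gets a message signed with `s=mailjet; d=haply.co` fetches `mailjet._domainkey.haply.co`; if that record is missing or its `p=` key does not match the `b=` signature, the signature fails regardless of a correct body hash. The canonicalization also explains why trailing blank lines added in transit do not break DKIM while a change to the text does.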
"DMARC builds on SPF and DKIM by providing policy enforcement and reporting for authentication failures."
For your multi-domain setup, a phased DMARC implementation is recommended:
Phase 1: Monitoring (p=none)
_dmarc.haply.co IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@haply.co"
Phase 2: Quarantine (p=quarantine)
_dmarc.haply.co IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@haply.co"
Phase 3: Rejection (p=reject)
_dmarc.haply.co IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@haply.co"
This gradual approach allows you to monitor authentication results before enforcing stricter policies.
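How a receiver turns the three phase records above into a disposition, including identifier alignment (the "header alignment" row in the comparison below) and `pct=` sampling, can be followed in a small evaluator. This is an added example and not the page's or Haply's own code; the organizational-domain rule is a simplification (real verifiers use the Public Suffix List), the message identities in the usage note are constructed, and a `sample` parameter replaces the random draw so results are reproducible.

```python
"""DMARC evaluation for one message: parse the published record, check identifier alignment,
and apply the p= policy subject to pct= sampling. Records from the text; identities constructed."""
import random


def parse_dmarc(record):
    """Parse a _dmarc TXT record into a dict; return None if it is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Toy organizational-domain rule (last two labels); real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=None):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against; dkim_domain is the
    d= of a verified DKIM signature. `sample` (1-100) replaces the random pct draw in tests.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "none")                  # no policy published: nothing to enforce

    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:              # one aligned pass is enough
        return ("pass", "none")

    sample = random.randint(1, 100) if sample is None else sample
    if sample > int(policy["pct"]):
        # Outside the pct= sample: apply the next less strict policy (RFC 7489 section 6.6.4)
        softer = {"reject": "quarantine", "quarantine": "none", "none": "none"}
        return ("fail", softer[policy["p"]])
    return ("fail", policy["p"])


# The three phase records from the text
PHASE1 = "v=DMARC1; p=none; rua=mailto:dmarc-reports@haply.co"
PHASE2 = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@haply.co"
PHASE3 = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@haply.co"
```

The case to watch for in a multi-provider setup is a message that passes SPF and DKIM yet fails DMARC: a bulk provider that uses its own bounce domain for the envelope sender and signs with its own `d=` produces two passes, neither aligned with `From: ...@haply.co`. The aggregate reports from phase 1 surface exactly these senders; the fix is the provider-specific DKIM selector under haply.co shown earlier (or a custom return-path on your domain), which is why the text recommends monitoring before moving to `quarantine` or `reject`.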
Each authentication protocol addresses different aspects of email security, and they complement each other to provide comprehensive protection.
| Security Aspect | SPF | DKIM | DMARC |
|---|---|---|---|
| Verifies sending server | ✓ | ✗ | ✗ |
| Verifies email content integrity | ✗ | ✓ | ✗ |
| Works with email forwarding | ✗ | ✓ | ✗ |
| Enforces authentication policy | ✗ | ✗ | ✓ |
| Provides authentication reporting | ✗ | ✗ | ✓ |
| Verifies header alignment | ✗ | ✗ | ✓ |
For Haply Robotics, implementing all three protocols across your domains provides these benefits:
Implementation Recommendation:
For your multi-domain strategy, implement all three protocols on each domain, but consider using different DMARC policies based on each domain's purpose: