Email DNS Records
For a public email server, a set of DNS records is effectively mandatory.
MX Records
An MX record indicates the domain(s) that should receive mail directed to a (sub)domain.
Multiple target domains can be defined and they will be tried in order according to their priority. The standard is to set the primary mail server with priority 10, then the secondary with priority 20, and so on.
Every (sub)domain that should be able to receive mail must have its own set of MX records.
The target of an MX record must be a hostname that resolves directly to an A or AAAA record, not a CNAME record and not a bare IP address, because reverse DNS for that host is required separately (see PTR Records).
PTR Records
Every mail server that is targeted by an MX record must additionally have a PTR record published to ensure that reverse DNS lookups match.
A PTR record for an IP address such as 1.2.3.4 is published under the name 4.3.2.1.in-addr.arpa. The record's target is the fully qualified domain name of the host at that IP address.
If hosting through a provider, e.g. AWS, it may be necessary to configure the PTR record within their service.
When an MTA opens a connection to a mail server, it parses the hostname that the receiving server announces, resolves that name to an IP address, and checks that the address matches the current connection exactly. On a mismatch, some MTAs will drop the connection.
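The MX and PTR rules above, worked as a small audit script. This is an added example, not code from the original page: the DNS data is a constructed lookup table (documentation ranges, no live queries), and the function names reverse_name, ordered_mx, mx_target_problems, fcrdns_ok and audit_mx are assumptions of this example. It also generalises the reverse name to IPv6 (ip6.arpa), which the page does not cover.

```python
import ipaddress

# Constructed sample DNS data standing in for live lookups (not real zones).
MX_RECORDS = {
    "example.com": [(20, "mx2.example.com"), (10, "mx1.example.com"), (30, "alias.example.com")],
}
A_RECORDS = {"mx1.example.com": "192.0.2.10", "mx2.example.com": "192.0.2.20"}
CNAME_RECORDS = {"alias.example.com": "mx1.example.com"}
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa": "mx1.example.com",
    # PTR points at a name that does not resolve back to this address
    "20.2.0.192.in-addr.arpa": "smtp.example.net",
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def ordered_mx(domain: str) -> list[str]:
    """MX targets in the order an MTA tries them: lowest priority value first."""
    return [host for _, host in sorted(MX_RECORDS.get(domain, []))]


def mx_target_problems(host: str) -> list[str]:
    """Reasons an MX target is unacceptable: IP literal, CNAME, or no A/AAAA record."""
    try:
        ipaddress.ip_address(host)
        return ["target is an IP literal"]
    except ValueError:
        pass  # not an address literal, so it is a hostname
    problems = []
    if host in CNAME_RECORDS:
        problems.append("target is a CNAME")
    if host not in A_RECORDS:
        problems.append("target has no A/AAAA record")
    return problems


def fcrdns_ok(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to exactly this address."""
    name = PTR_RECORDS.get(reverse_name(ip))
    if name is None:
        return False
    return A_RECORDS.get(name) == str(ipaddress.ip_address(ip))


def audit_mx(domain: str) -> list[tuple[str, list[str], bool]]:
    """For each MX target in try order: (host, problems, reverse DNS confirmed)."""
    report = []
    for host in ordered_mx(domain):
        problems = mx_target_problems(host)
        ip = A_RECORDS.get(host)
        report.append((host, problems, fcrdns_ok(ip) if ip else False))
    return report


if __name__ == "__main__":
    for host, problems, ok in audit_mx("example.com"):
        print(host, problems or "ok", "rDNS confirmed" if ok else "rDNS MISMATCH")
```

Swapping the constructed tables for real resolver calls turns this into a pre-deployment check: the second target above shows the failure mode the page describes, a PTR that exists but names a host which does not resolve back to the connecting address.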
SPF Record
DKIM Record
DMARC Record
DMARC Report Records
Disabling mail
In addition to all of the above, the best practice for any domains that should not send mail is to publish:
an SPF record indicating that all mail should be rejected ("v=spf1 -all")
an empty DKIM record ("v=DKIM1; p=")
a strict DMARC record ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]")
These will prevent spoofing of the domain.