DNS on Sender Audit Blog

Email and DNS: Every Record You Need to Know

Sun, 26 Apr 2026 00:00:00 +0000

DNS is the invisible foundation of email. Without the right records, your emails won’t be delivered, authenticated, or encrypted. Here are all the DNS records a sending domain needs to know and configure.

Overview

Record	Type	Role
MX	MX	Where to deliver emails for your domain
SPF	TXT	Who can send for your domain
DKIM	TXT/CNAME	Public key for verifying signatures
DMARC	TXT	SPF + DKIM alignment policy
MTA-STS	TXT + HTTPS	Enforce TLS encryption
TLS-RPT	TXT	Reports on TLS failures
BIMI	TXT	Verified logo in the inbox
PTR	PTR	Reverse DNS for your sending IPs

MX: Where to Deliver Emails

The MX (Mail Exchange) record specifies which servers receive emails for your domain.

Reading and Understanding DMARC Reports (RUA)

Sun, 05 Apr 2026 00:00:00 +0000

You’ve configured DMARC with a rua= tag and reports are starting to arrive. But what do you do with these often incomprehensible XML files? This guide teaches you how to read them, interpret them, and take concrete action.

What Is a DMARC RUA Report

An RUA (Report URI Aggregate) report is an XML file sent daily by mailbox providers (Google, Microsoft, Yahoo, etc.) to the address defined in your DMARC record.

DKIM RSA Key Size: 1024 vs 2048 Bits and the Future with Ed25519

Sat, 14 Mar 2026 00:00:00 +0000

Your DKIM setup works, signatures pass. But have you checked the size of your RSA key? A key that’s too short is a ticking time bomb: it could be cracked, allowing an attacker to sign emails on your behalf.

The History of DKIM Keys: From 512 to 2048 Bits

2012: The End of 512-Bit Keys

In 2012, researchers demonstrated that a 512-bit RSA key could be cracked in under 72 hours using cheap cloud computing power. The result: anyone could impersonate a domain using a 512-bit key and send perfectly DKIM-signed emails.

How to Configure DMARC to Protect Your Domain

Wed, 18 Feb 2026 00:00:00 +0000

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that protects your domain against spoofing and phishing. In this guide, we’ll walk through how to set it up properly.

Why DMARC Is Essential

Without DMARC, anyone can send emails pretending to be your domain. The consequences are serious:

Phishing: malicious actors can impersonate your brand
Damaged reputation: ISPs may penalize your domain
Lost trust: your recipients can no longer tell which emails are legitimate

According to the FBI, business email compromise (BEC) scams, many of which exploit missing DMARC, caused over $2.7 billion in losses in 2022 alone.

DKIM: Sign Your Emails to Prove Their Authenticity

Sat, 24 Jan 2026 00:00:00 +0000

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server can verify that the message wasn’t altered in transit and that it came from an authorized sender. It’s the second pillar of email authentication, after SPF.

How DKIM Works, The Simple Version

Think of it like sending a letter with a wax seal. The recipient can verify the seal isn’t broken (the message is intact) and that the seal matches your crest (you’re the legitimate sender).

SPF: The Complete Guide to Authorizing Your Sending Servers

Sat, 17 Jan 2026 00:00:00 +0000

SPF (Sender Policy Framework) is the first line of defense in email authentication. It lets you declare in your DNS which servers are allowed to send email for your domain. Simple on the surface, it hides subtleties that trip up even experienced admins.

What Does SPF Actually Do?

When a receiving server gets an email from contact@yourdomain.com, it asks one question: “Is this server allowed to send for this domain?”