DNS Verification Checklist for Mailboxes

Setting up DNS records for email can make or break your deliverability. Without proper DNS verification, your emails risk being flagged as spam or rejected entirely. Here's what you need to know:

  • Key DNS Records: Configure MX, SPF, DKIM, DMARC, and PTR records to secure and authenticate your domain's email.
  • Why It Matters: Misconfigured records can lead to phishing vulnerabilities, delivery failures, or spam folder placement.
  • Automation Saves Time: Tools like Primeforge reduce setup from 24 hours to 30 minutes, minimizing errors and ensuring compliance with industry standards.

Checklist Overview:

  1. Confirm domain ownership.
  2. Verify MX records for correct email routing.
  3. Ensure you have a single, accurate SPF record.
  4. Set up DKIM for email signing and integrity.
  5. Implement DMARC policies for reporting and protection.
  6. Align PTR records with your mail server's IP.

Testing your setup with tools like MXToolbox ensures proper propagation and functionality. Automating the process can save time and effort, especially for businesses managing multiple domains.

Required DNS Records for Mailbox Setup

To ensure smooth email delivery, your domain needs five essential DNS records: MX, SPF, DKIM, DMARC, and PTR. Each plays a specific role in email authentication and routing, and any misconfiguration can lead to delivery problems.

MX Records

MX (Mail Exchange) records determine which mail servers are responsible for receiving emails for your domain. These records use priority numbers to establish the order of servers, with lower numbers indicating higher priority. For example, an MX record with a priority of 10 will take precedence over one with a priority of 20.

It's crucial to configure these records accurately and ensure they only reference servers you manage. Incorrect settings could result in misrouted emails or downtime.

SPF Records

SPF (Sender Policy Framework) records help prevent email spoofing by listing the servers and IP addresses authorized to send emails on behalf of your domain. Here's an example of an SPF record:

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all

To optimize your SPF setup:

  • Limit your domain to one SPF record.
  • Regularly update the record to remove outdated IPs.
  • Use the -all mechanism to block unauthorized senders.

Tools and automated solutions can simplify SPF management and reduce errors.

DKIM Records

DKIM (DomainKeys Identified Mail) adds a layer of authentication by attaching a digital signature to outgoing emails. This signature ensures that the message hasn’t been tampered with during transit and confirms it originated from your domain.

Setting up DKIM involves:

  1. Generating a public/private key pair.
  2. Publishing the public key as a DNS TXT record (e.g., default._domainkey.example.com).
  3. Configuring your mail server to sign outgoing emails.

For added security, rotate your keys every 6–12 months. Proper DKIM alignment is essential for passing authentication checks with major email providers like Gmail and Outlook, ensuring your emails are trusted and delivered.

DMARC Records

DMARC (Domain-based Message Authentication, Reporting & Conformance) records provide instructions to receiving servers on how to handle emails that fail SPF or DKIM checks. They also designate where to send reports about email activity. Here's an example of a DMARC record:

_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

A phased approach is recommended:

  • Start with p=none to monitor email traffic.
  • Gradually move to p=quarantine to flag unauthenticated emails.
  • Finally, use p=reject to block unauthorized messages entirely.

This step-by-step method reduces phishing risks while maintaining email deliverability and providing time to fine-tune your setup.

PTR Records

PTR (Pointer) records, also known as reverse DNS records, map an IP address back to a domain name. Email providers and ISPs in the U.S. often rely on PTR records to verify that the sender's IP matches the domain, which helps prevent spam.

For example, if your mail server’s IP is 203.0.113.1, its PTR record should resolve to a hostname like mail.example.com. Properly configured PTR records boost your sender reputation and reduce the chances of your emails being flagged as spam.

Manual configuration can be time-consuming and prone to errors, often taking over 24 hours. However, automated tools like Primeforge can streamline the process, completing it in about 30 minutes while adhering to industry standards.

DNS Verification Checklist

After setting up your DNS records, it's crucial to verify them to ensure everything functions properly before sending emails. This step helps catch errors early and improves email deliverability.

Verify Domain Ownership

Begin by checking your domain's registration details using your registrar's tools. Ensure that the registrant name, contact details, and expiration date match your organization's records. This step is essential to prevent unauthorized access or domain hijacking, which could disrupt mailbox verification.

For example, if your domain is still registered under a former employee's name, it could delay or block the mailbox setup process. Cross-check these details with your registrar's records to avoid issues before moving on to configure your email.

Once ownership is confirmed, the next step is verifying your MX records.

Confirm MX Records

Use tools like MXToolbox or command-line utilities (e.g., dig, nslookup) to confirm that your MX records are correctly pointing to your mail server's hostnames. For instance, Google Workspace requires MX records pointing to aspmx.l.google.com with specific priority values, while Microsoft 365 uses its own unique hostnames.

Be careful to avoid typos or incorrect configurations, such as assigning the wrong priority values. For example, setting a priority of 10 instead of 1 for Google Workspace can lead to delivery failures. Ensure global resolution is functioning properly as part of your propagation testing.

Validate SPF Records

Next, confirm you have only one SPF record per domain to prevent authentication conflicts. Use tools like EmailListVerify or MXToolbox to validate your SPF record’s syntax and ensure you’re not exceeding the 10 DNS lookup limit.

Your SPF record must include all authorized mail servers. A typical SPF record might look like this: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all. If you exceed the 10 DNS lookup limit, the SPF validation will fail automatically, which can cause legitimate emails to be flagged as spam.
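The two checks above (exactly one SPF record, at most 10 DNS lookups) can be scripted. The following is an added example, not code from the original article or from any tool it names. It audits constructed TXT data under reserved `.example` names; `ZONE`, `constructed_txt` and the function names are assumptions made for illustration, and a live audit would replace the lookup function with real DNS queries.

```python
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT data under reserved .example names; a live audit would
# query DNS (for example with dig) instead of reading this dict.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                    "site-verification=constructed-token"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example a mx ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.0/24 ~all"],
    "heavy.example": ["v=spf1 " + " ".join(
        f"include:_v{i}.vendor.example" for i in range(6)) + " ~all"],
}
ZONE.update({f"_v{i}.vendor.example": ["v=spf1 mx ~all"] for i in range(6)})


def constructed_txt(name):
    """Stand-in for a TXT lookup: returns the constructed strings for `name`."""
    return ZONE.get(name.lower(), [])


def spf_records(name, txt_lookup):
    """Return only the TXT strings at `name` that are SPF records."""
    return [t for t in txt_lookup(name) if t.lower().split(" ")[0] == "v=spf1"]


def count_lookups(record, txt_lookup, path=()):
    """Count terms that cost a DNS query, following include: and redirect=."""
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]  # "a/24" and "mx/24" carry a CIDR suffix
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            total += 1
            if target not in path:  # do not follow an include loop forever
                for child in spf_records(target, txt_lookup)[:1]:
                    total += count_lookups(child, txt_lookup, path + (target,))
    return total


def audit_spf(domain, txt_lookup):
    """Return findings for `domain`; an empty list means none were found."""
    records = spf_records(domain, txt_lookup)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published (permerror)"]
    findings = []
    lookups = count_lookups(records[0], txt_lookup, (domain,))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {SPF_LOOKUP_LIMIT}")
    rec = records[0].lower()
    if rec.split()[-1] not in ("-all", "~all") and "redirect=" not in rec:
        findings.append("record does not end in -all or ~all")
    return findings


if __name__ == "__main__":
    for d in ("example.com", "dup.example", "heavy.example"):
        print(d, audit_spf(d, constructed_txt) or "ok")
```

Nested includes count toward the limit, which is why `heavy.example` fails with only six `include:` terms in its own record.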

Check DKIM Records

After validating SPF, move on to your DKIM setup. Generate a DKIM key pair through your email provider, and publish the public key as a TXT record in DNS. The record, often formatted like default._domainkey.example.com, must resolve correctly for email authentication.

Use DNS tools to verify that the record resolves properly and that your emails are being signed. If DKIM records are missing or misconfigured, authentication will fail, reducing your email deliverability. Once the DNS record is published, enable DKIM signing in your email provider’s settings.

Confirm DMARC Policies

Start with a DMARC policy of p=none to monitor email authentication without blocking messages. Publish the DMARC record as a TXT record, such as: _dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:reports@example.com". This approach allows you to identify issues before implementing stricter policies.

Review aggregate reports to understand how your email authentication is performing. Once you’re confident in your SPF and DKIM setup, gradually move to stricter policies like p=quarantine and then p=reject. This phased approach minimizes the risk of legitimate emails being blocked.
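Reviewing aggregate reports before tightening the policy comes down to one question: is any sender you own still failing DMARC? The following is an added example, not code from the original article. It reads a constructed report in the RFC 7489 aggregate XML layout; `SAMPLE_REPORT`, `KNOWN_SENDERS` and `review_report` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real
# report). Real reports come from third parties: parse them with a hardened
# XML parser and treat every field as untrusted input.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>192.0.2.25</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

# Hypothetical inventory of IPs the organisation really sends from.
KNOWN_SENDERS = {"192.0.2.10", "192.0.2.25", "198.51.100.7"}


def review_report(report_xml, known_senders):
    """Summarise DMARC failures per source IP, split by known/unknown sender."""
    root = ET.fromstring(report_xml)
    result = {"policy": root.findtext("policy_published/p", default="unknown"),
              "failing_known": {}, "failing_unknown": {}}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", default="")
        count = int(row.findtext("count", default="0"))
        verdicts = (row.findtext("policy_evaluated/dkim"),
                    row.findtext("policy_evaluated/spf"))
        if "pass" in verdicts:  # DMARC passes if either aligned check passes
            continue
        bucket = "failing_known" if ip in known_senders else "failing_unknown"
        result[bucket][ip] = result[bucket].get(ip, 0) + count
    # Tightening p= while a known sender still fails would hit real mail.
    result["ready_to_tighten"] = not result["failing_known"]
    return result


if __name__ == "__main__":
    print(review_report(SAMPLE_REPORT, KNOWN_SENDERS))
```

Entries under `failing_known` are configuration gaps to fix first; entries under `failing_unknown` are the traffic a stricter policy is meant to stop.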

After verifying DMARC, check your PTR records for alignment with your sending IP.

Verify PTR Records

Ensure that your mail server’s IP address has a proper PTR record (reverse DNS) that resolves back to your domain. For example, if your mail server's IP is 192.0.2.1, it should resolve to mail.example.com. Use DNS tools to confirm this setup.

Mismatched PTR records can lead to emails being flagged as spam or outright rejected. This step is especially important in the U.S., where many ISPs rely on reverse DNS validation to combat spam and maintain secure email standards.

Test DNS Propagation

After making DNS changes, allow 24–48 hours for full propagation. Use tools like MXToolbox, EmailListVerify, or command-line utilities to test your records from multiple global locations. These tools can help verify that all records - MX, SPF, DKIM, DMARC, and PTR - are resolving consistently.

For faster results, automated solutions like Primeforge can complete this process in about 30 minutes, compared to manual testing, which can take up to 24 hours.

A study by EmailListVerify found that domains with misconfigured SPF or DMARC records were three times more likely to be blacklisted. Regular DNS audits and monitoring, as recommended by DevOps experts, can reduce email deliverability issues by up to 80%.

DNS Propagation and Monitoring

After setting up your DNS records, keeping an eye on propagation and performance is crucial. This ensures that the configurations you’ve verified continue to support reliable email delivery. Remember, DNS changes don’t take effect instantly - they need time to update across the globe.

DNS Propagation Timelines

Typically, DNS propagation takes about 24–48 hours worldwide. However, using low TTL (Time-To-Live) settings can speed up the process. TTL values between 300–600 seconds are ideal for faster propagation during active changes. Once everything is stable, increasing TTL to one hour or more helps maintain efficiency.

For example, Primeforge simplifies DNS setup significantly, completing the process in roughly 30 minutes. This is a huge time saver compared to the 24+ hours often needed for manual configuration. Their automated system handles DMARC, SPF, DKIM, and custom domain tracking seamlessly, making it easier to get started.

Now, let’s explore the tools that can help you monitor DNS performance effectively.

Monitoring Tools

To verify global DNS resolution, tools like MXToolbox, DNSChecker, or dig are excellent options. These tools allow you to confirm whether your DNS changes have propagated and are resolving correctly worldwide.

For more comprehensive monitoring, deliverability platforms such as DMARCLY and EasyDMARC offer real-time authentication testing. For instance, DMARCLY has a convenient feature where you can send an email to check@dmarcly.com, and they’ll provide a detailed report on your SPF, DKIM, and DMARC configurations.

Many DNS providers, including Cloudflare, Route 53, and Google Cloud DNS, also offer built-in tools. These include dashboards that notify you of configuration changes or resolution issues.

If you’re managing multiple domains, Primeforge offers bulk DNS update capabilities. This feature allows you to monitor and adjust DNS configurations across several domains from one platform, making it easier to handle complex email operations.

While real-time monitoring is invaluable, conducting regular audits adds another layer of security and reliability.

Regular DNS Audits

For organizations managing multiple domains or running high-volume email campaigns, quarterly DNS audits are a must. These audits help uncover outdated records, security risks, and configuration conflicts that could harm email deliverability.

During an audit, review all critical DNS records - MX, SPF, DKIM, DMARC, and PTR - for errors like duplicates or outdated entries. For example, you might find an SPF record still referencing the IP of a decommissioned server, which could lead to authentication failures and security vulnerabilities.

A 2023 report by DMARCLY revealed that domains with active DMARC monitoring and regular DNS audits saw a 25% drop in phishing attempts and a 20% boost in email deliverability. Additionally, organizations with consistent monitoring reported up to 30% fewer email delivery failures compared to those without regular oversight.

A case study from Infraforge demonstrated how a marketing agency managing multiple client domains reduced email delivery failures by 30% over six months. They achieved this by automating DNS monitoring and conducting regular audits. This allowed them to quickly address issues like outdated SPF records and missing DKIM keys.

Documentation is another critical part of the audit process. Keeping an updated record of all DNS configurations ensures your team can troubleshoot issues efficiently and onboard new members with ease.

Between formal audits, automated monitoring tools can provide continuous oversight. These tools can detect unauthorized changes, configuration drift, and performance issues before they escalate, helping you maintain a robust email authentication setup.

Troubleshooting DNS Configuration Errors

Even with the best preparation and following the checklist above, DNS configuration errors can still disrupt email delivery. Identifying these issues quickly and addressing them can save hours of frustration and keep your outreach campaigns running smoothly. If verification tools highlight problems, here’s how to tackle them effectively.

Common DNS Setup Errors

SPF Record Conflicts
Make sure there’s only one SPF record per domain. If multiple TXT records start with "v=spf1", SPF authentication may fail completely. This can lead to receiving servers rejecting your emails or flagging them as suspicious - a common issue with outdated configurations.

DKIM Key Problems
DKIM failures often result from mismatched public key entries in DNS, inconsistent selectors, or expired keys. For instance, if your mail server rotates keys but the DNS records aren’t updated, all DKIM signatures will fail, disrupting email authentication.

Missing or Incorrect MX Records
MX records are essential for email delivery. If these records are missing or misconfigured, incoming emails might bounce back, causing communication breakdowns. Properly configured MX records ensure emails are routed to the correct mail server.

PTR (Reverse DNS) Mismatches
PTR mismatches can be a major hurdle, especially for cold outreach. If your mail server’s IP address doesn’t have a matching PTR record for your sending domain, it may trigger spam filters or lead to outright rejections. This is particularly common with shared hosting environments where PTR records are often overlooked.

Once you’ve identified these errors, here’s what you can do to resolve them.

How to Fix DNS Issues

Start by using diagnostic tools like MXToolbox, DMARCLY, or command-line utilities such as dig and nslookup to detect duplicate records, missing entries, or configuration mismatches.

  • Fixing SPF Records: Consolidate all authorized senders into a single SPF record and delete any duplicates. Remember, a domain should only have one SPF record.
  • Resolving DKIM Failures: Check that the public key in your DNS matches the private key used by your mail server. Ensure selectors are consistent across both systems.
  • Correcting MX Records: Update your DNS management panel to point to the correct mail server addresses. Be patient - DNS changes can take up to 48 hours to propagate globally.
  • Addressing PTR Record Issues: Work with your hosting provider to ensure your mail server’s IP address has a properly configured PTR record.

If problems persist after initial fixes, re-audit your DNS entries using multiple tools. If issues remain unresolved after 48 hours, share detailed logs with your hosting or email provider for further assistance.

To reduce the likelihood of encountering these errors, consider automating your DNS configuration.

Automated DNS Setup Benefits

Manual DNS setup is prone to mistakes, especially when managing multiple domains or complex email setups. This is where Primeforge shines. It automates DNS configuration for DMARC, SPF, DKIM, and custom domain tracking, following industry standards. Automation reduces the risk of typos, omissions, and conflicts, ensuring a smoother setup process.

Manual DNS setup can take over 24 hours, particularly when working with providers like Google or Microsoft. In contrast, Primeforge completes the process in about 30 minutes, saving time and effort. This is especially helpful for organizations handling multiple domains or scaling their email operations.

| Manual DNS Setup | Automated DNS Setup (Primeforge) |
| --- | --- |
| High risk of mistakes | Reduces human error |
| Time-intensive for bulk changes | Handles bulk updates easily |
| Requires technical know-how | User-friendly for non-experts |
| Limited monitoring | Includes monitoring and reporting tools |

Another standout feature of Primeforge is its ability to perform bulk DNS updates. Instead of manually updating each domain, you can adjust settings for multiple domains at once with just a few clicks. The platform also takes care of routine tasks like updating DKIM keys or reviewing SPF records, minimizing the risk of authentication failures caused by outdated DNS entries.

Final Checklist Summary

Getting your DNS records right is essential for successful cold outreach. A single misstep can lead to emails landing in spam folders or bouncing altogether.

After setting up your DNS records, use this checklist to ensure everything is in order: confirm domain ownership, verify correct MX records, ensure there’s only one SPF record, check that DKIM keys match, activate DMARC policies with reporting enabled, and align PTR records. Once configured, test DNS propagation using lookup tools and send test emails to major providers to confirm proper authentication.

Keep in mind, DNS changes can take up to 48 hours to fully propagate worldwide. For instance, a Microsoft 365 user in November 2023 shared that incomplete SPF and DKIM setups resulted in a 97% email success rate, with occasional failures caused by DNS timeouts.

If you’re managing multiple domains, tools like Primeforge can save you a lot of time. Primeforge automates DMARC, SPF, DKIM, and custom domain tracking in just 30 minutes - compared to manual setups that can take over 24 hours.

"For each mailbox you buy with Primeforge, we take care of setting up DMARC, SPF, DKIM and custom domain tracking, following industry best practices."
– Primeforge

Additionally, Primeforge’s bulk DNS update feature simplifies managing multiple domains. With just a few clicks, you can adjust settings across all domains, minimizing human error and maintaining consistent configurations with continuous monitoring.

FAQs

How does Primeforge's automated DNS setup enhance email deliverability compared to manual configuration?

Primeforge takes the hassle out of DNS setup by automatically handling key records like DKIM, DMARC, and SPF. These records are configured following established best practices, ensuring your email system is optimized to improve deliverability and minimize the likelihood of emails ending up in spam.

By automating this process, Primeforge not only saves you time but also eliminates the risk of manual mistakes. This means you can maintain a reliable and polished email presence effortlessly. Plus, with its ability to adapt to changing standards, your email campaigns stay ahead of the curve.

What happens if a domain has multiple SPF records, and how can this issue be fixed?

Having more than one SPF record for a domain can create problems with email authentication. When this happens, email servers may struggle to verify the sender's identity properly, which could lead to emails bouncing back or being flagged as spam. That's because email servers are designed to handle just one SPF record per domain.

The fix? Combine all your SPF entries into a single record while sticking to the correct SPF syntax. For instance, consolidate all your authorized sending sources into one v=spf1 record. If you're using tools like Primeforge, their automated DNS setup can simplify this process and help you avoid configuration mistakes.

Why should you regularly review your DNS records, and what tools can help ensure accurate configurations?

Keeping a close eye on your DNS records is crucial for the stability and security of your email system. Outdated or incorrect DNS settings can lead to serious problems, like emails not being delivered, lower deliverability rates, or even exposing your domain to spoofing and phishing attacks. Regular audits of your DNS records help ensure they meet the latest standards for SPF, DKIM, and DMARC - the key protocols for email authentication.

Using tools like Primeforge can make this process much easier. With features like automated DNS setup, bulk updates, and real-time verification, these tools not only save you time but also minimize the chance of human error. By leveraging solutions like these on a regular basis, you can keep your email infrastructure running smoothly while safeguarding its performance and deliverability.
