Operations

DNS records — SPF, DKIM, DMARC, MX

Four records. All four required. Skip any of them and Gmail / Outlook will hurt you.

The records

Type  Name            Value (sample)                                             Why
TXT   @               v=spf1 ip4:135.148.35.116 ~all                             SPF: which IPs may send for this domain
TXT   mp1._domainkey  v=DKIM1; k=rsa; p=MIIBIjAN...                              DKIM: public half of the signing key
TXT   _dmarc          v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com    DMARC: what to do on alignment failure + where to send reports
MX    @               10 mail.rahstack.dev                                       Receiver-side legitimacy check (esp. Outlook)

SPF — what to set

SPF says “these IPs may send mail claiming to be from this domain.” Anything else is either soft-failed by ~all (drops to spam) or hard-failed by -all (rejected outright).

For a tenant on the shared SendBolt pool:

v=spf1 ip4:135.148.35.116 ip6:2604:2dc0:103:7400::/64 ~all

If you also send mail from Google Workspace + a marketing tool, include them with include:

v=spf1 ip4:135.148.35.116 include:_spf.google.com include:_spf.sendwithus.com ~all

SPF has a 10-DNS-lookup limit. Each include: counts. If you hit the limit, consolidate to ip4: /ip6: ranges.

~all vs -all

Use ~all (soft-fail) until DMARC has been at p=reject for at least 30 days. Then graduate to -all. Switching too early causes false positives on legitimate forwarders.

DKIM — what to set

DKIM signs the message with a private key. The receiver fetches the public key from your DNS and verifies the signature. SendBolt mints the keypair when you add the domain; you only need to publish the public half.

The selector is mp1 by default. After 90-day rotation (W131-G), a new selector mp2 is added and mp1 is retired 7 days later.

Name:  mp1._domainkey
Type:  TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

The exact p= value is shown on the domain detail page after you add the domain. Copy-button included.

DMARC — what to set

DMARC tells receivers what to do when SPF or DKIM fail alignment with the From header. Three policies:

  • p=none — “tell me about failures but deliver anyway”
  • p=quarantine — “put failures in spam”
  • p=reject — “drop failures entirely”

Start at p=none, watch your rua reports for a week, then move to p=quarantine and eventually p=reject once you're confident no legitimate flow is misaligned.

v=DMARC1; p=none; rua=mailto:dmarc-rua@yourdomain.com; pct=100; fo=1

MX — what to set

Even if you don't actually receive mail, publish an MX record. Outlook in particular will silently drop mail from a domain with no MX.

Name:     @
Type:     MX
Priority: 10
Value:    mail.rahstack.dev

If you want to actually receive replies, see the inbound webhook or workspace mailbox docs.

Verifying

After you publish, click Verify on the domain detail page. The verifier polls every 30 seconds; full propagation typically takes 2-5 minutes (longer on some registrars).

From the command line:

dig +short TXT yourdomain.com @1.1.1.1                       # SPF
dig +short TXT mp1._domainkey.yourdomain.com @1.1.1.1       # DKIM
dig +short TXT _dmarc.yourdomain.com @1.1.1.1               # DMARC
dig +short MX yourdomain.com @1.1.1.1                       # MX
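An offline checker that applies the rules from this page (the 10-lookup SPF limit and the ~all / -all qualifier, the DMARC policy values and rua= address, a non-empty DKIM p=, and the presence of an MX) to the strings the dig commands above return. This is an added example, not SendBolt's verifier or the W118-D drift detector; the record values fed to it are constructed samples and includes are not followed, so the lookup count is a lower bound.

```python
import re
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one of the 10 lookups (RFC 7208)

def check_spf(record):
    """Parse an SPF TXT string: count lookup-consuming terms (includes are not
    followed, so this is a lower bound) and capture the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None}
    lookups, all_qual = 0, None
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, 1)[0].lower()  # "include:x" -> "include"
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qual = qual
    return {"valid": True, "lookups": lookups, "all": all_qual}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(spf, dkim, dmarc, mx):
    """Grade the four records the way the checklist above does. Each argument
    is the string dig returns ("" when absent). Returns a list of problems."""
    spf, dkim, dmarc = (r.replace('"', "") for r in (spf, dkim, dmarc))  # drop dig's TXT quoting
    problems = []
    s = check_spf(spf)
    if not s["valid"]:
        problems.append("SPF missing or does not start with v=spf1")
    else:
        if s["lookups"] > 10:
            problems.append(f"SPF needs {s['lookups']} lookups, limit is 10")
        if s["all"] not in ("~", "-"):
            problems.append("SPF must end in ~all or -all, not +all/?all")
    k = parse_tags(dkim)
    if k.get("v") != "DKIM1" or not k.get("p"):
        problems.append("DKIM record missing v=DKIM1 or has an empty p= (revoked key)")
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1" or d.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("DMARC missing or p= is not none/quarantine/reject")
    elif not d.get("rua", "").startswith("mailto:"):
        problems.append("DMARC has no rua=, so you will get no aggregate reports")
    if not mx.strip():
        problems.append("no MX record; Outlook may silently drop mail")
    return problems
```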

Drift detection

SendBolt's W118-D DNS drift detector re-checks all four records every 12 hours. If anything changes (someone fat-fingers DNS, a registrar wipes records on a migration), you get a Slack ping + /admin/observability flag.