Senders & Domains

DNS Setup (SPF/DKIM/DMARC)

Proper DNS configuration is critical for email deliverability. This page explains each record and how Cleanmails uses them.

For step-by-step instructions on adding these records, see Adding Domains.

SPF (Sender Policy Framework)

SPF tells receiving servers which IPs are authorized to send email for your domain.

  • Cleanmails auto-generates the SPF value using your server's public IP
  • Format: v=spf1 ip4:YOUR_IP ~all
  • The ~all (softfail) is recommended over -all (hardfail) during initial setup

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs each email so receivers can verify it wasn't tampered with.

  • Cleanmails generates a 2048-bit RSA key pair when you add a domain
  • The private key is stored encrypted in the database
  • Every outgoing email is signed with the private key
  • Selector: postal (configurable per domain)
  • DNS record: postal._domainkey.yourdomain.com

DMARC (Domain-based Message Authentication)

DMARC tells receivers what to do when SPF or DKIM fails.

  • Default policy: p=none (monitor only, no blocking)
  • Recommended to start with none and move to quarantine after confirming deliverability
  • The rua tag specifies where aggregate reports are sent

MX Records

MX records are needed if you want to receive replies through your domain (recommended for reply detection).

  • Point MX to your mail server hostname
  • Priority 10 is standard

Verification

Cleanmails performs real DNS lookups when you click "Verify":

  • SPF: Looks up TXT records for v=spf1
  • DKIM: Looks up TXT at postal._domainkey.yourdomain.com and compares the p= value
  • MX: Checks for any MX records on the domain
  • DMARC: Looks up TXT at _dmarc.yourdomain.com

Domain status becomes active when both SPF and DKIM pass.