Email DNS Records in BIND Zone Files
MX, SPF, DKIM, DMARC, MTA-STS, and TLS reporting records written safely
Email-related DNS records are ordinary DNS records with protocol-specific meaning. named-checkzone can validate the BIND syntax, but it cannot prove that a mailbox provider will accept your SPF, DKIM, or DMARC policy. Use DNS validation first, then test with email-specific tools.
MX Records
MX records tell other mail systems where to deliver mail. Lower preference values are tried first.
@ IN MX 10 mail1.example.test.
@ IN MX 20 mail2.example.test.
mail1 IN A 192.0.2.30
mail2 IN A 192.0.2.31
If the mail exchanger name is inside the same zone, include address records for it unless another zone already provides them.
SPF Records
SPF is published as a TXT record. A domain should normally publish one SPF TXT record at a given owner name; multiple SPF records at the same name can cause mail receivers to treat SPF as invalid.
@ IN TXT "v=spf1 mx ip4:192.0.2.0/24 -all"
Quote SPF values in BIND. Unquoted TXT data can be parsed as multiple character-strings, which may not be what you intended.
DKIM Records
DKIM keys are TXT records under a selector name below _domainkey. Long keys must be split into multiple quoted strings inside one TXT record; DNS clients concatenate those strings.
selector1._domainkey IN TXT (
    "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."
)
The selector name is chosen by your mail system. If your mail provider gives you a selector, use it exactly.
DMARC Records
DMARC is published at _dmarc. Start with a reporting-only policy if you need visibility before enforcement.
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
Move from p=none to p=quarantine or p=reject only after confirming legitimate mail passes SPF or DKIM alignment.
MTA-STS and TLS Reporting
MTA-STS and SMTP TLS reporting also use TXT records. MTA-STS additionally requires an HTTPS policy file at a well-known host, which zone validation cannot check.
_mta-sts IN TXT "v=STSv1; id=2026051501"
_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"
Validation Checklist
- MX records include numeric priorities and fully qualified mail exchanger names.
- In-zone mail exchanger names have A or AAAA records.
- SPF, DKIM, DMARC, MTA-STS, and TLS reporting TXT values are quoted.
- Long DKIM keys are split into multiple quoted strings inside one TXT record, not multiple records.
- DMARC report addresses are real mailboxes or aliases that can receive aggregate reports.
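The first three checklist items, plus the one-SPF-record rule from the SPF section, can be linted mechanically before a zone is loaded. The script below is an added example, not part of the original page or of any BIND tooling; the zone fragment, the origin example.test. and the function names are constructed for illustration, and it assumes every record states its owner, uses relative owner names, and writes record types in upper case.

```python
import re

ORIGIN = "example.test."  # assumption: origin of the constructed zone below
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|;.*|[()]|[^\s()";]+')
SAMPLE = '''\
@ IN MX 10 mail1.example.test.
@ IN MX 20 mail2.example.test.
mail1 IN A 192.0.2.30
@ IN TXT "v=spf1 mx -all"
@ IN TXT "v=spf1 ip4:192.0.2.0/24 -all"
selector1._domainkey IN TXT (
    "v=DKIM1; k=rsa; "
    "p=MIIB..." )
_dmarc IN TXT v=DMARC1; p=none
'''  # constructed input with three deliberate mistakes; the DKIM key is a placeholder

def records(zone):
    """Yield (owner, type, rdata); '(...)' joins lines, an unquoted ';' starts a comment."""
    toks, depth = [], 0
    for line in zone.splitlines():
        for tok in TOKEN.findall(line):
            if tok.startswith(";"):
                break
            if tok in ("(", ")"):
                depth += 1 if tok == "(" else -1
            else:
                toks.append(tok)
        if depth == 0 and toks:
            i = next((n for n, t in enumerate(toks) if n and t in ("MX", "A", "AAAA", "TXT")), None)
            if i:
                yield toks[0], toks[i], toks[i + 1:]
            toks = []

def lint(zone):
    recs, spf, out = list(records(zone)), {}, []
    addressed = {o for o, t, _ in recs if t in ("A", "AAAA")}  # relative owner names assumed
    for owner, rtype, rdata in recs:
        if rtype == "MX":
            if len(rdata) != 2 or not rdata[0].isdigit():
                out.append(f"{owner}: MX needs a numeric preference and a target")
            elif not rdata[1].endswith("."):
                out.append(f"{owner}: MX target {rdata[1]} is not fully qualified")
            elif rdata[1].endswith("." + ORIGIN) and rdata[1][:-len(ORIGIN) - 1] not in addressed:
                out.append(f"{owner}: in-zone MX target {rdata[1]} has no A/AAAA record")
        elif rtype == "TXT":
            if not rdata or not all(s.startswith('"') for s in rdata):
                out.append(f"{owner}: TXT data is unquoted or cut short by ';'")
            if "".join(s.strip('"') for s in rdata).lower().startswith("v=spf1"):
                spf[owner] = spf.get(owner, 0) + 1
    return out + [f"{o}: {n} SPF records at one name" for o, n in spf.items() if n > 1]
```

Calling lint(SAMPLE) reports the MX target without an address record, the unquoted DMARC value (which the zone parser would cut at the first semicolon), and the duplicate SPF record.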