DNS Records

In This Article: 

To send emails from Mailtrap, you’ll need to add several records to your domain registrar or manager. This serves two purposes:

  • It gives Mailtrap a guarantee that you own the domain and have the right to send from it.
  • It lets the mailbox providers know that you’re an authenticated server and boosts your email deliverability.

DNS (Domain Name System) is a naming system used to identify devices and resources available on the internet. Each domain (for example, google.com) can have a number of records (known as DNS records) attached to it. They usually serve identification and authentication purposes and often aim to keep unwanted guests away.

The domain in question refers to the domain you wish to send emails from. For example, if we were to send emails from marketing@mailtrap.io, we would be adding the DNS records for mailtrap.io. 

To set up an account with Mailtrap Sending, you’ll need to add five DNS records to your domain:

  • CNAME domain verification
  • SPF
  • DKIM (2)
  • DMARC

You’ll find the details for each in your domain settings. Select Sending Domains from the Sending menu. Enter the name of the domain you wish to send emails from. Then, use the DNS records as visible on the page below:

Follow the instructions for adding the records as described in the Domain Setup article.

Once all records have been added and successfully verified, you’ll then be able to send emails from a given domain.

DNS records explained

There are many different DNS record types. Mailtrap uses only a few of them to ensure that you’re a legitimate sender and to help improve your email deliverability. 

Domain verification (CNAME type), as the name suggests, is used for verification purposes. With CNAME, Mailtrap verifies that you’re an owner of a domain and can send emails on its behalf.

SPF (TXT type) is a very common authentication method. It specifies which IP addresses (mail servers) are authorized to send emails on your behalf. Each service you use to send emails should be included in your SPF record.

When an email arrives onto a mail server of a recipient, an SPF check is performed. A mail server verifies who the sender of a message is (here: smtp.mailtrap.live). Simultaneously, it checks if there’s an SPF record attached to your domain. If it finds one and it includes smtp.mailtrap.live, the check is successful.

When you insert your domain name, Mailtrap checks if there’s already an existing SPF record. If it doesn’t find any, it will create one like this:

v=spf1 include:_spf.smtp.mailtrap.live -all

However, if an SPF record already exists, Mailtrap will return an enhanced version of it that contains all the existing mail servers as well as Mailtap’s server. For example:

v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.smtp.mailtrap.live ~all

DKIM (CNAME type) is another popular authentication method. It’s an encrypted digital signature attached to each of your emails. When an email is sent, the headers and the body of a message are signed using Mailtrap’s private key and sent along with a message.

The values of your DKIM records ( rwmt1.dkim.smtp.mailtrap.live and rwmt2.dkim.smtp.mailtrap.live) point to the location of Mailtrap’s public key. When a message arrives, a mailbox provider fetches the public key and uses it to recreate a signature with the contents of an email it just received. Finally, it compares its version with the original DKIM signature. If there’s a match, a DKIM check is successful.

There’s a reason for including two DKIM records in your DNS. The public keys rotate regularly for increased security. Rotating an active key could result in a momentary mismatch between a DKIM signature and a public key in your DNS. To avoid that, we rotate only one of the keys at a time while another key remains active.

DMARC (TXT type) is an email authentication protocol that adds another layer of security, known as domain alignment. It also allows you to publish policies that instruct mailbox providers on how to treat your emails if they fail either of the earlier checks.

They may reject them or quarantine them (put them into spam) but they may also do nothing. The latter approach is used as the default Mailtrap policy and is the most suitable for maintaining a high email deliverability rate.

Why is it important to add all these DNS records?

We require all these records to be present for two reasons.

The first is your security. You certainly don’t want someone else to be sending emails on your behalf. Adding a Domain Authentication record is simple but people outside your organization can’t do it if they can’t access a domain manager or registrar for your domain. 

What’s more, having all three authentication methods in place effectively prevents spoofing of your account. Neither of these methods is bulletproof. But when all three are combined, it becomes very, very difficult to perform any phishing on your account.

The second reason is about the mailbox providers themselves. It’s no secret that they treat authenticated emails more favorably. They’re more likely to accept them and deliver them straight into the recipient’s inboxes. When they receive a fully authenticated email, mailbox providers have more confidence that you are who you say you are and that a message has not been tampered with on the way.

Adding all these DNS records doesn’t guarantee 100% email deliverability but you won’t be very far from that when sending emails with Mailtrap.

How does the DNS records update work?

When you add new DNS records to your domain, the domain provider publishes them on your behalf. Depending on the provider you use, it may take anywhere from a few seconds to even 72 hours for the changes to be applied. Unfortunately, it’s not something we can influence.

Once you’ve added the records, press the Verify All button on Mailtrap to see whether the changes are already reflected. If all circles turn green, you’re all set and can proceed to the next step.

If any of the verifications fail, Mailtrap will retake the test in an hour and continue doing so every hour, until it finds all five records. At any point, you can also perform a check manually by again pressing the Verify All button.

To verify if the new DNS records are already visible, you may also want to run a DNS lookup yourself, using tools like DNS Checker. If either record is still not visible and Mailtrap checks fail, consider contacting your domain provider to inquire about this. 

Note: Mailtrap will continue verifying the required DNS records even after you’ve fully verified a domain. If you remove or edit any of the records, a verification will fail on the next check and no further emails will be sent until this is fixed.

Tips for adding DNS records

The process for adding DNS records is slightly different for each provider, and the naming can also differ. In the Domain Setup article, we cover the configuration for Cloudflare, GoDaddy, and Google Domains. We’ve also shared tips for adding each specific record in case you host your domain elsewhere.

One thing to keep in mind is the syntax for DKIM records. Some domain providers may expect postfix instead of a regular syntax provided by Mailtrap. For example, instead of rwmt1._domainkey, you’ll need to add rwmt1._domainkey.yourdomain.com.

Also be aware of adding the SPF record as an SPF DNS type, still present in many domain managers. This type has been deprecated and all SPF records are meant to be added as a TXT type.

When asked about TTL, follow the default values.

If you’re on AWS Route53, rather than add DNS records, copy the JSON configuration with the respective button.

Still need help? Contact Us Contact Us