Required DNS Records (MX, SPF, DKIM, DMARC)

This guide covers the mandatory DNS records, with explanations and examples, so you can complete the TrekMail task with confidence.

Article details

Type: Reference
Difficulty: Beginner
Plans: Nano (MX/SPF) · Paid (DKIM)
Last updated: Apr 29, 2026

To activate your domain, TrekMail looks for four key DNS records. You’ll copy the exact values from your dashboard into your DNS provider — and we’ll show you what’s missing if anything doesn’t match.

Who this is for

  • System administrators configuring DNS.
  • Users troubleshooting delivery issues or "Red" DNS status.

The four pillars of email DNS

| Record | Type | Purpose | How TrekMail validates |
|--------|------|---------|------------------------|
| MX | Mail Exchange | Tells the world to send your email to TrekMail servers. | Must match mail.trekmail.net exactly. |
| SPF | TXT | Lists allowed senders for your domain (prevents spoofing). | Must contain include:spf.trekmail.net. |
| DKIM | TXT | Adds a cryptographic signature to every email you send. | Must match the unique key in your dashboard exactly. |
| DMARC | TXT | Tells receivers what to do if SPF or DKIM fail. | Must be present and valid (v=DMARC1). |

1. MX Record (Receiving Mail)

Host: @ (or your domain root)
Value: mail.trekmail.net
Priority: 10

This directs incoming email to our servers.

  • Common Mistake: Leaving old MX records (like Google or GoDaddy) alongside the TrekMail one. This splits your mail and causes lost messages. Remove all other MX records.

2. SPF Record (Authorized Senders)

Host: @
Required Include: include:spf.trekmail.net

SPF (Sender Policy Framework) is a whitelist of IPs allowed to send as you.

  • If you have no SPF record: Create a TXT record with v=spf1 include:spf.trekmail.net -all.
  • If you already have SPF: Edit your existing record to add our include.
    • Bad: Two separate TXT records that each start with v=spf1.
    • Good: One record, e.g. v=spf1 include:_spf.google.com include:spf.trekmail.net -all.

Note on SPF Failures: If you see SPF failures in DMARC reports but DKIM passes, this is often normal. It typically means mail was forwarded (e.g., Gmail auto-forwarding) or passed through a security gateway. DMARC should still pass via DKIM alignment. Only investigate if both SPF and DKIM fail.

3. DKIM Record (Digital Signature)

Host: dkim._domainkey
Value: (Unique long string starting with v=DKIM1...)

DKIM (DomainKeys Identified Mail) proves the email hasn't been tampered with.

  • Provisioning: If the value says "Generating...", click Verify DNS and wait a moment.
  • Formatting: Some DNS providers (like Route53) want the value split into quoted strings; most just want the full string. Paste it exactly as shown.

4. DMARC Record (Policy Enforcement)

Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@trekmail.net

DMARC ties SPF and DKIM together.

  • Policies (p):
    • none: Watch mode. (Good for starting).
    • quarantine: Put failing mail in Spam. (Recommended).
    • reject: Bounce failing mail. (Advanced, strictest).
  • TrekMail's Check: We look for any valid v=DMARC1 record. You are free to customize tags like rua (reporting address) as you see fit.

5. Advanced Deliverability (Recommended)

While not strictly required for basic flow, we recommend adding these records to improve security and deliverability reporting. Read the full guide on Recommended Records.

TLS Reporting (TLS-RPT)

Host: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:tlsrpt@trekmail.net

  • Purpose: Allows other mail servers to report encryption failures when connecting to your domain.

MTA-STS

MTA-STS Policy (TXT):
Host: _mta-sts
Value: v=STSv1; id=<auto-assigned> (TrekMail sets the ID automatically; copy the exact value from your dashboard)

MTA-STS CNAME:
Host: mta-sts
Value: mta-sts.trekmail.net

  • Purpose: Enforces strict TLS encryption for incoming mail, preventing downgrade attacks.

Common mistakes & quick fixes

  • Symptom: SPF status is "Conflict".
    • Fix: Check for multiple TXT records starting with v=spf1. You can only have one.
  • Symptom: DNS changes aren't showing up.
    • Likely Cause: TTL (Time To Live). If your old records had a TTL of 1 hour, it might take 1 hour for validators to see the change. TrekMail tries to bypass cache, but global propagation takes time.
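
The MX, SPF and DMARC rules from this guide can be checked offline against the records you have published. The script below is an added example, not TrekMail's own validator: the status names (other than "conflict"), the SAMPLE zone and the oldprovider.example hosts are constructed for illustration, and treating a DMARC record as valid only when p is one of the three listed policies is an assumption.

```python
# Added example: checks a domain's published records against this guide's rules.
REQUIRED_MX = "mail.trekmail.net"
REQUIRED_INCLUDE = "include:spf.trekmail.net"

def check_mx(mx_hosts):
    hosts = {h.rstrip(".").lower() for h in mx_hosts}
    if REQUIRED_MX not in hosts:
        return "missing"
    # Leftover MX records from a previous provider split inbound mail.
    return "ok" if hosts == {REQUIRED_MX} else "extra-mx"

def check_spf(root_txt):
    # Only TXT records whose first term is exactly v=spf1 count as SPF.
    spf = [t for t in root_txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "conflict"  # more than one v=spf1 record at the same name
    return "ok" if REQUIRED_INCLUDE in spf[0].lower().split() else "no-include"

def check_dmarc(dmarc_txt):
    recs = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ("missing" if not recs else "conflict", None)
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    # Assumption: "valid" means p is one of the policies this guide lists.
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid-policy", None)
    return ("ok", policy)

def audit(zone):
    return {"mx": check_mx(zone["mx"]), "spf": check_spf(zone["txt"]),
            "dmarc": check_dmarc(zone["dmarc"])}

# Constructed sample: a half-migrated domain with old provider records left in.
SAMPLE = {
    "mx": ["mail.trekmail.net.", "mx.oldprovider.example."],
    "txt": ["v=spf1 include:spf.oldprovider.example -all",
            "v=spf1 include:spf.trekmail.net -all"],
    "dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@trekmail.net"],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a live domain, feed it the answers from your resolver (for example the output of dig for MX, TXT at the root, and TXT at _dmarc) in place of SAMPLE.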
