Understand how Sendmarc achieves DNS record delegation and hosting for ease of management.
Sendmarc makes use of various forms of DNS delegation to allow you to seamlessly manage your DMARC, SPF, DKIM, TLS-RPT, MTA-STS, and BIMI configuration through the platform.
This means that you have centralized control of your DNS records related to sender authentication and policy enforcement within a single management platform.
Benefits of Delegation
- Centrally managed portal for all domains
- Near real-time DNS and policy updates
- Smart Import of existing DMARC, SPF and DKIM Public Key records
- Simplified DMARC, SPF, DKIM Public Key, TLS-RPT, MTA-STS and BIMI management
- Less prone to typos and human error in record creation with advanced record validation
- Guided implementation with explanations of all the various policy settings
- Change control and logging of configuration changes
- Access controls to change policies
- Globally redundant DNS hosting infrastructure
- Enhanced DNS security through DNSSEC
DMARC Delegation
Sendmarc handles DMARC delegation using CNAME records, simplifying the process for users. Here’s how it works:
- You'll create your DMARC record in DNS as a CNAME using the values provided by Sendmarc
- This CNAME record points to a raw TXT record hosted by Sendmarc DNS
- When a DNS lookup is performed on your DMARC record, the querying server follows the CNAME to the Sendmarc-hosted address
- The server then retrieves the raw DMARC record with the settings configured in the Sendmarc platform
Example of Sendmarc DMARC record with unique address:
Record Type: | CNAME |
Host: | _dmarc |
Value: | example.com.dmarc.sdmarc.net |
SPF Delegation (Redirect)
Sendmarc handles SPF delegation using the SPF redirect mechanism in the TXT record. Here’s the process:
- You'll update your SPF record in DNS to redirect to a unique Sendmarc address where the raw SPF record is stored
- When a DNS lookup is performed on your SPF record, the querying server follows the redirect to the Sendmarc address
- The server retrieves the raw SPF record with the settings configured in the Sendmarc platform
Example of Sendmarc SPF record with unique address:
Record Type: | TXT |
Host: | @ |
Value: | v=spf1 redirect=_myuniqueidentifier.sdmarc.net |
DKIM Public Key Delegation
Sendmarc handles DKIM Public Key delegation by using NS records to point the _domainkey subdomain to our DNS. Here’s how it works:
- You'll configure your _domainkey subdomain to point to Sendmarc DNS by adding the NS records provided
- The DKIM Public Keys are configured in the platform and stored on Sendmarc DNS
- When a DNS lookup is performed on your DKIM selectors, the querying server checks your domain’s DNS for the selector under your _domainkey subdomain
- Since this subdomain is delegated to Sendmarc DNS, the server retrieves the DKIM Public Keys from there
Example of Sendmarc DKIM record with unique address:
Record Type: | Host: | Value: |
NS | _domainkey | ns1.sendmarc.net. |
NS | _domainkey | ns2.sendmarc.net. |
TLS-RPT and MTA-STS Delegation
Sendmarc handles TLS-RPT and MTA-STS record delegation using CNAME records. Here’s the process:
- TLS-RPT and MTA-STS Records:
- You'll create the CNAME records in your DNS for TLS-RPT and MTA-STS using the values provided by Sendmarc
- These CNAME records point to values hosted on Sendmarc DNS
- When a DNS lookup is performed on your MTA-STS and TLS-RPT records, the querying server checks your domain’s unique Sendmarc address
- The server retrieves the raw TLS-RPT and MTA-STS records configured on the Sendmarc platform
- MTA-STS Policy Hosting:
- The policy is managed and hosted on the Sendmarc Platform
- You'll create a CNAME record in your DNS for the policy using the values provided by Sendmarc
- This CNAME record points to the address where the policy is hosted
- When a receiving server requests the MTA-STS policy, the server looks up the hosting address by following the CNAME record
- The server retrieves the contents of the policy file hosted on the Sendmarc Platform with the values you have configured
Example of Sendmarc TLS-RPT record with unique address:
Record Type: | CNAME |
Host: | _smtp._tls |
Value: | example.com._smtp._tls.sdmarc.net. |
Example of Sendmarc MTA-STS record with unique address:
Record Type: | CNAME |
Host: | _mta-sts |
Value: | example.com._mta-sts.sdmarc.net. |
Example of Sendmarc MTA-STS policy record with unique address:
Record Type: | CNAME |
Host: | mta-sts |
Value: | mta-certs.sendmarc.com. |
BIMI Delegation
Sendmarc handles BIMI delegation using CNAME records. Here’s how it works:
- You'll create your BIMI record in DNS as a CNAME using the values provided by Sendmarc
- This CNAME record points to a raw TXT record hosted by Sendmarc DNS
- When a DNS lookup is performed on your BIMI record, the querying server follows the CNAME to the Sendmarc-hosted address
- The server then retrieves the raw BIMI record with the settings configured in the Sendmarc platform
Example of Sendmarc BIMI record with unique address:
Record Type: | CNAME |
Host: | default._bimi |
Value: | example.com.bimi.sdmarc.net. |
Need Help?
support@sendmarc.com is standing by to assist!