Based on a Debian 11 "Bullseye" environment.

DNS records

Besides DKIM, there are several DNS records that support the mail system.

SPF is a must. DMARC is recommended, though it does not seem to be widely deployed.
Reverse lookup is strongly recommended, but whether you can configure it depends on your service provider.

SPF

An SPF record states in DNS which servers may send mail for the domain. If mail with your domain comes from a server not listed there, that strongly indicates spoofing.
Here is the mail.example.jp case. It means "mail from @mail.example.jp may be sent from the servers listed in the MX record." This should be the simplest SPF record for most cases.

mail.example.jp.    IN      TXT     "v=spf1 mx -all"
  • Records used to end with "~all" (softfail) to state "there may be a chance that mail is sent from other servers", with mailing lists in mind. This should not be done any more: it undermines the SPF check, and legitimate mailing-list servers should now have their own SPF records.

If you have domains that will never send mail, their SPF record should say so.

nomail.example.jp.  IN      TXT     "v=spf1 -all"

DMARC

A DMARC record tells receiving servers what to do when both SPF and DKIM verification fail. Additionally, receiving mail servers will send reports about verification failures if you request them.

_dmarc.example.jp.    IN     TXT     "v=DMARC1; p=quarantine"
  • A DMARC record on the organizational domain covers all subdomains. You can declare one per subdomain if you need to.
  • p: "quarantine" means the receiving server should treat failed mail as spam.

Several more options are available. Check them if you want to receive the reports or stricter SPF and DKIM verification.
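As an added example (not part of the original page), here is an offline walkthrough of how a receiving server evaluates the records above: a minimal SPF evaluator covering the mx, a, ip4 and all mechanisms, and a DMARC tag parser. The DNS answers come from a constructed table (SAMPLE_DNS), which also includes a hypothetical legacy.example.jp zone still using "~all" so the softfail result can be contrasted with "-all"; real code would query a resolver instead.

```python
import ipaddress
from typing import Dict, List

# Constructed, offline stand-in for DNS answers (real code would query a resolver).
# legacy.example.jp is a hypothetical zone still using "~all", to contrast with "-all".
SAMPLE_DNS = {
    ("mail.example.jp", "TXT"): ["v=spf1 mx -all"],
    ("mail.example.jp", "MX"): ["mx1.example.jp"],
    ("mx1.example.jp", "A"): ["192.0.2.25"],
    ("legacy.example.jp", "TXT"): ["v=spf1 mx ~all"],
    ("legacy.example.jp", "MX"): ["mx1.example.jp"],
    ("nomail.example.jp", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.jp", "TXT"): ["v=DMARC1; p=quarantine"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE_DNS.get((name, rtype), [])


def check_spf(domain: str, sender_ip: str) -> str:
    """Evaluate the domain's SPF record for a sending IP (mechanisms: ip4, a, mx, all)."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:          # no record, or several (a permerror in RFC 7208)
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # default qualifier is "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "a" and sender_ip in lookup(arg or domain, "A"):
            return QUALIFIERS[qualifier]
        if mech == "mx" and any(sender_ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX")):
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and the record has no "all" term


def parse_dmarc(domain: str) -> Dict[str, str]:
    """Return the tag=value pairs of _dmarc.<domain>, e.g. {'v': 'DMARC1', 'p': 'quarantine'}."""
    for r in lookup("_dmarc." + domain, "TXT"):
        if r.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
    return {}
```

A sender not listed in the MX record gets "fail" under "-all" but only "softfail" under "~all", which is why the page recommends "-all" now.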


Reverse Lookup

In short, configure the PTR record so that it points to the mail server's domain name.

A DNS lookup mainly converts a domain name (example.jp) to an IP address. A reverse lookup finds the domain name from an IP address. One IP address can be assigned to multiple domain names, but a reverse lookup returns only one name.
Using this, when a mail server receives a connection from a server (e.g. example.jp), it resolves that name to an IP address and then does a reverse lookup on the connecting IP to get the domain name again. If the domain name stated when connecting matches the result of the reverse lookup, the server is likely to be trustworthy (not lying about its identity).

The difficult point is that the PTR record is under the control of your service provider, and it depends on the provider whether they allow you to change it. If you can't, you can instead name your mail server with the domain name the service provider has assigned to it.


Update History

2021-09-20

  • Fix typo
  • Change the SPF example to "-all" style from "~all" style
  • Delete DMARC rua option