Based on Debian 10 "Buster" environment.

DNS records

Besides DKIM, there are several other DNS records that the mail system relies on.

SPF is a must, and DMARC builds on the combination of SPF and DKIM.
Reverse lookup is also important to establish that your domain really exists, but whether you can configure it depends on your service provider.


With an SPF record, DNS tells receiving servers which servers are allowed to send mail for the domain. If mail for your domain comes from an unknown server, that strongly indicates mail spoofing.
Here is an example. It means "Mail from the domain can be sent out from the server described in the MX record. There may still be a chance that it is sent out from other servers."

mail    IN      TXT     "v=spf1 mx -all"

For domains that will never send out mail, this can be stated as follows.

nomail  IN      TXT     "v=spf1 -all"


DMARC records tell receiving servers what to do if both SPF and DKIM verification fail. Additionally, the receiving mail servers send reports about verification failures. This information can be a trigger for finding misconfigurations.

_dmarc    IN     TXT     "v=DMARC1; p=quarantine;"
  • A DMARC record for the organizational domain covers all of its subdomains. You can declare one separately for a subdomain if you need to.
  • p: "quarantine" means the receiving server should handle failed mails as spam.
  • rua: servers will send the daily report to this address.
  • There is also "ruf" to ask for immediate failure notices, but it is discouraged because of the PII that may be included in the report.

The reports are written in XML and attached as a compressed file. There are several free web services that parse and visualize the contents. If you have many reports to aggregate, consider using a paid, upgraded service.
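The SPF and DMARC records above, evaluated the way a receiving server would, as an added example that is not from the original page: a stand-in resolver answering from constructed zone data, a minimal SPF evaluator for the "mx" and "all" mechanisms, and a DMARC parser with the subdomain fallback. example.test and the addresses are constructed, and deriving the organizational domain from the last two labels is an assumption (real software uses the public suffix list).

```python
import ipaddress
# Constructed zone data standing in for live DNS; example.test is a hypothetical domain.
ZONE = {
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("example.test", "TXT"): ["v=spf1 mx -all"],
    ("nomail.example.test", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stand-in resolver that answers only from the constructed ZONE above."""
    return ZONE.get((name, rtype), [])

def spf_check(domain, sender_ip):
    """Minimal SPF evaluator ('mx' and 'all' only): pass/fail/softfail/neutral, or none."""
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:      # zero or duplicate SPF records are both unusable
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "mx":       # sender must be an A address of one of the domain's MX hosts
            matched = any(ipaddress.ip_address(a) == ip
                          for h in lookup(domain, "MX") for a in lookup(h, "A"))
        elif mech == "all":    # matches everything; its qualifier decides the verdict
            matched = True
        else:
            continue           # mechanisms not covered by this minimal evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_tags(domain):
    """Parse _dmarc TXT into a tag dict; a subdomain falls back to the organizational domain (assumed: last two labels)."""
    org = ".".join(domain.split(".")[-2:])
    for name in dict.fromkeys([domain, org]):
        for txt in lookup("_dmarc." + name, "TXT"):
            if txt.startswith("v=DMARC1"):
                return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return None

def dmarc_disposition(domain, spf_result, dkim_pass):
    """Receiver action when neither SPF nor DKIM passes: the record's p= policy."""
    tags = dmarc_tags(domain)
    if tags is None or spf_result == "pass" or dkim_pass:
        return "none"
    return tags.get("p", "none")
```

A full SPF implementation also handles "a", "ip4", "include" and "redirect" plus the DNS lookup limit, and DMARC additionally requires the passing SPF or DKIM identifier to align with the From domain.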

Reverse Lookup

In short, configure the PTR record so that the IP address points back to the mail server's domain name.

DNS lookup is mainly for converting a domain name to an IP address. Reverse lookup finds the domain name from an IP address. One IP address can be assigned to multiple domain names, but the reverse is not possible.
Using this reverse lookup, when a mail server gets a connection from another server, it looks up that server's name in DNS to get the IP address, then does a reverse lookup to get the domain name again. If the domain name the server stated when connecting is the same as the result of the reverse lookup, the server is likely to be reliable (not lying about its identity).

The difficult point is that the PTR record is under the control of your service provider. Whether you can change it depends on the provider. If you can't, you can name your mail server with the domain name the service provider has assigned to it.