Why you should add email authentication to your DNS

Many people are hesitant to touch their DNS records. Here is why you should add the email authentication protocols to your DNS anyway.

The Domain Name System (DNS) is one of the core services on the Internet. It’s not much of an exaggeration to state that if DNS is down, the Internet is down.

For some organizations, such as Internet service providers, a DNS outage can generate very bad press. Even in an enterprise network, an outage can be very expensive in terms of time and money.

This has understandably made many people very hesitant to touch anything related to DNS.

For those who don’t work with DNS daily, it can seem like a “dark art”: something very complicated that requires special knowledge to get right. This perception makes newcomers nervous about making any change to DNS, because they are afraid of breaking something. Once DNS is set up, people do not want to touch it, in case their change causes a problem.

We also see many cases where the person who originally set up the DNS is no longer with the company, and the people who take on the responsibility do not have the in-depth knowledge to feel confident making changes to the existing system.

In reality, there are two sides to configuring DNS:

  1. The complicated
  2. The simple

In the complicated column sits something like DNSSEC, which uses public/private key pairs to sign the records in a zone so that resolvers can verify they have not been tampered with. Getting it right (key generation, rollover, publishing the DS record at the parent) takes real operational knowledge, and it is still far from universally deployed.

Luckily, email authentication changes are nowhere near as complicated and can be made without impacting other systems that rely on DNS.

Email authentication and DNS

There are two aspects to email services in DNS:

  1. Mail server locations
  2. Mail authentication configuration

Mail exchanger (MX) records tell anyone who wants to deliver mail to your domain where your mail servers are. Configuring them is straightforward, and you do not need to change them at all when configuring email authentication.

Modern-day email authentication consists of three main protocols: SPF, DKIM, and DMARC.

Each of the three standards relies on DNS to work (for more on the nitty-gritty of these standards, check out DMARC, DKIM, & SPF Explained).

Determining the contents of the DNS updates can be time-consuming, but services like Valimail make this easy. Once you have determined the correct contents, adding the records to DNS is a very straightforward process.

Using text (TXT) records in DNS

DMARC, SPF, and DKIM configurations all use text (TXT) records in DNS. A TXT record is a way to attach additional information, in this case authentication policy and key material, to a DNS name. Each protocol has its own function and record format, and each lives at its own name (SPF at the domain itself, DKIM at a selector name under _domainkey, DMARC at _dmarc), but the DNS change is the same in every case: add one TXT record at the right name.

One important thing to note about inserting email authentication records into DNS: It will not break the resolution of any other services.

Services such as web servers, accounting systems, etc., typically use Address (A or AAAA) records, and email requires mail exchange (MX) records. Configuring email authentication does not touch these types of records.

Email authentication is performed using TXT records. Any service that is not performing email authentication will ignore this data.

In short, even if the authentication-related TXT records don’t work, you won’t hurt any other services.

Also, remember that it is best practice to start authentication in monitoring mode. For DMARC that means a policy of p=none, which asks receivers to report on failures but not to act on them. That way, even if you get an email authentication TXT record wrong, the worst that will happen is that email continues to be delivered as before, just without passing authentication, and the aggregate reports show you what needs fixing.

Monitoring mode allows you to test that the configuration is correct without affecting mail delivery and should always be the first step.
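The two points above, that the three records are plain TXT strings at three specific names and that DMARC should start in monitoring mode, can be checked before anything is published. The script below is an added example, not Valimail's code or tooling: it takes constructed sample records for an assumed domain (example.com) and an assumed DKIM selector (s1), parses each record type, and flags the mistakes that most often bite in practice (two SPF records at the same name, more than ten DNS-lookup terms in SPF, an empty or malformed DKIM key, a DMARC record that is not in monitoring mode or has no reporting address). The DKIM p= value is a placeholder, not a real key.

```python
"""Offline pre-flight check for SPF, DKIM and DMARC TXT records.

Added example (not Valimail's code). The domain, selector and record
contents below are constructed for illustration.
"""
import base64

# Constructed sample zone: owner name -> list of TXT records at that name.
# The DKIM p= value is a placeholder; a real record carries the base64
# DER-encoded public key.
SAMPLE_ZONE = {
    "example.com": [
        "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all",
    ],
    "s1._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA==",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
}


def parse_tags(txt):
    """Parse a DKIM/DMARC 'tag=value; tag=value' string into a dict (order kept)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(strings):
    """Return a list of problems with the SPF TXT records at the domain apex."""
    spf = [s for s in strings if s.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # No record means no SPF; two or more is a permerror at receivers.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Terms that each cost one of the ten DNS lookups RFC 7208 allows.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?") in ("a", "mx", "ptr")
        or t.lstrip("+-~?").startswith(("a:", "mx:", "ptr:", "include:", "exists:"))
        or t.startswith("redirect=")
    )
    problems = []
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceeds the limit of 10")
    has_all = any(t.lstrip("+-~?") == "all" for t in terms)
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if not (has_all or has_redirect):
        problems.append("record should end with an 'all' mechanism (~all while testing)")
    return problems


def check_dkim(strings):
    """Return a list of problems with the DKIM key record at selector._domainkey."""
    if not strings:
        return ["no DKIM record found at the selector name"]
    tags = parse_tags(strings[0])
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional but must be DKIM1 if present
        problems.append("v tag must be DKIM1")
    key = tags.get("p")
    if not key:
        problems.append("p tag missing or empty (an empty p revokes the key)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p tag is not valid base64")
    return problems


def check_dmarc(strings):
    """Return a list of problems with the DMARC policy record at _dmarc."""
    if len(strings) != 1:
        return [f"expected exactly one record at _dmarc, found {len(strings)}"]
    tags = parse_tags(strings[0])
    problems = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p tag must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua tag, so you will receive no aggregate reports")
    return problems


def preflight(zone, domain, selector):
    """Run all three checks; 'monitoring' is True only when DMARC is p=none."""
    dmarc = zone.get(f"_dmarc.{domain}", [])
    report = {
        "spf": check_spf(zone.get(domain, [])),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(dmarc),
    }
    report["monitoring"] = bool(dmarc) and parse_tags(dmarc[0]).get("p") == "none"
    report["ok"] = not (report["spf"] or report["dkim"] or report["dmarc"])
    return report


if __name__ == "__main__":
    for name, result in preflight(SAMPLE_ZONE, "example.com", "s1").items():
        print(f"{name}: {result}")
```

Run it against the records you intend to publish (for instance, the TXT strings pasted from your registrar's zone editor) before saving them; an empty problem list plus monitoring set to True is the state you want on day one. Switching DMARC from p=none to quarantine or reject is a later step, taken once the aggregate reports confirm that every legitimate sender passes.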

Inserting email authentication is simple

Hopefully, this blog has given you more confidence about changing DNS for email authentication.

If you are adding records to support email authentication capabilities, you can feel confident that inserting these records into DNS is not difficult — and you are not going to break other systems.

With this new information, you’re ready to set up your DNS with email authentication and monitor your domains.
