Email Authentication Setup Checklist

Cloud Server for Email
infrastructure@cloudserverforemail.com · +372 602 3545 · cloudserverforemail.com
Email Authentication Setup Checklist
SPF · DKIM · DMARC · BIMI · PTR — Complete Setup Verification
Version 2026-04 · Cloud Server for Email
SPF (Sender Policy Framework)
  • SPF record published at sending domain root (@ IN TXT "v=spf1 ...")
  • All sending IP addresses included in SPF mechanisms (ip4: entries)
  • Record ends with ~all (SoftFail) or -all (Fail) — not +all
  • SPF record does not exceed 10 DNS lookup limit (count: a, mx, include, redirect, exists, ptr directives)
  • SPF verified: use mxtoolbox.com/spf or similar — result: Pass for all sending IPs
  • MAIL FROM domain (envelope sender) aligns with From: header domain
Example SPF: v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 ~all
DKIM (DomainKeys Identified Mail)
  • DKIM key pair generated: 2048-bit RSA minimum (4096-bit optional, larger = more CPU)
  • Private key configured in MTA signing configuration (PowerMTA: dkim-key directive)
  • Public key published as TXT record at: [selector]._domainkey.[sending-domain]
  • Selector name is meaningful and documented (e.g., 's1', 'key2026', 'mail')
  • DKIM signing verified: send test email, check Authentication-Results header for "dkim=pass"
  • DKIM alignment: d= tag in DKIM-Signature matches From: domain (or is a parent domain)
  • Key rotation schedule established: rotate annually minimum, quarterly recommended
  • Old selector left active for 48 hours after rotation to allow in-flight message verification
  • Separate DKIM key per sending domain (not one shared key for all domains)
Verify: echo "v=DKIM1; k=rsa; p=[public key]" | openssl pkey -pubin -text -noout — should show 2048-bit or higher
DMARC (Domain-based Message Authentication)
  • DMARC record published at _dmarc.[sending-domain] as TXT record
  • Initial policy: p=none (monitoring only — do not start at quarantine or reject)
  • Aggregate reporting (rua) tag configured with valid email address: rua=mailto:dmarc@yourdomain.com
  • Failure reporting (ruf) tag configured: ruf=mailto:dmarc@yourdomain.com
  • DMARC reports being received and reviewed (check inbox daily for first 30 days)
  • DMARC report shows SPF alignment pass and DKIM alignment pass for all legitimate mail
  • After 30 days clean: advance to p=quarantine pct=5 (5% enforcement)
  • After 60 days clean: advance to p=quarantine pct=100
  • After 90 days clean: advance to p=reject pct=5, then p=reject pct=100
Example DMARC: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s
PTR Records (Reverse DNS)
  • Every sending IP has a PTR record (request from IP hosting provider / Cloud Server for Email)
  • PTR record resolves to a hostname (e.g., mail1.yourdomain.com)
  • Hostname's A record resolves back to the same IP (forward-confirmed rDNS)
  • PTR hostname matches PowerMTA EHLO/HELO hostname exactly
  • PTR record does not contain generic hosting provider hostname (must be custom)
  • Verify: dig -x [sending IP] +short — should return your custom hostname
BIMI (Brand Indicators for Message Identification) — Optional
  • DMARC at p=reject or p=quarantine (required before BIMI)
  • Brand logo prepared: SVG format, square aspect ratio, simple design that works at 32×32px
  • Verified Mark Certificate (VMC) obtained from DigiCert or Entrust (required for Gmail BIMI)
  • BIMI record published at default._bimi.[domain]: v=BIMI1; l=[logo URL]; a=[VMC URL]
  • Logo hosted at HTTPS URL (SVG file must be valid and accessible)
  • Verified in Gmail: send to Gmail account and check for brand logo in inbox
Ongoing Maintenance Reminders
  • DKIM keys rotated at least annually (calendar reminder set: ___________)
  • SPF record updated whenever sending IPs change
  • DMARC aggregate reports reviewed monthly minimum
  • New sending subdomains get their own SPF + DKIM + DMARC before first send
Cloud Server for Email configures full authentication (SPF, DKIM, DMARC, PTR) for all managed infrastructure clients as part of onboarding. BIMI configuration available on request. Contact infrastructure@cloudserverforemail.com.