Why Email Authentication Matters
Without proper authentication, your emails will land in spam — or be rejected entirely. Gmail, Outlook, and Yahoo now require SPF, DKIM, and DMARC for bulk senders.
Even if you're sending a handful of emails per day from your self-hosted Mailcow, these records are essential.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses are authorized to send email for your domain.
DNS Record:
yourdomain.com TXT "v=spf1 ip4:YOUR_SERVER_IP -all"
- v=spf1 — Version identifier
- ip4:YOUR_SERVER_IP — Authorize your server's IP
- -all — Reject mail from all other sources (~all for soft fail)
Common mistake: Using multiple SPF records. You can only have ONE SPF TXT record per domain. If you need to authorize multiple sources, combine them:
"v=spf1 ip4:1.2.3.4 include:_spf.google.com -all"
DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs your emails so receivers can verify they haven't been tampered with.
Mailcow generates DKIM keys automatically. Find yours in the Mailcow admin panel under Configuration → ARC/DKIM Keys.
DNS Record:
dkim._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"
The public key is a long base64 string. Some DNS providers require you to split it across multiple strings if it exceeds 255 characters.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receivers what to do when SPF or DKIM checks fail, and where to send reports.
DNS Record:
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
- p=quarantine — Mark failing messages as spam (use p=none initially for monitoring)
- rua=mailto:... — Where to send aggregate reports
- pct=100 — Apply policy to 100% of messages
Recommended rollout:
1. Start with p=none to monitor
2. Review DMARC reports for 2-4 weeks
3. Move to p=quarantine
4. Eventually move to p=reject for maximum protection
PTR Record (Reverse DNS)
Often overlooked but critical. The PTR record maps your IP address back to your mail hostname.
In the Hetzner Cloud Console:
1. Go to your server
2. Click Networking
3. Set reverse DNS for your IPv4 to mail.yourdomain.com
Without a matching PTR record, many mail servers will reject your email outright.
Testing Your Configuration
MXToolbox — Check all your DNS records at once:
mxtoolbox.com/domain/yourdomain.com
Send a test email to mail-tester.com — it scores your email setup out of 10 and flags issues.
Check headers — Send an email to a Gmail address, then click "Show original" to see SPF/DKIM/DMARC results.
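Before publishing, the record values themselves can be linted offline for the mistakes described above: duplicate SPF records, a DKIM value longer than 255 characters, and a DMARC policy still at p=none. This is an added example, not code from Mailcow or from this guide; the function names, example.com, the 192.0.2.10 documentation IP and the filler key are assumptions made for illustration.

```python
def split_txt(value, limit=255):
    """Split a TXT value into strings of at most 255 characters (DNS limit per string)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_zone(domain, txt, selector="dkim"):
    """txt maps owner name -> list of TXT values (already joined). Returns findings."""
    findings = []
    # A record is SPF only if its first term is exactly v=spf1.
    spf = [r for r in txt.get(domain, []) if r.split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: found {len(spf)} records, exactly one is required")
    elif spf[0].split()[-1] not in ("-all", "~all"):
        findings.append("SPF: record does not end in -all or ~all")

    dkim = txt.get(f"{selector}._domainkey.{domain}", [])
    tags = parse_tags(dkim[0]) if dkim else {}
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        findings.append("DKIM: missing record, version tag, or public key")
    elif len(dkim[0]) > 255:
        n = len(split_txt(dkim[0]))
        findings.append(f"DKIM: value is {len(dkim[0])} chars, publish as {n} strings")

    dmarc = txt.get(f"_dmarc.{domain}", [])
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing record or invalid v=/p= tag")
    elif tags["p"] == "none":
        findings.append("DMARC: p=none is monitoring only, tighten after reviewing reports")
    return findings

# Constructed sample zone: 192.0.2.10 is a documentation IP, the key is filler.
SAMPLE = {
    "example.com": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.google.com -all"],
    "dkim._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + "A" * 392],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for finding in lint_zone("example.com", SAMPLE):
        print(finding)
```

The DKIM finding is informational: a long key is normal, it only has to be entered as multiple quoted strings where the DNS provider does not split it for you.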
The Complete DNS Setup
For a domain with Mailcow on Hetzner, your DNS should look like:
| Record | Type | Name | Value |
|---|---|---|---|
| A | A | mail | YOUR_IP |
| MX | MX | @ | mail.yourdomain.com (pri 10) |
| SPF | TXT | @ | v=spf1 ip4:YOUR_IP -all |
| DKIM | TXT | dkim._domainkey | v=DKIM1; k=rsa; p=... |
| DMARC | TXT | _dmarc | v=DMARC1; p=quarantine; rua=... |
| PTR | PTR | YOUR_IP | mail.yourdomain.com |
| SRV | SRV | _autodiscover._tcp | 0 1 443 mail.yourdomain.com |
Our premium guide includes copy-paste DNS configurations and troubleshooting for common deliverability issues with major providers.