How to set up Sender Domain Authentication
With the IIJ Managed DNS Service, you can register TXT and CNAME records to support sender domain authentication (SPF, DKIM, and DMARC).
For the content to register in TXT or CNAME records, contact the manager of your email service.
If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service."
[ Note ]
- Before editing NS records registered in a zone of "IIJ Managed DNS Service" to support sender domain authentication, make sure to disable the DNSSEC setting. (After disabling it, wait until the DNSSEC status changes to "Disabled.")
- When the NS records to be edited are NS records for the DKIM signature setting of the "IIJ Secure MX Service," see "Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, do I need to disable the DNSSEC setting for the target zone in advance?"
- If you change NS records before the DNSSEC setting is disabled, you may have problems with name resolution.
- It takes several days to enable or disable the DNSSEC setting. Leave time in the schedule for enabling or disabling the DNSSEC setting. Refer to "DNSSEC Management" for more information.
Setting Examples when Registering Sender Domain Authentication with TXT or CNAME Records
[ Note ]
The settings shown below are examples when performing registration with TXT or CNAME records.
If you perform registration using records other than TXT and CNAME records, register records in accordance with the requirements specified by the administrator of the sender email server.
Note that the data entered in the "Register Record to be Added" screen is only a setting example. Do not register the example data as it is.
Registering TXT Records for SPF
When the description format is as follows
XXX.example.jp. IN TXT "v=spf1 include:spf.XXX.example.jp -all"
Specify as shown below in "Record Management" on the control panel for this service to register records.
[ Note ] When registering records, pay attention to the following points.
- Append a dot (.) to the end of the domain name entered in Name.
- To use the default TTL, check the "Default TTL" box. To set any other value, uncheck the "Default TTL" box and enter the desired value.
- For the content to enter in Value, contact the administrator of your sender email server or refer to the related documents and websites.
- The authentication method may change depending on the parameter value.
- This service does not provide support for the content to be entered.
- If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication > Using Outbound SPF" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service."
- Registration of records other than TXT records may be required depending on the specification of the sender email server. For more information, contact the administrator of the sender email server.
When adding information to an existing SPF record
To add "include:spf.XXX.example.jp" to an existing record with the following description format
XXX.example.jp. IN TXT "v=spf1 +ip4:192.0.2.0/24 -all"
Specify as shown below in "Record Management" on the control panel for this service to register records.
[ Note ] When registering records, pay attention to the following points.
- Append a dot (.) to the end of the domain name entered in Name.
- To use the default TTL, check the "Default TTL" box. To set any other value, uncheck the "Default TTL" box and enter the desired value.
- Enter Value on a single line. If it is entered on two or more lines, SPF will not operate normally.
- To enter multiple values in Value, separate each value with a single-byte space.
- For the content to enter in Value, contact the administrator of your sender email server or refer to the related documents and websites.
- To comply with the RFC, an SPF record should be no more than about 450 bytes (characters).
- The authentication method may change depending on the parameter value.
- This service does not provide support for the content to be entered.
- If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication > Using Outbound SPF" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service."
- Registration of records other than TXT records may be required depending on the specification of the sender email server. For more information, contact the administrator of the sender email server.
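The merge described above, as an added example that is not part of the IIJ documentation or the service's own code: it inserts the new term before the closing "all" term (SPF terms are evaluated left to right), keeps the value on one line with single spaces, and checks the size guidance from the notes. The function names and the 10-lookup check (from RFC 7208, counted for this record only) are assumptions of the example.

```python
import re

MAX_SPF_BYTES = 450  # size guidance from the notes above
MAX_LOOKUPS = 10     # DNS-lookup limit from RFC 7208
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_lookups(record):
    """Count terms in this record that cost a DNS lookup (included records not followed)."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in record.split()[1:])
    return sum(1 for n in names if n in LOOKUP_TERMS)

def add_spf_term(record, new_term):
    """Insert new_term before the closing all/redirect term of a one-line SPF record."""
    if "\n" in record or "\r" in record:
        raise ValueError("Value must be a single line")
    terms = record.split()  # also collapses repeated spaces
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    if new_term.lower() not in (t.lower() for t in terms):
        # Terms are evaluated left to right; anything after "all" is never reached.
        idx = next((i for i, t in enumerate(terms)
                    if re.fullmatch(r"[+\-~?]?all", t, re.I)
                    or t.lower().startswith("redirect=")), len(terms))
        terms.insert(idx, new_term)
    merged = " ".join(terms)
    if len(merged.encode("utf-8")) > MAX_SPF_BYTES:
        raise ValueError("SPF record is longer than about 450 bytes")
    if count_lookups(merged) > MAX_LOOKUPS:
        raise ValueError("more than 10 DNS-lookup terms")
    return merged

EXISTING = "v=spf1 +ip4:192.0.2.0/24 -all"  # existing record from the example above
MERGED = add_spf_term(EXISTING, "include:spf.XXX.example.jp")

if __name__ == "__main__":
    print(MERGED)
```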
Registering TXT Records for DKIM
When the description format is as follows
XXX._domainkey.example.jp. IN TXT "v=DKIM1; k=rsa; p=XXXXXXXXXXXXXXXXXXXXXXX"
Specify as shown below in "Record Management" on the control panel for this service to register records.
[ Note ] When registering records, pay attention to the following points.
- Append a dot (.) to the end of the domain name entered in Name.
- To use the default TTL, check the "Default TTL" box. To set any other value, uncheck the "Default TTL" box and enter the desired value.
- For the content to enter in Value, contact the administrator of your sender email server or refer to the related documents and websites.
- The authentication method may change depending on the parameter value.
- This service does not provide support for the content to be entered.
- If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication > Using Outbound DKIM" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service."
- Registration of records other than TXT or CNAME records may be required depending on the specification of the sender email server. For more information, contact the administrator of the sender email server.
When the number of characters in double quotes (") which are to be registered in Value exceeds 255
When the description format is as follows
XXX._domainkey.example.jp. IN TXT "v=DKIM1; k=rsa; p=1111111111111111111111111111111111111111111111111111111111111/2222222222222222222222222222222222222222222222222222222/3333/444444444444444444444444444444444444444/555555/6666666666/77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777/888888888888888888/999999999999999999999999999999999"
Separate the value into groups of 255 or less characters, enclose each group in double quotes ("), and insert a single-byte space between groups.
Refer to "Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?" for information on how to describe characters in Value.
In the following example, the characters are separated into two groups at a slash (/) which is the 200th character.
Although it looks as if a new line starts at the position where the value is separated in the example, the actual value in Value is entered on a single line without a line break.
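The splitting rule above, as an added example that is not part of the IIJ documentation: it formats a long value as double-quoted groups of 255 or fewer characters separated by one space, and rebuilds the value the way a verifier concatenates the groups (with nothing in between) to confirm the split changed nothing. The function names and the sample key are constructed for illustration.

```python
import re

MAX_GROUP = 255  # upper limit for the characters inside one pair of double quotes

def split_txt_value(value, size=MAX_GROUP):
    """Format value as quoted groups of <= size characters separated by one space."""
    if not 1 <= size <= MAX_GROUP:
        raise ValueError("group size must be between 1 and 255")
    if any(c in value for c in '"\r\n'):
        raise ValueError("value must be one line without double quotes")
    data = value.encode("ascii")  # SPF/DKIM/DMARC values are ASCII
    groups = [data[i:i + size].decode("ascii") for i in range(0, len(data), size)]
    return " ".join('"%s"' % g for g in groups)

def join_txt_value(formatted):
    """Validate a formatted Value and return the groups concatenated without separators."""
    if "\n" in formatted or "\r" in formatted:
        raise ValueError("Value must be entered on a single line")
    if not re.fullmatch(r'"[^"]*"( "[^"]*")*', formatted):
        raise ValueError("groups must be double-quoted and separated by one space")
    groups = re.findall(r'"([^"]*)"', formatted)
    if any(len(g.encode("utf-8")) > MAX_GROUP for g in groups):
        raise ValueError("a group exceeds 255 characters")
    return "".join(groups)

# Constructed sample: 18-character prefix plus a 392-character placeholder key.
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 392
FORMATTED = split_txt_value(SAMPLE)

if __name__ == "__main__":
    print(FORMATTED)
    print(join_txt_value(FORMATTED) == SAMPLE)
```

Any split point at or below 255 characters gives the same reassembled value, so `split_txt_value(SAMPLE, 200)` is equally valid.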
Registering CNAME Records for DKIM
When the description format is as follows
XXX._domainkey.example.jp. IN CNAME XXX.dkim.example.jp.
Specify as shown below in "Record Management" on the control panel for this service to register records.
[ Note ] When registering records, pay attention to the following points.
- Append a dot (.) to the end of the domain names entered in Name and Value.
- To use the default TTL, check the "Default TTL" box. To set any other value, uncheck the "Default TTL" box and enter the desired value.
- For the content to enter in Value, contact the administrator of your sender email server or refer to the related documents and websites.
- The authentication method may change depending on the parameter value.
- This service does not provide support for the content to be entered.
- If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication > Using Outbound DKIM" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service."
- Registration of records other than TXT or CNAME records may be required depending on the specification of the sender email server. For more information, contact the administrator of the sender email server.
Registering TXT Records for DMARC
When the description format is as follows
_dmarc.example.jp. IN TXT "v=DMARC1; p=XXXX; rua=mailto:XXX@XXX.example.jp"
Specify as shown below in "Record Management" on the control panel for this service to register records.
[ Note ] When registering records, pay attention to the following points.
- Append a dot (.) to the end of the domain name entered in Name.
- To use the default TTL, check the "Default TTL" box. To set any other value, uncheck the "Default TTL" box and enter the desired value.
- For the content to enter in Value, contact the administrator of your sender email server or refer to the related documents and websites.
- The authentication method may change depending on the parameter value.
- This service does not provide support for the content to be entered.
- If you are using the "IIJ Secure MX Service," see "Usage Method of Each Functions > Using Email Authentication > Using Outbound DMARC" in the "Basic Functions Manual" from Manuals/Downloads (https://help.iij.ad.jp/admin/service/manual/mx/index.cfm?serviceIdList=IIJ.MX) of "IIJ Secure MX Service."
- Registration of records other than TXT records may be required depending on the specification of the sender email server. For more information, contact the administrator of the sender email server.
Related FAQs
See the following FAQs about sender domain authentication settings.
- Q. Is record registration for sender domain authentication supported?
- Q. Is there a DNS look-up limit for SPF records?
- Q. Is it possible to verify a 2048-bit electronic signature for DKIM records?
- Q. Do I need to pay an additional cost for using sender domain authentication?
- Q. Can I ask you to check for errors in the DNS records I have registered?
- Q. Can I register a 2048-bit DKIM public key?
- Q. Is there an upper limit of the number of characters to be registered in Value in a TXT record?
- Q. I cannot register a TXT record due to an error saying, "An invalid Value is included."
- Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?
- Q. The relevant zone name is added to Name and Value arbitrarily when I attempt to register a record.
- Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, do I need to disable the DNSSEC setting for the target zone in advance?
- Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, an error saying, "A DS record has been registered automatically." appears.