📧 DMARC and SPF Configuration for a Centralized Mail Server

Overview

This guide outlines how to configure SPF and DMARC for multiple domains that all send mail through a single centralized mail server — mail.bubuit.net. The goal is to maintain consistent authentication across all domains, simplify future maintenance, and prevent email spoofing.


1. Central Mail Server

Hostname: mail.bubuit.net
IPv4: 116.202.112.180

The central mail server manages all outgoing and incoming mail for the network’s domains, including bubuit.net, intxtonic.net, and dynproxy.net.


2. SPF Configuration

Sender Policy Framework (SPF) lets a domain publish, in a DNS TXT record, which hosts may send mail using that domain in the SMTP envelope sender (MAIL FROM). Receivers check the connecting IP against that list, which stops spammers from sending messages that appear to come from your domain. Note that SPF checks the envelope sender, not the From: header; DMARC (section 3) is what ties the two together.

2.1 Main Domain (bubuit.net)

@       IN  TXT  "v=spf1 mx a ip4:116.202.112.180 -all"
  • mx: Authorizes the hosts named in the domain's MX records (mail.bubuit.net).
  • a: Authorizes the address in the domain's own A record (bubuit.net itself, not the mail host).
  • ip4:116.202.112.180: Authorizes the mail server's address explicitly, so the policy still passes if the MX or A record is changed by mistake.
  • -all: Every other sender hard-fails.

2.2 Alias Domains

Domains that also send through the same mail server should inherit the main SPF policy:

@       IN  TXT  "v=spf1 include:bubuit.net -all"
  • Inherits the SPF policy from bubuit.net: the sending IP passes if bubuit.net's record would pass it.
  • Simplifies management: updates to bubuit.net automatically apply to all aliases.
  • The mx and a terms inside the included record are evaluated against bubuit.net, not against the alias, so an alias domain's own web server IP is not authorized unless it appears in bubuit.net's record.
  • include:, mx and a each count toward SPF's limit of ten DNS-querying terms per evaluation (RFC 7208); an alias here uses three, well within the limit.

2.3 Difference Between include: and a:

Syntax              Purpose                                                Example                 Behavior
a:mail.bubuit.net   Authorizes only the A-record address(es) of that host  IPs of mail.bubuit.net  Narrow scope, single host
include:bubuit.net  Evaluates another domain's whole SPF policy            SPF of bubuit.net       Broad scope, reusable policy

A sender matches include:bubuit.net only when bubuit.net's policy returns pass for it. The -all at the end of the included record does not fail the alias domain by itself; it simply makes the include not match, which is why the alias record must end with its own -all. For centralized mail systems, include:bubuit.net is the preferred approach: it tracks every future change to the main record, whereas a:mail.bubuit.net authorizes exactly one hostname and would need editing in every alias if a second server were added.
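To make the include: versus a: semantics concrete, here is an added example (not code from the original guide) that evaluates a subset of SPF over a constructed in-memory zone built from this page's records. The 203.0.113.10 web host for intxtonic.net and the loop.example domain are assumptions added to show a non-authorized sender and the ten-lookup limit. It shows that a inside an included record refers to bubuit.net's own A record, that an alias's own address is not authorized through the include, and how a broken include chain ends in permerror.

```python
"""Toy SPF evaluator (RFC 7208 subset) over a constructed in-memory zone.

Added example, not part of the original guide. DNS below is constructed data
mirroring the guide's records; 203.0.113.10 and loop.example are assumptions.
"""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: a, mx, include (and others) count toward this

DNS = {
    "bubuit.net": {
        "TXT": ["v=spf1 mx a ip4:116.202.112.180 -all"],
        "MX": ["mail.bubuit.net"],
        "A": ["116.202.112.180"],
    },
    "mail.bubuit.net": {"A": ["116.202.112.180"]},
    "intxtonic.net": {
        "TXT": ["v=spf1 include:bubuit.net -all"],
        "MX": ["mail.bubuit.net"],
        "A": ["203.0.113.10"],  # assumed web host; not a mail sender
    },
    "dynproxy.net": {"TXT": ["v=spf1 a:mail.bubuit.net -all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # assumed broken record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Unrecoverable SPF error: bad record, broken include, too many lookups."""


class LookupBudget:
    """Counts DNS-querying mechanisms across the whole evaluation, includes included."""

    def __init__(self):
        self.used = 0

    def take(self):
        self.used += 1
        if self.used > LOOKUP_LIMIT:
            raise PermError("too many DNS lookups")


def spf_record(domain):
    """Return the single v=spf1 TXT record of a domain, or None if absent."""
    records = [r for r in DNS.get(domain, {}).get("TXT", []) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def ip_matches_a(ip, host):
    return any(ipaddress.ip_address(a) == ip for a in DNS.get(host, {}).get("A", []))


def check_host(ip, domain, budget=None):
    """Evaluate SPF for <ip> sending as <domain>; returns an RFC 7208 result string."""
    ip = ipaddress.ip_address(ip)
    budget = budget if budget is not None else LookupBudget()
    record = spf_record(domain)
    if record is None:
        return "none"
    try:
        for term in record.split()[1:]:
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            if name == "all":
                matched = True
            elif name == "ip4":
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":  # the domain's OWN A record unless a host is given
                budget.take()
                matched = ip_matches_a(ip, arg or domain)
            elif name == "mx":  # the hosts named in the domain's MX records
                budget.take()
                mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
                matched = any(ip_matches_a(ip, mx) for mx in mx_hosts)
            elif name == "include":  # matches only if the included policy returns pass
                budget.take()
                sub = check_host(ip, arg, budget)
                if sub in ("none", "permerror"):
                    raise PermError(f"include:{arg} returned {sub}")
                matched = sub == "pass"
            else:
                raise PermError(f"unsupported mechanism {term}")
            if matched:
                return QUALIFIERS[qualifier]
    except (PermError, ValueError):
        return "permerror"
    return "neutral"  # nothing matched and no explicit 'all'


def evaluate(ip, domain):
    """Convenience wrapper: (result, DNS lookups consumed)."""
    budget = LookupBudget()
    return check_host(ip, domain, budget), budget.used


if __name__ == "__main__":
    for ip, domain in [
        ("116.202.112.180", "bubuit.net"),
        ("116.202.112.180", "intxtonic.net"),
        ("203.0.113.10", "intxtonic.net"),    # alias's own A record: not authorized
        ("116.202.112.180", "dynproxy.net"),
        ("116.202.112.180", "loop.example"),  # include loop exhausts the budget
    ]:
        print(f"{ip:>16} as {domain:<14} -> {evaluate(ip, domain)}")
```

The second and third cases are the ones worth studying: the same include passes the mail server's IP after two lookups and rejects the alias's own web host after three, because the included a term expands to bubuit.net's A record, never to intxtonic.net's.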


3. DMARC Configuration

After defining authorized senders with SPF, the next step is implementing DMARC. A message passes DMARC when at least one of SPF or DKIM passes and the identifier that passed aligns with the From: header domain: for SPF that is the envelope MAIL FROM domain, for DKIM the d= domain in the signature. DMARC also lets the domain owner publish what receivers should do with failures and receive reports, which adds visibility and improves protection against spoofing. This guide does not cover DKIM key setup; with the strict policy below, each domain must either be DKIM-signed with its own d= (for example d=intxtonic.net) or rely on SPF with a MAIL FROM in exactly the From: domain.

3.1 Main Domain (bubuit.net)

_dmarc  IN  TXT  "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s"
  • p=reject: Ask receivers to reject messages from bubuit.net that fail DMARC.
  • sp=reject: Apply the same policy to subdomains (subdomains inherit p when sp is absent; stating it keeps the intent explicit).
  • aspf=s / adkim=s: Strict alignment. The SPF MAIL FROM domain and the DKIM d= domain must each equal the From: header domain exactly; a subdomain such as bounce.bubuit.net does not align.
  • pct: Omitted, so the default of 100% applies and the policy covers all mail. Use a lower value such as pct=10 only during a staged rollout.

3.2 Alias Domains

_dmarc  IN  TXT  "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s"

Alias domains use the same strict DMARC policy to ensure consistent protection across the network.

3.3 Optional Reporting

To receive aggregate DMARC reports for monitoring, append a rua tag to the record:

_dmarc  IN  TXT  "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc@bubuit.net"

Add this tag only if you wish to collect and review DMARC activity data. For the alias domains the report address lives in a different domain (bubuit.net), so report senders will verify that bubuit.net agrees to receive them; without the authorization records below they discard the destination (RFC 7489 section 7.1):

intxtonic.net._report._dmarc  IN  TXT  "v=DMARC1"
dynproxy.net._report._dmarc   IN  TXT  "v=DMARC1"

Both records go in the bubuit.net zone. If a domain is new to DMARC, a common rollout is p=none with rua for a few weeks, then quarantine, then reject once the reports show only legitimate sources.
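The alignment rules above decide whether the strict policy accepts a message. The following added example (not part of the original guide) parses a DMARC record with RFC 7489 defaults and evaluates constructed authentication results for several realistic situations: a clean send, a bounce-address MAIL FROM under strict versus relaxed alignment, a forwarded message where only DKIM survives, a spoof with the attacker's own SPF and DKIM passing, and a subdomain governed by sp. The organizational-domain logic is a simplification (last two labels) standing in for a Public Suffix List lookup, and all inputs are constructed.

```python
"""DMARC alignment and disposition checker (RFC 7489 subset).

Added example, not part of the original guide. Authentication results are
constructed inputs as an SPF/DKIM verifier would report them. org_domain is a
simplification (last two labels) in place of a Public Suffix List lookup.
"""


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a valid DMARC record: {record!r}")
    tags.setdefault("adkim", "r")     # relaxed unless the owner says strict
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p when sp is absent
    return tags


def _norm(domain):
    return domain.lower().rstrip(".")


def org_domain(domain):
    """Simplified organizational domain: last two labels (no Public Suffix List)."""
    return ".".join(_norm(domain).split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return _norm(from_domain) == _norm(auth_domain)
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, policy_domain, from_domain, spf=None, dkim=None):
    """Return (dmarc_result, disposition) for one message.

    spf  = (spf_result, envelope MAIL FROM domain) or None
    dkim = (dkim_result, d= domain of the signature) or None
    policy_domain is the domain whose _dmarc record was found.
    """
    tags = parse_dmarc(record)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = _norm(from_domain) != _norm(policy_domain)
    return "fail", (tags["sp"] if is_subdomain else tags["p"])


# The guide's record (with reporting) and a relaxed variant for comparison.
STRICT = "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc@bubuit.net"
RELAXED = "v=DMARC1; p=reject; sp=reject; aspf=r; adkim=r"

if __name__ == "__main__":
    cases = [
        ("clean send", STRICT, "intxtonic.net", "intxtonic.net",
         ("pass", "intxtonic.net"), None),
        ("bounce subdomain, strict", STRICT, "intxtonic.net", "intxtonic.net",
         ("pass", "bounce.intxtonic.net"), None),
        ("bounce subdomain, relaxed", RELAXED, "intxtonic.net", "intxtonic.net",
         ("pass", "bounce.intxtonic.net"), None),
        ("forwarded, DKIM survives", STRICT, "intxtonic.net", "intxtonic.net",
         ("fail", "intxtonic.net"), ("pass", "intxtonic.net")),
        ("spoof with attacker auth", STRICT, "intxtonic.net", "intxtonic.net",
         ("pass", "attacker.example"), ("pass", "attacker.example")),
        ("subdomain From, strict", STRICT, "bubuit.net", "news.bubuit.net",
         ("pass", "bubuit.net"), None),
    ]
    for label, record, policy_domain, from_domain, spf, dkim in cases:
        print(f"{label:<28} -> {dmarc_evaluate(record, policy_domain, from_domain, spf, dkim)}")
```

Two results deserve attention when operating the server. The bounce-address case shows why strict alignment needs the MAIL FROM to be exactly the From: domain (or a DKIM signature with the same d=), and the forwarded case shows that DKIM, not SPF, is what keeps legitimate mail passing once it leaves your server.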


4. MX and Host Records

Each alias domain routes mail through the main server:

@      IN  MX  10  mail.bubuit.net.
mail   IN  CNAME  mail.bubuit.net.

The MX target is the main host's own name rather than mail.<alias>, because an MX must point at a hostname with A/AAAA records, not at a CNAME (RFC 2181). Since every alias MX already names mail.bubuit.net., an IP change to the main host reaches all aliases through that single A record. The CNAME adds a mail.<alias> name (for example mail.intxtonic.net) that users can enter in their mail clients; it follows the same A record, so it needs no maintenance of its own. The mx mechanism in bubuit.net's SPF record resolves to this same host, which keeps MX, SPF and the CNAME consistent.


5. No-Mail Domains

For domains or subdomains that will never send email, publish records that leave no way for a sender to pass authentication:

@       IN  TXT  "v=spf1 -all"
@       IN  MX   0  .
_dmarc  IN  TXT  "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s"
  • v=spf1 -all: No host is authorized, so every SPF check fails.
  • MX 0 .: A null MX (RFC 7505) tells senders the domain accepts no inbound mail; omit it if the domain still needs to receive.
  • The DMARC record turns every failure into a reject and, through sp=reject, covers every subdomain as well.

This protects against spoofing and impersonation even for domains that do not send legitimate mail. Without the SPF and DMARC records a receiver has no policy to apply and may accept forged messages.


6. Verification and Testing

To verify DNS records and confirm proper configuration, run these commands:

dig +short TXT _dmarc.bubuit.net     # Check DMARC record for the main domain
dig +short TXT _dmarc.intxtonic.net  # Verify alias domain DMARC configuration
dig +short TXT _dmarc.dynproxy.net   # Inspect DMARC setup for dynproxy.net
dig +short TXT bubuit.net            # Display all TXT records for bubuit.net, including SPF
dig +short TXT intxtonic.net         # Confirm the alias SPF record (include:bubuit.net)
dig +short MX intxtonic.net          # Confirm the alias MX points at mail.bubuit.net.

(The original form "dig +short TXT @bubuit.net TXT" does not do this: dig reads "@name" as the server to query, not the name to look up.)

To test outbound email authentication and alignment, send a message through the server to a public reflector. The verifier replies to the sender address with the SPF, DKIM and DMARC results it observed, so -f must be a mailbox that exists on the server:

swaks -f test@intxtonic.net -t check-auth@verifier.port25.com --server mail.bubuit.net  # Send a test email for analysis

When run from outside the server, mail.bubuit.net will treat this as relaying and require SMTP authentication; add --auth --auth-user <user> --auth-password <password> (swaks options), or run the command on the mail server itself. In the reply, check that SPF passes for intxtonic.net and, if DKIM is configured, that the signature's d= is intxtonic.net, since the strict DMARC policy above accepts nothing else.

7. Summary Table

Domain Type                                SPF Record                             DMARC Record                                     MX Record
Main (bubuit.net)                          v=spf1 mx a ip4:116.202.112.180 -all   v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s   mail.bubuit.net.
Alias (intxtonic.net, dynproxy.net, etc.)  v=spf1 include:bubuit.net -all         v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s   mail.bubuit.net.
No-Mail Domain                             v=spf1 -all                            v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s   none, or null MX (0 .)


✅ Best Practices and Troubleshooting

To conclude, here are key recommendations and practical troubleshooting tips:

Best Practices

  • Maintain a single SPF policy in bubuit.net.
  • Reference it in all alias domains via include:bubuit.net.
  • Use strict DMARC alignment (adkim=s, aspf=s).
  • Apply sp=reject to secure subdomains.
  • Add a CNAME mail → mail.bubuit.net for simplified maintenance.

Troubleshooting Tips

  • SPF Fail: Check for missing or misspelled include: hostnames, and make sure the sending IP actually appears in bubuit.net's record (mx, a and ip4 inside the include refer to bubuit.net, not to the alias). A permerror usually means more than ten DNS-querying terms (include:, mx, a) across the whole chain, or an include of a domain with no SPF record.
  • DMARC Fail: With aspf=s the envelope MAIL FROM domain must equal the From: header domain exactly (bounce.intxtonic.net does not align with intxtonic.net); with adkim=s the DKIM d= must equal it. Forwarded mail usually breaks SPF, so a valid DKIM signature is what keeps it passing.
  • Propagation Issues: Wait for the old TTL to expire, and compare the authoritative answer with a public resolver, for example dig @8.8.8.8 +short TXT _dmarc.bubuit.net to query Google DNS.

By applying these configurations, all domains in your network will share a unified, secure, and easily maintained email authentication system.