Skip to content

DNS setup

Below you can find a list of recommended DNS records. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).


Reverse DNS of your IP address

Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: ${MAILCOW_HOSTNAME} 1. This record is usually set at the provider you leased the IP address (server) from.

The minimal DNS configuration

This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.

# Name              Type       Value
mail                IN A
autodiscover        IN CNAME (your ${MAILCOW_HOSTNAME})
autoconfig          IN CNAME (your ${MAILCOW_HOSTNAME})
@                   IN MX 10 (your ${MAILCOW_HOSTNAME})

Note: The mail DNS record which binds the subdomain to the given ip address must only be set for the domain on which mailcow is running and that is used to access the web interface. For every other mailcow managed domain, the MX record will route the traffic.


In the example DNS zone file snippet below, a simple SPF TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("~all"). Please refer to SPF Project for further reading.

# Name              Type       Value
@                   IN TXT     "v=spf1 mx a -all"

It is highly recommended to create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to OpenDKIM for further reading.

# Name              Type       Value
dkim._domainkey     IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=..."

The last step in protecting yourself and others is the implementation of a DMARC TXT record, for example by using the DMARC Assistant (check).

# Name              Type       Value
_dmarc              IN TXT     "v=DMARC1; p=reject;"

The advanced DNS configuration

SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of ""). Please refer to RFC 2782.

# Name              Type       Priority Weight Port    Value
_autodiscover._tcp  IN SRV     0        1      443 (your ${MAILCOW_HOSTNAME})
_caldavs._tcp       IN SRV     0        1      443 (your ${MAILCOW_HOSTNAME})
_caldavs._tcp       IN TXT                              "path=/SOGo/dav/"
_carddavs._tcp      IN SRV     0        1      443 (your ${MAILCOW_HOSTNAME})
_carddavs._tcp      IN TXT                              "path=/SOGo/dav/"
_imap._tcp          IN SRV     0        1      143 (your ${MAILCOW_HOSTNAME})
_imaps._tcp         IN SRV     0        1      993 (your ${MAILCOW_HOSTNAME})
_pop3._tcp          IN SRV     0        1      110 (your ${MAILCOW_HOSTNAME})
_pop3s._tcp         IN SRV     0        1      995 (your ${MAILCOW_HOSTNAME})
_sieve._tcp         IN SRV     0        1      4190 (your ${MAILCOW_HOSTNAME})
_smtps._tcp         IN SRV     0        1      465 (your ${MAILCOW_HOSTNAME})
_submission._tcp    IN SRV     0        1      587 (your ${MAILCOW_HOSTNAME})


Here are some tools you can use to verify your DNS configuration:


Optional DMARC Statistics

If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own.


It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports.

It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools available, but only a small few of the many choices.


These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure you read the provider's documentation from the service you choose as this process may vary.

Email test for SPF, DKIM and DMARC:

To run a rudimentary email authentication check, send a mail to check-auth at and wait for a reply. You will find a report similar to the following:

Summary of Results
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
DKIM check:         pass
SpamAssassin check: ham


The full report will contain more technical details.

Fully Qualified Domain Name (FQDN)

  1. A Fully Qualified Domain Name (FQDN) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname, the domain name, and the Top Level Domain (TLD for short). In the example of the hostname would be mx, the domain name mailcow and the TLD email