DNS & Deliverability
Configure and verify the DNS records required for DramWell mail — MX, SPF, DKIM, and DMARC — and test deliverability to major providers.
Overview
Email deliverability depends on four DNS records that authenticate DramWell's mail server to receiving providers: MX (routing), SPF (sender authorization), DKIM (message signing), and DMARC (policy enforcement). All four must be correctly configured and consistent with each other. Missing or misconfigured records result in mail being rejected or silently marked as spam at major providers.
Required DNS Records
MX Record
The MX record tells other mail servers where to deliver mail for dramwell.ai.
| Type | Host | Value | Priority |
|---|---|---|---|
| MX | dramwell.ai | mail.dramwell.ai | 10 |
Verify with:
dig MX dramwell.ai
Expected output: dramwell.ai. 3600 IN MX 10 mail.dramwell.ai.
SPF Record
SPF authorizes mail.dramwell.ai to send mail on behalf of dramwell.ai.
| Type | Host | Value |
|---|---|---|
| TXT | dramwell.ai | v=spf1 mx ~all |
mx resolves the current MX record and authorizes those IPs. ~all uses a soft fail for unauthorized senders (marks as suspicious rather than rejecting). Do not use -all (hard fail) until you have confirmed all legitimate sending sources are covered — a misconfiguration with hard fail will cause legitimate mail loss.
Verify with:
dig TXT dramwell.ai
DKIM Record
DKIM signs outgoing messages with a private key held by Stalwart. Receiving servers verify the signature using the public key published in DNS.
Generating a DKIM key:
- Log in to the Stalwart admin panel at https://mail.dramwell.ai/admin.
- Go to Configuration > SMTP > Signing.
- Click Generate New Key and select RSA-2048 or Ed25519.
- Stalwart displays the public key and the DNS record value to publish.
DNS record to publish:
| Type | Host | Value |
|---|---|---|
| TXT | <selector>._domainkey.dramwell.ai | v=DKIM1; k=rsa; p=<public_key> |
The selector is a short label (e.g., mail2024) chosen when generating the key. It appears in the DKIM-Signature header of outgoing messages.
Verify with:
dig TXT mail2024._domainkey.dramwell.ai
Allow up to 48 hours for DNS propagation before testing DKIM validation.
DMARC Record
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails authentication.
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc.dramwell.ai | v=DMARC1; p=quarantine; rua=mailto:dmarc@dramwell.ai |

| Tag | Value | Meaning |
|---|---|---|
| p | quarantine | Send failing messages to spam rather than reject them outright |
| rua | mailto:dmarc@dramwell.ai | Aggregate reports of authentication failures are sent to this address |
Start with p=quarantine. Once you have confirmed all legitimate mail is passing SPF and DKIM (watch the aggregate reports for 2–4 weeks), upgrade to p=reject.
Verify with:
dig TXT _dmarc.dramwell.ai
Testing Deliverability
Mail-Tester
Send a test message to the address shown at mail-tester.com and view your score out of 10. A score of 9 or 10 indicates proper configuration. Scores below 8 usually mean a missing or misconfigured DNS record.
MXToolbox
Use mxtoolbox.com/SuperTool.aspx to run individual DNS checks:
- MX Lookup — Verifies MX records and connectivity to port 25
- SPF Record Lookup — Validates SPF syntax and authorization chain
- DKIM Lookup — Validates the public key record for a given selector
- DMARC Lookup — Checks DMARC policy and reporting configuration
Send a Test to Gmail
Send a message from a dramwell.ai address to a Gmail account. In Gmail, open the message, click More (three dots), and select Show original. Look for the Authentication-Results header:
- spf=pass — SPF is working
- dkim=pass — DKIM is working
- dmarc=pass — DMARC policy is satisfied
Any value other than pass identifies which record needs attention.
Tips
- Keep your DKIM private key backed up in a secure secret store. If the Stalwart container is lost or rebuilt, you will need the private key to restore signing continuity — generating a new key requires a DNS update and a propagation wait.
- Check the DMARC aggregate reports (sent to dmarc@dramwell.ai) monthly. They show which IP addresses are sending mail claiming to be from dramwell.ai, which is useful for detecting spoofing attempts.
- Never publish multiple SPF records for the same domain. If you need to authorize additional sending services (e.g., a marketing platform), add their include: mechanism to the existing TXT record rather than creating a second one.