Add an SPF record:
# Strict SPF (recommended)
example.com. IN TXT "v=spf1 mx a -all"
# Relaxed SPF (if using external services)
example.com. IN TXT "v=spf1 mx a include:_spf.google.com ~all"
mailcow generates DKIM keys automatically:
# Get DKIM public key
docker compose exec rspamd-mailcow rspamadm dkim_keygen -d example.com
# Or via UI: Configuration → Mail Setup → Domains → Edit → DKIM
Add to DNS:
dkim._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
Start with quarantine, then move to reject after validation:
# Quarantine policy (recommended start)
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
# Reject policy (after testing)
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
Serve /.well-known/mta-sts.txt on your web server:
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
_mta-sts.example.com. IN TXT "v=STSv1; id=20240101"
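Before publishing, the SPF, DMARC and MTA-STS values above can be linted offline. The following is an added example, not part of mailcow or of the original page; the function names are hypothetical, and it only inspects strings passed to it (no DNS lookups, no SPF redirect= or lookup-limit handling).

```python
# Added example: offline lint for the record values shown on this page.
import re

def parse_tags(record):
    """Split a 'k=v; k=v' TXT value (DMARC, MTA-STS) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: must start with v=spf1"]
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF: no 'all' mechanism"]
    return [] if alls[0].startswith("-") else [f"SPF: '{alls[0]}' is weaker than -all"]

def check_dmarc(record):
    tags, issues = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC: missing or invalid p=")
    elif tags["p"] == "none":
        issues.append("DMARC: p=none only monitors")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append("DMARC: pct is not 100, policy applies to part of the mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address for aggregate reports")
    return issues

def check_mta_sts(policy_text, txt_record):
    issues, fields = [], {}
    for key, _, value in (l.partition(":") for l in policy_text.splitlines()):
        fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        issues.append("MTA-STS: policy version must be STSv1")
    mode = fields.get("mode", [""])[0]
    if mode != "enforce":
        issues.append(f"MTA-STS: mode '{mode}' is not enforce")
    if mode != "none" and not fields.get("mx"):
        issues.append("MTA-STS: no mx entries")
    age = fields.get("max_age", [""])[0]
    if not age.isdigit() or int(age) > 31557600:  # RFC 8461 upper bound
        issues.append("MTA-STS: max_age must be an integer <= 31557600")
    tags = parse_tags(txt_record)
    if tags.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        issues.append("MTA-STS: TXT record needs v=STSv1 and an alphanumeric id")
    return issues
```

Each function returns a list of findings, so an empty list means the value passed the checks; the relaxed `~all` SPF record from this page is reported as weaker than `-all`.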
DANE allows publishing TLSA records so sending MTAs can validate your TLS certificate via DNSSEC. Only enable this if your domain is correctly signed with DNSSEC and you understand the operational impact of certificate rotations.