Mad Out Reach
Back
Three DNS records on the customer's domain are needed to authenticate outbound mail.
Without them, ESPs (Gmail, Office 365, Yahoo, etc.) will junk or reject your sends.
All three live on the From-header organisational domain
— for this client that's madoutreach.co.uk.
1. SPF
Authorises which servers can send From madoutreach.co.uk.
Type: TXT Name: madoutreach.co.uk (i.e. the apex/root) Content: v=spf1 +a +mx +ip4:<your-smtp-server-IP> ~all
Replace <your-smtp-server-IP> with the public IPv4 of your SMTP host. Use ~all (soft-fail) while warming up; tighten to -all later.
2. DKIM
Public key your SMTP provider gives you. Common selector: default.
Type: TXT Name: default._domainkey.madoutreach.co.uk Content: v=DKIM1; k=rsa; p=<public-key-from-your-SMTP-provider>
If your provider uses a different selector (e.g. google, k1, selector1), use that name instead. The checker will try the common ones automatically.
3. DMARC
Tells receivers what to do with mail that fails SPF/DKIM. Start permissive.
Type: TXT Name: _dmarc.madoutreach.co.uk Content: v=DMARC1; p=none;
After a few weeks of clean traffic, tighten to p=quarantine then p=reject. p=none is monitoring-only — safe starting point.
DNS changes propagate in 1–5 minutes typically; up to a few hours on slow providers. Cron auto-rechecks every 6 hours, but you can hit Verify any time after the customer says they've added the records.