DNS records for mail

Mail delivery in the University is restricted to known SMTP servers, and this restriction is enforced by the CUDN port blocks.

This means you may not advertise a device as a mail server, whether by headers (such as the "From:" field) in any email, by an MX resource record, or by any other formal or informal means. You must also send mail via a recognized mail server; there is a separate page with advice on sending email from computers on the CUDN.

Mail domains

Mail domains must be set up by Hostmaster and Postmaster staff in the UIS. Please contact ip-register@uis.cam.ac.uk and/or mail-support@uis.cam.ac.uk if you need any changes.

Mail domains are represented by MX records in the DNS. (The Internet mail specifications allow message delivery to hosts with address records but no MX records, but the rules in Cambridge require MX records only.) Although mail domains are represented in the IP Register database, control is not delegated to institution computer officers.

SPF records

SPF records are entries in the DNS that describe which mail servers are permitted to send email 'from' a mail domain. For more information about SPF records, see http://www.openspf.org

The standard SPF records that we publish for most mail domains under the cam.ac.uk domain say that mail is permitted from the entire CUDN IP address space and Microsoft Office 365 Exchange Online.

Other IP addresses are marked "neutral" (i.e. neither positively permitted nor explicitly forbidden).

Specifically, our standard SPF record is:

cam.ac.uk. TXT "v=spf1 include:mx.cam.ac.uk include:spf.protection.outlook.com ?all"

The SPF record published at mx.cam.ac.uk covers the whole CUDN IP address space. This name is also used for incoming mail via the central mail relay. Despite the name, the SPF record covers the entire CUDN and is not specific to the central mail relays. We re-used this name for SPF because it is conveniently short and mail-related.

Please let ip-register@uis.cam.ac.uk know if you need any changes to your mail domain's SPF record, or if you want an opt-out.

SPF for third-party mail service providers

If you are using one or more off-site mail service providers, we recommend that they are set up on provider-specific subdomains. There are more details about third-party mail service providers in our rules for administering a mail domain.

This is because there is a strict limit on the size and complexity of SPF records, and we want to avoid hitting that limit. We can help you with setting up subdomains for mail service providers - please contact ip-register@uis.cam.ac.uk.
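The following is an added example, not code from UIS. It parses the standard record quoted above to show the "neutral" default, then counts the terms that cause DNS queries, which RFC 7208 caps at 10 per check (one of the limits on SPF complexity). The `.example` names and their records are constructed for illustration, and `parse_spf` and `count_lookups` are hypothetical helper names.

```python
import re

# RFC 7208 section 4.6.4: these terms cause DNS queries, at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """Return [(result, name, value)] for each term of an SPF TXT string."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # a term without a qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        pieces = re.split(r"[:=/]", term, maxsplit=1)  # name, optional value
        value = pieces[1] if len(pieces) > 1 else ""
        terms.append((QUALIFIERS[qual], pieces[0].lower(), value))
    return terms

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from zone[domain]. Include targets
    missing from zone count once and are not followed (a lower bound)."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    total = 0
    for _, name, value in parse_spf(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value in zone:
                total += count_lookups(value, zone, path + (domain,))
    return total

# The standard record quoted on this page.
STANDARD = "v=spf1 include:mx.cam.ac.uk include:spf.protection.outlook.com ?all"
# Constructed zone (hypothetical names): four providers vs one on a subdomain.
ZONE = {"dept.example": "v=spf1 include:p1.example include:p2.example "
                        "include:p3.example include:p4.example ?all",
        "news.dept.example": "v=spf1 include:p1.example ?all"}
for p in ("p1", "p2", "p3", "p4"):
    ZONE[p + ".example"] = f"v=spf1 include:a.{p}.example include:b.{p}.example -all"
    ZONE[f"a.{p}.example"] = "v=spf1 ip4:192.0.2.0/24 -all"
    ZONE[f"b.{p}.example"] = "v=spf1 ip4:198.51.100.0/24 -all"
if __name__ == "__main__":
    print(parse_spf(STANDARD)[-1])  # the default for unlisted senders
    for d in ("dept.example", "news.dept.example"):
        print(d, count_lookups(d, ZONE), "of", MAX_LOOKUPS, "allowed")
```

In the constructed zone, putting all four providers on one mail domain needs 12 queries and exceeds the cap, while the provider-specific subdomain needs 3.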

DKIM and DMARC records

DomainKeys Identified Mail (DKIM) is another, more sophisticated mechanism for authenticating mail servers, using cryptographic signatures.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) adds a policy system to SPF and DKIM which allows sites more control over how authentication failures should be treated.

Like SPF, DKIM and DMARC are based on putting TXT records in the DNS. At the moment we do not have a systematic setup for DKIM and DMARC in the way we do for SPF records.

Control over TXT records is not delegated, so please contact ip-register@uis.cam.ac.uk with details of any DKIM or DMARC records that you need. For mail servers on the CUDN we may need to discuss the details with mail-support@uis.cam.ac.uk.