DNS records for mail (internals)

This page has some notes on how DNS records for mail are managed behind the scenes. We assume you have read our main documentation for mail records.

Ad-hoc records

The DB.cam zone file contains manually-maintained additions to the cam.ac.uk zone. This includes mail-related records that can't yet be stored in the IP Register database: TXT records; and CNAME records with underscores in the owner and/or target name.

The DB.cam file isn't included in the published-to-the-University version of the IP Register source code because it contains personal data.

MX records

The list of mail domains supported by the machinery described here is determined by the MX records in the IP Register database.

SPF records

SPF records are added to the cam.ac.uk zone by the spf script, controlled by the SPF configuration file.

The configuration file determines the default SPF records, and the extensions and other special cases.

Amazon SES domains are not included in the SPF configuration file, but are identified by DKIM CNAMEs in the DB.cam zone file. There are about 10 of these.

The spf script also verifies that SPF records do not break the strict SPF size limits. If any are too big the DNS build is aborted to protect against mistakes that can cause mail delivery failures. DNS lookups failures are reported via cronspam without breaking the build.

SPF caveat

The size limit checker implements a subset of the SPF specification: just a: (address) and include: mechanisms. There is a risk that it will break if a third-party mail provider starts using an unsupported SPF feature.

DKIM records

These are either TXT records in the cam.ac.uk zone itself, or CNAMEs pointing elsewhere. DKIM records have _domainkey in the name; the underscore currently prevents CNAMEs from being held in the IP Register database.

The DB.cam file contains a couple of dozen manually-maintained DKIM records, for Amazon SES, various Microsoft Exchage Online tenancies, and some third-party mail service providers. Amazon and Microsoft use CNAMEs, the others vary.

Mail sent via ppsw is signed with d=cam.ac.uk so we only need on DKIM TXT record for everything, not one per domain.

For the main UIS Microsoft Exchage Online tenancy, the dkim script automatically adds DKIM CNAME records if the target TXT records exist in the DNS. If DNS lookups fail then this script continues to use the DKIM CNAMEs from the previous DNS build.

DKIM caveat

The naming scheme for Microsoft Exchage Online DKIM records is based on the mail domain with dots replaced by hyphens. If the mail domain contains hyphens then there is a more complicated encoding which we have not reproduced. Mail domains with hyphens need their DKIM CNAMEs added manually.

DMARC records

At the moment we only have a few DMARC records in DB.cam for institutions that have requested them.

Related Links