Launching a new domain for your product, outreach, or newsletters is exciting, but it’s also where most deliverability problems start.
If you send email before your DNS is set up properly, you can damage your reputation early and spend weeks trying to recover.
This checklist covers the exact DNS records you should set up before sending a single email.
Decide what you’re using the domain for
Before DNS, get clear on how you’ll use the domain:
Transactional email (logins, receipts, OTP, product notifications)
Marketing email (newsletters, promotions)
Cold outreach (sales emails)
Best practice: separate these by subdomain or even separate domains, so one doesn’t hurt the other.
Examples:
mail.yourdomain.com for transactional
news.yourdomain.com for newsletters
go.yourdomain.com for tracking links (if needed)
1) MX Records (Mail Exchange)
MX records tell the internet where to deliver inbound email for your domain.
If you use Google Workspace or Microsoft 365, you’ll add their MX records.
If you don’t receive mail on this domain, you may still set MX depending on your provider’s requirements, but for most businesses it’s useful to have working inbound mail.
Tip: avoid random “free MX” providers on important domains.
2) SPF Record (Sender Policy Framework)
SPF tells inbox providers which servers are allowed to send email for your domain.
You usually add one SPF TXT record for the root domain.
Example pattern:
v=spf1 include:yourprovider.com -all
Key rules:
Only one SPF record per domain (multiple records can break SPF)
Keep it under the DNS lookup limit (commonly 10 lookups)
Start conservative and only include what you truly use
SPF is one of the most common sources of silent failure, especially when teams keep adding includes over time.
3) DKIM Record (DomainKeys Identified Mail)
DKIM signs outgoing emails with a cryptographic signature so the recipient can verify the message wasn’t altered and was authorized by your domain.
DKIM is usually one or more DNS records placed at a selector like:
selector1._domainkey.yourdomain.com
Your email provider will generate:
the selector name
the TXT/CNAME record you must publish
Best practices:
Prefer 2048-bit keys when available
Keep track of selectors so you can rotate keys later without downtime
4) DMARC Record (Policy + Reporting)
DMARC ties SPF and DKIM together and tells providers what to do if a message fails authentication.
The DMARC record lives at:
_dmarc.yourdomain.com
A safe starter DMARC policy looks like:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100
What this does:
p=none monitors without rejecting mail (good for new setup)
rua= sends aggregate reports so you can see who is sending as you
adkim and aspf: strict alignment (recommended for strong control)
After you confirm everything is aligned and legitimate sources are correct, you can move to:
p=quarantine, then later p=reject
DMARC is the single best control for stopping spoofing and building trust.
5) Optional but strongly recommended: BIMI (Brand logo in inbox)
BIMI can display your brand logo in some inboxes (depends on provider and requirements).
Usually requires:
DMARC at enforcement (quarantine/reject)
properly hosted SVG logo
sometimes a VMC (Verified Mark Certificate)
Not mandatory for sending, but a strong trust signal if you’re building a serious brand.
6) MTA-STS + TLS-RPT (Security and trust signals)
These are not required to send email, but they are increasingly common in well-configured domains.
MTA-STS: tells other mail servers to require TLS when delivering to you
TLS-RPT: gives you reports about TLS delivery failures
They help with security posture and visibility, and they can improve trust for some ecosystems.
7) Reverse DNS / PTR (if you send from your own dedicated IP)
If you’re using a dedicated server/IP to send email (not common for early-stage senders), you need:
PTR / rDNS matching your sending domain
correct HELO/EHLO identity
SPF that authorizes that IP
a stable sending plan
If you’re using an ESP (SendGrid, Mailgun, SES, Postmark, etc.), they handle most of this for you.
8) Final pre-send checklist (do this before your first campaign)
Before sending real volume:
Confirm SPF is valid and not exceeding lookup limits
Confirm DKIM signatures are passing
Confirm DMARC passes with alignment
Send test emails to Gmail and Outlook inboxes and check headers
Start with engaged recipients first
Ramp volume slowly over the first 2–4 weeks
New domains need a clean start. That first week matters more than people realize.
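The SPF rules in section 2 and the first checklist items above can be checked mechanically. The script below is an added example, not part of the original article or any provider's tooling: it audits a constructed set of TXT records (the ZONE dictionary and the esp-*.example names are assumptions standing in for real DNS answers) for a single SPF record, the total DNS lookup count across nested includes, and the DMARC policy.

```python
# Added example: offline SPF/DMARC audit. ZONE is constructed sample data; esp-*.example names are hypothetical.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx -all"],
    "_spf.esp-a.example": ["v=spf1 include:_a1.esp-a.example include:_a2.esp-a.example ~all"],
    "_a1.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_a2.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.esp-b.example": ["v=spf1 a mx exists:%{i}.bl.esp-b.example ~all"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def spf_records(name, zone):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """DNS-querying terms reachable from name's SPF record, following include/redirect."""
    recs = spf_records(name, zone)
    if name in path or not recs:          # loop guard / unresolved include
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower().replace("redirect=", "redirect:", 1)
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0]         # "a/24" and "mx/24" are still a and mx
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_lookups(target, zone, path + (name,))
    return total

def audit(domain, zone):
    """Return (lookup_count, issues) for the SPF and DMARC records of `domain`."""
    issues = []
    n_spf = len(spf_records(domain, zone))
    if n_spf != 1:
        issues.append(f"expected exactly 1 SPF record, found {n_spf}")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups (limit is 10)")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p) if len(dmarc) == 1 else {}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC record missing or policy invalid")
    elif tags["p"] == "none":
        issues.append("DMARC is monitor-only (p=none); enforce once reports are clean")
    return lookups, issues

if __name__ == "__main__":
    print(audit("yourdomain.com", ZONE))
```

The sample zone looks like two includes and an mx, yet it already costs 8 of the 10 lookups once the nested includes are followed, which is how SPF fails silently as providers are added.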
Wrap-up
If you set up your DNS properly from day one, you avoid 80% of deliverability problems later.
For a new domain, the “must have” list is:
MX
SPF
DKIM
DMARC (start with p=none, then enforce later)
Everything else makes you stronger, but those four are the foundation.
Gmailo AI helps you verify all of this, spot issues fast, and ship a sending setup that actually reaches the inbox.
