What are the DNS records required for configuring DMARC?

DMARC uses Sender Policy Framework (SPF) and DomainKeys identified mail (DKIM) to determine the authenticity of an email message and recognize whether a message is coming from your domain. As part of your DMARC setup, we provide Domain Name System (DNS) records with these authentication details. Learn how to add these records to your domain provider

SPF records

By verifying the sending server's IP address, SPF helps detect domain spoofing. SPF does this by verifying the IP address against a list of allowed IP addresses for your domain published on the DNS record.

When a recipient’s mail server receives a new email, it checks the SPF record for your domain. When it can verify the email’s domain in the SPF record, the server accepts the email.

To authenticate with SPF, we use the Bounce record in the form of a CNAME to verify that you own the domain.

DKIM CNAME records

DKIM ensures that email content is kept safe from tampering. DKIM does this by having a digital signature as part of of the email, which can be verified against your domains DNS record. By publishing the DKIM records on your domain's DNS record, you grant us permission to sign emails on your domain's behalf.

When a Jira product or Confluence sends an email, we add DKIM signatures to the email header and secure them with public key cryptography. We use this public key in the DKIM signature to verify whether messages are authentic.

We define the unique cryptographic key in DKIM records in the form of CNAME records. We include two DKIM records in case one key needs to be rotated.

Bounce records

If the recipient’s server rejects the email, the bounced email is sent to the mail server indicated in the Bounce record. For example, if the recipient’s server concludes that an email fails DMARC, then the email is rejected. We provide the Bounce record in the form of a CNAME record.