DNS Configuration for postchi.io Brand Domain
Overview
These DNS records configure postchi.io to send system emails (password resets, verifications, notifications) with maximum deliverability and reputation protection.
🔑 Generated DKIM Keys
Private Key (Add to Database)
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Action Required: Save this private key securely and add it to the database for the postchi.io domain record.
📋 DNS Records to Add
1. SPF Record
Purpose: Specifies which servers are allowed to send email for postchi.io
Type: TXT
Name: postchi.io (or @ if using root)
Value: v=spf1 ip4:YOUR_SMTP_SERVER_IP -all
TTL: 3600
⚠️ Action Required: Replace YOUR_SMTP_SERVER_IP with your actual SMTP server IP address.
Strict Policy Explanation:
- ip4:YOUR_IP - Only this IP can send
- -all - Reject all other IPs (strict)
- For brand domain, we want strict authentication
2. DKIM Record
Purpose: Cryptographic signature to verify email authenticity
Type: TXT
Name: default._domainkey.postchi.io
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnQSCsj9CQXWX8kCIyNe2r5e2V1ZBuDImAqR3LeyyG86FWr2WDLl2lVPknVzlZvpH03/Z/6aCbs5W7omkCtb2aiZPSeBh3Vy3D8ITaHQfTGs9w4JvWZNvgxNJpI1GNn3myM57CpVBBlTg3Gt49ZZgDbELq5pVbNuNmRy8QJdvzmeHumqvsz+q22S+Wfk7k0O5+W7xT6NqLxtmfPKS/WTqw/VFI0rRTw1B7zO3Xat03xqfFcljOzJxnYn1+YWDqBGoV38cDyklRSlDXVbjtLOgXceIwN6hEG3a1DjRNndmCZU6Rs94IO/vYfjDDiB8RkRoA4pFr2DSAsZ4xyTVmBewkQIDAQAB
TTL: 3600
Note: The public key is embedded in the value above. This matches the private key generated.
DKIM Selector: default
3. DMARC Record
Purpose: Policy for handling authentication failures + reporting
Type: TXT
Name: _dmarc.postchi.io
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@postchi.io; ruf=mailto:dmarc@postchi.io; pct=100; adkim=s; aspf=s
TTL: 3600
Policy Explanation:
- p=quarantine - Quarantine emails that fail authentication (safer than reject initially)
- rua=mailto:dmarc@postchi.io - Aggregate reports sent here
- ruf=mailto:dmarc@postchi.io - Forensic reports sent here
- pct=100 - Apply policy to 100% of emails
- adkim=s - Strict DKIM alignment (domain must match exactly)
- aspf=s - Strict SPF alignment (domain must match exactly)
Why Strict Alignment?
For brand/system emails, we want maximum security. The sending domain (postchi.io) must exactly match the authenticated domain.
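What strict alignment changes in practice, as an added example (not code from this project): with adkim=s and aspf=s, a message authenticated by a subdomain fails DMARC even though SPF and DKIM both pass. The three messages are constructed, `esp.example` is a hypothetical third-party sender, and the two-label organizational-domain rule is a simplifying assumption.

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: enough for postchi.io; receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's': exact match required. mode 'r': same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(msg, adkim="s", aspf="s"):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from"], msg["dkim_d"], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed authentication results, all with From: noreply@postchi.io.
EXACT = {"from": "postchi.io", "mail_from": "postchi.io", "dkim_d": "postchi.io",
         "spf_pass": True, "dkim_pass": True}
# Envelope sender and DKIM d= on a subdomain: authenticated, but not aligned under 's'.
SUBDOMAIN = {"from": "postchi.io", "mail_from": "mail.postchi.io",
             "dkim_d": "mail.postchi.io", "spf_pass": True, "dkim_pass": True}
# Bounce address on a subdomain, DKIM signed as postchi.io: DKIM alone carries DMARC.
MIXED = {"from": "postchi.io", "mail_from": "mail.postchi.io",
         "dkim_d": "postchi.io", "spf_pass": True, "dkim_pass": True}
# Hypothetical third-party sender signing with its own domain.
THIRD_PARTY = {"from": "postchi.io", "mail_from": "esp.example",
               "dkim_d": "esp.example", "spf_pass": True, "dkim_pass": True}

if __name__ == "__main__":
    for name, msg in [("exact", EXACT), ("subdomain", SUBDOMAIN),
                      ("mixed", MIXED), ("third party", THIRD_PARTY)]:
        print(f"{name:12} strict={dmarc_result(msg)} "
              f"relaxed={dmarc_result(msg, adkim='r', aspf='r')}")
```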
4. MX Records (for Bounce Handling)
Purpose: Receive bounce messages and delivery notifications
Type: MX
Name: postchi.io
Priority: 10
Value: s1.mx.postchi.io
TTL: 3600
Type: MX
Name: postchi.io
Priority: 20
Value: s2.mx.postchi.io
TTL: 3600
Note: Ensure s1.mx.postchi.io and s2.mx.postchi.io have A records pointing to your mail servers.
5. Reverse DNS (PTR Record)
Purpose: Maps IP back to domain for authentication
⚠️ Action Required: Contact your hosting provider to set up the PTR record:
IP Address: YOUR_SMTP_SERVER_IP
PTR Record Value: mail.postchi.io
Most hosting providers (AWS, DigitalOcean, Linode) have a control panel for this.
Why Important?
- Many email servers reject mail if PTR doesn't match
- Critical for deliverability
🔍 Verification Steps
After adding DNS records, verify them:
1. Check SPF
dig TXT postchi.io +short
Should return: "v=spf1 ip4:YOUR_IP -all"
2. Check DKIM
dig TXT default._domainkey.postchi.io +short
Should return: "v=DKIM1; k=rsa; p=MII..."
3. Check DMARC
dig TXT _dmarc.postchi.io +short
Should return: "v=DMARC1; p=quarantine; ..."
4. Check MX
dig MX postchi.io +short
Should return both MX records
5. Check PTR (Reverse DNS)
dig -x YOUR_SMTP_SERVER_IP +short
Should return: mail.postchi.io.
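A scripted version of the TXT checks above, as an added example (not part of this project's code). A 2048-bit DKIM record is longer than the 255-byte limit of one TXT string, so dig prints it as several quoted chunks that must be concatenated before comparing; the sample line is constructed, with p= cut to its first 32 characters, and the function names are illustrative.

```python
import base64
import re

# Constructed sample of `dig TXT default._domainkey.postchi.io +short` output:
# two quoted chunks, with p= cut to the first 32 characters (not a usable key).
SAMPLE_DKIM = '"v=DKIM1; k=rsa; p=MIIBIjANBgkq" "hkiG9w0BAQEFAAOCAQ8A"'

def join_txt(dig_line):
    """Concatenate the quoted chunks of one TXT record, as a verifier does."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    return "".join(chunks) if chunks else dig_line.strip()

def tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def check_spf(record):
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    return [] if terms[-1] == "-all" else ["does not end in -all"]

def check_dkim(record):
    t, problems = tags(record), []
    if t.get("v") != "DKIM1":
        problems.append("v is not DKIM1")
    p = t.get("p", "")
    if re.search(r"\s", p):  # e.g. chunks pasted into a DNS panel with a space
        problems.append("whitespace inside p=")
    try:
        der = base64.b64decode(re.sub(r"\s", "", p), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        der = b""
    if der[:1] != b"\x30":  # a DER-encoded public key starts with a SEQUENCE
        problems.append("p= is not base64 of a DER SEQUENCE")
    return problems

def check_dmarc(record):
    t = tags(record)
    want = {"v": "DMARC1", "p": "quarantine", "adkim": "s", "aspf": "s"}
    return [f"{k}={t.get(k)!r}, expected {v!r}"
            for k, v in want.items() if t.get(k) != v]

if __name__ == "__main__":
    print(check_dkim(join_txt(SAMPLE_DKIM)))
```

Each function returns a list of problems, so an empty list means the record matches what this document expects.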
📧 Testing Email Authentication
Use these free tools to test your configuration:
- Mail-Tester - https://www.mail-tester.com/
  - Send test email to provided address
  - Get score out of 10
  - Shows SPF, DKIM, DMARC status
- MXToolbox - https://mxtoolbox.com/SuperTool.aspx
  - Check DNS records
  - Check blacklists
  - Check SMTP
- Google Postmaster Tools - https://postmaster.google.com/
  - Add your domain
  - Monitor reputation
  - See spam rates
- Microsoft SNDS - https://postmaster.live.com/snds/
  - Register your IP
  - Monitor reputation with Microsoft
🎯 Expected Results
After proper configuration, emails from noreply@postchi.io should:
✅ Pass SPF authentication
✅ Pass DKIM authentication
✅ Pass DMARC alignment
✅ Land in inbox (not spam)
✅ Show "Signed by postchi.io" in Gmail
✅ Display proper "via" domain
📝 Database Setup
After DNS is configured, add the postchi.io domain to your database:
INSERT INTO "Domain" (
id,
domain,
"organizationId",
"dkimSelector",
"dkimPrivateKey",
"verificationStatus",
"createdAt",
"updatedAt"
) VALUES (
'GENERATE_CUID',
'postchi.io',
'YOUR_SYSTEM_ORGANIZATION_ID',
'default',
'-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCdBIKyP0JBdZfy...',
'VERIFIED',
NOW(),
NOW()
);
⚠️ Action Required:
- Replace GENERATE_CUID with a new CUID
- Replace YOUR_SYSTEM_ORGANIZATION_ID with your system organization ID
- Use the full private key from the top of this document
⏱️ DNS Propagation
DNS changes can take up to 48 hours to propagate globally, but usually complete within:
- SPF/TXT Records: 1-4 hours
- MX Records: 1-4 hours
- DKIM Records: 1-4 hours
- PTR Records: Immediate (set by hosting provider)
Tip: Use dig commands above to check if changes have propagated to your location.
🚨 Troubleshooting
Emails going to spam?
- Check all DNS records are properly configured
- Ensure PTR record is set
- Verify IP is not blacklisted (use MXToolbox)
- Check DMARC reports for failures
- Warm up IP if brand new (see dedicated-ip-strategy)
DKIM signature failing?
- Verify DKIM public key in DNS matches private key
- Check selector is "default"
- Ensure no extra spaces in DNS record
- Private key must be in database exactly as shown above
SPF failing?
- Verify IP address in SPF record is correct
- Ensure emails are sent from that IP
- Check for typos in SPF record
📚 Additional Resources
- Dedicated IP Strategy - Full strategy for IP management
- Email Deliverability Testing - Testing procedures
- SPF RFC 7208
- DKIM RFC 6376
- DMARC RFC 7489
✅ Implementation Checklist
- Add SPF TXT record (replace IP with your server IP)
- Add DKIM TXT record (use public key above)
- Add DMARC TXT record
- Add MX records (2 records)
- Set up PTR record with hosting provider
- Wait for DNS propagation (1-4 hours)
- Verify all records with dig commands
- Add domain to database with private key
- Send test email via mail-tester.com
- Register domain with Google Postmaster Tools
- Register IP with Microsoft SNDS
- Monitor first 100 emails for deliverability
- Set up DMARC report monitoring
Last Updated: 2025-12-15
DKIM Keys Generated: 2025-12-15
Selector: default