DNS Records Explained

Understand the domain-ownership, SPF, DKIM, DMARC, return-path and MX records used by Taifa Mail.

When you add a domain, Taifa Mail gives you five DNS records: a domain-ownership record, SPF, DKIM, DMARC, and a return-path record. This page explains what each one does and how to set it up correctly. A sixth record - MX - is needed only if you also want to receive mail.

Domain ownership

A verification record proves you control the domain before Taifa Mail will send for it.

Type: TXT
Host: _taifa-challenge (shown as _taifa-challenge.yourdomain.com on your domain page)
Value: taifa-verify=... (the token shown on your domain page)

The dedicated _taifa-challenge label works even when your domain name itself is a website pointed at Netlify, Vercel or similar via a CNAME, because DNS does not allow a TXT record to coexist with a CNAME at the same name. Tokens published at the root domain (the older instruction) keep working.

You can remove this record after the domain is verified, though leaving it in place does no harm.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which servers are allowed to send email on behalf of your domain.

Record to add:

Type: TXT
Host: @ (root domain)
Value: v=spf1 include:mail.govconnect.ke ~all

If you already have an SPF record for another service (Google Workspace, Microsoft 365, etc.), do not create a second one. Merge the includes into a single record:

v=spf1 include:mail.govconnect.ke include:_spf.google.com ~all

A domain must have only one SPF record. Multiple SPF records will cause authentication failures and your emails may be rejected.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. Receiving servers use the public key in your DNS to verify the signature.

Record to add:

Type: TXT
Host: taifa._domainkey
Value: the public key shown on your Taifa Mail domain page

The full record name will be taifa._domainkey.yourdomain.com. Taifa Mail generates a unique DKIM key pair for each domain you add.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC tells receiving servers what to do when an email fails SPF or DKIM checks. It also lets you receive reports about authentication results.

Record to add:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@mail.govconnect.ke

Taifa Mail generates the DMARC record with p=none so you can publish it safely without affecting delivery. The aggregate reports are routed to Taifa Mail.

  • p=none monitors only and does not protect your domain. The Domain Health check flags this and recommends upgrading once DKIM and SPF pass.
  • p=quarantine tells receivers to send suspicious emails to spam.
  • p=reject is stricter and tells receivers to drop suspicious emails entirely. Use this once you are confident your setup is correct.

To strengthen the policy, change p=none to p=quarantine (or p=reject) in your DNS provider.
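The SPF and DMARC rules above (one SPF record per domain, the Taifa include present, p=none monitoring only) can be checked before you publish. The following is an added example written for this page, not Taifa Mail's own tooling; it works on TXT strings you paste in, so it needs no DNS access, and the sample records are constructed:

```python
TAIFA_SPF_INCLUDE = "include:mail.govconnect.ke"   # the include from this page
ALL_RANK = {"-": 3, "~": 2, "?": 1, "+": 0}          # stricter 'all' wins on merge

def merge_spf(records):
    """Merge several v=spf1 records into one: each term kept once, in order,
    ending with the strictest 'all' qualifier seen (default ~all)."""
    terms, alls = [], []
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            if term.lower().lstrip("+-~?") == "all":
                alls.append(term if term[0] in ALL_RANK else "+" + term)
            elif term not in terms:
                terms.append(term)
    final_all = max(alls, key=lambda a: ALL_RANK[a[0]], default="~all")
    return " ".join(["v=spf1", *terms, final_all])

def check_spf(root_txt_records):
    """Problems with the TXT records at the domain root, as a list of strings."""
    spf = [r for r in root_txt_records if r.lower().startswith("v=spf1")]
    problems = []
    if not spf:
        problems.append("no SPF record")
    elif len(spf) > 1:
        problems.append(f"{len(spf)} SPF records; a domain may have only one")
    if spf and not any(TAIFA_SPF_INCLUDE in r.split() for r in spf):
        problems.append(f"SPF does not contain {TAIFA_SPF_INCLUDE}")
    return problems

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict keyed by lowercase tag."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(record):
    """Problems with a _dmarc TXT record, as a list of strings."""
    tags, problems = parse_dmarc(record), []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing p= tag")
    elif policy == "none":
        problems.append("p=none monitors only; move to quarantine or reject")
    return problems

# constructed sample: a root that already carried a Google Workspace SPF record
ROOT_TXT = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:mail.govconnect.ke ~all"]
```

Running check_spf(ROOT_TXT) reports the duplicate, and merge_spf(ROOT_TXT) produces the single merged record shown earlier on this page.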

Return path

The return-path record routes bounce notifications back to Taifa Mail so delivery failures are recorded against your sends.

Type: CNAME
Host: taifa-bounce (becomes taifa-bounce.yourdomain.com)
Value: the target shown on your Taifa Mail domain page

MX (only for receiving mail)

The five records above are all you need to send. To also receive mail - using the Inbox or email forwarding - add an MX record:

Type: MX
Host: @ (root domain)
Value: mx1.govconnect.ke
Priority: 10

An MX record redirects all incoming mail for the domain to Taifa Mail. If the domain already receives mail elsewhere (Google Workspace, Zoho), do not add this record without planning the migration.

Common mistakes

  • Multiple SPF records. A domain can only have one SPF TXT record. Merge all includes into one.
  • Wrong DKIM selector. The host must be exactly taifa._domainkey, not just _domainkey or a different selector name.
  • DMARC set to p=none indefinitely. This provides monitoring but no protection. Move to p=quarantine or p=reject once your records are verified.
  • Forgetting to save. Some DNS providers require you to click Save or Apply after adding records.

Provider-specific notes

Cloudflare -- Add TXT records in the DNS section of your domain. Make sure the proxy toggle is set to "DNS only" (grey cloud) for mail-related records.

Namecheap -- Go to Domain List, click Manage next to your domain, then Advanced DNS. Add TXT records there. Use @ for the root host.

GoDaddy -- Open your domain settings, go to DNS Management, and add TXT records. GoDaddy sometimes appends your domain to the host field automatically, so enter taifa._domainkey without the full domain.

Google Domains -- Navigate to DNS in the sidebar, scroll to Custom Records, and add your TXT entries. Google Domains typically propagates within a few minutes.