DNS Records Explained
Understand the domain-ownership, SPF, DKIM, DMARC, return-path and MX records used by Taifa Mail.
When you add a domain, Taifa Mail gives you five DNS records: a domain-ownership record, SPF, DKIM, DMARC, and a return-path record. This page explains what each one does and how to set it up correctly. A sixth record - MX - is needed only if you also want to receive mail.
Domain ownership
A verification record proves you control the domain before Taifa Mail will send for it.
| Field | Value |
|---|---|
| Type | TXT |
| Host | _taifa-challenge (shown as _taifa-challenge.yourdomain.com on your domain page) |
| Value | taifa-verify=... (the token shown on your domain page) |
The dedicated _taifa-challenge label works even when your domain name itself is a website pointed at Netlify, Vercel or similar via CNAME, where DNS does not allow a TXT record at the same name. Tokens published at the root domain (the older instruction) keep working.
You can remove this record after the domain is verified, though leaving it in place does no harm.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which servers are allowed to send email on behalf of your domain.
Record to add:
| Field | Value |
|---|---|
| Type | TXT |
| Host | @ (root domain) |
| Value | v=spf1 include:mail.govconnect.ke ~all |
If you already have an SPF record for another service (Google Workspace, Microsoft 365, etc.), do not create a second one. Merge the includes of both services into a single record.
A domain must have only one SPF record. Multiple SPF records will cause authentication failures and your emails may be rejected.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. Receiving servers use the public key in your DNS to verify the signature.
Record to add:
| Field | Value |
|---|---|
| Type | TXT |
| Host | taifa._domainkey |
| Value | The public key shown on your Taifa Mail domain page |
The full record name will be taifa._domainkey.yourdomain.com. Taifa Mail generates a unique DKIM key pair for each domain you add.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC tells receiving servers what to do when an email fails SPF or DKIM checks. It also lets you receive reports about authentication results.
Record to add:
| Field | Value |
|---|---|
| Type | TXT |
| Host | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:dmarc@mail.govconnect.ke |
Taifa Mail generates the DMARC record with p=none so you can publish it safely without affecting delivery. The aggregate reports are routed to Taifa Mail.
- p=none monitors only and does not protect your domain. The Domain Health check flags this and recommends upgrading once DKIM and SPF pass.
- p=quarantine tells receivers to send suspicious emails to spam.
- p=reject is stricter and tells receivers to drop suspicious emails entirely. Use this once you are confident your setup is correct.
To strengthen the policy, change p=none to p=quarantine (or p=reject) in your DNS provider.
Return path
The return-path record routes bounce notifications back to Taifa Mail so delivery failures are recorded against your sends.
| Field | Value |
|---|---|
| Type | CNAME |
| Host | taifa-bounce (becomes taifa-bounce.yourdomain.com) |
| Value | The target shown on your Taifa Mail domain page |
MX (only for receiving mail)
The five records above are all you need to send. To also receive mail - using the Inbox or email forwarding - add an MX record:
| Field | Value |
|---|---|
| Type | MX |
| Host | @ (root domain) |
| Value | mx1.govconnect.ke |
| Priority | 10 |
An MX record redirects all incoming mail for the domain to Taifa Mail. If the domain already receives mail elsewhere (Google Workspace, Zoho), do not add this record without planning the migration.
Common mistakes
- Multiple SPF records. A domain can only have one SPF TXT record. Merge all includes into one.
- Wrong DKIM selector. The host must be exactly taifa._domainkey, not just _domainkey or a different selector name.
- DMARC set to p=none indefinitely. This provides monitoring but no protection. Move to p=quarantine or p=reject once your records are verified.
- Forgetting to save. Some DNS providers require you to click Save or Apply after adding records.
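As an added check (example code written for this page, not part of Taifa Mail or its tooling), the following Python flags the mistakes listed above against a constructed set of TXT records and shows how two SPF records are merged into one. The sample zone, including the second provider's include and the placeholder DKIM key, is constructed; only mail.govconnect.ke, taifa._domainkey and the DMARC value come from this page.

```python
import re

# Constructed sample zone (example values, not real DNS answers): record name -> TXT strings.
SAMPLE_TXT = {
    "@": [
        "v=spf1 include:_spf.other-provider.example ~all",  # pre-existing SPF record
        "v=spf1 include:mail.govconnect.ke ~all",           # a second SPF record: a mistake
    ],
    "_domainkey": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],    # wrong host, selector missing
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@mail.govconnect.ke"],
}
DKIM_HOST = "taifa._domainkey"  # the selector host Taifa Mail expects

def spf_records(txt):
    """All TXT strings at the root that start with v=spf1 (case-insensitive)."""
    return [v for v in txt.get("@", []) if v.lower().startswith("v=spf1")]

def merge_spf(records):
    """Merge SPF records: each non-'all' term once, in order, then the first record's 'all'."""
    terms, all_term = [], None
    for rec in records:
        for term in rec.split()[1:]:  # skip the v=spf1 version tag
            if re.fullmatch(r"[+\-~?]?all", term, re.I):
                all_term = all_term or term
            elif term not in terms:
                terms.append(term)
    return "v=spf1 " + " ".join(terms + [all_term or "~all"])

def dmarc_policy(txt):
    """Return the p= tag of the _dmarc record, or None if no DMARC record is published."""
    for v in txt.get("_dmarc", []):
        m = re.search(r"\bp=(none|quarantine|reject)\b", v, re.I)
        if v.lower().startswith("v=dmarc1") and m:
            return m.group(1).lower()
    return None

def check_zone(txt):
    """Flag the common mistakes listed above; returns short finding codes."""
    findings, spf, policy = [], spf_records(txt), dmarc_policy(txt)
    if len(spf) != 1:
        findings.append("multiple-spf" if spf else "spf-missing")
    if not any(v.lower().startswith("v=dkim1") for v in txt.get(DKIM_HOST, [])):
        findings.append("dkim-selector-missing")  # e.g. published at _domainkey only
    if policy in (None, "none"):
        findings.append("dmarc-monitor-only" if policy else "dmarc-missing")
    return findings
```

Running check_zone on the constructed zone reports all three mistakes; after merging the SPF records, moving the DKIM key to taifa._domainkey and raising the DMARC policy, it reports none.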
Provider-specific notes
Cloudflare -- Add TXT records in the DNS section of your domain. Make sure the proxy toggle is set to "DNS only" (grey cloud) for mail-related records.
Namecheap -- Go to Domain List, click Manage next to your domain, then Advanced DNS. Add TXT records there. Use @ for the root host.
GoDaddy -- Open your domain settings, go to DNS Management, and add TXT records. GoDaddy sometimes appends your domain to the host field automatically, so enter taifa._domainkey without the full domain.
Google Domains -- Navigate to DNS in the sidebar, scroll to Custom Records, and add your TXT entries. Google Domains typically propagates within a few minutes.