How to Set Up Business Email on Your Domain (MX, SPF, DKIM, DMARC)

Running email from you@yourcompany.sa instead of a free Gmail or Hotmail address signals trust and protects your brand. But professional email is more than picking a hostname — it depends on four DNS records working together: MX, SPF, DKIM, and DMARC. Get them right and your mail lands in the inbox, is cryptographically verified as genuine, and can't be easily spoofed by scammers. Get them wrong and your invoices end up in spam, or worse, attackers impersonate your domain.

This guide walks through each record, what it does, and exactly how to configure it. The examples use a hosted business mailbox on Skyline Cloud, but the concepts apply to any mail provider.

Before You Start

You'll need:

• A registered domain (for example, a .sa domain) and access to its DNS zone.
• A business email mailbox provisioned for that domain.
• The DNS values from your provider: MX hostnames, the SPF include, and your DKIM public key/selector.

If you don't have a mailbox yet, create your account on Skyline Cloud and add your domain first. Because Skyline operates in-Kingdom data centres, your mailbox data stays inside Saudi Arabia — relevant for PDPL and NCA/SDAIA data-residency requirements.

The Four Records at a Glance

Step 1 — Configure MX Records

MX (Mail Exchanger) records point your domain at the servers that accept incoming mail. They use a priority value: the lowest number is tried first, higher numbers are fallbacks.

Add these in your DNS zone (use the exact hostnames your provider gives you):

yourcompany.sa.   3600  IN  MX  10  mail.alskyline.com.
yourcompany.sa.   3600  IN  MX  20  mail2.alskyline.com.

Key points:

• The host/name is your bare domain (often entered as @), not www.
• The MX value must be a hostname (an A/AAAA record), never an IP address.
• Remove any old or default MX records (such as those pointing at a previous host) — leftover records cause mail to split or vanish.

Verify after the DNS TTL has passed:

dig +short MX yourcompany.sa

Step 2 — Add an SPF Record

SPF (Sender Policy Framework) is a single TXT record listing the servers authorised to send mail for your domain. Receivers reject or flag mail from servers not on the list.

yourcompany.sa.  3600  IN  TXT  "v=spf1 include:_spf.alskyline.com ~all"

Breaking it down:

• v=spf1 — the SPF version (always first).
• include:_spf.alskyline.com — authorises your provider's sending servers.
• ~all — softfail: mail from other sources is accepted but marked suspicious. Once you're confident, tighten this to -all (hardfail) to reject unauthorised senders outright.

Critical rules:

• You may have only one SPF record per domain. If you send through multiple services (your mailbox provider plus, say, a CRM or marketing tool), merge their includes into a single record:

"v=spf1 include:_spf.alskyline.com include:_spf.othervendor.com ~all"

• SPF allows a maximum of 10 DNS lookups. Too many include: statements cause a permerror and silent delivery failures.

Check it:

dig +short TXT yourcompany.sa

Step 3 — Publish Your DKIM Key

DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing message using a private key on the mail server. Recipients fetch the matching public key from your DNS and verify the signature, proving the message is genuine and unmodified.

Your provider generates a key pair and gives you a selector (e.g. s1 or default) plus the public key. Publish it as a TXT record at selector._domainkey.yourcompany.sa:

s1._domainkey.yourcompany.sa.  3600  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Notes:

• The p= value is the long public key from your provider — paste it exactly, with no added spaces or line breaks.
• Some DNS panels split long TXT values into chunked strings automatically; that's fine.
• The selector in DNS must match the selector your mail server signs with.

Verify the public key resolves:

dig +short TXT s1._domainkey.yourcompany.sa

Step 4 — Set a DMARC Policy

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers what to do with mail that fails authentication and where to send reports so you can monitor abuse.

Start in monitoring mode so you don't accidentally block legitimate mail:

_dmarc.yourcompany.sa.  3600  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.sa; fo=1"

• p=none — monitor only; collect reports without affecting delivery.
• rua= — the address that receives aggregate reports.
• After a couple of weeks of clean reports, tighten the policy:

"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.sa; pct=100"

Progress from p=none → p=quarantine → p=reject as you confirm all your legitimate senders pass. p=reject is the strongest protection against domain spoofing.

Step 5 — Test End to End

Once DNS has propagated:

1. Send a message from your new mailbox to a Gmail account, open it, and choose Show original. Confirm SPF: PASS, DKIM: PASS, and DMARC: PASS.
2. Send a test to a free mail-tester service and aim for a full score.
3. Confirm two-way flow — send to your domain and reply from it.

Common Pitfalls

• Two SPF records. Always merge into one; a second record invalidates both.
• MX pointing to an IP. Use a hostname only.
• Stale TTLs. Lower TTLs to 300 before a migration so changes apply quickly.
• DKIM key truncated when pasted — re-copy the full p= value.

You're Done

With MX, SPF, DKIM, and DMARC in place, your domain sends and receives professional, authenticated email that reaches the inbox and resists spoofing. For managed mailboxes with in-Kingdom data residency and local Arabic support, explore Skyline business email hosting or our broader cloud services.

Ready to put your brand on your email? Get started on Skyline Cloud and add your domain in minutes.