Configure the MX and SPF records in the DNS host to set up Mailprotector email security for the domain.
Before You Begin
Allow Mailprotector Addresses through the Firewall
This step was covered in Requirements for Adding a CloudFilter Domain. If it has not yet been completed and a firewall is present in the environment that would deny traffic unless the IP addresses are added to the allow list, please add them now.
Allow Mailprotector's IP addresses through your firewall before making DNS changes. Find the complete list of IP addresses here:
- Inbound transport IP addresses:
52.0.70.91, 52.0.74.211, 52.0.31.31
- Outbound transport IP addresses:
52.1.23.3, 52.1.140.110, 52.7.80.136, 52.1.182.179, 54.84.14.167, 54.84.246.51, 54.152.160.215, 52.22.79.245, 52.20.59.36, 52.0.21.132, 52.22.72.116, 52.3.94.45, 52.1.62.31, 54.208.239.9, 54.172.220.45, 18.204.234.187, 18.232.37.98, 52.1.21.150, 52.5.166.138, 54.164.123.4, 54.164.131.225, 54.173.10.57, 34.194.188.63, 18.214.85.87, 107.23.53.12, 35.153.239.198, 3.209.199.18, 35.169.41.199, 34.237.235.151, 3.209.239.254, 54.236.173.181, 35.168.124.141, 34.226.13.126, 44.214.97.8, 54.152.9.48, 3.230.164.228, 3.223.110.73, 13.223.147.144, 13.219.151.166, 54.227.105.44, 100.26.64.202, 13.223.213.111, 52.86.179.225, 54.81.158.64, 52.45.220.202, 54.144.192.87, 54.173.173.19, 13.218.2.25
We recommend confirming connectivity between Mailprotector and the domain's mail server after allowing these addresses.
Optimize DNS Propagation
To speed up MX and SPF record propagation, lower the TTL (Time to Live) setting for your DNS records to 60-300 seconds a day or two before making the change. This tells Internet name servers to check for updates more frequently, so your new MX and SPF records will propagate faster once you make the DNS record changes.
If you wish to increase the TTL values after propagation is complete, please be sure to note the existing values before shortening them.
Update DNS Records
MX Records
Make note of the existing MX records for the domain. Add the following new MX records to the DNS host:
| Priority | Value |
|---|---|
| 10 | domain-tld.inbound.emailservice.io |
| 20 | domain-tld.inbound.emailservice.co |
| 30 | domain-tld.inbound.emailservice.cc |
Replace domain-tld with the newly added Mailprotector domain name.
For example, use mailprotector-com for the domain mailprotector.com.
Only the Priority 10 record is required, as the Priority 20 and Priority 30 records are provided for redundancy and load balancing.
Once the new records are added, it is safe to delete all previously existing MX records to prevent spammers from bypassing Mailprotector's filtering.
SPF Record
Add Mailprotector's SPF include statement to the domain's SPF record to authorize our servers to send mail on the domain's behalf. Add the following include statement to the existing SPF record:
include:spf.us.emailservice.io
Example 1: If the current SPF record is
v=spf1 include:spf.protection.outlook.com -all, update it to:
v=spf1 include:spf.protection.outlook.com include:spf.us.emailservice.io -allExample 2: If the current SPF record is v=spf1 include:_spf.google.com -all, update it to:
v=spf1 include:_spf.google.com include:spf.us.emailservice.io -all
Ensure the SPF record includes all authorized mail senders for your domain.
After DNS Record Updates
Configure Inbound and Outbound Security
After changing your MX and SPF record, configure your email platform's inbound security:
- Microsoft 365: Set up the inbound connector 2 to 24 hours after changing the MX record to prevent email bouncing during DNS propagation. See the Microsoft 365 Connectors Summary article for details.
- Google Workspace: Configure the inbound mail route immediately after changing the MX record. See the Google Workspace Mail Routes Summary article for details.
Change TTL Back to Previous Values
Once the MX and SPF record changes have fully propagated, the Time-to-Live values can be increased to their previous values.
Frequently Asked Questions
Can I keep my old MX record as a backup? While technically possible, it leaves your mail server directly accessible to spammers. They often target backup MX records to bypass security filters. After MX records propagate, restrict SMTP traffic to only accept connections from Mailprotector IP addresses to ensure all email is scanned.
Will I lose email during the MX or SPF record change? No. Email continues to be delivered to your current server while the MX record change propagates. During this period, you may see emails delivered to both old and new MX records as the internet updates. Because you are adding an SPF value, not removing, no email is lost while the SPF record propagates.
How long does MX or SPF record propagation take? DNS propagation typically takes 24-48 hours but can be faster if you lower your TTL beforehand.
Continue Configuration
Continue to Step 5 - Verify the Domain.
Updated