This page has some notes on how DNS records for mail are managed behind the scenes. We assume you have read our main documentation for mail records.
Ad-hoc records
The DB.cam zone file contains manually-maintained additions to the cam.ac.uk zone. This includes mail-related records that can't yet be stored in the IP Register database: TXT records, and CNAME records with underscores in the owner and/or target name.
The DB.cam file isn't included in the published-to-the-University version of the IP Register source code because it contains personal data.
MX records
The list of mail domains supported by the machinery described here is determined by the MX records in the IP Register database.
SPF records
SPF records are added to the cam.ac.uk zone by the spf script, controlled by the SPF configuration file. The configuration file determines the default SPF records, and the extensions and other special cases.
Amazon SES domains are not included in the SPF configuration file, but are identified by DKIM CNAMEs in the DB.cam zone file. There are about 10 of these.
The spf script also verifies that SPF records do not break the strict SPF size limits. If any are too big, the DNS build is aborted to protect against mistakes that can cause mail delivery failures. DNS lookup failures are reported via cronspam without breaking the build.
SPF caveat
The size limit checker implements a subset of the SPF specification: just the a: (address) and include: mechanisms. There is a risk that it will break if a third-party mail provider starts using an unsupported SPF feature.
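As an added illustration of the checks the spf script is described as doing (not the IP Register code itself), the following walks an SPF record recursively, counts the DNS-querying terms against the 10-lookup limit of RFC 7208 section 4.6.4, treats a lookup failure as a warning rather than a build failure, and fails closed on syntax it does not understand rather than silently passing it. It goes slightly beyond the page's a: and include: subset by also counting mx, ptr, exists and redirect=, which the RFC counts too. The zone data and every domain name in it are constructed for the example.

```python
"""Added example: SPF DNS-lookup-limit checker in the spirit of the page's
spf script. Not the IP Register code; all zone data below is constructed."""

LOOKUP_LIMIT = 10   # RFC 7208 s4.6.4: include, a, mx, ptr, exists, redirect
MAX_DEPTH = 20      # guard against include loops in broken third-party records

# Constructed sample zone: owner name -> list of TXT strings.
# None stands in for a failed lookup (SERVFAIL / timeout).
SAMPLE_ZONE = {
    "good.example": ["v=spf1 a:mx0.good.example include:_spf.provider.example -all"],
    "_spf.provider.example": ["v=spf1 ip4:192.0.2.0/24 a mx/24 -all"],
    "big.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
    "macro.example": ["v=spf1 exists:%{i}.rbl.example -all"],
    "flaky.example": ["v=spf1 include:_spf.down.example -all"],
    "_spf.down.example": None,
}
for i in range(11):
    SAMPLE_ZONE[f"hop{i}.example"] = ["v=spf1 ip6:2001:db8::/32 -all"]


class SpfUnsupported(Exception):
    """SPF syntax outside the subset this checker understands."""


def _spf_record(zone, name):
    """Return the v=spf1 TXT at name, None if absent; raise LookupError when
    the (simulated) DNS lookup itself fails."""
    txts = zone.get(name, [])
    if txts is None:
        raise LookupError(name)
    spf = [t for t in txts if t == "v=spf1" or t.startswith("v=spf1 ")]
    if len(spf) > 1:
        raise SpfUnsupported(f"{name}: multiple SPF records (permerror)")
    return spf[0] if spf else None


def count_lookups(zone, domain, _depth=0):
    """Count DNS-querying terms reachable from domain's SPF record, following
    include: and redirect= recursively. Returns (lookups, warnings); warnings
    lists lookup failures, which are reported but do not abort the build."""
    if _depth > MAX_DEPTH:
        raise SpfUnsupported(f"{domain}: include/redirect chain too deep")
    try:
        record = _spf_record(zone, domain)
    except LookupError:
        return 0, [f"DNS lookup failed for {domain}"]
    if record is None:
        return 0, [f"no SPF record at {domain}"]
    lookups, warnings = 0, []
    for term in record.split()[1:]:
        if "%" in term:
            raise SpfUnsupported(f"{domain}: macro in {term!r}")
        if "=" in term:                           # modifier
            name, _, value = term.partition("=")
            if name == "redirect":
                sub, w = count_lookups(zone, value, _depth + 1)
                lookups += 1 + sub
                warnings += w
            elif name != "exp":                   # exp= does not count
                raise SpfUnsupported(f"{domain}: unknown modifier {term!r}")
            continue
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0]                 # "mx/24" -> "mx"
        target = arg.split("/")[0] or domain      # "a:host/24" -> "host"
        if mech in ("ip4", "ip6", "all"):
            continue                              # no DNS query
        if mech in ("a", "mx", "ptr", "exists"):
            lookups += 1
        elif mech == "include":
            sub, w = count_lookups(zone, target, _depth + 1)
            lookups += 1 + sub
            warnings += w
        else:
            raise SpfUnsupported(f"{domain}: unsupported mechanism {term!r}")
    return lookups, warnings


def check_build(zone, mail_domains):
    """Check every mail domain. Returns (abort, report): abort is True if any
    record exceeds the lookup limit or uses syntax this checker cannot
    evaluate, in which case the DNS build must not proceed."""
    abort, report = False, {}
    for domain in mail_domains:
        try:
            n, warnings = count_lookups(zone, domain)
        except SpfUnsupported as exc:
            abort = True
            report[domain] = {"status": "unsupported", "lookups": None, "warnings": [str(exc)]}
            continue
        status = "too-big" if n > LOOKUP_LIMIT else "ok"
        abort = abort or status == "too-big"
        report[domain] = {"status": status, "lookups": n, "warnings": warnings}
    return abort, report


if __name__ == "__main__":
    abort, report = check_build(SAMPLE_ZONE, ["good.example", "big.example", "macro.example", "flaky.example"])
    for domain, r in report.items():
        print(f"{domain}: {r['status']} lookups={r['lookups']} {r['warnings']}")
    print("build aborted" if abort else "build continues")
```

Aborting on unsupported syntax is a deliberate choice: a checker that cannot evaluate a third-party record should stop the build and be fixed, rather than let an over-limit record through. A real deployment would replace the dictionary with resolver queries and route the warnings to cronspam.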
DKIM records
These are either TXT records in the cam.ac.uk zone itself, or CNAMEs pointing elsewhere. DKIM records have _domainkey in the name; the underscore currently prevents CNAMEs from being held in the IP Register database.
The DB.cam file contains a couple of dozen manually-maintained DKIM records, for Amazon SES, various Microsoft Exchange Online tenancies, and some third-party mail service providers. Amazon and Microsoft use CNAMEs; the others vary.
Mail sent via ppsw is signed with d=cam.ac.uk, so we only need one DKIM TXT record for everything, not one per domain.
For the main UIS Microsoft Exchange Online tenancy, the dkim script automatically adds DKIM CNAME records if the target TXT records exist in the DNS. If DNS lookups fail then this script continues to use the DKIM CNAMEs from the previous DNS build.
DKIM caveat
The naming scheme for Microsoft Exchange Online DKIM records is based on the mail domain with dots replaced by hyphens. If the mail domain contains hyphens then there is a more complicated encoding which we have not reproduced. Mail domains with hyphens need their DKIM CNAMEs added manually.
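The following added example (not the IP Register dkim script) shows the behaviour described in the two paragraphs above for the Exchange Online tenancy: deriving the expected CNAME target from the mail domain by replacing dots with hyphens, emitting a CNAME only when the target TXT record exists, keeping the previous build's answer when the lookup fails outright, and refusing to guess for hyphenated domains, which are left for manual records. The tenant name, the selector names and all DNS answers are constructed for the example.

```python
"""Added example: deriving Microsoft 365 DKIM CNAMEs for a DNS build.
Not the IP Register dkim script; tenant name and DNS data are constructed."""

TENANT = "example-tenant.onmicrosoft.com"      # assumed tenant initial domain
SELECTORS = ("selector1", "selector2")          # assumed selector names


class DnsFailure(Exception):
    """A lookup that neither succeeded nor returned NXDOMAIN (SERVFAIL, timeout)."""


# Constructed DNS answers: name -> list of TXT strings; None simulates a failure.
SAMPLE_DNS = {
    f"selector1-good-example._domainkey.{TENANT}": ["v=DKIM1; k=rsa; p=not-a-real-key"],
    f"selector2-good-example._domainkey.{TENANT}": ["v=DKIM1; k=rsa; p=not-a-real-key"],
    f"selector1-new-example._domainkey.{TENANT}": None,
    f"selector2-new-example._domainkey.{TENANT}": None,
}

# Constructed state from the "previous build": owner -> target.
PREVIOUS = {"selector1._domainkey.new.example": f"selector1-new-example._domainkey.{TENANT}"}


def sample_lookup_txt(name):
    """Stand-in for a resolver: [] means no record, DnsFailure means the query failed."""
    txts = SAMPLE_DNS.get(name, [])
    if txts is None:
        raise DnsFailure(name)
    return txts


def m365_dkim_target(mail_domain, selector, tenant=TENANT):
    """Expected CNAME target for a Microsoft 365 DKIM selector: the mail domain
    with dots replaced by hyphens. Returns None for domains that themselves
    contain hyphens, whose encoding this example does not reproduce."""
    if "-" in mail_domain:
        return None
    return f"{selector}-{mail_domain.replace('.', '-')}._domainkey.{tenant}"


def build_dkim_cnames(mail_domains, lookup_txt, previous):
    """Return ({owner: target}, notes). A CNAME is emitted only when the target
    TXT exists; on a DNS failure the owner keeps whatever the previous build
    had; hyphenated domains are left for manual records."""
    cnames, notes = {}, []
    for domain in mail_domains:
        for selector in SELECTORS:
            owner = f"{selector}._domainkey.{domain}"
            target = m365_dkim_target(domain, selector)
            if target is None:
                notes.append(f"{domain}: hyphenated domain, add DKIM CNAMEs manually")
                break
            try:
                txts = lookup_txt(target)
            except DnsFailure:
                notes.append(f"{owner}: lookup of {target} failed, keeping previous build")
                if owner in previous:
                    cnames[owner] = previous[owner]
                continue
            if txts:
                cnames[owner] = target
    return cnames, notes


if __name__ == "__main__":
    domains = ["good.example", "new.example", "notyet.example", "hy-phen.example"]
    cnames, notes = build_dkim_cnames(domains, sample_lookup_txt, PREVIOUS)
    for owner, target in sorted(cnames.items()):
        print(f"{owner}. IN CNAME {target}.")
    for note in notes:
        print("note:", note)
```

Note the distinction the code keeps: a name that does not exist (NXDOMAIN, here an empty list) means Microsoft has not provisioned DKIM for that domain yet and no record is written, whereas a failed query says nothing about the target, so the previous build's answer is reused rather than dropped.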
DMARC records
At the moment we only have a few DMARC records in DB.cam, for institutions that have requested them.