For a while I’ve been intending to set up a second ‘send only’ mail service for this site to handle my automated notifications and status messages. I had been using a different TLD thus far, but wanted to have a [email protected] style email going out. I was keen to not use my primary email accounts for these notices. Leveraging a second mail delivery service turned out to be pretty easy.

The following is how to do this with your primary domain, and without resorting to subdomains. The intention is to be sending email in such a way that it has a high likelihood of reaching its destination, which means not just spoofing the address, and leveraging SPF and DKIM, to reduce the likelihood mail is treated as spam.

Getting Started

First you’ll want the following:

1. An existing email service with a custom domain set up, with DNS records that you can access and modify. SPF and DKIM should also be set up and mail delivery and receipt tested. This is your primary email service, and where mail is delivered to.
2. Access to another mail service. I used the rather excellent and affordable MXRoute, but this could be a mail marketing offering etc. Note you will not be able to receive email at this service (using this guide alone). The service setup for outbound email should not be dependant on mail receipt being possible.
3. The DKIM records for each service should have unique selectors. More info bellow.

On your new (second) mail service, follow any setup you need in order to establish the outbound address. In the case of MXRoute, this included logging into my services admin portal (DirectAdmin, not the billing portal) and creating a new domain (Account Manager -> Domains) for my TLD. Then I had to create the outbound mailbox by ensuring my new domain was active in the portal and then going to E-Mail Manager -> Email Accounts. This will differ for each service.

Where you want to get is the stage where you would normally be required to configure DNS.

Skip MX Records

Your MX Records are used to route incoming mail to your mail server. As this secondary mail service is outbound only, it will not be configured. Leave your MX records in DNS pointing to your existing mail server.

SPF Records

Your DNS should have only a single SPF record per a domain. You should also already have one set up in DNS, having already set up your original mail service. For Google Workspace the existing SPF record would look something like the following:

v=spf1 include:_spf.google.com -all

Your provider, such as MX Route in my case, would ask you to create a record that looks similar such as the following:

v=spf1 include:mxroute.com -all

Because you can only have one SPF record for a domain, but need SPF to apply for both mail services, what you do is take the ‘include:domain’ from your second service and insert that in the existing record. For example my existing SPF record:

v=spf1 include:_spf.google.com -all

Becomes:

v=spf1 include:_spf.google.com include:mxroute.com -all

When a service looks to value your addresses SPF, it will sequentially validate against each domain you have supplied. If the email has been delivered from one of the services in this DNS record, then the checks will evaluate as a pass.

Save this and allow sufficient time for the DNS changes to be applied.

DKIM

Unlike SPF, you can have a seperate DKIM TXT record in your DNS for each service. Just ensure that each service has a unique selector.

The selector is the text in the DKIM TXT records ‘name’ that is before the “._domainkey”. For google the DKIM records TXT entry name will be “google._domainkey”, where “google” is the selector. For MXRoute they use a name of “x._domainkey”, so “x” is the selector.

As long as the selector is unique, you can add a DKIM record per a service following your providers instructions. Note that the DKIM record will be unique to your account, so you’ll need to get the configuration by logging into the service (or maybe from an onboarding email)

Once you have updated the DKIM records you can validate those using a DKIM Key Check. This will take your domain name (e.g. “Courtenay.net”) and a DKIM selector (“google” or “x” in my case), and inform you if the DKIM record is valid for each selector.

Final Testing

With the above in place you should be able to send mail from your secondary service using your domain, and be reassured that spam filters are not going to block your sending (at least as long as your second mail service is in good standing).

You can verify the perceived health of your mail delivery using mail-tester.com. This service will ask you to send an email to a unique address, and on receiving the mail will check the health of your DNS records and whether the mail service you are using is blacklisted. Very helpful if you want to ensure your mail will get to where you intend.