Access Portal DNS Health Check Warning

Modified on Mon, 27 Sep 2021 at 02:32 AM

If you are presented with DNS warnings when you login to the portal; there may be a problem that needs you attention.  

If you click on the DNS Health Check link, you will be presented with the specific records that we are having trouble validating.   The information below should assist you in creating or correcting the specific records that we have not been able to validate.  


SPF (Sender Policy Framework) allows the owner of a domain to specify which mail servers they use to send mail from

that domain.

An organization sending mail publishes an SPF (TXT) record in the Domain Name System (DNS). The record contains a list of IP addresses that are authorised to send mail on behalf of their domain name.

Receivers of mail verify the SPF record by looking up the “Envelope From” (aka Mail From, Mfrom or return-path) domain name in the DNS. If the IP address sending mail on behalf of this domain is not listed in the SPF record, the message fails SPF authentication.

Configuring an SPF record is not only required when using the EntrustedMail  service, but a real good idea and will help the deliverability of your e-mail message.  If there is not an SPF record configured for your domain, then receivers that require some form of authentication verification may not accept your message or may automatically flag the message as SPAM.  When you create an SPF record, you must include all legitimate mail systems that send email on behalf of your domain, otherwise the ones not listed could be treated as possible forgery sources. 

In the following example, Healthy Care Services is has an SPF record in the following format;

v=spf1 -all

In order to authorize EntrustedMail  to deliver messages for, the SPF record for will need to be modified to include EntrustedMail's SPF record.   

By editing the current SPF record by adding you are authorizing EntrustedMail to deliver mail for your domain.  The following is what the edited SPF record for would like after they authorize EntrustedMail to deliver mail from their domain.

v=spf1 -all

A few caveats to avoid;

  • Be sure to place the include statement ( before the ending operand which is usually -all
  • A valid SPF record can contain 10 or less DNS lookups.  
  • Be sure  that there is no more than one white space between statements in your SPF record.  For instance, if you have two spaces (rather than one) between the and -all, the SPF record may fail validation.

    If you are unsure of how many lookups your SPF record current includes, Kitterman Technical Services has a great tool for verifying the structure of you SPF record. You can reach this tool by pointing your browser to

DKIM is a development of "DomainKeys" from Yahoo and "Identified Internet Mail" from Cisco, hence the name DKIM.

DKIM is a method of verifying the email sender is who they say they are. It's purpose is to prevent email spoofing.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

If you have implemented DKIM for your domain, you will need to create the following CNAME record so that the messages signed and delivered by EntrustedMail pass DKIM checks for your domain.

Record typeLabel/Host fieldTime To Live (TTL)Destination/Target field
CNAMEselect-em1._domainkey3600 or leave the 


If you have not implemented  DKIM for your domain, then creating the CNAME record is not a requirement but is highly recommended and will likely increase the deliverability of your email. 

If you are not certain if DKIM has or has not been implemented, then please add the CNAME record since creating the CNAME record without a DKIM implementation will not impact the deliverability of your e-mail.  

If you would like help with implementing DKIM for you domain, please open a ticket and will be happy to assist you.

ZIX (Limited to our customer that are using Zix Encryption.  If you are not using Zix Encryption though EntrustedMail you will not see this record listed under the DNS Health Check.)

The ZixVPM MX record is a required record that is needed to determine where to send inbound encrypted messages for decryption. Because encrypted messages from other Zix encryption users, are signed using a unique key, that message will need to be sent to a gateway that hosts a private key that is used to decrypt the message.

The host that a ZixVPM MX record uses as a value or destination points to a host that is able to decrypt messages signed with the unique key.

If you need assistance with the syntax of your ZixVPM record, please open a support request and we will be happy to assist you. 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article