Why is email not being delivered? (DNS perspective)
Problem Statement
Mail flow fails due to DNS-layer policy or routing misconfiguration.
Symptoms
Bounce messages reference SPF, DKIM, DMARC, or MX lookup issues.
Step-by-Step Diagnosis
Validate MX and host records, inspect SPF syntax, then verify DKIM and DMARC records.
Commands to Run
dig example.com MX
dig example.com TXT
dig _dmarc.example.com TXT
dig selector1._domainkey.example.com TXT
Expected vs Bad Output
Expected output shows valid, parseable policy records; bad output shows NXDOMAIN for selectors or SPF errors.
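The following sketch classifies the TXT answers from the commands above as expected or bad. It is an added example, not DNS Panopticon's own code: the function names are hypothetical, the sample records are constructed, and it assumes each TXT answer is passed in as one string with the quotes from dig output removed.

```python
import re

# Terms that each cost one DNS query toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(txt):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict of lower-cased keys."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txts):
    """txts: all TXT strings at the domain apex. Returns a list of findings."""
    spf = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [f"expected 1 SPF record, found {len(spf)}"]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in spf[0].split()[1:]]
    findings = []
    # Counts this record only; lookups inside included records also count.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if "all" not in names and "redirect" not in names:
        findings.append("no terminal 'all' or redirect")
    return findings

def check_dmarc(txts):
    """txts: TXT strings at _dmarc.<domain>."""
    recs = [t for t in txts if t.startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"expected 1 DMARC record, found {len(recs)}"]
    policy = parse_tags(recs[0]).get("p")
    if policy not in ("none", "quarantine", "reject"):
        return [f"missing or invalid p= policy: {policy!r}"]
    return []

def check_dkim(txts):
    """txts: TXT strings at <selector>._domainkey.<domain>; [] models NXDOMAIN."""
    if not txts:
        return ["selector has no TXT record"]
    if not parse_tags(txts[0]).get("p"):
        return ["missing or empty p= (no usable public key)"]
    return []

# Constructed sample answers (not real records), quotes from dig output removed.
GOOD_SPF = ["v=spf1 mx include:_spf.example.net ip4:192.0.2.0/24 -all"]
BAD_SPF = ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " ~all"]
```

An empty findings list corresponds to expected output; the lookup count covers only the record passed in, so a record that passes here can still exceed the limit once its includes are resolved.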
Resolution Steps
Fix record syntax, reduce SPF complexity, rotate DKIM safely, and phase DMARC enforcement.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
- Document the root cause and the final fix in your runbook to shorten future incidents.