When multiple customers share a MailChannels Outbound Filtering account, any sender authenticated to the service could potentially submit mail that claims to be from your domain. Standard SPF records protect your domain on the open internet, but they do not distinguish between different customers within a shared MailChannels deployment. Domain Lockdown closes this gap by letting you declare — in DNS — exactly which MailChannels account IDs and sender IDs are permitted to send from your domain. Any other account that attempts to send from your domain is rejected with an error.

How Domain Lockdown works

You publish a DNS TXT record at _mailchannels.yourdomain.com. MailChannels checks this record when processing outbound messages. If the sending account or sender ID is not listed in the record, the message is rejected. If no record exists, MailChannels applies no additional restriction beyond standard authentication.

Lockdown identifiers

Domain Lockdown supports two identifier types for Outbound Filtering:
Identifier   Description                                                              Example
auth         Identifies a MailChannels customer (hosting provider) by their           myhostingcompany
             authentication username
senderid     Identifies a specific sender entity, such as an authenticated webmail    myhostingcompany|x-authuser|joe@example.com
             user or a PHP script, by combining the provider, the identity type,
             and the identity in one string
The cfid identifier for Cloudflare Workers is deprecated and will be discontinued. If you are using Outbound Filtering via SMTP relay, use auth and senderid only.

DNS TXT record syntax

Create a TXT record at _mailchannels.yourdomain.com using the following format:
v=mc1 auth=<account-id> senderid=<sender-id>
Fields are separated by spaces, and each field carries exactly one value. To permit several accounts or senders, repeat the field (for example auth=one auth=two); you can include any number of auth and senderid fields in a single record.

Examples

Allow a single hosting provider to send from your domain:
v=mc1 auth=myhostingcompany
Allow two different providers:
v=mc1 auth=myhostingcompany auth=anotherprovider
Lock down to a specific sender ID:
v=mc1 senderid=myhostingcompany|x-authuser|joe@example.com
Allow a provider and a specific sender simultaneously:
v=mc1 auth=myhostingcompany senderid=myhostingcompany|x-authuser|joe@example.com
Block MailChannels from sending any email from your domain entirely:
v=mc1
Publishing a record with only the version string and no auth or senderid fields instructs MailChannels to reject all messages from your domain, regardless of the sending account.

Find your auth and sender ID

Every message routed through MailChannels includes two headers that carry the identifiers you need:
  • X-MailChannels-Auth-Id — carries the auth value (your hosting provider’s account ID)
  • X-MailChannels-Sender-Id — carries the senderid value (the specific sender entity)
To find these values, examine the raw headers of any message that was successfully sent through MailChannels from the domain you want to lock down.

Example message headers

X-MailChannels-Sender-Id: goodhost|x-authuser|joe@example.com
X-MailChannels-Auth-Id: goodhost
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
From: joe@example.com
To: shoshanna@example.net
Subject: Your pineapples have shipped
In this example, you would use auth=goodhost and/or senderid=goodhost|x-authuser|joe@example.com in your _mailchannels TXT record.
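The steps above (read the two MailChannels trace headers, turn them into a _mailchannels record) and the acceptance rules from the syntax section (no record means no extra restriction, a bare v=mc1 rejects everything, otherwise the message needs a listed auth or senderid) can be exercised offline. The following Python is an added example, not the MailChannels testing script or any MailChannels code. It assumes the record grammar is space-separated key=value fields after v=mc1, that keys other than auth and senderid are ignored, and that the sample message is a constructed one modelled on the headers shown above.

```python
"""Added example (not MailChannels code): derive a Domain Lockdown record
from the trace headers of a relayed message, then evaluate candidate
senders against it following the rules described on this page.

Assumptions (not stated by the page): fields are space-separated
key=value pairs after "v=mc1"; keys other than auth/senderid are
ignored; a missing record means "no additional restriction".
"""
from __future__ import annotations

from email import message_from_string

# Constructed sample message, modelled on the page's example headers.
RAW_MESSAGE = """\
X-MailChannels-Sender-Id: goodhost|x-authuser|joe@example.com
X-MailChannels-Auth-Id: goodhost
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
From: joe@example.com
To: shoshanna@example.net
Subject: Your pineapples have shipped

Your order is on its way.
"""


def extract_ids(raw: str) -> tuple[str, str]:
    """Return (auth, senderid) taken from the MailChannels trace headers."""
    msg = message_from_string(raw)
    auth = msg.get("X-MailChannels-Auth-Id", "").strip()
    senderid = msg.get("X-MailChannels-Sender-Id", "").strip()
    if not auth or not senderid:
        raise ValueError("message lacks MailChannels Auth-Id/Sender-Id headers")
    return auth, senderid


def build_record(auth_ids=(), sender_ids=()) -> str:
    """Render a _mailchannels TXT record; with no IDs it is a bare 'v=mc1'."""
    fields = ["v=mc1"]
    fields += [f"auth={a}" for a in auth_ids]
    fields += [f"senderid={s}" for s in sender_ids]
    return " ".join(fields)


def parse_record(record: str) -> dict[str, set[str]]:
    """Parse 'v=mc1 auth=... senderid=...' into the sets of permitted IDs."""
    parts = record.split()
    if not parts or parts[0] != "v=mc1":
        raise ValueError("not a v=mc1 Domain Lockdown record")
    allowed: dict[str, set[str]] = {"auth": set(), "senderid": set()}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed field: {field!r}")
        if key in allowed:  # unknown keys are ignored (assumption)
            allowed[key].add(value)
    return allowed


def evaluate(record: str | None, auth: str, senderid: str) -> tuple[bool, str]:
    """Simulate the lockdown decision for one outbound message."""
    if record is None:
        return True, "no _mailchannels record: no additional restriction"
    allowed = parse_record(record)
    if auth in allowed["auth"]:
        return True, "auth ID matched"
    if senderid in allowed["senderid"]:
        return True, "sender ID matched"
    if not allowed["auth"] and not allowed["senderid"]:
        return False, "record lists no IDs: all MailChannels mail rejected"
    return False, "neither auth ID nor sender ID is listed"


if __name__ == "__main__":
    auth, senderid = extract_ids(RAW_MESSAGE)
    record = build_record(sender_ids=[senderid])
    print("record:", record)
    # The legitimate sender passes; a different provider's account that
    # claims the same mailbox does not, because its sender ID differs.
    for a, s in [(auth, senderid),
                 ("badhost", "badhost|x-authuser|joe@example.com")]:
        print(a, s, evaluate(record, a, s))
```

Locking to a senderid rather than an auth is the tighter option: the rogue account in the demo fails even though it presents the same mailbox, because the provider prefix of its sender ID is not the one you published. The trade-off is that every legitimate sender entity then needs its own senderid field, so validate against each one before relying on the record.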

Test your lockdown record

MailChannels provides a Python testing script that reads your DNS TXT record and simulates whether a given sender would be accepted or rejected. To use it:
  1. Install the Python DNS library:
     pip install dnspython==2.3.0
  2. Download the script from the GitHub Gist.
  3. Run the script against your domain or a test record string.
Test with a hypothetical record string:
python domain-lockdown-explainer.py --text "v=mc1 auth=example" --test auth=example
Output:
MailChannels Domain Lockdown Record Summary:
Version: mc1

Authorized Authenticators:
 - example

Interpretation:
This record authorizes emails from:
 - Senders authenticated by the specified authentication mechanisms

Simulation Result:
Message would be accepted
Reason: Accepted: Auth ID matched.
Test against a real DNS record:
python domain-lockdown-explainer.py --domain yourdomain.com --test auth=myhostingcompany
The script fetches the TXT record from _mailchannels.yourdomain.com and simulates whether the specified auth or senderid value would be accepted.
After publishing your lockdown record, test it thoroughly before relying on it in production. A misconfigured record can cause legitimate outbound mail to be rejected. Use the testing script to validate your record against every auth and senderid value that should be permitted.
If you manage email for multiple domains, create a _mailchannels TXT record for each domain separately. The record at _mailchannels.example.com applies only to example.com and does not affect example.net or any other domain.