MailRoute SPF, DKIM & DMARC Setup Guide

Overview

MailRoute is a cloud-based email security service that filters inbound email for spam, viruses, and phishing before delivering clean messages to your mail server. MailRoute Email Security is popular with organizations that want dedicated filtering without the complexity of full-suite gateway products. Its SPF record uses include:spf.mailroute.net, costing 1 DNS lookup. MailRoute is typically deployed alongside an email platform like Google Workspace or Microsoft 365, plus any outbound senders — so lookup budget management matters.

DKIM Setup: Three Selectors with Auto-Rotation

DKIM in MailRoute uses three selectors (mr01, mr02, mr03) with 2048-bit RSA keys that are automatically rotated by the MailRoute platform. Setup is straightforward — you publish three CNAME records in your DNS:

• mr01._domainkey CNAME mr01.dkim.mailroute.net
• mr02._domainkey CNAME mr02.dkim.mailroute.net
• mr03._domainkey CNAME mr03.dkim.mailroute.net

Since the CNAMEs delegate to MailRoute's infrastructure, key rotations happen automatically — you never need to update the DNS records after the initial setup. The three-selector design gives MailRoute room to rotate keys gracefully: one selector active, one being introduced, and one being retired. This ensures that messages in transit during a rotation always have a valid public key available for verification.

Inbound vs. Outbound Deployment Models

For organizations that use MailRoute as an outbound relay, DKIM signing is applied to outgoing messages automatically. For inbound-only customers, MailRoute verifies incoming DKIM signatures but does not sign outbound mail — your email platform handles outbound signing.

DMARC Alignment

DMARC alignment with MailRoute depends on your deployment model. For inbound filtering (the most common setup), MailRoute does not affect your DMARC alignment — your email platform handles outbound signing, and MailRoute's role is limited to filtering incoming mail before delivery. For outbound relay configurations, MailRoute signs messages with your domain's DKIM keys, maintaining alignment. In either model, include:spf.mailroute.net in your SPF record authorizes MailRoute's IPs for SPF evaluation.

Troubleshooting

MX Records Not Pointing to MailRoute

MailRoute's inbound filtering only works if your MX records point to MailRoute's servers. If MX records still point to your email platform directly, mail bypasses MailRoute entirely — you get no filtering. After setting up MailRoute, verify that your MX records resolve to the MailRoute servers assigned to your account. The specific MX hostnames are provided during MailRoute account setup and are unique to your configuration.

SPF Include but No MX Change

Adding include:spf.mailroute.net to your SPF record without changing MX records to MailRoute is harmless but pointless for inbound filtering. The SPF include authorizes MailRoute's IPs to send mail for your domain, which is only relevant for outbound relay. If you are using MailRoute for inbound filtering only, the SPF include is still recommended — it authorizes MailRoute to relay messages (such as release-from-quarantine) and prevents SPF failures on those messages.

DKIM CNAME Records Not Resolving

If DKIM CNAME records do not resolve, check the hostname format. The records should be published as mr01._domainkey (without your domain appended, if your DNS provider auto-appends). Verify each CNAME individually — a single typo in one of the three records means that selector will fail DKIM verification whenever MailRoute rotates to it. Since you cannot predict which selector MailRoute will use at any given time, all three must be correct.

Relay Misconfiguration and DMARC Failures

For outbound relay setups, MailRoute must be configured as the relay host for your email platform. If the relay is misconfigured — for example, if your email platform sends some messages directly and others through MailRoute — you get inconsistent authentication results. Some messages pass SPF (sent from MailRoute's IPs, which are in your SPF record), while others fail (sent from the platform's IPs, which may or may not be in your SPF record). The fix: ensure all outbound mail consistently routes through MailRoute, or ensure both MailRoute's and the platform's IPs are authorized in SPF.

Quarantine Release Messages Failing SPF

When MailRoute releases a quarantined message to the recipient, the message originates from MailRoute's infrastructure. If include:spf.mailroute.net is not in your SPF record, these release messages may fail SPF checks at the recipient's server. This is another reason to include MailRoute in your SPF record even for inbound-only deployments — quarantine releases are outbound messages sent from MailRoute on behalf of your domain.

Additional Setup Notes

How MailRoute Fits in the Mail Flow

As an inbound email filter, MailRoute sits between the internet and your mail server. Your MX records point to MailRoute, and MailRoute delivers filtered mail to your actual server. This means MailRoute's IP addresses appear in your email headers as a relay hop. The include:spf.mailroute.net in your SPF record authorizes MailRoute to handle mail for your domain.

Key Rotation Without DNS Changes

MailRoute's three DKIM selectors allow seamless key rotation without delivery interruption. Because the selectors use CNAME delegation, MailRoute can rotate the underlying 2048-bit RSA keys without requiring any DNS changes on your end. You publish the three CNAME records once and MailRoute handles the rest. This is a significant operational advantage over providers that use TXT-based DKIM records requiring manual updates during rotation.

Lookup Budget with MailRoute Stacks

For organizations using MailRoute alongside multiple outbound senders, the cumulative lookup cost can approach the 10-lookup limit. A typical setup might include MailRoute (1 lookup), Google Workspace (1 lookup), a marketing platform (1 lookup), and a transactional sender (1 lookup) — still well within budget at 4 lookups. But enterprise environments that add Salesforce, a support desk, and a second marketing platform can reach 7 lookups. Factor in nested lookups within each provider's include chain and the effective budget shrinks.

Migrating To or From MailRoute

When deploying MailRoute, add include:spf.mailroute.net to your SPF record and publish the three DKIM CNAME records before changing MX records. This ensures that any messages relayed through MailRoute (including quarantine releases) are properly authenticated from the first message. When migrating away from MailRoute, change MX records back to your email platform first, confirm mail flow, then remove the SPF include and DKIM CNAME records. Leaving the CNAME records in DNS after decommissioning MailRoute is harmless but creates confusion during future DNS audits.

MailRoute with Other Security Gateways

In some deployments, MailRoute handles inbound filtering while a different gateway (Mimecast, Proofpoint, Barracuda) handles outbound filtering or compliance. This split-gateway architecture requires both providers' SPF includes, consuming at least 2 lookups for filtering alone. Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget for additional providers.