Skip to main content

Domain Lockdown

Domain Lockdown is a DNS-based security feature that tells MailChannels which accounts or senders are allowed to send email from your domain. It helps protect your domain from spoofing by blocking mail sent through MailChannels when the authenticated account or sender identity is not listed in your DNS record.

For each domain you send from, create a TXT record at the _mailchannels subdomain:

_mailchannels.example.com TXT v=mc1 auth=examplecorp

This record allows the MailChannels account examplecorp to send mail from example.com.

Record Format

A Domain Lockdown record is a space-separated list of fields:

_mailchannels.example.com TXT v=mc1 auth=examplecorp senderid=examplecorp|x-authsender|billing@example.com sidw=examplecorp|x-authsender|billing*@example.com
  • v=mc1 identifies the Domain Lockdown record version. Always include this field.
  • auth= allows a MailChannels account ID to send from the domain.
  • senderid= allows one exact sender ID to send from the domain.
  • sidw= allows one sender ID pattern with a limited wildcard *.

You may include more than one auth, senderid, or sidw field in the same record. A message is allowed if any field matches.

warning

Domain Lockdown by Cloudflare Worker ID (cfid) is no longer supported as of August 31, 2024.

Choosing a Lockdown Method

Use auth when every sender under a MailChannels account should be allowed to send from the domain.

_mailchannels.example.com TXT v=mc1 auth=examplecorp

This record allows all senders under account examplecorp to send from example.com. This is the simplest setup and works well when you control all sending for the domain. For example, it is a good fit for a company sending only its own mail.

info

To restrict sending to a specific sub-account, specify the sub-account ID in the auth field instead.

Use senderid when only specific sender identities should be allowed.

_mailchannels.example.com TXT v=mc1 senderid=examplecorp|x-authsender|billing@example.com senderid=examplecorp|x-authsender|alerts@example.com

This record allows only the listed sender IDs to send from example.com. Messages from the same MailChannels account with a different sender ID are not allowed by this record.

Use sidw when you need to allow a controlled group of sender IDs without listing every address individually.

_mailchannels.example.com TXT v=mc1 sidw=examplecorp|x-authsender|*.head@example.com

This can be useful for hosting providers, agencies, or platforms where multiple customers send through the same MailChannels account. In those environments, auth may be too broad because it authorizes every sender using that account.

info

If you are not sure which sender IDs your messages use, see Finding Your Account ID and Sender ID.

Sender ID Wildcard

The sidw field supports a single * wildcard in the sender part of the sender ID. The wildcard matches any number of characters.

For example, this record:

_mailchannels.example.com TXT v=mc1 sidw=examplecorp|x-authsender|billing*@example.com

allows sender IDs such as:

examplecorp|x-authsender|billing.no-reply@example.com
examplecorp|x-authsender|billing.alerts@example.com
examplecorp|x-authsender|billing@example.com

sidw patterns must follow these rules:

  • Format: must consist of three pipe-separated parts: <account>|<sender-type>|<sender>.
  • Pipe character: the | character is always treated as a separator — do not include a literal | in the sender part. Use * to match across that portion of the sender ID instead.
  • Constraint: edge cases such as <account>|mailer-daemon|<clientip>|NOTNDR are not supported.
  • Wildcard: a single wildcard is permitted only in the sender part. A standalone wildcard (e.g. examplecorp|x-authsender|*) is prohibited.
info

Invalid sidw patterns are skipped. Use Testing Your Setup to confirm that your record matches the sender IDs you expect.

Escaping in sidw Patterns

In the sender part of a sidw pattern, * is a wildcard. To match a literal asterisk, write \*. To match a literal backslash, write \\.

For example, this record matches sender IDs such as examplecorp|x-authsender|*depart\billing@example.com and examplecorp|x-authsender|*depart\alerts@example.com:

_mailchannels.example.com TXT v=mc1 sidw=examplecorp|x-authsender|\*depart\\*@example.com

Escaping any other character, such as \a, makes the sidw pattern invalid.

Some DNS providers process backslashes before publishing the TXT record. After creating the record, verify the value DNS returns:

resolvectl query --type=TXT _mailchannels.example.com

The published TXT value is what MailChannels evaluates. Adjust your input based on your DNS provider's escaping requirements until the published value is correct.

Finding Your Account ID and Sender ID

Your MailChannels account ID is shown in the upper-right corner of the MailChannels Console next to Account ID.

To find a sub-account ID, use the GET /tx/v1/sub-account API endpoint.

To find the sender ID for a message, check the headers of a message sent through MailChannels. MailChannels adds these headers:

X-MailChannels-SenderId: examplecorp|x-authsender|billing@example.com
X-MailChannels-Auth-Id: examplecorp
Content-Type: text/plain; charset="utf-8"
Date: Mon, 22 Aug 2022 14:15:57 -0500
From: billing@example.com
To: customer@example.net
Subject: Your invoice is ready
  • Use the X-MailChannels-Auth-Id value in an auth= field. Note that messages sent by a sub-account will show the sub-account ID here, not the parent.
  • Use the X-MailChannels-SenderId value in a senderid= field, or as a reference when writing a sidw= pattern.

Testing Your Setup

After publishing the DNS record, confirm that it is visible:

resolvectl query --type=TXT _mailchannels.example.com

You can also use the POST /tx/v1/check-domain API endpoint to check Domain Lockdown status for a domain. Include sender_id when you want to test a senderid or sidw rule.

DNS changes may take time to propagate. If a new or changed record does not pass immediately, check the returned TXT value and retry after the record's DNS TTL has expired.

Best Practices

  • Start with the narrowest rule that matches your sending model.
  • Use auth for domains where one MailChannels account controls all authorized sending.
  • Use senderid or sidw for shared hosting, reseller, agency, or platform environments where multiple customers send through the same account.
  • Keep records simple. Prefer a few clear fields over broad wildcard patterns.
  • Review Domain Lockdown records when you add new sending systems, customer domains, or sender ID formats.
  • Remove old auth, senderid, and sidw fields when they are no longer needed.