domain-email-setup

name: domain-email-setup description: Set up email authentication (MX, SPF, DKIM, DMARC) for a domain. Use when configuring Google Workspace, Resend, SendGrid, Mailgun, SES, Postmark, or ProtonMail. Requires domain-suite-mcp.

Configure email DNS records for $ARGUMENTS using the domain-suite-mcp server.

Steps

1. Call list_providers to find the DNS provider. Call list_dns_records for the domain to see what email records already exist.

2. Identify the mail provider if not already specified. Supported templates:

   • google (Google Workspace / Gmail)
   • resend
   • sendgrid
   • mailgun
   • ses (Amazon SES)
   • postmark
   • protonmail (MX only)
   • custom (user provides their own values)

3. Set up records in this order (order matters for testing):

   Step 1 — MX records (call setup_mx):

   • Uses template for the mail provider
   • Idempotent: skips exchanges already present
   • For custom, ask for exchange hostnames and priorities

   Step 2 — SPF record (call setup_spf):

   • Uses template for the mail provider
   • Idempotent: updates existing SPF record in place (prevents duplicate SPF per RFC 7208)
   • For custom, ask for the full SPF policy string (must start with v=spf1)

   Step 3 — DKIM record (call setup_dkim):

   • Ask the user for: selector name (e.g. google, mail, s1) and the public key (base64)
   • PEM headers are stripped automatically
   • Supports keyType: rsa (default) or ed25519
   • Idempotent: updates existing record, returns previous value
   • Skip if the user doesn't have their DKIM key yet (they may need to get it from their mail provider dashboard)

   Step 4 — DMARC record (call setup_dmarc):

   • Recommend starting with policy: none for monitoring (won't reject mail)
   • Ask if the user wants a report email address for aggregate reports
   • Idempotent: updates existing record in place
   • After confirming deliverability, the user can escalate to quarantine then reject

4. Summarize all records created/updated. Remind the user:

   • DNS propagation takes time
   • DKIM requires publishing the key in their mail provider dashboard first
   • After propagation, use their mail provider's tools to verify DMARC pass

Notes

• All four tools (setup_mx, setup_spf, setup_dkim, setup_dmarc) are idempotent — safe to run multiple times
• They return a previous field when overwriting an existing record so the user can see what changed
• For Resend: selector is typically resend, key is provided in Resend dashboard under Domains
• For Google Workspace: selector is google, key is in Admin Console → Apps → Gmail → Authenticate email