How to point your MX records to MailShield SEG

Updating your Mail Exchanger (MX) records is the final and most critical step in activating MailShield SEG. This process redirects your organization's inbound email flow through our security gateway, allowing us to filter out spam, viruses, and phishing attempts before they reach your primary mail server (e.g., Google Workspace, Microsoft 365, or an on-premise Exchange server).

1. Prerequisites

Before updating your DNS settings, ensure the following conditions are met:

Domain Verification: Your domain must be added and verified within the MailShield Portal.
Relay Target Configured: You must have specified the "Relay Target" (the hostname or IP of your actual destination mail server) in your domain settings.
Access to DNS: You must have administrative access to your domain's DNS provider (e.g., Cloudflare, Route 53, GoDaddy, or Bluehost).

2. Recommended: Reduce Your TTL

"Time to Live" (TTL) determines how long DNS servers around the world cache your records. Before making changes, we recommend lowering the TTL on your existing MX records to 300 seconds (5 minutes).

Doing this 24 hours in advance ensures that when you finally switch to MailShield, the change propagates globally almost instantly. If you keep a high TTL (like 3600 or 86400), some senders may continue sending mail to your old server for hours after the update.

3. Configure MailShield MX Records

To route your mail through MailShield, you need to replace your existing MX records with the following. Note that most DNS providers require a trailing dot at the end of the hostname.

Priority	Hostname
`10`	`seg-in.cadmuscyber.com`

Important Steps:

Login to your DNS provider’s management console.
Locate the MX Records section for your domain.
Add the new record provided above.
Delete your old MX records. Keeping your old records alongside MailShield records will create a "backdoor" that allows spammers to bypass our security gateway entirely.

4. Addressing "Recipient Address Verification" (RAV)

MailShield SEG utilizes Recipient Address Verification to protect your infrastructure from Directory Harvest Attacks and backscatter spam. When the first few emails hit our gateway after your MX change, you may notice a slight delay or a 450 4.1.1 temporary rejection in your logs.

This is normal behavior. Our gateway is performing a background probe to your destination server to confirm the recipient exists. Sending servers (like Outlook or Gmail) will automatically retry the delivery within minutes, and once the address is cached as valid, future deliveries will be instantaneous.

5. Verifying the Update

Once you have saved your DNS changes, you can verify the status in two ways:

MailShield Portal: Navigate to the Domains page. Our system periodically checks your DNS. Once the correct record is detected, the MX record verification status will be set to active in the portal.
Manual Check: Use a command-line tool like dig or nslookup:
```
dig mx yourdomain.com +short
```
The output should only show the seg-in.cadmuscyber.com hostname.

6. Common Provider Guides

While the logic is the same across all providers, the interface differs:

Cloudflare: Go to the DNS tab, select "MX" as the type, use @ for the name, and enter the values above. Ensure the "Proxy" status is set to DNS Only (MX records cannot be proxied).
Microsoft 365 / GoDaddy: If Microsoft 365 currently manages your DNS, you must manually edit the MX records in the Microsoft 365 Admin Center under Settings > Domains.
Google Workspace: If you are moving from Google, ensure you delete all five Google MX records (aspmx.l.google.com, etc.) once the MailShield record is added.

Technical Support

If you encounter issues during propagation or receive bounce-back messages, please do not delete the MailShield records. Instead, check your Relay Target settings in the portal or contact our technical team.