If you have clicked Run DNS Verification in your MailShield dashboard and received a "Some checks failed" warning, do not panic. DNS configuration can be tricky, but the errors are usually easy to fix.
Here are the most common reasons your MX verification might be failing and how to resolve them.
1. Global propagation delays (The most common cause)
If you just updated your records five minutes ago, the internet simply might not know about it yet. DNS changes can take up to 48 hours to fully propagate worldwide.
- The Fix: Take a break and check back later. MailShield will automatically re-verify the domain every 30 seconds while you have the verification page open. If 24 hours have passed and it is still failing, check the steps below.
2. Conflicting "Stale" MX Records
Your domain should only route inbound mail to MailShield. If you added the new MailShield MX record but forgot to delete the old ones (pointing to Microsoft 365, Google, or your web host), spammers can exploit the old records to bypass our security filters. MailShield will flag this as a "Stale MX records" warning.
- The Fix: Log back into your DNS provider (e.g., GoDaddy, Cloudflare, cPanel). Look at your list of MX records. Delete everything except the single record pointing to the MailShield gateway.
3. Incorrect MX Priority
Mail servers use "Priority" numbers to know which server to try first. MailShield specifically looks for the correct priority during verification.
- The Fix: Ensure the MailShield MX record has its Priority set exactly to
10.
4. Typos in the Hostname
A single missing letter or an accidental trailing port number will break the DNS routing.
- The Fix: Double-check the Value / Points To field in your DNS provider. It must exactly match the inbound host provided in your MailShield dashboard. Ensure there are no spaces at the end, and no port numbers (like
:25) attached to the hostname.
5. SPF Record Warnings
Sometimes your MX records pass perfectly, but you receive a yellow warning regarding your SPF (Sender Policy Framework) record. While an SPF warning will not stop your inbound mail from arriving, you should fix it to protect your domain's outgoing reputation.
- The Fix: Ensure you have added the required
include:_spf.cadmuscyber.comstatement to your existing SPF TXT record, placing it right before the~allor-allmechanism at the end of the text string.
If you have checked all of the above and your domain is still failing verification after 48 hours, click the Contact Support button on the verification page so our engineers can investigate your specific DNS configuration.