308 lines
17 KiB
HTML
308 lines
17 KiB
HTML
<html>
|
||
<head>
|
||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
<title>Setup DNS records for your iRedMail server (A, PTR, MX, SPF, DKIM)</title>
|
||
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
||
</head>
|
||
<body>
|
||
|
||
<div id="navigation">
|
||
<a href="/index.html" target="_blank">
|
||
<img alt="iRedMail web site"
|
||
src="./images/logo-iredmail.png"
|
||
style="vertical-align: middle; height: 30px;"
|
||
/>
|
||
<span>iRedMail</span>
|
||
</a>
|
||
// <a href="./index.html">Document Index</a></div><h1 id="setup-dns-records-for-your-iredmail-server-a-ptr-mx-spf-dkim">Setup DNS records for your iRedMail server (A, PTR, MX, SPF, DKIM)</h1>
|
||
<div class="toc">
|
||
<ul>
|
||
<li><a href="#setup-dns-records-for-your-iredmail-server-a-ptr-mx-spf-dkim">Setup DNS records for your iRedMail server (A, PTR, MX, SPF, DKIM)</a><ul>
|
||
<li><a href="#a-record-for-server-hostname">A record for server hostname</a><ul>
|
||
<li><a href="#what-is-an-a-record">What is an A record</a></li>
|
||
<li><a href="#how-to-setup-an-a-record">How to setup an A Record</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#reverse-ptr-record-for-server-ip-address">Reverse PTR record for server IP address</a><ul>
|
||
<li><a href="#what-is-a-reverse-ptr-record">What is a reverse PTR record</a></li>
|
||
<li><a href="#why-do-you-need-a-reverse-ptr-record">Why do you need a reverse PTR record</a></li>
|
||
<li><a href="#how-to-setup-a-reverse-ptr-record">How to setup a Reverse PTR record</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#mx-record-for-mail-domain-name">MX record for mail domain name</a><ul>
|
||
<li><a href="#what-is-a-mx-record">What is a MX record</a></li>
|
||
<li><a href="#how-to-setup-the-mx-record">How to setup the MX record</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#spf-record-for-your-mail-domain-name">SPF record for your mail domain name</a><ul>
|
||
<li><a href="#what-is-a-spf-record">What is a SPF record</a></li>
|
||
<li><a href="#how-to-setup-the-spf-record">How to setup the SPF record</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#dkim-record-for-your-mail-domain-name">DKIM record for your mail domain name</a><ul>
|
||
<li><a href="#what-is-a-dkim-record">What is a DKIM record</a></li>
|
||
<li><a href="#how-to-setup-the-dkim-record">How to setup the DKIM record</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#register-your-mail-domain-in-google-postmaster-tools">Register your mail domain in Google Postmaster Tools</a></li>
|
||
<li><a href="#references">References</a></li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
</div>
|
||
<p><strong>IMPORTANT NOTE</strong>: <code>A</code>, <code>MX</code> records are required, <code>Reverse PTR</code>, <code>SPF</code> and
|
||
<code>DKIM</code> are optional but strongly recommended. All in all, set them all up please.</p>
|
||
<h2 id="a-record-for-server-hostname">A record for server hostname</h2>
|
||
<h3 id="what-is-an-a-record">What is an A record</h3>
|
||
<p><code>A</code> records map a FQDN (fully qualified domain name) to an IP address. This is
|
||
usually the most often used record type in any DNS system. This is the DNS
|
||
record you should add if you want to point a domain name to a web server.</p>
|
||
<h3 id="how-to-setup-an-a-record">How to setup an A Record</h3>
|
||
<ul>
|
||
<li>
|
||
<p><code>Name</code>: This will be the host for your domain which is actually a computer
|
||
within your domain. Your domain name is automatically appended to your name.
|
||
If you are trying to make a record for the system <code>www.mydomain.com</code>. Then all
|
||
you enter in the textbox for the name value is <code>www</code>.</p>
|
||
<p><strong>Note</strong>: If you leave the name field blank it will default to be the record
|
||
for your base domain <code>mydomain.com</code>. The record for your base domain is
|
||
called the root record or apex record.</p>
|
||
</li>
|
||
<li>
|
||
<p><code>IP</code>: The IP address of your FQDN. An IP address can be thought of as
|
||
the telephone number to your computer. It is how one computer knows how to
|
||
reach another computer. Similar to the country codes, area codes, and phone
|
||
number it is used to call someone.</p>
|
||
</li>
|
||
<li>
|
||
<p><code>TTL</code>: The TTL (Time to Live) is the amount of time your record will stay
|
||
in cache on systems requesting your record (resolving nameservers, browsers,
|
||
etc.). The TTL is set in seconds, so 60 is one minute, 1800 is 30 minutes, etc..</p>
|
||
</li>
|
||
</ul>
|
||
<p>Systems that have a static IP should usually have a TTL of 1800 or higher.
|
||
Systems that have a dynamic IP should usually have a TTL of 1800 of less.</p>
|
||
<p>The lower the TTL the more often a client will need to query the name servers
|
||
for your host's (record's) IP address this will result in higher query traffic
|
||
for your domain name. Where as a very high TTL can cause downtime when you
|
||
need to switch your IPs quickly.</p>
|
||
<p>Sample record:</p>
|
||
<pre><code>NAME TTL TYPE DATA
|
||
|
||
www.mydomain.com. 1800 A 192.168.1.2
|
||
mail.mydomain.com. 1800 A 192.168.1.5
|
||
</code></pre>
|
||
|
||
<p>The end result of this record is that <code>www.mydomain.com</code> points to
|
||
<code>192.168.1.2</code>, and <code>mail.mydomain.com</code> points to <code>192.168.1.5</code>.</p>
|
||
<h2 id="reverse-ptr-record-for-server-ip-address">Reverse PTR record for server IP address</h2>
|
||
<h3 id="what-is-a-reverse-ptr-record">What is a reverse PTR record</h3>
|
||
<p>PTR record or more appropriately a reverse PTR record is a process of resolving
|
||
an IP address to its associated hostname. This is the exact opposite of the
|
||
process of resolving a hostname to an IP address (<code>A</code> record). Example, when you ping a
|
||
name <code>mail.mydomain.com</code> it will get resolved to the ip address using the DNS
|
||
to something like <code>192.168.1.5</code>. Reverse PTR record does the opposite; it looks
|
||
up the hostname for the given IP address. In the example above the PTR record
|
||
for IP address <code>192.168.1.5</code> will get resolved to <code>mail.mydomain.com</code>.</p>
|
||
<h3 id="why-do-you-need-a-reverse-ptr-record">Why do you need a reverse PTR record</h3>
|
||
<p>The most common use for looking up a PTR record is done by spam filters.
|
||
Concept behind this idea is that fly by night spammers who send e-mails out
|
||
using fake domains generally will not have the appropriate reverse PTR setup
|
||
at the ISP DNS zone. This criterion is used by spam filters to detect spam. If
|
||
your domain does not have an appropriate reverse PTR record setup then chances
|
||
are email spam filtering softwares <strong>MIGHT</strong> block e-mails from your mail server.</p>
|
||
<h3 id="how-to-setup-a-reverse-ptr-record">How to setup a Reverse PTR record</h3>
|
||
<p>You would most likely need to contact your ISP and make a request to create a
|
||
reverse PTR record for your mail server IP address. For example, if your mail
|
||
server hostname is <code>mail.mydomain.com</code> then ask your ISP to setup a reverse
|
||
PTR record <code>192.168.1.5</code> (your internet public IP address) in their revesre DNS
|
||
zone. Reverse DNS zones are handled by your ISP even though you may have your
|
||
own forward lookup DNS zone that you manage.</p>
|
||
<h2 id="mx-record-for-mail-domain-name">MX record for mail domain name</h2>
|
||
<h3 id="what-is-a-mx-record">What is a MX record</h3>
|
||
<p>Mail Exchanger Record or more commonly known as MX record is an entry in the
|
||
DNS server of your domain that tells other mail servers where your mail server
|
||
is located. When someone sends an e-mail to a user that exists on your mail
|
||
server from the internet, MX provides the location or IP address where to send
|
||
that e-mail. MX record is the location of your mail server that you have
|
||
provided to the outside world via the DNS.</p>
|
||
<p>Most mail servers generally have more than one MX record, meaning you could
|
||
have more than one mail server setup to receive e-mails. Each MX record has a
|
||
priority number assigned to it in the DNS. The MX record with <strong>lowest number
|
||
has the highest priority</strong> and that is considered your primary MX record or
|
||
your main mail server. The next lowest mx number has the next highest primary
|
||
and so on. You generally have more than one mail server, one being the primary
|
||
and the others as backups, only one MX for mail server is OK too.</p>
|
||
<h3 id="how-to-setup-the-mx-record">How to setup the MX record</h3>
|
||
<p>If your ISP or domain name registrar is providing the DNS service, you can
|
||
request them to set one up for you. If you manage your own DNS servers then
|
||
you need to create the MX records in your DNS zone yourself.</p>
|
||
<p>Sample MX record:</p>
|
||
<pre><code>NAME PRIORITY TYPE DATA
|
||
|
||
mydomain.com. 10 mx mail.mydomain.com
|
||
</code></pre>
|
||
|
||
<p>The end result of this record is, emails sent to <code>[user]@mydomain.com</code> will
|
||
be delivered to server <code>mail.mydomain.com</code>.</p>
|
||
<h2 id="spf-record-for-your-mail-domain-name">SPF record for your mail domain name</h2>
|
||
<h3 id="what-is-a-spf-record">What is a SPF record</h3>
|
||
<p>SPF is a spam and phishing scam fighting method which uses DNS SPF-records to
|
||
define which hosts are permitted to send e-mails for a domain. For details on
|
||
SPF, please see <a href="http://www.openspf.org/">http://www.openspf.org/</a></p>
|
||
<p>This works by defining a DNS SPF-record for the e-mail domain name specifying
|
||
which hosts (e-mail servers) are permitted to send e-mail from the domain name.</p>
|
||
<p>Other e-mail servers can lookup this record when receiving an e-mail from this
|
||
domain name to verify that sending e-mail server is connecting from a permitted
|
||
IP address.</p>
|
||
<h3 id="how-to-setup-the-spf-record">How to setup the SPF record</h3>
|
||
<p>A new SPF-record type was recently added to the DNS protocol to support this
|
||
(<a href="http://www.rfc-editor.org/rfc/rfc4408.txt">RFC4408</a>).</p>
|
||
<p>However not all DNS and e-mail servers support this new record type yet, so
|
||
SPF can also be configured in DNS using the TXT-record type.</p>
|
||
<p>Examples:</p>
|
||
<ul>
|
||
<li>SPF record refer to MX record. It means emails sent from all servers defined
|
||
in MX record of <code>mydomain.com</code> are permitted by sender organization.</li>
|
||
</ul>
|
||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 mx mx:mydomain.com -all"
|
||
</code></pre>
|
||
|
||
<ul>
|
||
<li>or SPF record refer to IP address directly. it means emails sent from
|
||
specified IP address are permitted by sender organization.</li>
|
||
</ul>
|
||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 ip4:192.168.1.100 -all"
|
||
</code></pre>
|
||
|
||
<p><code>-all</code> means prohibit all others.</p>
|
||
<p>There're more valid mechanisms available, please check
|
||
<a href="http://www.openspf.org/SPF_Record_Syntax">OpenSPF web site</a> for more details.</p>
|
||
<h2 id="dkim-record-for-your-mail-domain-name">DKIM record for your mail domain name</h2>
|
||
<h3 id="what-is-a-dkim-record">What is a DKIM record</h3>
|
||
<p>DKIM allows an organization to take responsibility for a message in a way that
|
||
can be verified by a recipient. The organization can be a direct handler of
|
||
the message, such as the author's, the originating sending site's, or an
|
||
intermediary's along the transit path. However, it can also be an indirect
|
||
handler, such as an independent service that is providing assistance to a
|
||
direct handler. DKIM defines a domain-level digital signature authentication
|
||
framework for email through the use of public-key cryptography and using the
|
||
domain name service as its key server technology
|
||
(<a href="http://www.dkim.org/specs/rfc5585.html#RFC4871">RFC4871</a>). It permits
|
||
verification of the signer of a message, as well as the integrity of its
|
||
contents. DKIM will also provide a mechanism that permits potential email
|
||
signers to publish information about their email signing practices; this will
|
||
permit email receivers to make additional assessments of unsigned messages.
|
||
DKIM's authentication of email identity can assist in the global control of
|
||
"spam" and "phishing".</p>
|
||
<p>A person or organization has an "identity" -- that is, a constellation of
|
||
characteristics that distinguish them from any other identity. Associated
|
||
with this abstraction can be a label used as a reference, or "identifier".
|
||
This is the distinction between a thing and the name of the thing. DKIM uses
|
||
a domain name as an identifier, to refer to the identity of a responsible
|
||
person or organization. In DKIM, this identifier is called the Signing Domain
|
||
IDentifier (SDID) and is contained in the DKIM-Signature header fields <code>d=</code>
|
||
tag. Note that the same identity can have multiple identifiers.</p>
|
||
<h3 id="how-to-setup-the-dkim-record">How to setup the DKIM record</h3>
|
||
<ul>
|
||
<li>Run command in terminal to show your DKIM keys:</li>
|
||
</ul>
|
||
<pre><code class="bash"># amavisd showkeys
|
||
dkim._domainkey.mydomain.com. 3600 TXT (
|
||
"v=DKIM1; p="
|
||
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK"
|
||
"txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok"
|
||
"FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5"
|
||
"EV711qseo/omquskkwIDAQAB")
|
||
</code></pre>
|
||
|
||
<p><strong>Note</strong>: On some Linux/BSD distribution, you should use command <code>amavisd-new</code>
|
||
instead of <code>amavisd</code>. if it complains <code>/etc/amavisd.conf not found</code>, you should
|
||
tell amavisd the correct path of its config file. For example:</p>
|
||
<pre><code class="shell"># amavisd -c /etc/amavisd/amavisd.conf showkeys
|
||
</code></pre>
|
||
|
||
<ul>
|
||
<li>Copy output of command above into one line like below, remove all quotes, but
|
||
keep <code>;</code>. <strong>we just need strings inside the <code>()</code> block</strong>, it's the value of
|
||
DKIM DNS record.</li>
|
||
</ul>
|
||
<pre><code>v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYArsr2BKbdhv9efugBy...
|
||
</code></pre>
|
||
|
||
<p><strong>Note</strong>: BIND (<a href="http://www.isc.org/downloads/bind/">The most widely used Name Server Software</a>)
|
||
can handle this kind of multi-line format, so you can paste it in your domain
|
||
zone file directly.</p>
|
||
<ul>
|
||
<li>
|
||
<p>Add <code>TXT</code> type DNS record for domain name <code>dkim._domainkey.mydomain.com</code>,
|
||
set value to the line you copied above: <code>v=DKIM1; p=...</code>.</p>
|
||
<blockquote>
|
||
<p>WARNING: A usual mistake is adding this DKIM record to domain name
|
||
<code>mydomain.com</code>, this is wrong. Please make sure you added to domain name
|
||
<code>dkim._domainkey.mydomain.com</code>.</p>
|
||
</blockquote>
|
||
</li>
|
||
<li>
|
||
<p>After you added this in DNS, verify it with <code>dig</code> or <code>nslookup</code>:</p>
|
||
</li>
|
||
</ul>
|
||
<pre><code>$ dig -t txt dkim._domainkey.mydomain.com
|
||
|
||
$ nslookup -type=txt dkim._domainkey.foodmall.com
|
||
</code></pre>
|
||
|
||
<p>Sample output:</p>
|
||
<pre><code>dkim._domainkey.mydomain.com. 600 IN TXT "v=DKIM1\;p=..."
|
||
|
||
</code></pre>
|
||
|
||
<p>And verify it with Amavisd:</p>
|
||
<pre><code class="shell"># amavisd testkeys
|
||
TESTING: dkim._domainkey.mydomain.com => pass
|
||
</code></pre>
|
||
|
||
<p>If it shows <code>pass</code>, it works.</p>
|
||
<p><strong>Note</strong>: If you use DNS service provided by ISP, new DNS record might take
|
||
some hours to be available.</p>
|
||
<p>If you want to re-generate DKIM key, or need to generate one for new mail
|
||
domain, please check our another tutorial:
|
||
<a href="./sign.dkim.signature.for.new.domain.html">Sign DKIM signature on outgoing emails for new mail domain</a>.</p>
|
||
<h2 id="register-your-mail-domain-in-google-postmaster-tools">Register your mail domain in Google Postmaster Tools</h2>
|
||
<p>This step is <strong>optional</strong>, but <strong>higly recommended</strong>.</p>
|
||
<p>Google Postmaster Tools web site: <a href="https://postmaster.google.com">https://postmaster.google.com</a>, and
|
||
<a href="https://support.google.com/mail/answer/6258950">Postmaster Tools FAQs</a>.</p>
|
||
<p>It's very simple: just register your mail domain there, and they'll give you a
|
||
text record for your DNS so that they can validate the ownership of the domain.</p>
|
||
<p>Why use Google Postmaster Tools? Quote from
|
||
<a href="https://support.google.com/mail/answer/6227174">Google Postmaster Tools help page</a>:</p>
|
||
<blockquote>
|
||
<p>If you send a large volume of emails to Gmail users, you can use Postmaster Tools to see:</p>
|
||
<ul>
|
||
<li>If users are marking your emails as spam</li>
|
||
<li>Whether you’re following Gmail's best practices</li>
|
||
<li>Why your emails might not be delivered</li>
|
||
<li>If your emails are being sent securely</li>
|
||
</ul>
|
||
</blockquote>
|
||
<p>It <em><strong>MIGHT</strong></em> also help to get you out of the <code>Junk</code> mailbox.</p>
|
||
<p>If you have trouble in sending email to Gmail (or Google Apps), Google offers
|
||
some information on best practices to ensure that their mail is delivered to
|
||
Gmail users: <a href="https://support.google.com/mail/answer/81126?hl=en">Bulk Senders Guidelines</a>.</p>
|
||
<p>You may also submit this form to contact Google:
|
||
<a href="https://support.google.com/mail/contact/bulk_send_new?rd=1">Bulk Sender Contact Form</a></p>
|
||
<h2 id="references">References</h2>
|
||
<ul>
|
||
<li><a href="http://en.wikipedia.org/wiki/MX_record">http://en.wikipedia.org/wiki/MX_record</a></li>
|
||
<li><a href="http://www.openspf.org/">http://www.openspf.org/</a></li>
|
||
<li><a href="http://www.dkim.org/">http://www.dkim.org/</a></li>
|
||
</ul><p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.<script>
|
||
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
|
||
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
|
||
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
|
||
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
|
||
|
||
ga('create', 'UA-3293801-21', 'auto');
|
||
ga('send', 'pageview');
|
||
</script>
|
||
</body></html> |