18 KiB
Setup DNS records for your iRedMail server (A, PTR, MX, SPF, DKIM, DMARC)
[TOC]
IMPORTANT NOTE: A, MX records are required, Reverse PTR, SPF,
DKIM and DMARC are optional but HIGHLY recommended.
A record for server hostname {: id="a" }
What is an A record
A records map a FQDN (fully qualified domain name) to an IP address. This is
usually the most often used record type in any DNS system. This is the DNS
record you should add if you want to point a domain name to a web server.
How to setup an A Record
-
Name: This will be the host for your domain which is actually a computer within your domain. Your domain name is automatically appended to your name. If you are trying to make a record for the systemwww.mydomain.com. Then all you enter in the textbox for the name value iswww.Note: If you leave the name field blank it will default to be the record for your base domain
mydomain.com. The record for your base domain is called the root record or apex record. -
IP: The IP address of your FQDN. An IP address can be thought of as the telephone number to your computer. It is how one computer knows how to reach another computer. Similar to the country codes, area codes, and phone number it is used to call someone. -
TTL: The TTL (Time to Live) is the amount of time your record will stay in cache on systems requesting your record (resolving nameservers, browsers, etc.). The TTL is set in seconds, so 60 is one minute, 1800 is 30 minutes, etc..
Systems that have a static IP should usually have a TTL of 1800 or higher. Systems that have a dynamic IP should usually have a TTL of 1800 of less.
The lower the TTL the more often a client will need to query the name servers for your host's (record's) IP address this will result in higher query traffic for your domain name. Where as a very high TTL can cause downtime when you need to switch your IPs quickly.
Sample record:
NAME TTL TYPE DATA
www.mydomain.com. 1800 A 192.168.1.2
mail.mydomain.com. 1800 A 192.168.1.5
The end result of this record is that www.mydomain.com points to
192.168.1.2, and mail.mydomain.com points to 192.168.1.5.
Reverse PTR record for server IP address {: id="ptr" }
What is a reverse PTR record
PTR record or more appropriately a reverse PTR record is a process of resolving
an IP address to its associated hostname. This is the exact opposite of the
process of resolving a hostname to an IP address (A record). Example, when you ping a
name mail.mydomain.com it will get resolved to the ip address using the DNS
to something like 192.168.1.5. Reverse PTR record does the opposite; it looks
up the hostname for the given IP address. In the example above the PTR record
for IP address 192.168.1.5 will get resolved to mail.mydomain.com.
Why do you need a reverse PTR record
The most common use for looking up a PTR record is done by spam filters. Concept behind this idea is that fly by night spammers who send e-mails out using fake domains generally will not have the appropriate reverse PTR setup at the ISP DNS zone. This criterion is used by spam filters to detect spam. If your domain does not have an appropriate reverse PTR record setup then chances are email spam filtering softwares MIGHT block e-mails from your mail server.
How to setup a Reverse PTR record
You would most likely need to contact your ISP and make a request to create a
reverse PTR record for your mail server IP address. For example, if your mail
server hostname is mail.mydomain.com then ask your ISP to setup a reverse
PTR record 192.168.1.5 (your internet public IP address) in their reverse DNS
zone. Reverse DNS zones are handled by your ISP even though you may have your
own forward lookup DNS zone that you manage.
MX record for mail domain name {: id="mx" }
What is a MX record
Mail Exchanger Record or more commonly known as MX record is an entry in the DNS server of your domain that tells other mail servers where your mail server is located. When someone sends an e-mail to a user that exists on your mail server from the internet, MX provides the location or IP address where to send that e-mail. MX record is the location of your mail server that you have provided to the outside world via the DNS.
Most mail servers generally have more than one MX record, meaning you could have more than one mail server setup to receive e-mails. Each MX record has a priority number assigned to it in the DNS. The MX record with lowest number has the highest priority and that is considered your primary MX record or your main mail server. The next lowest mx number has the next highest primary and so on. You generally have more than one mail server, one being the primary and the others as backups, only one MX for mail server is OK too.
How to setup the MX record
If your ISP or domain name registrar is providing the DNS service, you can request them to set one up for you. If you manage your own DNS servers then you need to create the MX records in your DNS zone yourself.
Sample MX record:
NAME PRIORITY TYPE DATA
mydomain.com. 10 mx mail.mydomain.com.
The end result of this record is, emails sent to [user]@mydomain.com will
be delivered to server mail.mydomain.com.
autodiscover for your domain
What is an autoconfig/autodiscover record
autoconfig/autodiscover.company.com records allow mail clients to fetch automatically the mail client configuration of a mailbox. If the mailbox to configure is user@company.com then it will automatically check autodiscover.company.com for the correct configuration.
More information is available here: Setup DNS records for autoconfig and autodiscover.
How to setup the autoconfig/autodiscover record
If your ISP or domain name registrar is providing the DNS service, you can request them to set one up for you. If you manage your own DNS servers then you need to create the autoconfig/autodiscover records in your DNS zone yourself.
Sample autoconfig/autodiscover record:
NAME PRIORITY TYPE DATA
autodiscover.mydomain.com. 10 mx mail.mydomain.com.
autoconfig.mydomain.com. 10 mx mail.mydomain.com.
SPF record for the mail domain name {: id="spf" }
What is a SPF record
SPF is a spam and phishing scam fighting method which uses DNS SPF-records to define which hosts are permitted to send e-mails for a domain. For details on SPF, please check wikipedia.
This works by defining a DNS SPF-record for the e-mail domain name specifying which hosts (e-mail servers) are permitted to send e-mail from the domain name.
Other e-mail servers can lookup this record when receiving an e-mail from this domain name to verify that sending e-mail server is connecting from a permitted IP address.
How to setup the SPF record
SPF is a TXT type DNS record, you can list IP address(es) or MX domains in it. For example:
mydomain.com. 3600 IN TXT "v=spf1 mx -all"
This SPF record means emails sent from all servers defined in MX record of
mydomain.com are permitted to send as someone@mydomain.com.
-all means prohibit emails sent from all other servers. If it's too strict
for you, you can use ~all instead which means soft fail (uncertain).
You can specify IP address(es) directly too:
mydomain.com. 3600 IN TXT "v=spf1 ip4:111.111.111.111 ip4:111.111.111.222 -all"
Of course you can have them both or more in same record:
mydomain.com. 3600 IN TXT "v=spf1 mx ip4:111.111.111.222 -all"
There're more valid mechanisms available, please check wikipedia for more details.
DKIM record for the mail domain name {: id="dkim" }
What is a DKIM record
DKIM allows an organization to take responsibility for a message in a way that can be verified by a recipient. The organization can be a direct handler of the message, such as the author's, the originating sending site's, or an intermediary's along the transit path. However, it can also be an indirect handler, such as an independent service that is providing assistance to a direct handler. DKIM defines a domain-level digital signature authentication framework for email through the use of public-key cryptography and using the domain name service as its key server technology (RFC4871). It permits verification of the signer of a message, as well as the integrity of its contents. DKIM will also provide a mechanism that permits potential email signers to publish information about their email signing practices; this will permit email receivers to make additional assessments of unsigned messages. DKIM's authentication of email identity can assist in the global control of "spam" and "phishing".
A person or organization has an "identity" -- that is, a constellation of
characteristics that distinguish them from any other identity. Associated
with this abstraction can be a label used as a reference, or "identifier".
This is the distinction between a thing and the name of the thing. DKIM uses
a domain name as an identifier, to refer to the identity of a responsible
person or organization. In DKIM, this identifier is called the Signing Domain
IDentifier (SDID) and is contained in the DKIM-Signature header fields d=
tag. Note that the same identity can have multiple identifiers.
How to setup the DKIM record
-
Run command in terminal to show your DKIM keys:
!!! attention
* On some Linux/BSD distribution, you should use command `amavisd-new` instead of `amavisd`. * On CentOS, if it complains `/etc/amavisd.conf not found`, please run the command with path to its config file. For example: ```amavisd -c /etc/amavisd/amavisd.conf showkeys```
# amavisd showkeys
dkim._domainkey.mydomain.com. 3600 TXT (
"v=DKIM1; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK"
"txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok"
"FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5"
"EV711qseo/omquskkwIDAQAB")
- Copy output of command above into one line like below, remove all quotes, but
keep
;. we just need strings inside the()block, it's the value of DKIM DNS record.
v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYArsr2BKbdhv9efugBy...
Note: BIND (The most widely used Name Server Software) can handle this kind of multi-line format, so you can paste it in your domain zone file directly.
-
Add
TXTtype DNS record for domain namedkim._domainkey.mydomain.com, set value to the line you copied above:v=DKIM1; p=....WARNING: A usual mistake is adding this DKIM record to domain name
mydomain.com, this is wrong. Please make sure you added to domain namedkim._domainkey.mydomain.com. -
After you added this in DNS, verify it with
digornslookup:
$ dig -t txt dkim._domainkey.mydomain.com
$ nslookup -type=txt dkim._domainkey.foodmall.com
Sample output:
dkim._domainkey.mydomain.com. 600 IN TXT "v=DKIM1\;p=..."
And verify it with Amavisd:
# amavisd testkeys
TESTING: dkim._domainkey.mydomain.com => pass
If it shows pass, it works.
Note: If you use DNS service provided by ISP, new DNS record might take some hours to be available.
If you want to re-generate DKIM key, or need to generate one for new mail domain, please check our another tutorial: Sign DKIM signature on outgoing emails for new mail domain.
DMARC record for the mail domain name {: id="dmarc" }
What is DMARC, and how does it combat phishing?
Quote from FAQ page on dmarc.org website (it's strongly recommended to read the full FAQ page):
DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spam and phishing messages, and keep them out of peoples’ inboxes.
DMARC is a proposed standard that allows email senders and receivers to cooperate in sharing information about the email they send to each other. This information helps senders improve the mail authentication infrastructure so that all their mail can be authenticated. It also gives the legitimate owner of an Internet domain a way to request that illegitimate messages – spoofed spam, phishing – be put directly in the spam folder or rejected outright.
Some useful documents from https://dmarc.org:
How to setup the DMARC record
!!! attention
DMARC heavily relies on SPF and DKIM records, please make sure you have
correct and up to date SPF and DKIM records published.
DMARC record is a TXT type DNS record.
A simplified record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com
A detailed sample record looks like this:
v=DMARC1; p=reject; sp=none; adkim=s; aspf=s; rua=mailto:dmarc@mydomain.com; ruf=mailto:dmarc@mydomain.com
-
v=DMARC1identifies the DMARC protocol version, currently onlyDMARC1is available, andv=DMARC1must appear first in a DMARC record. -
adkimspecifies alignment mode for DKIM. 2 options are available:r: relax mode (adkim=r)s: strict mode (adkim=s)
-
aspfspecifies alignment mode for SPF. 2 options are available:r: relax mode (aspf=r)s: strict mode (aspf=s)
-
pspecifies the policy for organizational domain. It tells the recipient server what to do if received email fails DMARC mechanism check. 3 options are available:none(p=none): The domain owner requests no specific action be taken regarding delivery of messages.quarantine(p=quarantine): The domain owner wishes to have email that fails the DMARC mechanism check be treated by Mail Receivers as suspicious. Depending on the capabilities of the Mail Receiver, this can mean "place into spam folder", "flag as suspicious", or "quarantine toe email somewhere", maybe more.reject(p=reject): The domain owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check during the SMTP transaction.
!!! attention
- If you're sure all your emails are sent by the server(s) listed in SPF record, or have correct DKIM signature signed, `p=reject` is strongly recommended. - According to [RFC 7489](https://tools.ietf.org/html/rfc7489#section-6.3), __the "v" and "p" tags MUST be present and MUST appear in that order.__ so please always place "p" tag immediately follow the "v" tag. e.g. `v=DMARC1; p=reject; aspf=s; ...` is ok, but not `v=DMARC1; aspf=s; p=reject; ...`. -
spspecifies policy for all subdomains. This is optional. Available options are same asp. -
ruaspecifies a transport mechanism to deliver aggregate feedback. Currently onlymailto:is supported. This is optional. -
rufspecifies a transport mechanism which message-specific failure information is to be reported. Currently onlymailto:is supported. This is optional.
SRV record for Jabber/XMPP service
If you install Prosody (with iRedMail Easy platform) as Jabber/XMPP server, 2 SRV records are required.
If your mail domain name is mydomain.com and server hostname is
mail.mydomain.com, you should add 2 SRV type DNS records:
_xmpp-client._tcp.mydomain.com_xmpp-server._tcp.mydomain.com
Sample records:
_xmpp-client._tcp.mydomain.com 18000 IN SRV 0 5 5222 mail.mydomain.com
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 mail.mydomain.com
The target domain mail.mydomain.com MUST be an existing A record, it
cannot be an IP address or a CNAME record.
Register your mail domain in Google Postmaster Tools
This step is optional, but highly recommended.
Google Postmaster Tools web site: https://postmaster.google.com, and Postmaster Tools FAQs.
It's very simple: just register your mail domain there, and they'll give you a text record for your DNS so that they can validate the ownership of the domain.
Why use Google Postmaster Tools? Quote from Google Postmaster Tools help page:
If you send a large volume of emails to Gmail users, you can use Postmaster Tools to see:
- If users are marking your emails as spam
- Whether you’re following Gmail's best practices
- Why your emails might not be delivered
- If your emails are being sent securely
It MIGHT also help to get you out of the Junk mailbox.
If you have trouble in sending email to Gmail (or Google Apps), Google offers some information on best practices to ensure that their mail is delivered to Gmail users: Bulk Senders Guidelines.
You may also submit this form to contact Google: Bulk Sender Contact Form
Check Outlook.com Postmaster site
Outlook Postmaster site provides some useful information for mail server administrators, if the email you sent to Outlook.com is marked as spam, please take a look: