Setup DNS records for you email server

In order for you email to work and people can send and receive mails without problems you need to set DNS server records properly. Also, additional DNS records like SPF and DKIM can help your email server reputation, and better spam detection.

Lets go through simple DNS setup for email server.

I will show you my DNS setup. There are a lot of ways you can host DNS – you can do it yourself, you can do it as a dedicated service, at your domain registrar, VPS provider (if you are using VPS VM at hosting provider).

Lets start with basics.

There are few things you need to have a website or email server available on the internet.

In order to have a service on the internet, you need domain name. Like for instance – my domain is named informaticar.net.

Buy a domain

You go to the domain registrar, like namecheap.com (not afiliated in any way, I just have good experience with them) and search for a name you like and see if it available. A lot of domains are already registered, so you will have to be creative.

Let’s say we bought informaticar.net domain name

Get an fixed public IP address

Once you bought domain – lets say we bought informaticar.net for a sake of this guide we need a couple of more components.

You need fixed public IP address – there are many ways you can host your services on the internet, but having fixed public IP is the most serious and reliable way to host your services.Fixed pubic IPv4 addresses are hard to come by and usually you home internet service and mobile data plan does not have fixed public IP.

How do I get public IP? You get internet connection (usually fiber optics) with fixed public IP (which can be expensive, depending or where do you live, or might be unavailable), or you select hosting company and host you internet services there (rent web/mail hosting, rent VPS, or arrange collocation for your machine at hosting provider). Renting VPS is my prefered way through which I get fixed IP at the same time.

Lets say we got a VPS machine with public IP address of 0.111.222.333 (this is not real or valid public IP address, but it will help us to distinguish concepts further on)

Get machine to put your web services on and connect your domain to

You bought domain because you want to host website, mail server or some other web/cloud service. You need to install these services somewhere. You are reading this because probably you want to know more and do something yourself. So, I won’t be talking about classic web/email hosting here. As I already mentioned, I like to host my web services through VPS.

What is VPS – virtual private server. You select hardware config (cpu, ram and disk space) OS you like to use (Windows, Linux) and provider sets for you clean virtual machine in the datacenter with which you can do what you want, install what you want (as long as it is legal).

With VPS you usually get your own fixed public IP address, be it IPv4 or IPv6 address.

VPS provider I like most is Contabo Again, I’m not affiliated with them, I use them for about 10 years, and (knock on the wood) they have been great so far.

DNS

Ok, so we established that we bought domain, got a VPS machine with fixed public IP address, and we want to install website and email server on that VPSmachine. But how will the world know that our website/email server is hosted on that specific VPS machine somewhere in data center?

We need DNS. With DNS we will connect our domain name with the public IP address of our VPS machine, so that anyone in the world can get our web service just by typing our domain name.

Ok, but where do I get DNS and how do I configure it? You can host DNS yourself, but this article will not teach you that.

You can host DNS through your domain registrar usually, or VPS provider. I know for a fact that both Namecheap and Contabo have DNS service.

For a simplicity of this tutorial we will use Premium DNS from Namecheap. So, webiste where I bought domain will also host my DNS. It can be also done via Contabo control panel of the VPS, but here, we are going to do it through Namecheap.

There are a lot of different ways to do any of these steps, but we will select this way. Ok ,lets start with DNS.

Setup DNS for email service

Namecheap will configure nameserver and basic stuff for your domain. You just need to add records you need.

For a email server, we need A record, MX record and PTR record.

DNS values as standardized, so everything I write here can be done on any other DNS server in the world.

For a email server to work we need to create something like mail.informaticar.net

I usually add mail. for my mail servers.

A record

Ok, so first we need to create A record. A record will have host name mail and value of a public IP 0.111.222.333

A record
mail   0.111.222.333

Ok, I changed IP address from the screenshot to hide my real one from the production system (although it is easy to find)

So, this is how that record would look like.

Now, if anyone in the world types in mail.informaticar.net they will be redirected right to your VPS server on IP 0.111.222.333 and if you have service alive and passing through firewall you would get response.

MX Record

MX record is specific to email communication. We will simply create mx record with value mail.informaticar.net.

You will also need to specify “weight” so that would be 10.

What is weight meaning. Lower weight – higher priority. I serious production systems you have more than one mail server.

Lets say you have two email servers. One is mail.informaticar.net with weight of 10 and second one is mail1.informaticar.net with weight of 30. Anyone on the internet who wishes to send you email will look first for the server with lower weight – so, they would try to access mail.informaticar.net first, and then, if it is not reachable, server would look for higher value and try to send to those email servers.

Ok, so we will select MX record and type following

mail.informaticar.net   10

Last one in these is PTR record

PTR record

Pointer record translates from IP address to domain name. It is reverse DNS record. It is extremely important record, because if PTR record doesn’t match your mail server name and IP, you can have problems and be listed as spammer.

For this record, if you internet connection with fixed public IP you will have to ask you ISP to enter this record for you.

Since we have VPS machine, Contabo is good enough to have that organized through the Control Panel of the VPS

So, you would simply go to revers DNS management, and enter following

IP address                      Name (PTR record)
0.111.222.333                 mail.informaticar.net

Check DNS configuration

On sites like mxtoolbox.com you can check your DNS configuration

MX Lookup

Ok, so the internet know that we exist.

You can also do here DNS Lookup, test email server once it is done.

We will do also email server test right now to see if we got our PTR record right. Ok, SMTP Reverse DNS Mismatch is OK.

So basic tests are ok, but at the first test we got DMARC Error.

Ok, lets set SPF, DKIM records to make our email server more reputable.

SPF Record

SPF is (sender policy framework) record that specifies which hosts or IP addresses can send email on behalf of a domain. Naturally, only your servers should be specified in this record.

Ok, lets create one. We will do simple one. We will create new TXT record and enter following

v=spf1 mx ~all

v=spf1 – spf version 1

mx – all servers listed in MX records for domain are authorized to send email.

~all specifies that emails from your domain should only come from hosts specified in your spf.

Lets check spf status for our domain on mxtoolbox. Ok, no SPF record, lets create one

So, for the type we entered TXT record, host @, and value v=spf1 mx ~all

HOST                VALUE
@                v=spf1 mx ~all

Some DNS providers may require double quotation marks for the spf value, so it would look like this “v=spf1 mx ~all”

Ok, so I entered my spf

And let’s check mxtoolbox again

We are in green and valid

This guide is also part of my email server on Ubuntu series, so we will also be configuring Postfix on Ubuntu to work with spf.

Configure SPF policy agent

We well tell our Postfix to look for spf records of incoming emails.It may help detecting incoming forged emails.

First, installation

sudo apt install postfix-policyd-spf-python

Then, ofcourse a little file editing

First, we will edit master.cf

sudo nano /etc/postfix/master.cf

To the end of the file add following

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Now, we will edit main.cf

sudo nano /etc/postfix/main.cf

Add following to the file

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Save and close the file.

Restart Postfix

sudo systemctl restart postfix

DKIM Setup

Again, this part goes with my email setup guide and is ment to be done on Ubuntu.

DKIM uses a private key to add a signature to emails from your domain. Receiving email server can verify them by looking into public key published on your DNS.

We will install OpenDKIM

sudo apt install opendkim opendkim-tools

We will now add postfix user to dkim group

sudo gpasswd -a postfix opendkim

We will edit opendkim.conf

sudo nano /etc/opendkim.conf

Uncomment following lines and add relaxed/simple to Canonicalization

Canonicalization   relaxed/simple
Mode               sv
SubDomains         no

Under “Subdomain no” add following in the opendkim.conf

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

And, add following to the end of the file. UserID opendkim is already added in Ubuntu 20.04.

#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID             opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts

Save and close file.

Create Signing Table, Key Table, Trusted Hosts file.

First, we will create directories for OpenDKIM

sudo mkdir /etc/opendkim

sudo mkdir /etc/opendkim/keys

Change ownership

sudo chown -R opendkim:opendkim /etc/opendkim

sudo chmod go-rw /etc/opendkim/keys

We will also create signing table

sudo nano /etc/opendkim/signing.table

Add following line to your file. Change informaticar.net for your domain.

*@informaticar.net    default._domainkey.informaticar.net

Save and close file.

Now, let’s create key table

sudo nano /etc/opendkim/key.table

Add following to the file. Again, change informaticar.net for your domain name.

default._domainkey.informaticar.net     informaticar.net:default:/etc/opendkim/keys/informaticar.net/default.private

Save and close file.

Now, we need to create trusted hosts file.

sudo nano /etc/opendkim/trusted.hosts

Add following to the file. Change informaticar.net into your domain.

127.0.0.1
localhost

*.informaticar.net

Save file and exit.

Generate Private/Public keypair

Ok, we need private key for signing of the outgoing emails, and public part will be published in our DNS so that recipients can verify us.

Create a folder dor a domain (change informaticar.net for your domain)

sudo mkdir /etc/opendkim/keys/informaticar.net

We will now generate keys using opendkim tool. Change informaticar.net for your domain!!

sudo opendkim-genkey -b 2048 -d informaticar.net -D /etc/opendkim/keys/informaticar.net -s default -v

-d specifies domain

-D specifies directory

Private Key will be written to default.private and public to the default.txt

Now, we just need to maken opendkim owner of the private key

sudo chown opendkim:opendkim /etc/opendkim/keys/informaticar.net/default.private

Publish Public Key in DNS

To display public key type in following. Change informaticar.net to your domain!

sudo cat /etc/opendkim/keys/informaticar.net/default.txt

Create DKIM DNS record

Now, in DNS record we need new TXT record and under name we need to enter default._domainkey in the name field.Then from the terminal copy everything withing the round brackets. Make sure there are no double quotes or white spaces in the value field. If you don’t copy values properly, your DKIM test will fail.

So value like this

Needs to be changed to this

Erase blank/whitespace and double quotes.

So ,this is how your DNS should look like

Ok, let’s test with Mxtoolbox. Everything in green, that is how we like it. :)

Ok , we will do another test by executing following command on the machine our mial server is located on. Change informaticar.net for your domain!!

sudo opendkim-testkey -d informaticar.net -s default -vvv

If you got “key OK” then everything is all right. Key not secure doesn’t have to scare you, we got this message because we don’t have DNSSEC in place.

Connect Postfix to OpenDKIM

We need to create following directory and change permissions on them.

sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim

Then we need to edit OpenDKIM config file

sudo nano /etc/opendkim.conf

Find following line (Ubuntu 20.04)

Socket    local:/run/opendkim/opendkim.sock

And replace it with

Socket    local:/var/spool/postfix/opendkim/opendkim.sock

Save and exit file.

Next file we will edit is

sudo nano /etc/default/opendkim

Try to find following line

SOCKET="local:/var/run/opendkim/opendkim.sock"

or this one

SOCKET=local:$RUNDIR/opendkim.sock

Change it to

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Save and close file.

Let’s just edit one more Postfix file

sudo nano /etc/postfix/main.cf

Add following to the bottom of the file

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Save and close file

Restart OpenDKIM and Postfix

sudo systemctl restart opendkim
sudo systemctl restart postfix 

Ok, I will now send email from my email server informaticar.net to my gmail account to check SPF and DKIM in real life.

After you received email in gmail, open message you received, and in the top right corner of the message select menu and click on Show Original

SPF and DKIM have PASS status

This is good, we done everything correctly.

You can also test your email server through mxtoolbox.com and https://www.mail-tester.com/

This test is great test for your email if you plan to send newsletters, promotions… Make sure to include complete email message you plan to send.

Lets finish this part of the text with lovely screen from mail-tester.com.

DMARC setup

Ok, after we are done with the SPF and DKIM setup, we want to setup DMARC. DMARC (Domain based authentication, reporting and conformance) signals that mails from a domain are protected with SPF and DKIM. DMARC can help you discover legitimate email sources.

DMARC should help you improve domain reputation and help with fraud detection (forged From field).

DMARC is important for every business, especially if you rely on email marketing.

Also, warning, be careful with DMARC, and test it with gradual settings change, start with the most relaxed settings, and then tune it to your needs.

Explaining DMARC record

DMARC record is TXT record in DNS. You don’t need to do anything on your installation, you just need to add DMARC to your DNS.

There are sites like https://www.kitterman.com/dmarc/assistant.html? which can help you create your DMARC TXT record.

If we look at the screen of the website I posted above, this is what it looks like

There are three policy types:

none – tells receiving email server to do nothing if email fails DMARC check.

quarantine – email will be put in quarantine if it doesn’t pass DMARC check.

reject – email will be rejected if the DMARC check fails.

None is a good start, later on you can change to quarantine and then to reject when you really know how your system works.

Don’t jump to reject or quarantine right away, wait for some data first.

Aggregate Data Reporting Address and Forensic Data Reporting Address:

Explained even in the footer of the webiste – email addresses you wish to receive reports on. Forensic data can be data intensive.

Aggregate Data are daily XML reports and Forensic data are real time reports. Most of the time you would like to receive aggregate data only.

Failure reporting options:

0 – generates report if ALL underlying mechanisms fail to pass DMARC check.

1 – generate reports if ANY mechanisms fail.

d – generates report if DKIM signature failed

s – generate report if SPF fails.

DKIM/SPF identifier alignment:

Relaxed is good for a start, later on you can change to strict if you see the need.

Apply policy to this percentage:

Simply, percentage of emails DMARC applies to. For a start, 100% is good.

You should wait a good amount of time to receive enough DMARC reports to tackle this percentage.

First, use none policy with 100%, then after some time, you can switch to quarantine policy when you are familiar with reports.

p=none; pct=100%;

But when you switch to quarantine you should go gradually and increase percentage.

p=quarantine; pct=25%;

p=quarantine; pct=50%;

p=quarantine; pct=75%;

p=quarantine; pct=100%;

Of course you can change percentage to values you find proper, but you get the idea.

Same should be repeated after you finally decide to use reject policy.

p=reject; pct=25%;

Reporting interval

Select time interval which you see fit.

Creating DMARC Record

Not all of these DMARC records are mandatory, so, you don’t have to specify for example reporting interval, or forensic email address, if you don’t plan to use it.

So, this is what the website above generated for me:

This is an example, but this is a DMARC I will use:

TXT host name

_dmarc

TXT value

v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc@informaticar.net

So, policy is none, apllies in 100% and will generate comprehensive reports with fo=1, also, my aggregate email is defined (swap informaticar.net for your domain).

So, you see that I left out some of the commands from the website. My DMARC record will work, because it still has all the necessary ingredients in it.

Let’s test our DMARC setup with MXToolbox DMARC Lookup

Ok, we are good, there is one exclamation mark, claiming that “DMARC Policy Not Enabled”. As I already said, we are using none until we gather information, and the in time we can slowly set to quarantine or reject policy.

To enable these out of the box would be possibly dangerous for our email mailflow. Do that only if you are 100% what you are doing and you have knowledge.

We will also repeat gmail test (just send email from your domain to gmail account). We have SPF, DKIM and DMARC pass.

Interpreting DMARC reports

As I already mentioned and we also defined in our DMARC DNS record – we will receive aggregate reports on our email account.

DMARC raw data are not very easy to understand. Postmark (thank you) can process these reports for you even for free and make them easier to understand.

You will just need to enter your data into Postmark and then you can slightly change your DMARC DNS record.

You can specify multiple email addresses to receive reports, or you can leave only one provided by Postmark, it is up to you.

Be sure to change “yourname” and informaticar.net for your unique data.

v=DMARC1; p=none; pct=100; fo=1; rua=mailto:yourname@dmarc.postmarkapp.com,mailto:dmarc@informaticar.net;

In case you wonder what forensic reports do. Forensic reports will have entire copies of emails that failed DMARC check – email headers, subject lines, body… Some email servers don’t send forensic reports because of privacy and data sensitivity.

Conclusion

Ok, that would be it for this one, I tried to give you as much as I can in terms on the information and knowledge about setting up DNS for email server. With all these records and with this setup, you will be able to have an email server that is functioning.

I manage my own email servers now for almost 15 years, and in terms of DNS this is what works for me.

Disclaimer