AWS EC2 Reverse DNS (PTR) Failing - email

I have searched everywhere and can't find an answer.
I have the domain mydomain.com. The root and www records point to my main server, which runs my website.
I am now using a separate AWS ec2 instance to set up an email server for my domain. This is running on the subdomain mail.
My dns looks like this:
A @ webserverip
A www webserverip
A mail ec2ip
To prevent my server from getting flagged for spam, I submitted the amazon reverse dns form here: https://aws.amazon.com/forms/ec2-email-limit-rdns-request
I gave them the ip of my ec2 mail server, and put "mail.mydomain.com" in the "Reverse DNS Record for EIP 1" box.
However, I keep receiving emails back from them saying:
When attempting to map the reverse DNS entry, we notice that this is failing because the PTR record doesn't match the A record for that domain.
We currently require the forward A record to match the PTR record for all reverse DNS entries.
I really don't understand what I am doing wrong. The "mail" subdomain has an A record pointing to my ec2 server ip. Any assistance would be greatly appreciated!
(I am using cloudflare for my dns if this makes any difference)

You can follow these steps to configure the DNS for your EC2 dedicated mail server on AWS:
STEPS
Add two A host records for pop.mydomain.com and smtp.mydomain.com that point to your elastic IP and assign your MX record to the smtp.mydomain.com host.
Add a CNAME record (not A host record) for mail.mydomain.com that points to the DNS entry assigned by AWS (e.g., ec2-XXX-XXX-XXX-XXX.REGION.compute.amazonaws.com).
Submit your rDNS request for smtp.mydomain.com mapping to your EIP.
Don't forget to add the SPF TXT record for your mail server. For example, v=spf1 mx a
Once you're done with this setup, you should have a proper mail server configuration in terms of DNS that would pass SMTP tests and avoid being flagged as spam.

Related

How to connect my Mac Mail to my domain whose DNS is handled through DigitalOcean?

I bought a domain.
I pointed its name servers to:
ns1.digitalocean.com
ns2.digitalocean.com
I have added a CNAME record pointing to @.
I want to send and receive emails using my Mac mail program.
I know that I should probably build a full mail server which is an awful thing to do.
Therefore, I have another server (not DigitalOcean) running cPanel. In this cPanel I have a very powerful cPanel mail server.
How can I point my digitalocean CNAME to the remote server where the cPanel is?
I hope it's clear enough.
In order to make your domain point to the DigitalOcean server, you will have to create an A record that points to the IP of that server; the same goes for any subdomain.
Regarding your mail server, you need to make mail.mydomain.com point to the IP of your cPanel server using an A record, not a CNAME, and also modify other records like the SPF/DKIM records.
For your local mail client you can get the configuration by logging into the cPanel user account and viewing the mail settings.

AWS EC2 generic suspect

All my e-mails from AWS Plesk instances are going to Gmail spam and being rejected by Outlook.
Running a test in app.glockapps.com, I discovered that my NEW instances and elastic IP are on the blacklist of this site: https://matrix.spfbl.net/3.209.102.205. It says that my rDNS ec2-3-209-102-205.compute-1.amazonaws.com is generic.
I configure my DNS on registro.br.
You need to configure reverse DNS, which means the IP address should resolve to the domain you are using for sending emails.
You would be required to create a PTR record for your domain with the IP address used. This will fix the issue of the reverse DNS being generic.
For AWS you need to fill in this form: https://aws.amazon.com/forms/ec2-email-limit-rdns-request

SMTP client's hostname doesn't match PTR

I'm building an SMTP server and I'm struggling with an issue regarding hosts connecting to my SMTP server.
For instance, one client is connecting to my SMTP server with the given hostname: EUR02-AM5-obe.outbound.protection.outlook.com.
Unfortunately, the server's IP doesn't match that hostname (52.101.131.25).
Based on the SMTP rules, I should refuse this email, but when I do a reverse IP lookup for 52.101.131.25, I get mail-bgr052101131025.outbound.protection.outlook.com, which also comes from Outlook.com!
So, even if the hostname doesn't match the IP, the IP is originating from a valid source in that case (outbound.protection.outlook.com).
And Outlook is not the only one doing so, here's the case with Zoho:
HELO sender21-mail.zoho.eu coming from the IP 185.20.209.254.
But when you do a reverse lookup, you don't find sender21-mail.zoho.eu, but ... sender.zoho.eu
How can I ensure that both hostnames come from the same valid source and that it's just the IP that is badly configured?
With content distribution networks & load balancing, the EHLO name and IP/reverse DNS often don't match. You could check the IP's validity against SPF records (not every domain has SPF records, but it is quite common). Taking zoho.eu as an example, the SPF record for the domain is
v=spf1 include:spf.zoho.eu -all
which is essentially a reference out to the record for spf.zoho.eu:
v=spf1 ip4:185.20.209.0/24 ip4:31.186.226.0/24 ip4:87.252.213.0/24 ip4:84.207.209.0/24 ~all
185.20.209.254 falls within ip4:185.20.209.0/24 and is thus a reasonable source for messages from zoho.eu.
How to validate the source IP against SPF records depends on the SMTP server being used. There are milters for Sendmail and policy servers for Postfix that validate SPF.
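To make the SPF walk in this answer concrete, here is a small added example (not code from the answer or from any mail server project) that evaluates a sending IP against the two zoho.eu records quoted above; the records are embedded as constructed data so it runs offline, and example.net is an extra constructed record showing the hard-fail path. It only implements ip4/ip6, include and all; a production check should use a full SPF library.

```python
# Added example (not from the original answer): a minimal SPF evaluator over
# constructed TXT records. Handles ip4:, ip6:, include: and the "all" mechanism
# with +/-/~/? qualifiers; a, mx, exists and redirect= are deliberately skipped.
import ipaddress

# Constructed zone data. The two zoho.eu records are the ones quoted in the
# answer; example.net is an invented record used to show a hard "-all" fail.
CONSTRUCTED_TXT = {
    "zoho.eu": "v=spf1 include:spf.zoho.eu -all",
    "spf.zoho.eu": "v=spf1 ip4:185.20.209.0/24 ip4:31.186.226.0/24 "
                   "ip4:87.252.213.0/24 ip4:84.207.209.0/24 ~all",
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str) -> str:
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return CONSTRUCTED_TXT.get(domain, "")


def spf_check(ip: str, domain: str, txt_lookup=lookup_txt, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:  # crude loop guard; RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = txt_lookup(domain)
    if not record.startswith("v=spf1"):
        return "none"  # no SPF published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") or term.startswith("ip6:"):
            # `in` is False when the address family differs, so ip4 never matches v6
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced record yields "pass"
            matched = spf_check(ip, term[8:], txt_lookup, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" present
```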

temperror when email is sent to hotmail & end up in junk/spam folder

When I send emails to Hotmail inboxes they end up in the spam/junk folder with the following in the header:
Authentication-Results: hotmail.com; spf=temperror (sender IP is X.X.X.X)
smtp.mailfrom=marieke@X.X; dkim=temperror header.d=X.com; x-hmca=none
However, both DKIM and SPF have been good for at least a week, and they show "pass" when an email is sent to Gmail. In the past, the domain was hosted on a different server with different SPF and DKIM records in the DNS.
Is it possible that Microsoft servers don't do a DNS lookup, or perhaps only do one from time to time?
There are several reasons why it happens:
First of all, the Microsoft DNS lookup takes some time due to the TTL of DNS records, perhaps several weeks.
Then, my mistake was to set up two A records for my SMTP server hostname rather than one. Consequently, due to round robin, the Forward Confirmed Reverse DNS lookup failed from time to time, as the wrong IP address was returned. So if you have an SMTP mail server, you should only have one A record (and one AAAA record), meaning one IP address for it.
IPv4:
One server hostname = Only ONE IP address (A record)
One IPv4 address = Only ONE server hostname (Reverse DNS)
IPv6:
One server hostname = Only ONE IP address (AAAA record)
One IPv6 address = Only ONE server hostname (Reverse DNS)
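The AWS rejection in the first question ("the PTR record doesn't match the A record") and the round-robin failure described in this answer are both outcomes of the same forward-confirmed reverse DNS test. As an added example (not code from any of the posts above), this check reproduces that test over constructed records; the hostnames and addresses are placeholders, and the resolver functions are injectable so a real DNS library can be substituted for a live check.

```python
# Added example (not from the original posts): a forward-confirmed reverse DNS
# (FCrDNS) check: ip -> PTR name -> A records, which must lead back to ip through
# a single unambiguous A record. Runs offline against constructed zone data.
from typing import Callable, List, Optional, Tuple
import ipaddress

# Constructed zone data (placeholder names and documentation-range addresses).
CONSTRUCTED_A = {
    "mail.mydomain.com.": ["203.0.113.10"],                  # one A record: good
    "smtp.mydomain.com.": ["203.0.113.10", "203.0.113.11"],  # two A records: round robin
    "www.mydomain.com.": ["198.51.100.5"],
}
CONSTRUCTED_PTR = {
    "203.0.113.10": "mail.mydomain.com.",
    "203.0.113.11": "smtp.mydomain.com.",
    "198.51.100.5": "www.mydomain.com.",
}


def fake_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; returns None when no reverse entry exists."""
    return CONSTRUCTED_PTR.get(ip)


def fake_a(name: str) -> List[str]:
    """Stand-in for an A query; returns every address published for the name."""
    return CONSTRUCTED_A.get(name, [])


def fcrdns_check(ip: str, expected_name: str,
                 ptr_lookup: Callable[[str], Optional[str]] = fake_ptr,
                 a_lookup: Callable[[str], List[str]] = fake_a) -> Tuple[bool, str]:
    """Return (ok, reason). ok only when PTR names expected_name and that name's
    sole A record is ip; multiple A records are flagged as an intermittent failure."""
    ipaddress.ip_address(ip)  # reject malformed input before any lookup
    name = expected_name.rstrip(".") + "."
    ptr = ptr_lookup(ip)
    if ptr is None:
        return False, "no PTR record for %s" % ip
    if ptr.rstrip(".") + "." != name:
        return False, "PTR %s is not %s" % (ptr, name)
    addrs = a_lookup(name)
    if ip not in addrs:
        return False, "A record for %s does not contain %s" % (name, ip)
    if len(addrs) > 1:
        # Round-robin answers mean a verifier may be handed the other address
        return False, "%s has %d A records; FCrDNS will fail intermittently" % (name, len(addrs))
    return True, "forward and reverse agree"
```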

Confusion about MX records

I'm very confused by the fundamentals of DNS records (in this case MX records). Right now I have registered a domain name (let's call it example.com). This domain is configured to my linode's IP via their nameservers.
The default MX record that is in the Domain Manager is 'mail.example.com'. Fair enough.
I followed this tutorial about setting up an Exim server:
Exim Tutorial in Linode Library
and I'm kind of confused. My default hostname on the machine is 'antares' and thus the FQDN is 'antares.example.com'. In this tutorial I don't see how this 'mail.example.com' comes into play. Where do I specify this? Or should I point the MX record to antares.example.com?
I'm very new to DNS records and even newer to mail records. Any hints to clarify my misunderstanding would be invaluable.
The DNS server for your domain will by default serve up the www or .domain.com entry to web browsers etc., but it actually hosts a bunch of name pointers for other services, one of which is mail exchange.
Services which need your MX record value know how to look it up from your DNS server, so in this case they will find mail.domain.com when you supply the domain.com part.
If you need to set up a mail server you will need to change the MX record in your domain manager to point to your machine's IP; this can be different from your default www host name/IP on the same domain, as every service can be served by a different host (any IP).