I created a mail server with debian 8 and iRedMail that works perfectly. The mail server runs 5 virtual domains and is configured with SPF, DKIM and DMARC
I receive correctly DMARC report for mails sent from the machine and everything is aligned.
I have a second machine that works as a Web Server, this machine sends daily reports to an #gmail.com account when I receive DMARC reports of this machine the SPF is aligned (because the IP is inserted in the DNS record) but the DKIM not presume because it is not configured.
How do I align the DKIM also the WEB machine? In addition to sometimes as the sending address is not the IP but the PTR (Reverse DNS) also in this case the DKIM is not aligned.
The following DNS configuration:
_dmarc.maildomain.com. 300 IN TXT "v=DMARC1\; p=quarantine\; rua=mailto:mail#maildomain.com"
maildomain.com. 300 IN TXT "v=spf1 a mx ip4:ip_mail_server ip4:ip_web_server ~all"
dkim._domainkey.maildomain.com. 300 IN TXT "v=DKIM1\; p=KEY"
I think there are three options:
Use your existing mail server as authenticated smtp relay for the webserver (one point of failure but therefore less maintenance work) with e.g. ssmtp
Implement DKIM signing on your webserver as well (either with the same key or a second one)
Set DKIM option relaxed for DMARC. There is an official list of DMARC generator which may help you. Generally, the addition "adkim=s;" would do it in your TXT record starting with "v=DMARC1;"
Hope that helps, otherwise please add more details.
Related
The received headers in the email are basically the addresses of the email servers that the email was passed to reach their destination. The last received header is originating address for the email coming from a domain.
So If I am receiving a mail from a domain "example.com", the originating received header should be an outgoing SMTP server address of the "example.com" domain.
Is there any way I can verify the address in the email header with the expected address of the domain?
From what I understood by reading blogs, is that the MX record is only for receiving the emails and not for sending emails. Is there something similar to the MX record but only for outbound/outgoing mails?
Please correct me If I am wrong anywhere.
Thanks.
You are correct that only a domain's inbound mail server are stored in MX (mail exchange) DNS records. A domain's outbound servers are stored in SPF (sender permitted from / sender policy framework) DNS records. These state what machines may send email for a given domain.
(This is important for outsourcing your email sending, so that e.g., Gmail's servers are considered valid senders for example.com.)
You can query the domain's txt records, e.g., with dig:
$ dig -t txt stackoverflow.com | grep spf
stackoverflow.com. 203 IN TXT "v=spf1 ip4:198.252.206.0/24 include:_spf1.stackoverflow.com ~all"
Here you see that the machines in the 198.252.206.0/24 CIDR range are allowed to send email for #stackoverflow.com addresses.
Normally, your inbound mail server should do all these checks for you, plus DKIM and DMARC.
I have a domain name, mysite.com registered with a provider at ns1.dnsprovider.com and ns2.dnsprovider.com.
mysite.com is a Wordpress site on WHM/cPanel at IP: 111.222.333.444
I can set my DNS records at DNSProvider to point at 111.222.333.444 for the websites - no problem. I also need to set up email facilities.
This I'm struggling with. I'm simply running the standard Exim package in cPanel.
I figure I need to set up an A record mail.mysite.com for IP 111.222.333.444 but I also need to set up MX records. Would this be to mail.mysite.com with priority 0 and 10?
Also what about DKIM and SPF records? What would I need to enter?
First a quick note: If the mail server is on the same IP address you do not need the extra A record, since there is already an A record the MX record can use.
As for the MX record, it depends on what the mail addresses will be. For the one you mentioned the mail addresses will be user#mail.example.com, if you want them to be user#example.com, then the MX record must be for example.com, like this:
# MX 10 mail.example.com.
Where mail.example.com is the extra A record you wanted to create, you can also point the record to example.com, since it has an A record pointed to the IP of the mail server.
Now for the SPF record it depends on which servers will be send mails on behalf of your domain. If only your server (this includes your web site, since they are on the same IP) the SPF record can be like this:
# TXT "v=spf1 a -all"
This allows the IP of your A record to send mails and "forbids" everybody else.
The DKIM record is in the following format:
default._domainkey TXT "v=DKIM1; p=yourPublicKey"
You should generate yourPublicKey and also a private key, with which you will sign your mails (note that you can simply skip the whole DKIM part)
At our business we are running a server for sending newsletters. Setting up the server and sending bulk e-mails is not the issue. That's all working fine.
I run a test on www.mail-tester.com to see how good the mail will pass spam filters. But unfortunately, we are running stuck on the SPF records.
Our setup:
ISP: Business fiber connection with fixed IP. The ISP has setup our hostname as "mail.ourbusiness.com" (fictional domain name)
Website: Our website www.ourbusiness.com is hosted in a datacenter and has nothing to do with our ISP.
The following errors occur:
You're not fully authenticated
We found an SPF entry on your server but it has still not been propagated
Your message is not signed with DKIM
See list of the complete fault message.
It say's that our business IP is successfully associated with mail.ourbusiness.com (so that's good).
Now my question: What should our SPF record be? I can find enough information about SPF records, but I have totally no clue of what I need to put into it!
Oké, solved this issue regarding the SPF record. mail-tester.com has now validated the mail successfully and gives it a 8.8 out of 10.
I did the following in the DNS of our domain ourbusiness.com.
Added A record form subdomain mail.ourbusiness.com with the content the IP address of our ISP.
Added SPF record for subdomain mail.ourbusiness.com
A record
mail.ourbusiness.com A 123.123.123.123
** SPF record **
mail.ourbusiness.com TXT v=spf1 a include:mail.ourbusiness.com ~all
We send out mail via Microsoft Exchange 2010 running on a Windows Server set up as server.organization.local.
When error messages are generated it shows:
Generating server: server.organization.local
I am confused as to what our SPF records should look like based on this. Should it simply contain the external IP address that this server uses to send out mail, or both this .local address and external IP address?
Currently it is set as:
# 10800 IN SPF "v=spf1 mx a:server.organization.local ip4:10.10.10.10 -all"
The mx is included to be safe but I'm not sure if it needs to be? The MX records on the domain name is set to a third-party filtering service, no mail is sent via it.
You need to specify the public IPs if you want to send emails to the internet.
If you are sending emails to another mail server on the LAN then you might have to add the private IPs as well.
I suggest to use a testing utility to check your SPF records.
I've recently setup my Ubuntu web server with exim4 so my PHP website applications can send email such as "thank you" and "confirmation" notices.
I've got it setup and working such that I can send email to gmail, Yahoo! and my work address. However, my work email gets caught up in our spam filter. I'm new to setting up mail servers so I'm not sure what I might need to look for in making this mail server more trusted, while keeping is secure.
Here are some details:
Server is NATed behind a firewall.
Firewall has port 25 open for outgoing SMTP traffic (from server to anywhere).
Server is virtual hosting a couple different of our websites
The server is running the following exim4 config:
dc_eximconfig_configtype='internet'
dc_other_hostnames='web-serv.example1.com;example2.com'
dc_local_interfacees='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='' dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
Questions:
Do I need to open port 25 to incoming SMTP mail (anywhere to server)? I wonder if other mail servers need to talk to my mail server to verify itself, in a sort of handshake attempt.
I have not created any MX records primarily because the server has different websites on it the mail server should send mail for all the websites. Do I need to pick/create a domain address and create MX records for it?
One thing of note is that the mail headers look like this:
Return-Path: <www-data#example2.com>
Received: from web-serv.example1.com ([Firewall public IP Address])
Received-SPF: neutral (google.com: [Firewall public IP Address] is neither permitted nor denied by best guess record for domain of www-data#example2.com)
"web-serv" is the host name of the server, such that you get this if you type it into the command line:
$ hostname
web-serv
and "www-data" is the account name for the Apache2 server that Ubuntu gave it as default.
Any other general advice would be appreciated. It's all new to me.
Cheers!
One item of note, since I posted this question time time ago (almost 10 months) is that I found out the biggest issue I had was with setting up the DNS for reverse DNS on our hosting providers side of things.
In other words, our hosting provider (the people who give us our IP address and manage our hardware) had to enter a record to match my server(s) hostname to whatever IP address it used.
There's a specific name for this. I believe it's a "PTR" record but the name escapes me at the moment, but you basically tell them "my server hostname is ..." and they do a quick update to the DNS for reverse DNS purposes.
When I asked this question, we had a different hosting provider who didn't really help explain this to me, and after switching providers, I got to talk to someone who was happy to help me understand that side of the equation.
And as I understand it, this is setup by the people who assign you the IP addresses. But there's probably more to it than that.
Once I got that setup properly, email had no problem getting through the spam filters and Gmail/Yahoo showed SPF as "passed". It was showing neutral before.
Our company email was set to drop any email that would not resolve reverse DNS, which is why I could not even receive the email or find it in the spam filter. Of course, that situation would be dependent on the company and what email policy and software they're using to manage spam. Some might just drop all email that does not reverse DNS and some might dump it in to spam filters instead.
Hope that might help some people with similar issues.
Cheers!