Own mailserver for newsletters SPF record issues - email

At our business we are running a server for sending newsletters. Setting up the server and sending bulk e-mails is not the issue. That's all working fine.
I ran a test on www.mail-tester.com to see how well the mail will pass spam filters. But unfortunately, we are stuck on the SPF records.
Our setup:
ISP: Business fiber connection with fixed IP. The ISP has set up our hostname as "mail.ourbusiness.com" (fictional domain name)
Website: Our website www.ourbusiness.com is hosted in a datacenter and has nothing to do with our ISP.
The following errors occur:
You're not fully authenticated
We found an SPF entry on your server but it has still not been propagated
Your message is not signed with DKIM
See list of the complete fault message.
It says that our business IP is successfully associated with mail.ourbusiness.com (so that's good).
Now my question: What should our SPF record be? I can find enough information about SPF records, but I have totally no clue of what I need to put into it!

OK, solved this issue regarding the SPF record. mail-tester.com has now validated the mail successfully and gives it an 8.8 out of 10.
I did the following in the DNS of our domain ourbusiness.com.
Added an A record for subdomain mail.ourbusiness.com with the IP address of our ISP as its content.
Added SPF record for subdomain mail.ourbusiness.com
A record:
mail.ourbusiness.com A 123.123.123.123
SPF record:
mail.ourbusiness.com TXT v=spf1 a include:mail.ourbusiness.com ~all

Related

Setting up various DNS records for my mail server with external DNS

I have a domain name, mysite.com registered with a provider at ns1.dnsprovider.com and ns2.dnsprovider.com.
mysite.com is a Wordpress site on WHM/cPanel at IP: 111.222.333.444
I can set my DNS records at DNSProvider to point at 111.222.333.444 for the websites - no problem. I also need to set up email facilities.
This I'm struggling with. I'm simply running the standard Exim package in cPanel.
I figure I need to set up an A record mail.mysite.com for IP 111.222.333.444 but I also need to set up MX records. Would this be to mail.mysite.com with priority 0 and 10?
Also what about DKIM and SPF records? What would I need to enter?
First a quick note: If the mail server is on the same IP address you do not need the extra A record, since there is already an A record the MX record can use.
As for the MX record, it depends on what the mail addresses will be. For the one you mentioned the mail addresses will be user@mail.example.com; if you want them to be user@example.com, then the MX record must be for example.com, like this:
@ MX 10 mail.example.com.
Where mail.example.com is the extra A record you wanted to create; you can also point the record to example.com, since it has an A record pointed to the IP of the mail server.
Now for the SPF record, it depends on which servers will be sending mail on behalf of your domain. If only your server will (this includes your web site, since they are on the same IP), the SPF record can be like this:
@ TXT "v=spf1 a -all"
This allows the IP of your A record to send mails and "forbids" everybody else.
The DKIM record is in the following format:
default._domainkey TXT "v=DKIM1; p=yourPublicKey"
You should generate yourPublicKey and also a private key, with which you will sign your mails (note that you can simply skip the whole DKIM part).

AWS EC2 Reverse DNS (PTR) Failing

Have searched everywhere, can't find answer.
I have the domain mydomain.com. The root and www records point to my main server, which runs my website.
I am now using a separate AWS ec2 instance to set up an email server for my domain. This is running on the subdomain mail.
My dns looks like this:
A @ webserverip
A www webserverip
A mail ec2ip
To prevent my server from getting flagged for spam, I submitted the amazon reverse dns form here: https://aws.amazon.com/forms/ec2-email-limit-rdns-request
I gave them the ip of my ec2 mail server, and put "mail.mydomain.com" in the "Reverse DNS Record for EIP 1" box.
However, I keep receiving emails back from them saying:
When attempting to map the reverse DNS entry, we notice that this is failing because the PTR record doesn't match the A record for that domain.
We currently require the forward A record to match the PTR record for all reverse DNS entries.
I really don't understand what I am doing wrong. The "mail" subdomain has an A record pointing to my ec2 server ip. Any assistance would be greatly appreciated!
(I am using cloudflare for my dns if this makes any difference)
You can follow these steps to configure the DNS for your EC2 dedicated mail server on AWS:
STEPS
Add two A host records for pop.mydomain.com and smtp.mydomain.com that point to your elastic IP and assign your MX record to the smtp.mydomain.com host.
Add a CNAME record (not A host record) for mail.mydomain.com that points to the DNS entry assigned by AWS (e.g., ec2-XXX-XXX-XXX-XXX.REGION.compute.amazonaws.com).
Submit your rDNS request for smtp.mydomain.com mapping to your EIP.
Don't forget to add the SPF TXT record for your mail server. For example, v=spf1 mx a
Once you're done with this setup, you should have a proper mail server configuration in terms of DNS that would pass SMTP tests and avoid being flagged as spam.

DMARC DKIM Alignment

I created a mail server with Debian 8 and iRedMail that works perfectly. The mail server runs 5 virtual domains and is configured with SPF, DKIM and DMARC.
I correctly receive DMARC reports for mails sent from the machine and everything is aligned.
I have a second machine that works as a web server. This machine sends daily reports to a @gmail.com account. When I receive DMARC reports for this machine, the SPF is aligned (because the IP is inserted in the DNS record) but the DKIM is not, I presume because it is not configured.
How do I align DKIM for the web machine as well? In addition, sometimes the sending address is not the IP but the PTR (reverse DNS); in this case the DKIM is not aligned either.
The following DNS configuration:
_dmarc.maildomain.com. 300 IN TXT "v=DMARC1\; p=quarantine\; rua=mailto:mail@maildomain.com"
maildomain.com. 300 IN TXT "v=spf1 a mx ip4:ip_mail_server ip4:ip_web_server ~all"
dkim._domainkey.maildomain.com. 300 IN TXT "v=DKIM1\; p=KEY"
I think there are three options:
Use your existing mail server as authenticated smtp relay for the webserver (one point of failure but therefore less maintenance work) with e.g. ssmtp
Implement DKIM signing on your webserver as well (either with the same key or a second one)
Set DKIM option relaxed for DMARC. There is an official list of DMARC generators which may help you. Generally, the addition "adkim=s;" would do it in your TXT record starting with "v=DMARC1;"
Hope that helps, otherwise please add more details.
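An added example, not code from the posts above: how a receiver decides DMARC alignment for the record shape shown in the question, where `adkim`/`aspf` take `r` (relaxed, the default) or `s` (strict). The function names, the `RECORD` constant, the sample domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value; zone-file style '\\;' escapes are accepted."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match, 'r' only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim)
    # DMARC passes when either mechanism passes and is aligned.
    action = "deliver" if spf_ok or dkim_ok else tags.get("p", "none")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "action": action}

# Constructed record in the shape of the one posted above.
RECORD = r"v=DMARC1\; p=quarantine\; rua=mailto:mail@maildomain.com"

if __name__ == "__main__":
    # Unsigned web-server mail whose envelope domain is the mail domain.
    print(evaluate(RECORD, "maildomain.com", ("pass", "maildomain.com"), []))
    # Same mail with a different (constructed) envelope host name.
    print(evaluate(RECORD, "maildomain.com", ("pass", "web.hosting.example"), []))
```

Passing a DKIM result such as `[("pass", "maildomain.com")]` in the second call models signing on the web server or relaying through the mail server.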

SPF questions - how to set up

I would like to set up SPF for my domain example.com on my own server but I don't really understand how to do this, so here are my questions:
1) What does my SPF record(s) have to look like if I would like to allow my server IP x.x.x.x sending mail using mail@example.com (or better *@example.com)?
2) Where do I have to add the SPF record? To my DNS records? How do I store it there???
3) I would also like to send Mails from my laptop using myname@example.com, and I'm using my server IP x.x.x.x as SMTP server, I guess that's not a problem with the SPF record then?
Hope it doesn't sound too stupid, but I find this SPF thing a bit confusing ;)
Use a SPF generation wizard, like this one: http://spfwizard.com/
1) What does my SPF record(s) have to look like if I would like to allow my server IP x.x.x.x sending mail using mail@example.com (or better *@example.com)?
In BIND record format, it could be something like:
example.com. IN TXT "v=spf1 mx ip4:x.x.x.x ~all"
Basically, it allows sending email from:
all the MX records for example.com
the IP x.x.x.x
All other cases are qualified as softfail.
2) Where do I have to add the SPF record? To my DNS records? How do I store it there???
You must be allowed to edit the DNS records for the domain example.com. Most likely it's a service provided by your registrar. You say you have 2 fields: you should add example.com (your domain) in the host field, and the "v=spf1.." string (without quotes) in the rule field.
3) I would also like to send Mails from my laptop using myname@example.com, and I'm using my server IP x.x.x.x as SMTP server, I guess that's not a problem with the SPF record then?
Well said, you got the point.
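An added example, not code from any of the posts: a simplified left-to-right SPF evaluation over a constructed zone, covering the three record shapes posted on this page (`a -all`, `mx ip4:... ~all`, and a record that includes its own name). `check_host`, the `A`/`MX`/`TXT` tables and every name and address in them are assumptions; only the `a`, `mx`, `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone standing in for DNS (documentation address ranges).
A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"],
     "web.example.com": ["192.0.2.10"], "loop.example.com": ["192.0.2.25"]}
MX = {"example.com": ["mail.example.com"]}
TXT = {"example.com": "v=spf1 mx ip4:198.51.100.7 ~all",
       "web.example.com": "v=spf1 a -all",
       "loop.example.com": "v=spf1 a include:loop.example.com ~all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def _check(ip, domain, count):
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return None  # no SPF record published
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("a", "mx", "include"):
            count[0] += 1  # these mechanisms each cost a DNS lookup
            if count[0] > LOOKUP_LIMIT:
                raise ValueError("lookup limit exceeded")
        if mech == "all":
            match = True
        elif mech == "ip4":
            match = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            match = str(ip) in A.get(arg or domain, [])
        elif mech == "mx":
            hosts = MX.get(arg or domain, [])
            match = any(str(ip) in A.get(h, []) for h in hosts)
        elif mech == "include":
            inner = _check(ip, arg, count)
            if inner is None:
                raise ValueError("include target has no SPF record")
            match = inner == "pass"
        else:
            raise ValueError("unsupported term: " + term)
        if match:  # first matching mechanism decides the result
            return RESULT[qual]
    return "neutral"

def check_host(ip, domain):
    addr = ipaddress.ip_address(ip)
    try:
        return _check(addr, domain, [0]) or "none"
    except ValueError:  # lookup limit, malformed or unsupported term
        return "permerror"
```

For the self-including record, the listed host passes on `a` before `include` is reached, while any other address recurses until the lookup limit and ends in `permerror` rather than `softfail`.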

Ubuntu exim4 - Config setup and spam filters

I've recently set up my Ubuntu web server with exim4 so my PHP website applications can send email such as "thank you" and "confirmation" notices.
I've got it set up and working such that I can send email to gmail, Yahoo! and my work address. However, my work email gets caught up in our spam filter. I'm new to setting up mail servers so I'm not sure what I might need to look for in making this mail server more trusted, while keeping it secure.
Here are some details:
Server is NATed behind a firewall.
Firewall has port 25 open for outgoing SMTP traffic (from server to anywhere).
Server is virtual hosting a couple of our different websites
The server is running the following exim4 config:
dc_eximconfig_configtype='internet'
dc_other_hostnames='web-serv.example1.com;example2.com'
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
Questions:
Do I need to open port 25 to incoming SMTP mail (anywhere to server)? I wonder if other mail servers need to talk to my mail server to verify itself, in a sort of handshake attempt.
I have not created any MX records, primarily because the server has different websites on it and the mail server should send mail for all the websites. Do I need to pick/create a domain address and create MX records for it?
One thing of note is that the mail headers look like this:
Return-Path: <www-data@example2.com>
Received: from web-serv.example1.com ([Firewall public IP Address])
Received-SPF: neutral (google.com: [Firewall public IP Address] is neither permitted nor denied by best guess record for domain of www-data@example2.com)
"web-serv" is the host name of the server, such that you get this if you type it into the command line:
$ hostname
web-serv
and "www-data" is the account name for the Apache2 server that Ubuntu gave it as default.
Any other general advice would be appreciated. It's all new to me.
Cheers!
One item of note, since I posted this question some time ago (almost 10 months), is that I found out the biggest issue I had was with setting up the DNS for reverse DNS on our hosting provider's side of things.
In other words, our hosting provider (the people who give us our IP address and manage our hardware) had to enter a record to match my server(s) hostname to whatever IP address it used.
There's a specific name for this. I believe it's a "PTR" record but the name escapes me at the moment, but you basically tell them "my server hostname is ..." and they do a quick update to the DNS for reverse DNS purposes.
When I asked this question, we had a different hosting provider who didn't really help explain this to me, and after switching providers, I got to talk to someone who was happy to help me understand that side of the equation.
And as I understand it, this is set up by the people who assign you the IP addresses. But there's probably more to it than that.
Once I got that set up properly, email had no problem getting through the spam filters and Gmail/Yahoo showed SPF as "passed". It was showing neutral before.
Our company email was set to drop any email that would not resolve reverse DNS, which is why I could not even receive the email or find it in the spam filter. Of course, that situation would be dependent on the company and what email policy and software they're using to manage spam. Some might just drop all email that does not reverse DNS and some might dump it into spam filters instead.
Hope that might help some people with similar issues.
Cheers!
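An added example, not code from the posts: the forward-confirmed reverse DNS check that both the AWS message quoted earlier and this last post describe (the PTR name must resolve back to the sending IP), run over constructed DNS data. `fcrdns`, the `fake_*` resolvers and all addresses are assumptions; `live_ptr` and `live_a` query the system resolver for use on a real host.

```python
import socket

def live_ptr(ip):
    """PTR names for ip from the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def live_a(name):
    """IPv4 addresses for name from the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def fcrdns(ip, helo, ptr=live_ptr, a=live_a):
    """Return a list of findings; an empty list means the sender checks out."""
    findings = []
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        findings.append("no PTR record for " + ip)
    elif not any(ip in a(n) for n in names):
        findings.append("PTR %s does not resolve back to %s" % (names[0], ip))
    if ip not in a(helo):
        findings.append("HELO name %s does not resolve to %s" % (helo, ip))
    return findings

# Constructed DNS data: one consistent host, one host without a PTR,
# and one whose forward A record points at a different address.
PTR = {"203.0.113.20": ["web-serv.example1.com"],
       "203.0.113.30": ["mail.mydomain.com"]}
FWD = {"web-serv.example1.com": ["203.0.113.20"],
       "new.example1.com": ["203.0.113.40"],
       "mail.mydomain.com": ["198.51.100.99"]}

def fake_ptr(ip):
    return PTR.get(ip, [])

def fake_a(name):
    return FWD.get(name, [])

if __name__ == "__main__":
    for ip, helo in [("203.0.113.20", "web-serv.example1.com"),
                     ("203.0.113.40", "new.example1.com"),
                     ("203.0.113.30", "mail.mydomain.com")]:
        print(ip, fcrdns(ip, helo, fake_ptr, fake_a) or "ok")
```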