mailcow-dockerized-docs/docs/prerequisite-dns.md

Below you can find a list of **recommended DNS records**. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).

## References

- A good article covering all relevant topics:
  ["3 DNS Records Every Email Marketer Must Know"](https://www.rackaid.com/blog/email-dns-records)
- Another great one, but Zimbra as an example platform:
  ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC)
- An in-depth discussion of SPF, DKIM and DMARC:
  ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/)
- A thorough guide on understanding DMARC:
["Demystifying DMARC: A guide to preventing email spoofing"](https://seanthegeek.net/459/demystifying-dmarc/)


## Reverse DNS of your IP address

Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP address (server) from.

## The minimal DNS configuration

This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.

```
# Name              Type       Value
mail                IN A       1.2.3.4
autodiscover        IN CNAME   mail.example.org. (your ${MAILCOW_HOSTNAME})
autoconfig          IN CNAME   mail.example.org. (your ${MAILCOW_HOSTNAME})
@                   IN MX 10   mail.example.org. (your ${MAILCOW_HOSTNAME})
```

## DKIM, SPF and DMARC

In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading.

```
# Name              Type       Value
@                   IN TXT     "v=spf1 mx a -all"
```

It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading.

```
# Name              Type       Value
dkim._domainkey     IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=..."
```

The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)).

```
# Name              Type       Value
_dmarc              IN TXT     "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
```

## The advanced DNS configuration

**SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782).

```
# Name              Type       Priority Weight Port    Value
_autodiscover._tcp  IN SRV     0        1      443      mail.example.org. (your ${MAILCOW_HOSTNAME})
_caldavs._tcp       IN SRV     0        1      443      mail.example.org. (your ${MAILCOW_HOSTNAME})
_caldavs._tcp       IN TXT                              "path=/SOGo/dav/"
_carddavs._tcp      IN SRV     0        1      443      Mail.example.org. (your ${MAILCOW_HOSTNAME})
_carddavs._tcp      IN TXT                              "path=/SOGo/dav/"
_imap._tcp          IN SRV     0        1      143      mail.example.org. (your ${MAILCOW_HOSTNAME})
_imaps._tcp         IN SRV     0        1      993      mail.example.org. (your ${MAILCOW_HOSTNAME})
_pop3._tcp          IN SRV     0        1      110      mail.example.org. (your ${MAILCOW_HOSTNAME})
_pop3s._tcp         IN SRV     0        1      995      mail.example.org. (your ${MAILCOW_HOSTNAME})
_sieve._tcp         IN SRV     0        1      4190     mail.example.org. (your ${MAILCOW_HOSTNAME})
_smtps._tcp         IN SRV     0        1      465      mail.example.org. (your ${MAILCOW_HOSTNAME})
_submission._tcp    IN SRV     0        1      587      mail.example.org. (your ${MAILCOW_HOSTNAME})
```

## Testing

Here are some tools you can use to verify your DNS configuration:

- [MX Toolbox](https://mxtoolbox.com/SuperTool.aspx) (DNS, SMTP, RBL)
- [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF)
- [Mail-tester](https://www.mail-tester.com/) (DKIM, DMARC, SPF)
- [DMARC Analyzer](https://www.dmarcanalyzer.com/spf/checker/) (DMARC, SPF)
- [MultiRBL.valli.org](http://multirbl.valli.org/) (DNSBL, RBL, FCrDNS)

## Misc

### Optional DMARC Statistics

If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own.

!!! Tip
It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports.

It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices.

- [Postmaster Tool](https://gmail.com/postmaster)
- [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted)
- [Fraudmarc](https://fraudmarc.com/)
- [Postmark](https://dmarc.postmarkapp.com)
- [Dmarcian](https://dmarcian.com/)

!!! Tip

These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary.

### Email test for SPF, DKIM and DMARC:

To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following:

```
==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================
....
```

The full report will contain more technical details.


### Fully Qualified Domain Name (FQDN)

[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`.
Added DNS chapter 2017-05-06 01:52:17 +02:00			`Below you can find a list of recommended DNS records. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).`

			`## References`
Formatting 2017-05-06 02:38:21 +02:00
			`- A good article covering all relevant topics:`
Spelling 2017-05-09 17:54:50 +02:00			`["3 DNS Records Every Email Marketer Must Know"](https://www.rackaid.com/blog/email-dns-records)`
Formatting 2017-05-06 02:38:21 +02:00			`- Another great one, but Zimbra as an example platform:`
Spelling 2017-05-09 17:54:50 +02:00			`["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC)`
Formatting 2017-05-06 02:38:21 +02:00			`- An in-depth discussion of SPF, DKIM and DMARC:`
Added DNS chapter 2017-05-06 01:52:17 +02:00			`["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/)`
Added missing quotes and colan to new reference 2020-10-14 15:57:48 +02:00			`- A thorough guide on understanding DMARC:`
			`["Demystifying DMARC: A guide to preventing email spoofing"](https://seanthegeek.net/459/demystifying-dmarc/)`
Removed line breaks from dmarc & added a reference 2020-10-14 03:12:14 +02:00
Added DNS chapter 2017-05-06 01:52:17 +02:00
Some fixes and improvements Fixed broken links and listings, some minor typos, and some added information. 2020-10-20 21:32:00 +02:00			`## Reverse DNS of your IP address`
Added DNS chapter 2017-05-06 01:52:17 +02:00
Some fixes and improvements Fixed broken links and listings, some minor typos, and some added information. 2020-10-20 21:32:00 +02:00			Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP address (server) from.
Added DNS chapter 2017-05-06 01:52:17 +02:00
			`## The minimal DNS configuration`

"this set or records" to "this set of records" 2018-07-11 07:01:03 +02:00			`This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.`
Added DNS chapter 2017-05-06 01:52:17 +02:00
			```
Formatting 2017-05-06 02:38:21 +02:00			`# Name Type Value`
Added DNS chapter 2017-05-06 01:52:17 +02:00			`mail IN A 1.2.3.4`
Update prerequisite-dns.md 2021-02-15 21:01:34 +01:00			`autodiscover IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`autoconfig IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`@ IN MX 10 mail.example.org. (your ${MAILCOW_HOSTNAME})`
Added DNS chapter 2017-05-06 01:52:17 +02:00			```

			`## DKIM, SPF and DMARC`

Updated openspf link 2020-03-16 12:11:05 +01:00			In the example DNS zone file snippet below, a simple SPF TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading.
Added DNS chapter 2017-05-06 01:52:17 +02:00
			```
Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. 2020-10-14 02:29:56 +02:00			`# Name Type Value`
Update prerequisite-dns.md 2021-02-15 21:01:34 +01:00			`@ IN TXT "v=spf1 mx a -all"`
Added DNS chapter 2017-05-06 01:52:17 +02:00			```

Spelling, added footnote 2017-05-06 14:40:16 +02:00			`It is highly recommended to create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading.`
Added DNS chapter 2017-05-06 01:52:17 +02:00
			```
Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. 2020-10-14 02:29:56 +02:00			`# Name Type Value`
Adding spaces I have added spaces to the doc, so it looks more tabular. In my opinion this is visually better. 2020-09-22 14:39:45 +02:00			`dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..."`
Added DNS chapter 2017-05-06 01:52:17 +02:00			```

			`The last step in protecting yourself and others is the implementation of a DMARC TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)).`

			```
Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. 2020-10-14 02:29:56 +02:00			`# Name Type Value`
Added DNS chapter 2017-05-06 01:52:17 +02:00			`_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"`
			```

			`## The advanced DNS configuration`

Correct SRV records Closes #57. Closes #55. 2017-12-02 16:04:50 +01:00			`SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782).`
Added DNS chapter 2017-05-06 01:52:17 +02:00
			```
Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. 2020-10-14 02:29:56 +02:00			`# Name Type Priority Weight Port Value`
Update prerequisite-dns.md 2021-02-15 21:01:34 +01:00			`_autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME})`
Order DNS records alphabetically and fix capital m original record with capital M: _carddavs._tcp IN SRV 0 1 443 Mail.example.org. 2020-12-23 17:37:53 +01:00			`_caldavs._tcp IN TXT "path=/SOGo/dav/"`
Update prerequisite-dns.md 2021-02-15 21:01:34 +01:00			`_carddavs._tcp IN SRV 0 1 443 Mail.example.org. (your ${MAILCOW_HOSTNAME})`
Order DNS records alphabetically and fix capital m original record with capital M: _carddavs._tcp IN SRV 0 1 443 Mail.example.org. 2020-12-23 17:37:53 +01:00			`_carddavs._tcp IN TXT "path=/SOGo/dav/"`
Update prerequisite-dns.md 2021-02-15 21:01:34 +01:00			`_imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_pop3._tcp IN SRV 0 1 110 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_pop3s._tcp IN SRV 0 1 995 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_sieve._tcp IN SRV 0 1 4190 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_smtps._tcp IN SRV 0 1 465 mail.example.org. (your ${MAILCOW_HOSTNAME})`
			`_submission._tcp IN SRV 0 1 587 mail.example.org. (your ${MAILCOW_HOSTNAME})`
Added DNS chapter 2017-05-06 01:52:17 +02:00			```

			`## Testing`
Formatting 2017-05-06 02:38:21 +02:00
Added DNS chapter 2017-05-06 01:52:17 +02:00			`Here are some tools you can use to verify your DNS configuration:`
Formatting 2017-05-06 02:38:21 +02:00
Added DNS chapter 2017-05-06 01:52:17 +02:00			`- [MX Toolbox](https://mxtoolbox.com/SuperTool.aspx) (DNS, SMTP, RBL)`
			`- [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF)`
replace a dead tool by another one 2018-06-07 10:01:36 +02:00			`- [Mail-tester](https://www.mail-tester.com/) (DKIM, DMARC, SPF)`
Add DMARC Analayzer with corrected path 2019-01-10 18:21:35 +01:00			`- [DMARC Analyzer](https://www.dmarcanalyzer.com/spf/checker/) (DMARC, SPF)`
Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. 2020-10-14 02:29:56 +02:00			`- [MultiRBL.valli.org](http://multirbl.valli.org/) (DNSBL, RBL, FCrDNS)`
Added DNS chapter 2017-05-06 01:52:17 +02:00
			`## Misc`

Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. 2020-10-14 03:04:40 +02:00			`### Optional DMARC Statistics`
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00
			`If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own.`
Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. 2020-10-14 03:04:40 +02:00
Update prerequisite-dns.md quick tidy up 2021-05-03 17:00:20 +02:00			`!!! Tip`
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00			`It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports.`
Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. 2020-10-14 03:04:40 +02:00
Changes to DMARC and Added FQDN header - Removed the Google Postmaster TXT record example - Increased clarity to follow the DMARC statistics guide to deploying, as they may not all utilize TXT files and the process can vary per service or tool. - Increased clarity that other services and tools are available for DMARC statistics than just the listed few - Add a header to FQDN for separation from the DMARC section under Misc. 2020-10-24 20:16:31 +02:00			`It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices.`

Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. 2020-10-14 03:04:40 +02:00			`- [Postmaster Tool](https://gmail.com/postmaster)`
			`- [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted)`
			`- [Fraudmarc](https://fraudmarc.com/)`
			`- [Postmark](https://dmarc.postmarkapp.com)`
			`- [Dmarcian](https://dmarcian.com/)`

Update prerequisite-dns.md quick tidy up 2021-05-03 17:00:20 +02:00			`!!! Tip`
Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. 2020-10-14 03:04:40 +02:00
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00			`These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary.`

			`### Email test for SPF, DKIM and DMARC:`
Update prerequisite-dns.md 2020-10-29 10:38:21 +01:00
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00			To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following:
Update prerequisite-dns.md 2020-10-29 10:38:21 +01:00
			```
			`==========================================================`
			`Summary of Results`
			`==========================================================`
			`SPF check: pass`
			`"iprev" check: pass`
			`DKIM check: pass`
			`DKIM check: pass`
			`SpamAssassin check: ham`

			`==========================================================`
			`Details:`
			`==========================================================`
			`....`
			```
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00
			`The full report will contain more technical details.`
Update prerequisite-dns.md 2020-10-29 10:38:21 +01:00

Changes to DMARC and Added FQDN header - Removed the Google Postmaster TXT record example - Increased clarity to follow the DMARC statistics guide to deploying, as they may not all utilize TXT files and the process can vary per service or tool. - Increased clarity that other services and tools are available for DMARC statistics than just the listed few - Add a header to FQDN for separation from the DMARC section under Misc. 2020-10-24 20:16:31 +02:00			`### Fully Qualified Domain Name (FQDN)`
Update prerequisite-dns.md 2021-05-04 12:36:07 +02:00
changed capitalization 2020-10-24 22:01:15 +02:00			[^1]: A Fully Qualified Domain Name (FQDN) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short tld (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`.