From 44f978af77acfd3c7176aa0532c0c62cc3a9179f Mon Sep 17 00:00:00 2001 From: timo Date: Sat, 6 May 2017 01:52:17 +0200 Subject: [PATCH] Added DNS chapter --- docs/dns.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/docs/dns.md b/docs/dns.md index e69de29bb..2b13f3e63 100644 --- a/docs/dns.md +++ b/docs/dns.md @@ -0,0 +1,75 @@ +Below you can find a list of **recommended DNS records**. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV). + +## References +* A good article covering all relevant topics: + ["3 DNS Records Every Email Marketer Must Know"](https://www.rackaid.com/blog/email-dns-records) +* Another great one, but Zimbra as an example platform: + ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) +* An in-depth discussion of SPF, DKIM and DMARC: + ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) + +## Reverse DNS of your IP + +Make sure that the PTR record of your IP matches the FQDN hostname of your mailcow host: `mail.domain.tld`. This record is usually set at the provider you leased the IP (server) from. + +## The minimal DNS configuration + +This example shows you a set of records for one domain. Each domain that is added to mailcow needs at least this set or records. + +``` +mail IN A 1.2.3.4 +autodiscover IN A 1.2.3.4 +autoconfig IN A 1.2.3.4 + +@ IN MX 10 mail +``` + +## DKIM, SPF and DMARC + +In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.openspf.org). + +``` +@ IN TXT "v=spf1 mx ~all" +``` + +It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org). + +``` +default._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..." +``` + +The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)). + +``` +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org" +``` + +## The advanced DNS configuration + +**SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.tld."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782). + +``` +_imap._tcp IN SRV 0 1 143 mail.example.org. +_imaps._tcp IN SRV 0 1 993 mail.example.org. +_pop3._tcp IN SRV 0 1 110 mail.example.org. +_pop3s._tcp IN SRV 0 1 995 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. +_autoconfig._tcp IN SRV 0 1 443 autoconfig.example.org. +_autodiscover._tcp IN SRV 0 1 443 autodiscover.example.org. +``` + + +## Testing +Here are some tools you can use to verify your DNS configuration: +- [MX Toolbox](https://mxtoolbox.com/SuperTool.aspx) (DNS, SMTP, RBL) +- [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF) +- [HAD Pilot](https://www.had-pilot.com/testdetails.html) (DKIM, DMARC, SPF) +- [DMARC Analyzer](https://www.dmarcanalyzer.com/spf-record-check/) (DMARC, SPF) + +## Misc + +If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. This is clearly optional. + +``` +@ IN TXT "google-site-verification=..." +```