mailcow-dockerized-docs/docs/dns.md
2017-05-06 02:38:21 +02:00


Below you can find a list of recommended DNS records. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).

References

Reverse DNS of your IP

Make sure that the PTR record of your IP matches the FQDN hostname of your mailcow host: mail.domain.tld. This record is usually set at the provider you leased the IP (server) from.

The minimal DNS configuration

This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.

# Name              Type       Value
mail                IN A       1.2.3.4
autodiscover        IN A       1.2.3.4
autoconfig          IN A       1.2.3.4

@                   IN MX 10   mail

DKIM, SPF and DMARC

In the example DNS zone file snippet below, a simple SPF TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but still able to send ("~all", a soft fail). Please refer to SPF Project.

@                   IN TXT     "v=spf1 mx ~all"

It is highly recommended to create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to OpenDKIM.

default._domainkey  IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=..."

The last step in protecting yourself and others is the implementation of a DMARC TXT record, for example by using the DMARC Assistant (check).

_dmarc              IN TXT     "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
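
A small offline lint for the record set described so far (the three A records, MX, SPF, DKIM and DMARC), as an added example that is not part of the mailcow documentation. The function names, the sample zone and the placeholder DKIM key are assumptions constructed for illustration, and the parser only understands the one-line `name IN TYPE value` layout used on this page.

```python
import re

# Constructed sample zone mirroring this page's records (the DKIM key is a placeholder).
SAMPLE_ZONE = """
# Name              Type       Value
mail                IN A       1.2.3.4
autodiscover        IN A       1.2.3.4
autoconfig          IN A       1.2.3.4
@                   IN MX 10   mail
@                   IN TXT     "v=spf1 mx ~all"
default._domainkey  IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=PLACEHOLDERKEY"
_dmarc              IN TXT     "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
"""

def parse_zone(text):
    """Return (name, type, value) tuples from 'name IN TYPE value' lines."""
    records = []
    for line in text.splitlines():
        m = re.match(r'(\S+)\s+IN\s+(\S+)\s+(.+)', line.strip())
        if m and not line.lstrip().startswith(("#", ";")):
            records.append((m.group(1), m.group(2).upper(), m.group(3).strip().strip('"')))
    return records

def tags(value):
    """Split a 'k=v; k=v' TXT payload (DKIM, DMARC) into a dict."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def lint(text):
    """Return a list of findings; an empty list means the record set is complete."""
    recs = parse_zone(text)
    have = {(n, t) for n, t, _ in recs}
    findings = ["missing %s %s record" % need
                for need in [("mail", "A"), ("autodiscover", "A"), ("autoconfig", "A"), ("@", "MX")]
                if need not in have]
    spf = [v for n, t, v in recs if (n, t) == ("@", "TXT") and v.startswith("v=spf1")]
    if len(spf) != 1:  # none published, or several (several yield a permerror)
        findings.append("expected exactly one SPF record, found %d" % len(spf))
    elif spf[0].split()[-1] not in ("~all", "-all"):
        findings.append("SPF does not end in ~all or -all")
    dkim = [tags(v) for n, t, v in recs if t == "TXT" and n.endswith("._domainkey")]
    if not any(d.get("v") == "DKIM1" and d.get("p") for d in dkim):  # empty p= is a revoked key
        findings.append("no DKIM key published")
    dmarc = [tags(v) for n, t, v in recs if (n, t) == ("_dmarc", "TXT")]
    if not dmarc or dmarc[0].get("v") != "DMARC1":
        findings.append("missing DMARC record")
    elif dmarc[0].get("p") == "none":
        findings.append("DMARC p=none only monitors")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_ZONE) or "all recommended records present")
```
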

The advanced DNS configuration

SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.tld."). Please refer to RFC 2782.

_imap._tcp          IN SRV     0 1 143 mail.example.org.
_imaps._tcp         IN SRV     0 1 993 mail.example.org.
_pop3._tcp          IN SRV     0 1 110 mail.example.org.
_pop3s._tcp         IN SRV     0 1 995 mail.example.org.
_submission._tcp    IN SRV     0 1 587 mail.example.org.
_autoconfig._tcp    IN SRV     0 1 443 autoconfig.example.org.
_autodiscover._tcp  IN SRV     0 1 443 autodiscover.example.org.

Testing

Here are some tools you can use to verify your DNS configuration:

Misc

If you are interested in statistics, you can additionally register with the Postmaster Tool by Google and supply a google-site-verification TXT record, which will give you details about mail from your domain that was classified as spam. This is clearly optional.

@                   IN TXT     "google-site-verification=..."