mailcow-dockerized-docs/docs/prerequisite-dns.md
Gravity a8b8b9d7b2
Added headers, and new resources
Added headers to the advanced DNS configuration table as well as the DKIM, SPF and DMARC sections, for better readability and clarity, as well as to match the top portion, which has headers.
Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS.
And lastly added Postmark as an alternative suggestion for Gmail's Postmaster under Misc.
2020-10-13 20:29:56 -04:00


Below you can find a list of recommended DNS records. While some are mandatory for a mail server (A, MX), others are recommended to build a good reputation score (TXT/SPF) or used for auto-configuration of mail clients (SRV).

References

Reverse DNS of your IP

Make sure that the PTR record of your IP matches the FQDN of your mailcow host: ${MAILCOW_HOSTNAME} [1]. This record is usually set at the provider you leased the IP (server) from.
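A forward-confirmed reverse DNS check you can run from the host before enabling outbound mail, added here as an example rather than taken from mailcow itself. check_fcrdns takes the public IP and the MAILCOW_HOSTNAME value, looks up the PTR, and then confirms that the PTR name resolves back to the same address, which is what most receivers actually test. The two lookup parameters are hypothetical hooks (they default to the system resolver) so the logic can be exercised offline with constructed answers.

```python
import ipaddress
import socket


def _system_ptr(ip):
    """Reverse lookup through the system resolver; raises socket.herror when no PTR exists."""
    return socket.gethostbyaddr(ip)[0]


def _system_forward(name):
    """Forward lookup through the system resolver; returns every A/AAAA address of name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_fcrdns(ip, hostname, ptr_lookup=_system_ptr, forward_lookup=_system_forward):
    """Forward-confirmed reverse DNS check for a mail host.

    ip        - the public address Postfix sends from
    hostname  - the value of MAILCOW_HOSTNAME
    ptr_lookup / forward_lookup - hypothetical hooks, replaceable for offline tests
    Returns a dict with the PTR seen and a list of human-readable problems
    (an empty list means the host passes).
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    expected = hostname.rstrip(".").lower()
    report = {"ip": addr.compressed, "hostname": expected, "ptr": None,
              "ptr_matches": False, "forward_confirmed": False, "problems": []}

    try:
        ptr = ptr_lookup(ip).rstrip(".").lower()
    except OSError as exc:
        report["problems"].append(f"no PTR record for {ip} ({exc})")
        return report
    report["ptr"] = ptr

    # Step 1: the PTR name must be the mailcow hostname itself, not a generic
    # provider name such as static-1-2-3-4.isp.example.
    if ptr == expected:
        report["ptr_matches"] = True
    else:
        report["problems"].append(f"PTR of {ip} is {ptr}, expected {expected}")

    # Step 2: the PTR name must resolve back to the same address (FCrDNS). Many
    # receivers treat a PTR that does not round-trip as if there were no PTR at all.
    try:
        forward = {ipaddress.ip_address(a).compressed for a in forward_lookup(ptr)}
    except (OSError, ValueError) as exc:
        report["problems"].append(f"{ptr} does not resolve ({exc})")
        return report
    if addr.compressed in forward:
        report["forward_confirmed"] = True
    else:
        report["problems"].append(f"{ptr} resolves to {sorted(forward)}, not {addr.compressed}")
    return report


if __name__ == "__main__":
    import sys

    # usage: python fcrdns_check.py 1.2.3.4 mail.example.org
    result = check_fcrdns(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(1 if result["problems"] else 0)
```

Run it with the IP Postfix actually binds to; a PTR that matches but does not resolve back (or resolves to a different address) is reported as a problem on purpose, because that is exactly the case DNSBL and reputation checks flag.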

The minimal DNS configuration

This example shows you a set of records for one domain managed by mailcow. Each domain that is added to mailcow needs at least this set of records to function correctly.

# Name              Type       Value
mail                IN A       1.2.3.4
autodiscover        IN CNAME   mail
autoconfig          IN CNAME   mail

@                   IN MX 10   mail

DKIM, SPF and DMARC

In the example DNS zone file snippet below, a simple SPF TXT record is used to allow only this server to send mail for your domain: the "mx" mechanism authorises the hosts named in your MX records and the "a" mechanism the address of the domain itself. The trailing "-all" tells receivers to fail mail from every other source; the softer "~all" (softfail) would instead mark such mail as suspicious while still accepting it. Please refer to SPF Project for further reading.

# Name              Type       Value
@                   IN TXT     "v=spf1 mx a -all"

It is highly recommended to create a DKIM TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to OpenDKIM for further reading.

# Name              Type       Value
dkim._domainkey     IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=..."

The last step in protecting yourself and others is the implementation of a DMARC TXT record, for example by using the DMARC Assistant (check).

# Name              Type       Value
_dmarc              IN TXT     "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org"
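The three records above are easy to publish with a typo that silently weakens them. The linter below is an added example (not part of mailcow or the mailcow docs) that checks the zone-file strings before you paste them: SPF mechanism and qualifier sanity plus the ten-lookup limit from RFC 7208, the DKIM tag list and public key, and the DMARC policy and report addresses. The records fed to it are constructed copies of the ones shown above.

```python
import re

# Mechanisms defined by RFC 7208; the ones in _SPF_LOOKUP_MECHS each cost one
# of the ten DNS lookups a receiver is allowed to spend on your record.
_SPF_MECHS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
_SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
_POLICIES = ("none", "quarantine", "reject")


def _unquote(record):
    """Accept the record as it appears in a zone file, surrounding quotes included."""
    return record.strip().strip('"').strip()


def lint_spf(record):
    """Return a list of problems with an SPF TXT record (empty list = looks fine)."""
    terms = _unquote(record).split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, saw_all, saw_redirect = [], 0, False, False
    for term in terms[1:]:
        if "=" in term:  # modifiers: redirect=domain, exp=domain
            name = term.split("=", 1)[0].lower()
            if name == "redirect":
                saw_redirect, lookups = True, lookups + 1
            elif name != "exp":
                problems.append(f"unknown modifier {term}")
            continue
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if mech not in _SPF_MECHS:
            problems.append(f"unknown mechanism {term}")
        if mech in _SPF_LOOKUP_MECHS:
            lookups += 1
        if mech == "ptr":
            problems.append("ptr mechanism is slow and discouraged by RFC 7208")
        if mech == "all":
            saw_all = True
            if qualifier == "+":
                problems.append("+all authorises every host on the internet to send as your domain")
            elif qualifier == "?":
                problems.append("?all is neutral: receivers learn nothing from it")
    if not saw_all and not saw_redirect:
        problems.append("no terminal all mechanism: unlisted senders get an implicit neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups needed; RFC 7208 permits at most 10 (permerror)")
    return problems


def _tags(record):
    """Parse a tag=value list (DKIM and DMARC share this syntax), preserving tag order."""
    tags = {}
    for part in _unquote(record).split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags


def lint_dkim(record):
    """Return problems with a DKIM public-key TXT record (the one at selector._domainkey)."""
    tags, problems = _tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={tags['k']}")
    if not set(tags.get("t", "")).issubset({"y", "s", ":"}):
        problems.append(f"unknown flag in t={tags['t']}")
    p = tags.get("p")
    if p is None:
        problems.append("p= (public key) is missing")
    elif p == "":
        problems.append("p= is empty, which announces the key as revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", p):
        problems.append("p= is not base64; paste the key the mailcow UI generated")
    return problems


def lint_dmarc(record):
    """Return problems with a DMARC TXT record (the one at _dmarc.<domain>)."""
    tags, problems = _tags(record), []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in _POLICIES:
        problems.append(f"p= must be none, quarantine or reject, not {policy!r}")
    if "sp" in tags and tags["sp"] not in _POLICIES:
        problems.append(f"sp= must be none, quarantine or reject, not {tags['sp']!r}")
    for key in ("rua", "ruf"):
        for uri in filter(None, tags.get(key, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{key}= entry {uri.strip()!r} is not a mailto: URI")
    if policy == "none" and "rua" not in tags:
        problems.append("p=none without rua= gives neither protection nor reports")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct= must be 0-100, not {pct!r}")
    return problems
```

Feed each function the exact string you intend to publish (quotes are fine); the DKIM example above deliberately fails on its "p=..." placeholder, which is the reminder to paste the real key from the mailcow UI.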

The advanced DNS configuration

SRV records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to RFC 2782.

# Name              Type       Priority Weight Port    Value
_imap._tcp          IN SRV     0        1      143      mail.example.org.
_imaps._tcp         IN SRV     0        1      993      mail.example.org.
_pop3._tcp          IN SRV     0        1      110      mail.example.org.
_pop3s._tcp         IN SRV     0        1      995      mail.example.org.
_submission._tcp    IN SRV     0        1      587      mail.example.org.
_smtps._tcp         IN SRV     0        1      465      mail.example.org.
_sieve._tcp         IN SRV     0        1      4190     mail.example.org.
_autodiscover._tcp  IN SRV     0        1      443      mail.example.org.
_carddavs._tcp      IN SRV     0        1      443      mail.example.org.
_carddavs._tcp      IN TXT                              "path=/SOGo/dav/"
_caldavs._tcp       IN SRV     0        1      443      mail.example.org.
_caldavs._tcp       IN TXT                              "path=/SOGo/dav/"
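Added example, not from the mailcow project: a small parser for the SRV lines in a snippet like the table above. It rejects relative targets (missing trailing dot), range-checks the 16-bit fields and normalises case, and not_provided lists the services announced as absent with the "." target described above. SAMPLE_ZONE is a constructed subset of the table with POP3 switched off.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "service proto priority weight port target")

# _service._proto  IN SRV  priority weight port target  (RFC 2782 layout, as in the table above)
_SRV_LINE = re.compile(
    r"^(_[a-z0-9-]+)\.(_tcp|_udp)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.IGNORECASE)


def parse_srv_zone(text):
    """Parse the SRV lines of a zone snippet; returns (records, problems).

    TXT lines (such as the path= hints for CardDAV/CalDAV) and '#' comments are skipped.
    """
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or not re.search(r"\sIN\s+SRV\s", line, re.IGNORECASE):
            continue
        m = _SRV_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed SRV record: {line!r}")
            continue
        service, proto, prio, weight, port, target = m.groups()
        numbers = {"priority": int(prio), "weight": int(weight), "port": int(port)}
        for field, value in numbers.items():
            if value > 65535:
                problems.append(f"line {lineno}: {field} {value} exceeds 16 bits")
        if target != "." and not target.endswith("."):
            problems.append(f"line {lineno}: target {target!r} is relative; end it with '.' "
                            "or use '.' alone to announce the service as not provided")
        # DNS names are case-insensitive: normalise so Mail.example.org. equals mail.example.org.
        records.append(SrvRecord(service.lower(), proto.lower(), numbers["priority"],
                                 numbers["weight"], numbers["port"], target.lower()))
    return records, problems


def not_provided(records):
    """Services explicitly announced as absent via the '.' target (RFC 2782)."""
    return sorted(f"{r.service}.{r.proto}" for r in records if r.target == ".")


# Constructed sample: part of the table above, with POP3 announced as not provided.
SAMPLE_ZONE = """\
# Name              Type       Priority Weight Port    Value
_imap._tcp          IN SRV     0        1      143      mail.example.org.
_imaps._tcp         IN SRV     0        1      993      mail.example.org.
_pop3._tcp          IN SRV     0        1      110      .
_submission._tcp    IN SRV     0        1      587      mail.example.org.
_carddavs._tcp      IN SRV     0        1      443      Mail.example.org.
_carddavs._tcp      IN TXT                              "path=/SOGo/dav/"
"""
```

A relative target is the classic mistake here: without the trailing dot the zone's origin is appended and clients end up looking for mail.example.org.example.org.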

Testing

Here are some tools you can use to verify your DNS configuration:

Misc

If you are interested in statistics, you can additionally register with the Postmaster Tool by Google and supply a google-site-verification TXT record, which will give you details about mails from your domain that Google classified as spam. Postmark offers an alternative service. These are clearly optional.

# Name              Type       Value
@                   IN TXT     "google-site-verification=..."

[1] A Fully Qualified Domain Name (FQDN) is the complete (absolute) domain name of a specific computer or host on the Internet. An FQDN consists of at least three parts separated by dots: the hostname (myhost), the domain name (mydomain) and the top-level domain, in short TLD (com). In the example mx.mailcow.email the hostname would be mx, the domain name mailcow and the TLD email.