DNS for Mail
Running a mail server requires a proper DNS records.
Before you begin
This guide assumes that you have already set up a properly functioning name server using nsd. If you have not already, you will want to read up on basic DNS concepts and set up your name server.
Adding to the zone file
For mail, you will need to add DNS records. Let's take a look at a sample zone file containing only what is needed to handle mail:
$ORIGIN and Start of Authority (SOA) record:
$ORIGIN example.com. example.com. 3600 SOA ns1.example.com. admin.example.com. ( 2021050302 ; serial YYYYMMDDnn 1800 ; refresh 3600 ; retry 86400 ; expire 3600 ) ; minimum TTL
Here we define the $ORIGIN to be example.com. The $ORIGIN will be appended to every record to produce a fully qualified domain name. Make sure to read up on FQDN if you do not understand what that means.
The Start of Authority record? says that the serial number was last updated on May 3rd, 2021; that the refresh interval is 1800 seconds, the retry interval is 3600 seconds, the record expires after 1 day, and the minimum time to live is 3600 seconds.
3600 IN MX 10 mail 3600 IN A 38.81.163.143 3600 IN AAAA 2602:fccf:1:143:: 3600 IN NS ns1 3600 IN NS ns2 mail 3600 IN A 38.81.163.143 3600 IN AAAA 2602:fccf:1:143:: pop 3600 IN A 38.81.163.143 3600 IN AAAA 2602:fccf:1:143:: imap 3600 IN A 38.81.163.143 3600 IN AAAA 2602:fccf:1:143:: smtp 3600 IN A 38.81.163.143 3600 IN AAAA 2602:fccf:1:143::
When there is no name for the record, it just takes on the value of $ORIGIN: example.com.
Line 1 defines the mail exchange (MX) record for example.com. When another mail server sends your server mail, it will perform two DNS queries. First, it asks what your MX record is for example.com:
$ dig +short -t mx example.com 10 mail.example.com.
Here, the MX record for example.com is mail.example.com with a value of 10. This means that mail.example.com is the actual mail server that will handle mail.
Once an MX record is returned, the mail server will find the A/AAAA record for that mail server:
$ dig +short -t a mail.example.com 38.81.163.143
Normally, a domain will have multiple MX records so that if one mail server goes offline, another can continue serving mail. Most mail servers will choose the MX record with the lowest value to deliver to first.
SPF record
You'll want to add a TXT record in your domain's DNS zone for SPF:
3600 IN TXT "v=spf1 mx -all"
This simple SPF record allows any mail exchange (MX) server for the domain to send mail, but no others.
DMARC records
_dmarc 3600 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
This record will provide you with reports for DKIM/SPF but will not filter any mail. It's useful for diagnosing problems with your configuration.
DKIM records
You will need to follow the instructions for creating a proper DKIM record:
First, you will need to create a public and private DKIM key:
$ openssl genrsa -out private.key 1024 $ openssl rsa -in private.key -pubout -out public.key $ chmod og-rwx private.key $ chmod og-wx public.key $ chmod u-w public.key private.key $ doas mkdir -m 770 /etc/mail/dkim $ doas mv private.key public.key /etc/mail/dkim/ $ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/
We then create a DKIM record by taking the public key, removing the first and last line, then joining all the lines together:
$ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -
Running this command on public.key should produce text like the following:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB
This key should go into the DKIM DNS records to replace <public key>:
_adsp._domainkey 86400 IN TXT "dkim=discardable;" mail._domainkey 86400 IN TXT "k=rsa; t=s; p=<public key>"
The final result should look like this:
_adsp._domainkey 86400 IN TXT "dkim=discardable;" mail._domainkey 86400 IN TXT "k=rsa; t=s; p=8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"
Note: the _adsp
records come from RFC5617 which was marked as historic in 2013. More testing is necessary to determine if these records are really needed.
Whitelists
dnswl is a DNS whitelist that is free of charge, so you should sign up for it.