Hi guys I am trying to setup a email server for postfix but I dont know anything about setting up DNS for the email server. I am able to send an email but google rejects it because its not authenticated?
Probably the most simple steps:
- Create an A record for a "mail" subdomain pointing at your mail server.
- Create a single MX record (any priority will do, 10 is often default) pointing to your "mail" subdomain.
- Create a TXT record containing a SPF record. This will help avoid having Google flag your mails as spam. https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
1 Like
In addition to 1. and 2. mentioned by @Ant59 you should also make sure that your IP address(es) that you use to deliver your e-mail has/have a reverse DNS entry, that is a FQDN (fully qualified domain name). Usually DNS is used "forward", i.e. to resolve a domain to one or more IPs. In the reverse case you look which domain is associated to a given IP. This doesn't have to be the same one but many e-mail servers consider an e-mail possible spam or even reject it altogether, if the forward and reverse DNS entries don't match.
Also, when your server connects to another server, it says hello to the other side with its hostname in the EHLO or HELO command at the very beginning of the conversation. This should also be a FQDN hostname and can be set by the smtp_helo_name setting in Postfix (default is $myhostname), so make sure that those variables are also set appropriately.
A proper SPF record does not make your e-mail less likely to be considered spam (some systems give a slightly better score if there is a SPF record, but since spammers can get a SPF record as well, there is no point in calling a positive SPF result useful for detecting spam).
It just makes sure, that unauthorized servers can't deliver e-mail in your name. Which also makes sure you can't get e-mails "from yourself" (that you didn't actually send yourself) which is a common thing among spammers to deliver spam to your server, since your own e-mail server will most likely not reject e-mail sent by yourself.
To add to the original question, you should also consider using DKIM which is used to sign each e-mail, so the recipient can check via the DKIM DNS entry, that it was in fact sent (and authorized) by you. A common implementation that I am using in conjunction with Postfix is opendkim.
When you have both SPF and DKIM set up, you should also consider creating a DMARC policy in your DNS that tells the receiving e-mail server to check both and how to act when the checks fail (e.g. reject the mail, flag it as possible spam).
1 Like
SPF - list of ips you allow to relay using your domain.
DKIM - signature which signs the sent message and a corresponding public key in DNS. This proves you are the one who sent the message.
ptr /RDNS is the reverse resolution of the IP. not normally that important unless the recipient server is implementing higher security messures, it will match the ehlo with the ip.
are you hosting yourself or are you using a VPS service?
@blackfire did you even read the previous posts?
You just wrote everything that was already mentioned before.
nope sorry
This problem was already resolved, time to let this thread die.
R.I.P thread.