In the past month I’ve migrated my server from TSS to MojoHost and part of that was setting up email services on my new server (as opposed to using TSS’ mail server). Having mail services on my own server made me delve into how to do email properly since I need a good reputation as a sending server to get my emails though to their recipients. I thought I’d share a bit of what I learned. There were definitely things I learned that can helpÃ¢â¬Â¦
The first thing I learned was that you’ll need reverse DNS entries for your IP address (in simple terms your IP address needs to have a name) or receiving mail servers will reject the email you send them. MojoHost had set up reverse DNS for my IPv4 address, but not my IPv6 address and it caused bounces.
The next thing I discovered was that one of the big mail services in Germany (GMX Ã¢â¬â they own mail.com) will refuse your email if your reverse DNS looks auto-generated. MojoHost names their servers things like cs1234.mojohost.com Ã¢â¬â and that looks auto-generated to GMX, so I had to purchase a new generic domain (since both both adult and mainstream stuff is served/sent from my server). So my server is now named dionysus.ampelus.net. In Greek mythology Ampelus was a satyr that Dionysus was in love with. Ampelus mocked the moon god while riding a bull. She caused the bull to stumble, Ampelus was gored by the horn of the bull and died. Dionysus was so sad that he made a grape vine out of Ampelus’ body, and turned his blood into the first wine. Point being Ã¢â¬â have some fun with the name of your server!
But, then I found that another mail service won’t receive emails from servers on newly registered domains. So I still have a problem, but that one will go away at some point.
Next Ã¢â¬â there are three types of things that need to be set up in DNSÃ¢â¬Â¦
SPF Ã¢â¬â tells mail recipients what servers are allowed to send email for your domain and how strict to be if they see email from a server not on the list.
DKIM Ã¢â¬â a cryptographic key that’s embedded in your email that recipients can validate so they know the sending server hasn’t been forged.
DMARC Ã¢â¬â a set of rules that tells recipients how to handle failures and who to report the failures to.
There are lots of tutorials and other tools out there to help you configure SPF/DKIM/DMARC Ã¢â¬â that’s not the point of this point of this post so I won’t go into detail about them. If you want details I recommend MXToolbox.com. But absolutely do go through the effort. Doing so will get more of your emails delivered (and not put in the spam folder).
But I did learn that it’s important to set up SPF/DKIM/DMARC on ALL your domains Ã¢â¬â even the ones that don’t send or receive email. Spammers will randomly pick domains and try to pretend to be that domain when sending their spam. You can make that spam fail if you set up the following DNS TXT records on the domains that have no outbound emailÃ¢â¬Â¦
yourdomain.com “v=spf1 -all”
That says reject email from all senders. (But you don’t stop thereÃ¢â¬Â¦)
*._domainkey.yourdomain.com “v=DKIM; p=”
That says use DKIM, but there is no encryption key, which will cause DKIM to always fail.
That says don’t just put the emails in the spam folder Ã¢â¬â reject them completely if they fail the following tests. Be strict about SPF. Be strict about DKIM. Send samples of emails that fail either the SPF or DKIM test to [email protected]. And send summary reports in XML format to [email protected].
Then, to receive the reports you’ll need this TXT record set up on youremaildomain.comÃ¢â¬Â¦
When all of that is set up you’ll start getting reports. While the XML reports are more-or-less human readable, you really need some sort of tool to use them properly. But the example emails are somewhat amusing. This morning I got a report of spam sent pretending to be from one of my domains. The subject was encoded, but when I finally figured out how to decode it it was “Unis pour demain avec -30 %”. But it’s nice to know that spam never got to its intended target.
Anyway, I hope all that helps someone. Before all this started I had set up SPF, and knew about DKIM, but didn’t know how to get DKIM set up, or anything about DMARC, and didn’t know all those things should be set up on domains with no email.