
DNS for Mail

Running a mail server such as OpenSMTPD requires the right DNS records. This guide assumes nsd has been configured as the authoritative name server for the zone example.com.

Add Records to the Zone File

Mail needs DNS records to function properly. First, every zone that receives mail needs to specify MX records. These records indicate which mail servers handle mail for the zone.

        3600    IN      MX      10 mail
mail    3600    IN      A       198.51.100.2
        3600    IN      AAAA    2001:db8::2
pop     3600    IN      A       198.51.100.2
        3600    IN      AAAA    2001:db8::2
imap    3600    IN      A       198.51.100.2
        3600    IN      AAAA    2001:db8::2
smtp    3600    IN      A       198.51.100.2
        3600    IN      AAAA    2001:db8::2

Remember, when a record has no owner name, it takes the owner name of the previous record. When no previous record defines one either, the owner name is $ORIGIN.

Line 1 defines the mail exchange (MX) record for example.com. When another mail server sends mail to the domain, it performs two DNS queries. First, it asks for the MX record of the destination domain (in this case, the MX record for example.com):

$ dig +short -t mx example.com
10 mail.example.com.

Here, the MX record for example.com points to mail.example.com with a preference value of 10. It is possible to have multiple MX records so that a second mail server can act as a backup if the first is unable to receive mail. Sending mail servers deliver first to the mail server with the lowest preference value and fall back to the others. In this example, since only one MX record exists, all mail goes to mail.example.com.

Once it has the MX record, the sending server queries the A and AAAA records of that mail server:

$ dig +short -t a mail.example.com
198.51.100.2

Having multiple MX records is highly recommended. OpenSMTPD can be configured to act as a backup mail server.

SPF record

For SPF, add a TXT record in the zone file similar to below:

        3600    IN      TXT     "v=spf1 mx -all"

This simple SPF record allows any mail exchange (MX) server of the domain to send mail for it, but no others.

DMARC records

For DMARC, add a TXT record in the zone file similar to below:

_dmarc  3600   IN      TXT     "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

This record requests reports on DKIM and SPF results but does not filter any mail (p=none). It is useful for diagnosing problems with a new configuration.
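As an added example, not part of this guide and not nsd or OpenSMTPD code, the following Python script applies the blank-owner rule from the zone file section to a constructed zone snippet, then reproduces the two lookups a sending server makes (MX records ordered by preference, then A/AAAA for each host) and reads off the SPF record and the DMARC policy. The second MX host "backup" and its address are assumptions; note that the SPF TXT line sits directly after the MX lines so that its blank owner resolves to the zone apex rather than to a host.

```python
ORIGIN = "example.com"
# Constructed sample zone in the shape of the records on this page (the "backup" host is made up).
ZONE = """\
        3600    IN      MX      10 mail
        3600    IN      MX      20 backup
        3600    IN      TXT     "v=spf1 mx -all"
mail    3600    IN      A       198.51.100.2
        3600    IN      AAAA    2001:db8::2
backup  3600    IN      A       198.51.100.3
_dmarc  3600    IN      TXT     "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com"
"""

def fqdn(name, origin):
    """Make a zone-file name absolute; '@' or an empty name means the origin."""
    if name in ("", "@"):
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples, applying the blank-owner rule."""
    records, owner = [], fqdn("@", origin)      # the first owner-less record belongs to $ORIGIN
    for line in filter(str.strip, text.splitlines()):
        tokens = line.split()
        if not line[0].isspace():               # a name in column 0 sets a new owner
            owner = fqdn(tokens.pop(0), origin)
        while tokens[0].isdigit() or tokens[0] == "IN":   # skip optional TTL and class
            tokens.pop(0)
        records.append((owner, tokens[0], " ".join(tokens[1:])))
    return records

def rdata(records, owner, rtype):
    return [r[2].strip('"') for r in records if r[0] == owner and r[1] == rtype]

def mx_targets(records, origin):
    """MX hosts of the zone, lowest preference first: the order senders try them."""
    pairs = (r.split() for r in rdata(records, fqdn("@", origin), "MX"))
    return sorted((int(pref), fqdn(host, origin)) for pref, host in pairs)

def mail_report(text, origin):
    """What a sender sees: MX order with addresses, the SPF record, the DMARC policy."""
    recs = parse_zone(text, origin)
    mx = [(p, h, rdata(recs, h, "A") + rdata(recs, h, "AAAA")) for p, h in mx_targets(recs, origin)]
    spf = [t for t in rdata(recs, fqdn("@", origin), "TXT") if t.startswith("v=spf1")]
    dmarc = [t for t in rdata(recs, fqdn("_dmarc", origin), "TXT") if t.startswith("v=DMARC1")]
    tags = dict(kv.split("=", 1) for kv in dmarc[0].replace(" ", "").split(";") if kv) if dmarc else {}
    return {"mx": mx, "spf": spf, "dmarc_policy": tags.get("p"), "dmarc_pct": tags.get("pct")}

if __name__ == "__main__":
    print(mail_report(ZONE, ORIGIN))
```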

DKIM records

OpenSMTPD must be configured to sign mail with DKIM, and the corresponding DNS TXT records must be added, like the ones below:

_adsp._domainkey   86400   IN      TXT     "dkim=discardable;"
mail._domainkey    86400   IN      TXT     "k=rsa; t=s; p=8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"

Whitelists

Some third-party whitelists exist that can improve a mail server's sending reputation. For example, dnswl is a DNS whitelist that is free of charge.