Mail Delivery and Spam Prevention with DNS
In this article, we will teach you everything you need to securely set up your mail server through your DNS provider.
Contrary to popular belief, mail server set up requires much more than just an MX record. That is, if you want your domain to and mail server to be trusted by other mail servers.
These additional records make sure that only your web server can authoritatively send and receive mail for your domain. That means, no one else can pretend to be you!
Follow along and by the end, you will have effectively protected your domain and mail servers from appearing like spam and establish trust with other mail servers.
Step 1: Point your domain to your mail server
Your mail server is identified by it’s IP address. So we need to create an A record that maps our domain to your mail server’s IP.
You can name the record ‘mail’ or whatever you want. In this example, we will call our record ‘mail’ for our domain ‘yourdomain.com’. It will look something like this:
Step 2: Tell other mail servers where your mail server is
Mail servers use MX records to figure out where a domain’s mail server is located. This MX record will point to the A record we created in step 1.
You won’t need to name your MX record. Just enter the hostname of the record we created earlier:
For this example, we would point our MX record to mail.yourdomain.com, which in turn points to the IP address of our mail server.
Step 3: Point your mail server back to your domain
So far we’ve created two different records that point our domain to the IP of our mail server. Now we need to create a record that points our mail server back to our domain. This record is called a PTR record.
PTR records are used in reverse DNS lookups which are conducted by mail servers to make sure that the other mail server they are dealing with is who they say they are. Basically, this record tells other mail servers that the IP of our mail server is authoritative for sending and receiving mail for our domain.
First, you will need to contact your ISP and request a zone for your mail server’s IP address.
Your ISP will also need to delegate reverse DNS to your DNS provider. Much like your registrar delegates any requests for your DNS information to your DNS provider.
Create a new domain/zone with the information provided by the ISP. It will look something like this:
Within that zone, create a PTR record.
The name value of the PTR record will be the last octet of your mail server’s IP address. See example below:
You will point it to the hostname of the mail record we created in step 1, ie: mail.yourdomain.com. and append it with a dot.
Side note: Most mail servers don’t care where the PTR points to. They just want to see that the ISP has delegated the reverse DNS to your provider and that you have a PTR record for your delegated zone with the name of your IP address.
When a mail server receives a request from your domain’s mail servers, it will take the IP provided (of your mail server) and do a reverse DNS lookup to see if that IP’s zone points back to your domain.
Step 4: Prevent mail spoofing
Now we are going to create a special kind of record is only used by other mail servers that receive mail from your domain. This record will tell those servers to only trust mail coming from IP addresses and hostnames that you specify.
We will need to create an SPF record that contains our domain and the IP address of our mail server.
Learn how to create an SPF record in DNS Made Easy.
Step 5: Sign your mail
Now we need to add another security measure that will sign all outgoing mail with a cryptographic key. We’ll accomplish this with a DKIM (Domain Key) record.
Every time you send an email, it will contain an encrypted key that the receiving mail server will decrypt using a Public Key located in the DKIM record. This handshake allows the receiving mail server to verify that the email is actually being sent by that domain.
DKIM, like SPF and many other record types, are created using TXT records. TXT records are plain text records with a name and a value up to 255 characters.
For our DKIM record, we will need to name it ‘_domainkey’ and for the value. Some mail service providers will provide a name for you with a subdomain prepended to _domainkey, such as ‘something_domainkey’.
You will then enter your key in the record value. If you are using a mail service provider, such as MailChimp or SendGrid, they will provide you with a key.
Step 6: Prevent other senders from using your domain
Almost done! The last thing we need to do is create DMARC record that will log any fraudulent attempts to use our domain to send an email. We will store this in a TXT record with the name ‘_dmarc’.
First, you need to configure your DMARC record. This wizard will guide you through the steps to create your own DMARC value. Then copy and paste the result into a TXT record with the name ‘_dmarc’.
Wrap Up
Once you’ve completed all of the steps above, your domain will be secure and trusted by other mail servers. You should have no problem getting your mail delivered and rest easy knowing that no one can spoof your domain and send mail on your behalf.
Originally published at DNS Made Easy Blog.
