Mail server DNS records - setup and configuration explained

Captions
If you want to run a mail server on the public internet, you need to add a few records on your DNS server. Some DNS records are absolutely necessary to send and receive emails, but there are also some other ones that are recommended to build a good reputation. Why is that so important? Because spam emails are a really big problem on the internet, and most mail servers will just reject your emails if your mail server has a bad reputation. So in this video we talk about all the different DNS records. I will explain how they work and also come up with some examples of how I configured that on my own domain, thedigitallife.com. So if you want to know how to run a fully functional email server on the public internet, keep watching.

Hi everybody, my name is Christian and welcome to The Digital Life, the right place for you to start your IT career, achieve new skills and learn how to become a real IT professional. I always do great videos and free training courses, and I also do a lot of live streaming on YouTube and Twitch, so if that all sounds amazing to you, don't forget to subscribe to my channel.

In this video we want to talk about DNS records for your mail server and how to configure them at your DNS provider. I'm using GoDaddy as my DNS provider, so depending on what DNS provider you are using that can look different, but the DNS records should all work the same way. Let's jump right into the DNS configuration for your mail server.

We will start with the most simple DNS record, and this is an A record. I strongly recommend you to add an A record for your mail server that will resolve to its public IP address. This is very important, and we will have a look later at why; it is also absolutely necessary if your web server is on a different IP address than your mail server. When you add an A record to your DNS server you usually choose a name like mail or anything like this, and this will be added in front of your domain, so in my case this is mail.thedigitallife.com. This is also called the fully qualified domain name of your mail server, which will resolve to the public IP address, so everyone knows how to contact your mail server. If you want to set up an A record for your mail server, you just go to the home page of your DNS provider, in my case GoDaddy, and after login I select DNS, Manage Zones, and then I enter the name of my domain, in my case thedigitallife.com. If we scroll down we can see a list of all the different DNS records that are currently active. Of course I have added all the necessary records already, because otherwise I wouldn't be able to receive emails, but I will show you step by step how you would add those records yourself. If you want to create a new one, you just scroll down, click on Add and then select the type A record. Then you add the name, I would just recommend you to use mail, and then you enter the public IP address of your mail server. Click on Save and you should see the A record on top of that list.

The next DNS record we need to add is the MX record. That stands for mail exchanger, and it will tell anyone which mail server is responsible for that specific domain. Let me do a quick example. When you want to send an email to christian@thedigitallife.com, your mail server will first need to check what mail server is responsible for the domain thedigitallife.com. So your mail server will do a DNS lookup of the MX record on my DNS server, and that will tell it where a connection should be established to. The MX record on my DNS server will point to the A record of my mail server, which is the fully qualified domain name. Let me just show you how that works. To add a mail exchanger record, just click on Add and select the type MX. Then you need to add a host name, so this can be @, and this should point to the fully qualified domain name of your mail server, so this is the A record we have just created, in my case mail.thedigitallife.com. Now we need to add a priority. When you have different mail servers you can add a priority, so when one mail server is offline, for example, you can have a backup mail server. In my case I just choose 0 because I only have one mail server, and 0 is the highest priority. Just click on Save. Note it could take some time for your DNS settings to get updated, but now you should be able to receive emails.

But what about sending emails? Well, there's one particular DNS record that is absolutely necessary for sending emails, and this is the rDNS record. That stands for reverse DNS, and it's also sometimes called the PTR or pointer record. This is very important when you want to send emails, because most mail servers will perform a simple reverse DNS lookup as a simple anti-spam check. How does that work? Well, the reverse DNS lookup is what it sounds like: it is a DNS query, but just backwards. The receiving mail server will check if your IP address matches the fully qualified domain name of your mail server. If you don't have a matching rDNS record, that looks suspicious, so the receiving mail server will probably just reject your email and send you an error 554, or just drop that email silently. So we need to make sure you have set up your rDNS record correctly. Note this is not a record you need to set up at your DNS provider, because it is a reverse lookup on your IP address, so that typically needs to be added at the provider where you have hosted the public IP address of your server. In my case I'm hosting that on a VPS at a German hosting provider, so don't worry about the German here. What you need to take care of is the rDNS record here: this is the IPv4 address of my mail server, and the host name should be set to mail.thedigitallife.com. Remember, this is the A record that will resolve to the public IP address. So you have one DNS query that will resolve from the name to the IP address, and the rDNS record vice versa: the rDNS server will resolve from that IP address to this fully qualified domain name, and these two things need to match.

Okay, so we have now covered all the necessary DNS records for sending and receiving mail, so everything should work fine, right? Well, we are not finished yet, because there are a few DNS records you can add to improve the reputation of your mail server. As I said at the beginning, this is very important, because sometimes other mail servers will reject emails from servers with a bad reputation and they will not even send you an error message. So if you're missing those additional DNS records you cannot be sure that your mail is really received by the recipient. You need to take care of that, and we will cover three different DNS records that are recommended to build a good reputation.

Let's start with the first one, and this is the SPF record, also called Sender Policy Framework. Why do we need that? Well, the problem is that you can send an email with any domain in the envelope from, even if the domain doesn't belong to you. This is a very common method and it is called spoofing. It is used by attackers, spam mails and so on; they will try to send emails on behalf of your domain, and this can be a threat. The Sender Policy Framework is basically a TXT record on your DNS server that tells everybody which IP addresses or which hosts are allowed to send an email from your domain. This is a very common method, and many, many email servers will check that SPF record, and when they cannot validate that a message is allowed to be sent from your IP address they can just reject it. So we need to make sure that you add an SPF record at your DNS provider as well. Let's take a look at my SPF record, so this is this one here: this is a TXT record for the host @, and it starts with v=spf1. That tells us the protocol version, and this is mandatory; you need to set this exactly to this value. Then you type ip4: and then the public IP address of your mail server. This will tell everyone that this IP address, and only this IP address, is allowed to send emails on behalf of your domain. If you want to add an SPF record to your domain, you basically just click on Add, select the type TXT and then add this SPF record as the TXT value, so in my case this one here. Click on Save and you should be fine. Note you can add a few changes or adjustments to this SPF record that will tell the receiving mail server how to react when the SPF check fails. If you want to see all the different options, I've prepared a cheat sheet for all these different mail server DNS records; just have a look at the video description below and the link to my cheat sheet, and you will see all the different options for all the different DNS records, so you don't need to remember everything in this video.

SPF is a good method to protect against spoofing, but it has some limitations, so therefore we have another DNS record that is called DKIM, and that stands for DomainKeys Identified Mail. This is an advanced protection method, and it allows the receiving mail server to check if that email was indeed sent by the owner of this domain. When you add DKIM to your mail server, your mail server will add a digital signature to every email you send out. This digital signature contains a hash value that is encrypted with a private key, and the public key is stored as a DNS record at your DNS provider. So when the receiving mail server receives the email with your DKIM signature, that will tell the mail server where to look up the public key of this signature, and that can be used to verify if the DKIM signature is valid. This method effectively protects your domain against spoofing, and this is very important. To add a DKIM record to your mail server you need to do a few things. As I said, this is encrypted via a private key and validated via a public key, so you need to add a corresponding private and public key pair on your mail server. Your mail server will know the private key, and only your mail server, so don't share the private key with anyone, and the public key is added as a DNS record at your DNS provider. Adding DKIM keys in a mailcow server is pretty easy. If you don't know what a mailcow server is, well, I've lately made a video about setting up a mail server with mailcow dockerized on a Linux server in just about 10 minutes, so if you want to know that, check out the video. But you could also use a free DKIM generator on the public internet; I've put a link in the description below, so you could check out dkimcore.org. That will generate a DKIM private and public key for you, which you can copy to your mail server, and the public key you can add at your public DNS provider. If you are running a mailcow server, you just go to the web interface, go to Configuration, ARC/DKIM keys, and you can now add the DKIM key. You can see I've just added one key for the domain thedigitallife.com. This is a public key, and I can absolutely share it with you, because everyone can just look that up, and the public key is only for validating the DKIM signature, but the private key is actually stored on the mailcow server. If you want to generate a key pair on mailcow, you just go here and click on Add DKIM key, enter the name of your domain, and don't miss entering a correct selector. By default this is dkim, so don't forget that; this is very important, because what you enter here as a selector you need to enter on your public DNS server as well. Then I would recommend you to select a key length of 2048 bits and just click on Add. This will generate a key pair like this here, and you can just copy this value here. At your DNS provider you click on Add, click on TXT, and now you need to enter the host name beginning with the DKIM selector you have just used to create the private and public key pair, so in my case this is the default: dkim._domainkey. Then we can just paste the value we have just copied as the TXT value. This starts with v=DKIM1, so this is the version and this should always be DKIM1. Then we have the encryption method, so this is k=rsa, and this is the default. Then we have some other optional parameters you could also change if you want to do that; remember, if you want to know what all these different arguments mean, you can have a look at the cheat sheet in my written blog article. And then the p= identifies the public key, which everyone can just look up and use to verify your DKIM signature. Click on Save. I hope this was not too difficult. Well, it really depends on what mail server you are using. If you're not running mailcow and you don't have a graphical user interface, it probably could have been more difficult to add this DKIM key to your mail server, and this really depends on what software you are using, so I can just show you the easy method with mailcow, because I don't want to cover all the different mail servers that are out there. If you're not sure how to do that, you should just refer to the documentation of your mail server and check out how to add a DKIM key.

Last but not least we have the next record that is called the DMARC record, and that stands for, well, I need to look it up: Domain-based Message Authentication, Reporting and Conformance. Wow. This extends your SPF and DKIM records, so this will make sure that all your emails are protected with SPF and DKIM, and it will also tell the receiving mail server what to do with an email when those checks fail. To add a DMARC record, just click on Add, select the type TXT, and the host name should be _dmarc. Now you need to fill in the value: always start with v=DMARC1, and that always needs to be this value. Then enter p= and then you can choose from three different values: we have none, quarantine and reject, and that will tell the receiving mail server what it should do with an email that fails those SPF or DKIM checks. In case of quarantine, the receiving email server should quarantine the email that is failing those checks, but you could also choose none for do nothing, or reject, which will just reject the email. There are also some other optional arguments you could use to send daily reports or to set a specific percentage of suspicious mails the DMARC policy should apply to; you can find all the different options in my mail server DNS record cheat sheet.

Okay, so now you should be able to send and receive emails, and your domain should be protected against spoofing and other bad things. But we are not finished yet, because there are also some other DNS records that could be useful when you want to use email clients like Outlook or Thunderbird and they should be able to auto-discover the settings of your mail server, so you don't need to specify an IMAP server with a port number and so on. This is also done via some DNS records, and they are defined in an RFC standard, 6186 as I remember, and you will find a link to that standard in my written blog article. But this is not really so important, because I will show you all the different DNS records that are very important to enable those auto-discovery features on mail clients. If you want to add those auto-discovery DNS records, you need to add SRV records, and there are a bunch of different records that tell the email client where to look up the specific settings for your mail server, for example the IMAP setting: there you will define the fully qualified domain name of your IMAP server, the port number and so on. Those DNS records are defined in the RFC standard, but I also have added this one here, which is used by some Outlook clients, because Outlook is always a special thing, I think. If you want to add those SRV records, just click on Add, select the type SRV, and then you will need to start with the service. The service could be _smtps, _imap or _imaps; let's start with _imaps as an example. Then you will need to specify the protocol, and this should always be _tcp, because this is always a TCP connection. The name should be @, and the target should be the fully qualified domain name of your IMAPS server. The priority is 0 (there you could also add a priority for fallback servers and so on), the weight is 1, and the port number for IMAPS in this case is 993. Click on Save, and then you just need to continue with all the different records that are defined in the RFC standard. Remember, you find all of these things in my cheat sheet.

If you want to test if all your settings are correct, I can just recommend the tool MX Toolbox. This is a diagnostic tool where you can check a domain name, so for example let's just check thedigitallife.com and perform an MX lookup. This will automatically run some diagnostics and check if everything is working fine: this is mail.thedigitallife.com, this is the public IP address, the TTL value, the DMARC record is published, the DMARC policy is enabled and a DNS record is also found. You can also check other settings like the blacklist check, which will reveal if your mail server, or the IP address of your mail server, is on one of these blacklists. You could also do an SPF record lookup; let's check that, and if we perform that we can see there's our SPF record, v=spf1 with the IP address and -all, and this is set up correctly. MX Toolbox is a very useful tool, and I think it's absolutely necessary to check if your DNS records for your mail server are correct. It could also reveal some warnings or some things you could improve, like TTL values or something like that, and I don't want to cover too much in this video, because I think we have covered a lot.

I hope this helps you to configure your mail server and the DNS records for your mail server, and that you could understand some of the advanced techniques to protect your domain against spam and spoofing. So don't forget to hit the like button if you enjoyed this video, and if you have any questions you can also leave me a comment or just join my Discord community; there's a link in the video description below, check it out. Before I go I need to thank Mason, who is the producer of this show, and all my Patreon supporters, so without you, the community, this wouldn't be possible at all. Thanks everybody for watching, enjoy the rest of your day, take care of yourself, and I see you.
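As an added example (not code from the video, from mailcow or from MX Toolbox), the following Python checker applies the checks the video describes, the MX-to-A-to-PTR match and the required SPF, DKIM and DMARC values, to a constructed set of records; example.com, the dkim selector and the 203.0.113.25 address are placeholders standing in for real DNS answers.

```python
"""Offline checker for the mail DNS records from the video (added example, not the video's code).
ZONE is constructed sample data; example.com and 203.0.113.25 are placeholders."""

ZONE = {
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("example.com", "MX"): ["0 mail.example.com"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.25 -all"],
    ("dkim._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

def lookup(name, rtype, zone=ZONE):  # stand-in for a real DNS query
    return zone.get((name.rstrip(".").lower(), rtype), [])

def reverse_name(ipv4):  # in-addr.arpa name used for the PTR (rDNS) lookup
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def check_fcrdns(domain, zone=ZONE):
    """MX -> A -> PTR must lead back to the MX host: the two lookups have to match."""
    mx = lookup(domain, "MX", zone)
    if not mx:
        return ["no MX record"]
    host = mx[0].split()[1]  # single mail server with priority 0, as in the video
    addrs = lookup(host, "A", zone)
    if not addrs:
        return [f"MX target {host} has no A record"]
    problems = []
    for ip in addrs:
        ptr = lookup(reverse_name(ip), "PTR", zone)
        if host.lower() not in (p.lower() for p in ptr):
            problems.append(f"PTR for {ip} is {ptr or 'missing'}, expected {host}")
    return problems

def tags_of(name, version, zone=ZONE):
    """Parse a 'tag=value; ...' TXT record (DKIM, DMARC); {} if absent or wrong v=."""
    recs = lookup(name, "TXT", zone)
    tags = dict(t.strip().split("=", 1) for t in (recs[0] if recs else "").split(";") if "=" in t)
    return tags if tags.get("v") == version else {}

def check_spf(domain, zone=ZONE):
    spf = [t for t in lookup(domain, "TXT", zone) if t.startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    return [] if spf[0].split()[-1] in ("-all", "~all") else ["SPF should end with -all or ~all"]

def check_dkim(domain, selector, zone=ZONE):
    tags = tags_of(f"{selector}._domainkey.{domain}", "DKIM1", zone)
    return [] if tags.get("p") else ["DKIM record needs v=DKIM1 and a p= public key"]

def check_dmarc(domain, zone=ZONE):
    tags = tags_of(f"_dmarc.{domain}", "DMARC1", zone)
    ok = tags.get("p") in ("none", "quarantine", "reject")
    return [] if ok else ["DMARC record needs v=DMARC1 and p=none|quarantine|reject"]
```

Swap the `lookup` stand-in for real queries (for example `dig +short`) to run the same checks against a live domain; an empty list from each function means the record matches what the video sets up.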
Info
Channel: The Digital Life
Views: 24,541
Rating: 4.9188848 out of 5
Keywords: linux, python, cloud, networking
Id: o66UFsodUYo
Length: 18min 21sec (1101 seconds)
Published: Sun Sep 20 2020