mail_server_checklist - cable.ayra.ch Help System

# E-Mail service checklist This is a checklist for E-Mail services. If you have trouble running your own or plan to run one, make sure you do the proper adjustments. Read this entire page and make sure you can arrange everything you need before starting. This documentation assumes that the server that sends E-Mails for your domain is also the server that receives E-mails. ## Domain Name You need a real domain name. This doesn't needs to be the domain you use in your E-Mail addresses, as long as you can set a few records (MX, A, AAAA, TXT), you are good to go. In this guide we use `ayra.ch` because it has a working setup. You should substitute it with your own domain. I had only moderate success with dynamic dns names. ## Static IP You need a static IP. Almost no provider will accept your E-Mail if it is not from a static address. Some will outright refuse the mail, some will mark it as spam. Static IPs are usually provided if you rent a server, or if you ask your local ISP for one. Your provider might charge you monthly for it. Let's assume we got `46.140.111.85` If possible, get a static IPv4 and IPv6 address. If you have to chose one, take an IPv4 address. This might change in the future but right now you have better success with the old version. ### Spam list check There are IP spam check services available on the internet. Before you continue, check your static IP against those lists. You don't know who owned it in the past or if it even is marked as being a static IP by your provider. Some pretend to give you a static IP when all they do is just binding a dynamic IP to your modem. Some domestic ISP providers have all their IP ranges in lists that disallow sending of E-mails, at least one in Switzerland does this. If you find yourself in that list, contact your ISP and sort it out. Some ISPs will outright refuse to allow their customers to run mail systems. In that case the easiest solution is to redirect the SMTP traffic through a data center or hosting the mail system there. Spam lists can cause issues that are hard to detect otherwise as these lists are not used by all servers. You can also have your mails marked as spam or outright refused if neighbouring IP addresses are bad actors or run certain services like a TOR exit node. In that case you can ask your ISP for a different address. ## Reverse DNS Name Tell your provider (the one that gave you the static IP) to set up a reverse DNS entry for your domain name. In our example, we tell them to use `host05.ayra.ch`. We configure that DNS name to point back to the IP. This will look like this: ![A and PTR record relationship](data/mail_dns_record.png) When chosing a hostname keep the number of digits low, avoid `static` and `dynamic` in the name. You can use any domain you have control over, regardless of the actual domain you want to use when sending mails. I recommend you use the domain you're most likely to keep the longest if you want to use the same mail server for multiple domains. ## Server Hostname Set your hostname properly. Ideally it's the same name as your PTR domain (`host05.ayra.ch`). It doesn't has to be however, and you can use a differet domain as long as it resolves to your IP address. Rule of thumb is that every name/IP the receiving server might encounter should eventually point to your static IP, or the name of its `PTR` record. You can check your domain + ip + server configuration here: [Mail service checker](https://cable.ayra.ch/mail/) ## EHLO hostname The first line in an SMTP connection that your server sends when delivering mails is `EHLO hostname`. Be sure you configure your E-Mail server to use a domain name that resolves to your static IP, preferrably the full name you defined for the reverse DNS entry. If you don't do this, your E-Mail server will try to detect its own name which can fail. In that case, some servers will reject your greeting or mark the message as spam. This is a common problem if your mail server operates from behind a NAT router as it will not see its own public IP address on the network interface. ## Port 25 Opening your own port 25 is recommended because it's generally assumed that a domain that sends E-Mails also receives them. This is important for delivery notifications for example. The receiving system might try to actually connect to your server to verify the SMTP greeting. Most mail servers allow you to configure the greeting, set it to `host05.ayra.ch Service ready`. There is no special requirement for the greeting, but some mail servers reject your message or treat it as spam if they can't find a domain name in the greeting that resolves back to your IP address. ## The postmaster address Some servers you send mails to will attempt to connect to your mail server and check if a `postmaster@yourdomain` address exists. This address is mandatory as per RFC 822 and must be case insensitive. "yourdomain" in this case is determined by the "MAIL FROM" SMTP command your server sends. You don't actually need to create a dedicated mailbox for this, but you can just alias it to your own mailbox or configure a forwarder. ## MX record The domain in the E-Mail address used in the SMTP `Mail From` command needs to have a working MX record. The MX record must point to the server that accepts mail for the domain you're trying to use in your MAIL FROM command. **Note**: MX records always point to DNS names, never to IP addresses. If you want that servers connect to a certain IP address to deliver mails to you, set up an A record that points to said IP and then use that name in the MX record. ## SPF The SPF record tells who is allowed to send mails for that domain and who isn't. If you send a mail from an `@ayra.ch` address, the receiving server will look up the SPF record of `ayra.ch`. If that record is not present at all, you are likely to get categorized as spam or have to endure greylisting. **Note**: The SPF record will not trick servers into accepting mails from dynamic IP addresses or from addresses without a proper reverse DNS entry. Configure your domain with an SPF record. This is a record of type `TXT`. Example: `v=spf1 a mx a:host05.ayra.ch -all`. This record is read by the server as follows: - `v=spf1`: identifies this record as SPF - `a`: The IP of the domain that has the TXT record (IP of `ayra.ch` in this case) is allowed to send E-Mails - `mx`: The servers in the MX records are allowed to send E-Mails - `a:host05.ayra.ch`: The IP of `host05.ayra.ch` is allowed to send E-Mails - `-all`: everybody else is not allowed to send E-Mails The plain `a` entry is useful if you host a website on that domain that needs to send E-Mails, for example with a contact form. The `mx` entry is useful if the servers that receive E-Mails can also send them. On small installations, this is usually the case. Entries that cause IP duplicates are not a problem. You risk getting flagged as spam if your record doesn't ends in `-all` or `~all`. The `-` means "reject", and the `~` means "mark as spam" and is intended for testing purposes only. To directly allow an entire IP subnet to send messages in your name, use CIDR notation: `ip4:46.140.111.80/28`. **Remember**: SPF records work on IP addresses. Once all names are resolved, the server has a list of addresses and checks if your current sending address is in there. If your server has multiple internet gateways, make sure either all addresses are allowed, or that you only send from one of them. ### SPF Test [You can test your SPF record here](https://cable.ayra.ch/SPF/). Simply enter an E-Mail address or domain you would like to send mails from and then check if your static IP appears anywhere in the output. Try entering the names of large corporations for example. # STOP The chapters below are "nice to have" but will not, or only marginally affect your chance of success. They're more about properly configuring your mail server. ## TLS Servers listed in the MX record should be configured with TLS certificates. This is completely free. The certificate should list the host name from the MX record. Adding a TLS certificate will have no effect on your spam rating but is highly recommended. Configure your server as follows: - Port 25 should accept unencrypted connections but offer the STARTTLS command to switch to an encrypted connection. - Port 465 should have implicit TLS enabled to encrypt from the beginning without the sender requesting it. *Not relevant to the spam rating but you should disable unencrypted authentication attempts when you offer TLS.* ## Greylisting Some servers will greylist your messages. This means they will reject all your messages with a temporary `4xx` error code the first time you send them. A properly implemented SMTP sender will attempt to resend the message after a while. If your server supports this kind of configuration, be sure you set the retry limit properly so your server retries at least once. If you can set the timeout for retries, don't set it lower than 1 minute but not higher than 5 minutes either. **Note**: The exact rules how you are greylisted vary by provider but some servers will only greylist you if you lack an SPF record, so be sure to set it up (see above). ## Encryption Configure your server to use encrypted connections if possible. This will not increase your chance of E-Mail delivery but prevents a malicious entity to read or change E-mails. You don't need a TLS certificate for sending, only for receiving messages (see "TLS" above). Some E-Mail providers will show somewhere if the E-Mail was encrypted or not. Google Mail for example will display a red lock if the sender did not use an encrypted connection. ## DKIM signing This will in no way improve your chances of sending mails successfully, but it prevents people from changing E-mails in transmission or on the destination server. DKIM signing is free to use and consists of a DNS entry and a key. **This will not encrypt E-Mails, only sign them** ### Private key However you generate the key, **don't lose access to it**. If you lose the key, you need to do the DKIM setup again with a new key. For key generation, you can use [this key generator](https://cable.ayra.ch/cryptomessage/keygen.php). It works entirely in your browser. You can also use any other application that can create PEM formatted keys, for example OpenSSL. 1. Generate a private and public RSA key. Go for 2048 bits. Shorter keys are insecure and longer keys might not fit your DNS record. You can try 4096 first if you want though. 2. Save the private key somewhere safe, your E-Mail server needs it. The key generator has an "Export Key" button for that. Before you enter a password, make sure your E-Mail server supports encrypted keys. 3. Configure your E-Mail server for DKIM signing. #### Configuration parameters Your server will likely want to know the signing algorithm. Use `SHA256`, the algorithm `SHA1` has been deprecated. If it asks for `Simple` or `Relaxed` mode, use `Relaxed`. Your server will also ask for a "selector". This has to be a valid DNS segment (essentially only lowercase letters and numbers). For simplicity, we chose `mail`. ### Public key The public key is displayed on the right side of the key generator. If you accidentally closed the generator, open it again and import your private key. 1. Copy everything without the header and footer line and paste into an empty text document. 2. Replace all line breaks with spaces so you end up with a single line 3. Put `k=rsa;p=` at the start of the line 4. Add a TXT record to your domain. The value is your long text line, the name is `mail._domainkey.ayra.ch` ("mail" is the selector you've chosen earlier) The record value will look something like this: k=rsa;p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBokQdbLVLXF3lHafZRolnm WMO15l/eTnEL6ymDRTSKAG8czf/djNzhBTfDr8vvHMXiYQAcGj4VqAjObNkq6uM+ euf60dY4QMtaqy3sgb/IToGm3UY9IErrZeLJ620QHiRFxxuMqK5ooyZeXUUWAKu0 Lvdt5AF/TrTEy3LEdW/VkzWyfhRJ7c0IDBaPEifsHuumSi4f/wJ/kpfjiLz4GbI5 k63Gv1a+TUyaPpHFiR7Uzryk9i08ok8yotRLTKL2tNa1k7HWA9YUKNSxljKw8Mfo cn8mZGRGJfO5/N3DmshvUeRaivKpFmEklpiveiunxVI9o+S+7ajnMNzwKtjA8Nmx AgMBAAE= ## Outgoing spam check It's a good idea to check outgoing E-mails for spam and viruses too and reject them yourself when spam is detected. This can help you in avoiding your domain being flagged as a spam domain if other people use your mail server. ## Flagged E-Mails If you feel like you did everything correct but your messages are still getting flagged for spam, try to get hold of a flagged message. You need the message from the recipient and not from your outgoing logs. Be aware that forwarding messages with the headers can be challenging for average users. The headers in the message will most likely contain entries added by the spam filter. You can check these entries for the reason why your message was marked. There will most likely be multiple lines. Each one mentions a reason and adds "points" to your message. Once a certain score is reached, the message is marked as spam. Many issues mentioned in those lines can be corrected by properly configuring your systems. Issues related to the text content of the E-mail need a reformatting of the message. Here are some tips for avoiding being marked as spam: For automated messages, be sure to provide an unsubscribe link. Make sure that the message size is not too large and doesn't contains large images. If your message contains text formatting, add an unformatted message part too. E-mail clients usually do this but some newsletter tools might not.