How to configure a mail server

This tutorial shows how to configure a mail server on Linux (the same steps work on other platforms) so that major email providers do not treat its messages as spam.

It does not cover installing the mail server and assumes that you already have one installed. For tutorials on how to install a mail server, check out these resources:

Here is what we will be working with today:

  • Linux server (an Ubuntu 14.04 VPS)
  • Mail server
  • Let’s Encrypt to get a free SSL certificate
  • Domain name and registrar (I am using Freenom)
  • Nameservers (I am using custom nameservers from afraid.org but your domain registrar NS would work the same)
  • Mail-Tester to check the score of the mail server/messages
  • MX Toolbox to check various things related to IP/Domain
  • DKIM Core to generate DKIM records
  • DMARC Deployment Tools to generate DMARC records

Step one

First we need to make sure our reverse DNS (rDNS) is set up correctly. Reverse DNS is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

Most VPS providers, such as AWS, Rackspace, DigitalOcean, and others, allow you to set the reverse DNS in your account/VPS management area.

This value must be set to the domain name (hostname) that you will use for the mail server.

Once you make the change, it can take some time to take effect, but usually it is done in a few minutes. To verify that the reverse DNS is set up properly, use the MX Toolbox reverse IP lookup.
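The same check can be scripted. The following is an added example, not part of the original tutorial: it looks up the PTR record for the server's IP, compares it with the mail hostname, and confirms that the PTR name resolves back to the same IP (forward-confirmed reverse DNS). The function names are chosen for this example, and the IP address and hostname are passed on the command line.

```python
import ipaddress
import socket
import sys


def system_ptr(ip):
    """PTR lookup through the system resolver; [] when no record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """A/AAAA lookup through the system resolver; [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_rdns(ip, mail_host, ptr=system_ptr, forward=system_forward):
    """Return a list of problems; an empty list means rDNS is consistent."""
    ip = str(ipaddress.ip_address(ip))  # rejects malformed input
    want = mail_host.rstrip(".").lower()
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return [f"no PTR record for {ip}"]
    problems = []
    if want not in names:
        problems.append(f"PTR is {names}, expected {want}")
    # Forward-confirm: every PTR name must resolve back to the same address.
    for name in names:
        addrs = {str(ipaddress.ip_address(a)) for a in forward(name)}
        if ip not in addrs:
            problems.append(f"{name} does not resolve back to {ip}")
    return problems


if __name__ == "__main__":
    # usage: python3 check_rdns.py <server-ip> <mail-hostname>
    found = check_rdns(sys.argv[1], sys.argv[2])
    print("\n".join(found) if found else "rDNS OK")
```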

Step two

In this step we set up the SSL certificate. The mail server must use a trusted SSL certificate, which means it cannot be self-signed. Usually a CA-signed certificate would cost about $10/yr, but thanks to the great Let’s Encrypt this is possible for free.

  • If you are using Apache, use this tutorial to install the letsencrypt command-line client and generate a certificate
  • If you are using nginx, use this one
  • Or you could just generate a certificate and manually configure the mail server/web server/anything else to point to the generated cert file.
    ./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com

To verify that the certificate is installed properly, use the MX Toolbox HTTPS Lookup.


Step three

Now let’s set up the domain records. In this step you need to go to your domain registrar (or, in my case, to afraid.org, since it is my custom NS).

Here are some help pages from the major registrars on how you can add/modify records:

Part 1: Testing server before making changes

Head to Mail-Tester to check your server. You will see a randomly generated email address that you must send a message to from your server.

If you have webmail, send the email from there; otherwise send it from the command line, from a script, etc.

I have webmail installed so I sent it from there.

Once you send the email, check the Mail-Tester score.

A score less than 10/10 is not good enough, so now we need to fix that. Since the SSL certificate is set up properly and the reverse DNS resolves to our domain name, the DomainKeys, DMARC (Domain-based Message Authentication, Reporting & Conformance), and SPF (Sender Policy Framework) records are what need to be set up correctly.

Part 2: Setting up A record and MX record

Make sure you have an A record for mail.example.com that points to the server’s IP address.

Make sure you have an MX record for example.com.

Example:

verifye.ml (G) A 64.137.202.68
mail.verifye.ml (G) A 64.137.202.68
verifye.ml (G) MX 10:mail.verifye.ml

Part 3: Setting up SPF

Mail-Tester will suggest a TXT record for SPF, but you can use the one in my example; just replace my IP address with yours.

verifye.ml (G) TXT "v=spf1 a mx ip4:64.137.202.68 ~all"

Part 4: Generating and setting up DomainKeys records

To generate DKIM, use DKIM Core, then copy the generated key and paste it into your TXT record.

Example:

mail._domainkey.verifye.ml TXT "k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD…

Now add the following record too:

_domainkey.verifye.ml TXT "t=y; o=~;"

Part 5: Generating and setting up DMARC records

You can use DMARC Record Assistant or use my records below:

_dmarc.verifye.ml.verifye.ml TXT "v=DMARC1; p=none"
_dmarc.verifye.ml TXT "v=DMARC1; p=none"
mail._dmarc.verifye.ml TXT "v=DMARC1; p=none"

Part 6: Test again

If necessary, repeat the test until you get to 10/10.
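Between test runs, the TXT records from Parts 3 to 5 can be checked offline for the mistakes that most often cost points. This is an added example, not part of the original tutorial: it checks where each SPF, DKIM and DMARC record is published and what policy it states. The names `tags`, `lint` and `PAGE_RECORDS` are chosen here, and the truncated DKIM key is replaced by a placeholder.

```python
def tags(value):
    """Parse a DKIM/DMARC 'tag=value; tag=value' string into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def lint(domain, records):
    """records: (owner name, TXT value) pairs. Returns a list of findings."""
    out, seen = [], set()
    for name, value in records:
        name, terms = name.rstrip(".").lower(), value.split()
        if terms[:1] == ["v=spf1"]:
            seen.add("spf")
            last = terms[-1]
            if last.lstrip("+-~?") != "all":
                out.append(f"{name}: SPF should end with an 'all' term")
            elif last in ("all", "+all"):
                out.append(f"{name}: {last} authorises every sender")
            elif last in ("~all", "?all"):
                out.append(f"{name}: {last} marks other senders, does not reject")
        elif value.startswith("v=DMARC1") and name != f"_dmarc.{domain}":
            out.append(f"{name}: ignored, receivers query _dmarc.{domain}")
        elif value.startswith("v=DMARC1"):
            seen.add("dmarc")
            policy = tags(value)
            if policy.get("p") not in ("none", "quarantine", "reject"):
                out.append(f"{name}: p= must be none, quarantine or reject")
            elif policy["p"] == "none":
                out.append(f"{name}: p=none is monitoring only")
            if "rua" not in policy:
                out.append(f"{name}: no rua= address, so no aggregate reports")
        elif name.endswith(f"._domainkey.{domain}"):
            seen.add("dkim")
            if not tags(value).get("p"):
                out.append(f"{name}: empty or missing p= (no usable public key)")
    missing = [k for k in ("spf", "dkim", "dmarc") if k not in seen]
    return out + [f"{domain}: no {k} record found" for k in missing]


PAGE_RECORDS = [  # records from this tutorial; the DKIM key is a placeholder
    ("verifye.ml", "v=spf1 a mx ip4:64.137.202.68 ~all"),
    ("mail._domainkey.verifye.ml", "k=rsa;p=PLACEHOLDERKEY"),
    ("_dmarc.verifye.ml.verifye.ml", "v=DMARC1; p=none"),
    ("_dmarc.verifye.ml", "v=DMARC1; p=none"),
    ("mail._dmarc.verifye.ml", "v=DMARC1; p=none"),
]

if __name__ == "__main__":
    print("\n".join(lint("verifye.ml", PAGE_RECORDS)))
```

Run against the records shown in this tutorial, it reports that only `_dmarc.verifye.ml` is consulted by receivers; the other two DMARC names are never queried for this domain.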

Finally….

Check out my VerifyEmail PHP Class that can validate emails by connecting to their mail servers

VerifyEmail – PHP class to validate email address


8 thoughts on “How to configure a mail server”

  1. Hi!
    great article… what do you recommend for free and safe control panel for vpsDime?
    and could you make an article on how to configure a vps / server from zero with/without control panel.
    Thank you, your work really helped me and it’s enjoyable to read as well.
