This tutorial will give you instructions about how you can configure a mail server on Linux (same works for other platforms) that will not be treated as a spam by major email providers.
This will not show you how to install the mail server and assumes that you have one already installed. For some tutorial on how to install a mail server check out these resources:
- How To Install and Setup Postfix on Ubuntu 14.04 (Digital Ocean)
- How To Run Your Own Mail Server with Mail-in-a-Box on Ubuntu 14.04 (Digital Ocean)
- You can also install VestaCP that has all of that included
- How To Install VestaCP and Set Up a Website on Ubuntu 14.04 (Digital Ocean)
Here is what we will be working with today:
- Linux server (an Ubuntu 14.04 VPS)
- Mail server
- Let’s Encrypt to get a free SSL certificate
- Domain name and registrar (I am using Freenom)
- Nameservers (I am using custom nameservers from afraid.org but your domain registrar NS would work the same)
- Mail-Tester to check the score of the mail server/messages
- MX Toolbox to check various things related to IP/Domain
- DKIM Core to generate DKIM records
- DMARC Deployment Tools to generate DMARC records
First we need to make sure our reverse DNS (rDNS) is set up correctly. is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.
Most of VPS providers such as AWS, Rackspace, DigitalOcean, and others allow you to set the reverse DNS in your account/VPS management area.
This value must be set to your domain name (hostname) that you will use for the mail server.
Once you make the change it can take sometime for the change to take effect, but usually it is done in a few minutes. To verify that the reverse DNS is set up properly use MX Toolbox reverse IP lookup
In this step we set up SSL certificate. The mail server must be using an trusted SSL certificate that means it cannot be self-signed. Usually this would cost about $10/yr for a CA-signed certificate, but thanks to the great Let’s Encrypt that makes this possible for free.
- If you are using Apache, use this tutorial to install letsencrypt command line and generate a certificate
- If you are using xginx, use this one
- Or you could just generate a certificate and manually configure mail server/web server/anything else to point to the generated cert file.
./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing
To verify that the certificate is installed properly, use MX Toolbox HTTPS Lookup
Now let’s set up the domain records. In this step you need to go to your domain registrar (or in my case to afraid since it is my custom NS)
Here are some help pages from the major registrars on how you can add/modify records:
Part 1: Testing server before making changes
Head to Mail-Tester to check your server. You will see a randomly generated email address that you must send a message to from your server.
If you have a web mail send the email from there, otherwise send it from command line or from a script, etc.
I have webmail installed so I sent it from there.
Once you send the email, check Mail-Tester score
A score less than 10/10 is not good enough, so now we need to fix that. Since the SSL certificate is set up properly and the reverse DNS resolve to our domain name, then the DomainKeys, DMARC (Domain-based Message Authentication, Reporting & Conformance), and SPF (Sender Policy Framework) records need to be set up correctly.
Part 2: Setting up A record and MX record
Make sure you have an A record for mail.example.com that points to the server’s IP address.
Make sure you have an MX record for example.com
Part 3: Setting up SPF
Mail-Tester will suggest a TXT record for SPF, but you can use the one in my example, just replace my IP address with yours
|verifye.ml (G)||TXT||“v=spf1 a mx ip4:18.104.22.168 ~all”|
Part 4: Generating and setting up DomainKeys records
To generate DKIM use DKIM Core, then copy the generated key and paste it in your TXT record
Now add the following record too
Part 5: Generating and setting up DMARC records
You can use DMARC Record Assistant or use my records below
Part 6: Test again
If necessary repeat test until you get to 10/10
Check out my VerifyEmail PHP Class that can validate emails by connecting to their mail servers
… and if you like this tutorial and the PHP class (or you are just awesome)