This tutorial will give you instructions about how you can configure a mail server on Linux (same works for other platforms) that will not be treated as a spam by major email providers.

This will not show you how to install the mail server and assumes that you have one already installed. For some tutorial on how to install a mail server check out these resources:

Here is what we will be working with today:

  • Linux server (an Ubuntu 14.04 VPS)
  • Mail server
  • Let’s Encrypt to get a free SSL certificate
  • Domain name and registrar (I am using Freenom)
  • Nameservers (I am using custom nameservers from but your domain registrar NS would work the same)
  • Mail-Tester to check the score of the mail server/messages
  • MX Toolbox to check various things related to IP/Domain
  • DKIM Core to generate DKIM records
  • DMARC Deployment Tools to generate DMARC records


First we need to make sure our reverse DNS (rDNS) is set up correctly. is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

Most of VPS providers such as AWS, Rackspace, DigitalOcean, and others allow you to set the reverse DNS in your account/VPS management area.

This value must be set to your domain name (hostname) that you will use for the mail server.

Once you make the change it can take sometime for the change to take effect, but usually it is done in a few minutes. To verify that the reverse DNS is set up properly use MX Toolbox reverse IP lookup


In this step we set up SSL certificate. The mail server must be using an trusted SSL certificate that means it cannot be self-signed. Usually this would cost about $10/yr for a CA-signed certificate, but thanks to the great Let’s Encrypt that makes this possible for free.

  • If you are using Apache, use this tutorial to install letsencrypt command line and generate a certificate
  • If you are using xginx, use this one
  • Or you could just generate a certificate and manually configure mail server/web server/anything else to point to the generated cert file.
 ./letsencrypt-auto certonly --webroot -w /var/www/example -d -d -w /var/www/thing


Now let’s set up the domain records. In this step you need to go to your domain registrar (or in my case to afraid since it is my custom NS)

Here are some help pages from the major registrars on how you can add/modify records:

Part 1: Testing server before making changes

Head to Mail-Tester to check your server. You will see a randomly generated email address that you must send a message to from your server.

If you have a web mail send the email from there, otherwise send it from command line or from a script, etc.

I have webmail installed so I sent it from there.

Once you send the email, check Mail-Tester score

A score less than 10/10 is not good enough, so now we need to fix that. Since the SSL certificate is set up properly and the reverse DNS resolve to our domain name, then the DomainKeys, DMARC (Domain-based Message Authentication, Reporting & Conformance), and SPF (Sender Policy Framework) records need to be set up correctly.

Part 2: Setting up A record and MX record

Make sure you have an A record for that points to the server’s IP address.

Make sure you have an MX record for
example: (G)		A (G)	A (G)		MX

Part 3: Setting up SPF

Mail-Tester will suggest a TXT record for SPF, but you can use the one in my example, just replace my IP address with yours (G)	TXT	“v=spf1 a mx ip4: ~all”

Part 4: Generating and setting up DomainKeys records

To generate DKIM use DKIM Core, then copy the generated key and paste it in your TXT record


Now add the following record too	TXT	“t=y; o=~;”

Part 5: Generating and setting up DMARC records

You can use DMARC Record Assistant or use my records below	TXT	“v=DMARC1; p=none”		TXT	“v=DMARC1; p=none”		TXT	“v=DMARC1; p=none”

Part 6: Test again

If necessary repeat test until you get to 10/10