Differences

This shows you the differences between two versions of the page.

email_protection_resources [2018/01/14 03:46]
Stephane de Labrusse [MX record]
email_protection_resources [2018/05/26 15:24] (current)
Dan Brown [How to configure it?] remove errant italics
Line 3: Line 3:
 The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc. The email server is a central communication hub for your company. It needs to be protected and secured against spam, but also you must be sure that your emails are correctly delivered to your recipients and not rejected or tagged as spam by other platforms like Google Apps, Outlook 365, etc.
  
-Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused.+Around an Email Server, you have always methods to verify the emails are not sent by a spam host, like SPF, DKIM, DMARC, rDNS: This is what we will talk. In all probability if you do not configure properly all of these authentication methods your email will be refused. For the impatient, they can check now and see what they have to configure: go to https://​www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured.
  
-For the impatientthey can check now and see what they have to configure: go to https://www.mail-tester.com and send an email to the address given (only three free tests per day). Think to remove your smarthost sender if you have one configured.+It is easy to install and create a mail server with nethserver, but you must configure ​the DNS zone of your domain name in the settings of your public DNS providerwe want to detail all the mandatory DNS recordsThis settings are really important it is likely the phone number of your serverAs a side note, the DNS is not relevant of the email server, it is used by all services which need to be reachable on internet.
  
 <WRAP center round important 60%> <WRAP center round important 60%>
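Review bot: In the paragraph added after the introduction (the one beginning "It is easy to install and create a mail server"), "the DNS is not relevant of the email server" reads as though DNS does not matter for mail, which contradicts "all the mandatory DNS records" earlier in the same paragraph. Suggest "DNS is not specific to the email server: every service that must be reachable from the internet depends on it". In the same paragraph "it is likely the phone number of your server" should read "they are like the phone number of your server", and the introductory sentence "This is what we will talk" is still missing "about".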
Line 38: Line 38:
 The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers. The purpose of DNS is to use easy to remember domain names for websites instead of their numeric IP addresses. It also enables website owners to change their web hosts without changing domain names. Website owners can simply change the DNS entry for their domain name and point to their new web host’s name servers.
  
-<WRAP center round todo 60%> +
-It is easy to install and create a mail server with nethserver, but you must configure the DNS zone of your domain name in the settings of your public DNS provider, we want to explain all the mandatory DNS records. ​  +
-</​WRAP>​ +
- +
 ===== DNS ===== ===== DNS =====
  
Line 58: Line 55:
 This is an example at 1&1 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines.png?​400|}} This is an example at 1&1 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines.png?​400|}}
  
-===How to check it===+===How to configure it ?=== 
 +ask to google 
 +<​file>​ 
 +set A record YourDnsProvider 
 +</​file>​ 
 + 
 +===How to check it ?===
  
 The domain must be tested The domain must be tested
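Review bot: The new "How to configure it ?" section consists only of "ask to google" and a file block holding "set A record YourDnsProvider", and a file block reads as something to type or paste into the zone. Say in words that this is a search phrase with the provider's name substituted, and put an actual record in the block, in the form the page already uses further down ("mail.domain.com A 12.34.56.78"). The new headings are also written without the spaces inside the markers that "==== How to check it ?====" has elsewhere in this revision.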
Line 74: Line 77:
 164.132.xxx.xxx 164.132.xxx.xxx
 </​file>​ </​file>​
 +
 === sub.domain.com === === sub.domain.com ===
  
-Nethserver creates several sub domain by default to be reached from outside or internally (check /​etc/​hosts),​ you have to declare them to your (external) public DNS provider and creates for each one a '​A'​ record with the internet IP of your server+Nethserver creates several sub domain by default to be reached from outside or internally (check /​etc/​hosts),​ you have to declare them to your (external) public DNS provider and creates for each one a '​A'​ record with the internet IP of your server. This is not relevant to your email server, but generally for all services running on your server and needing to be reachable on the internet.
  
 **At minimal you must create these sub.domains and set the '​A'​ records to the internet IP of your server** **At minimal you must create these sub.domains and set the '​A'​ records to the internet IP of your server**
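Review bot: The sentence appended to the sub-domain paragraph ("This is not relevant to your email server, but generally for all services ...") repeats the side note this revision also adds to the introduction, and it sits directly above the bold line telling readers which sub-domains they must create. Keep the remark in one place and word it as "not specific to the email server", so readers do not conclude that these A records can be skipped for mail.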
Line 99: Line 103:
  
 <​file>​ <​file>​
-mail.domain.com ​      ​A ​      ​12.34.56.78+prometheus.domain.com ​      A       ​12.34.56.78 
 +smtp.domain.com ​            ​A ​      ​12.34.56.78 
 +mail.domain.com ​            A       ​12.34.56.78
 </​file>​ </​file>​
  
-===How to check it===+===How to configure it ?=== 
 +ask to google 
 +<​file>​ 
 +set A record YourDnsProvider 
 +</​file>​ 
 + 
 +===How to check it ?===
  
 Each subdomain must be tested Each subdomain must be tested
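Review bot: The example block now lists "prometheus.domain.com" next to the smtp and mail names, but nothing in the visible text says what that name is for. If it stands for the server's own host name, say so; if it is only an illustration, note that each A record in the public zone should correspond to a service meant to be reached from the internet, which is the criterion the sub-domain paragraph already gives. The "How to configure it ?" block added below it is a verbatim copy of the one in the domain.com section; a single shared instruction would be easier to maintain.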
Line 140: Line 152:
 This is an example at 1&1 This is an example at 1&1
 {{::​screenshot-2018-1-13_1_1_gestion_des_domaines_1_.png?​400|}} {{::​screenshot-2018-1-13_1_1_gestion_des_domaines_1_.png?​400|}}
-===Examples of configuration===+===How to configure it ?===
 ask to google ask to google
 <​file>​ <​file>​
Line 146: Line 158:
 </​file>​ </​file>​
  
-===How to check it===+===How to check it ?===
  
   * Web tools   * Web tools
Line 192: Line 204:
  
  
-====How to check it====+====How to check it ?====
  
   * Web tools   * Web tools
Line 222: Line 234:
  
  
-====Examples of configuration====+====How to configure it ?====
 Ask to google Ask to google
  
 <​file>​ <​file>​
-PTR record YourIpProvider+set PTR record YourIpProvider
 </​file>​ </​file>​
  
-====How to check it====+====How to check it ?====
  
   * Web tools   * Web tools
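Review bot: "set PTR record YourIpProvider" is still a search phrase inside a file block, and the added "set" makes it look more like a command. State that the PTR record is created by whoever controls the IP address (the hosting or access provider), not in the domain's own zone, and that the name it returns should be the mail server's host name, whose A record points back to the same IP.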
Line 286: Line 298:
 If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends. Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct. ​ If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends. Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct. ​
  
-====Examples of configuration====+====How to configure it ?====
   * [[https://​www.mail-tester.com/​spf/​|mail-tester.com]]   * [[https://​www.mail-tester.com/​spf/​|mail-tester.com]]
   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]
  
-====How to check it====+====How to check it ?====
   * Web tools   * Web tools
 https://​mxtoolbox.com/​spf.aspx https://​mxtoolbox.com/​spf.aspx
Line 316: Line 328:
 Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public DNS provider. Dkim is really simple with NethServer, go to the email panel and allow DKIM in the setting of your domain, then retrieve the digital key of this domain. Then this key must be saved in a **TXT record** in your (external) public DNS provider.
  
-DKIM needs to be configured in the public DNS. You must create a **TXT** record '​default._domainkey'​ or '​default._domainkey.domain.com'​ in the DNS zone of your provider. **Your DKIM selector is default**+DKIM needs to be configured in the public DNS. You must create a **TXT** record '%%default._domainkey%%' or '%%default._domainkey.domain.com%%' in the DNS zone of your provider. **Your DKIM selector is default**
  
 <​file>​ <​file>​
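Review bot: The changed DKIM line offers "default._domainkey" and "default._domainkey.domain.com" as alternatives without saying when each applies. Add that the short form is for provider panels that append the zone name automatically and the full form is for panels that expect the complete name, since entering the wrong one creates the key under a name that verifiers will not query.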
Line 325: Line 337:
 {{::​screenshot-2017-12-30_1_1_gestion_des_domaines_1_.png?​900|}} {{::​screenshot-2017-12-30_1_1_gestion_des_domaines_1_.png?​900|}}
  
-====Examples of configuration====+====How to configure it ?====
   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]   * [[https://​support.smtp2go.com/​hc/​en-gb/​sections/​205104687-SPF-DKIM-Setup-Guides|smtp2go.com]]
-====How to check it====+====How to check it ?====
   * Web tools   * Web tools
 https://​mxtoolbox.com/​dkim.aspx https://​mxtoolbox.com/​dkim.aspx
Line 365: Line 377:
 </​file>​ </​file>​
  
-==== How to check it ====+Here's a more complex DMARC entry for the test domain DMARC site: 
 + 
 +<​file>​ 
 +v=DMARC1; p=quarantine;​ rua=mailto:​reports@dmarc.site;​ ruf=mailto:​reports@dmarc.site;​ adkim=r; aspf=r; rf=afrf 
 +</​file>​ 
 + 
 +  * The "​p"​ option has three options: none, quarantine, or reject, for how email that violates policies should be handled 
 +  * The adkim and aspf options define how strictly DKIM and SPF policy should be applied, with '​s'​ indicating strict and '​r'​ indicating relaxed 
 +  * The RUA provides an address for aggregate data reports, while the RUF provides an address for forensic reports 
 +==== How to check it ?====
   * Web tools   * Web tools
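Review bot: The added example sends both "rua" and "ruf" to reports@dmarc.site, so a reader who pastes it unchanged directs the aggregate and forensic reports for their own domain to a third party; say explicitly that both addresses must be replaced with a mailbox the reader controls. The second bullet describes "adkim" and "aspf" as how strictly DKIM and SPF policy is applied, but they set the alignment mode, that is, how closely the DKIM signing domain and the SPF-checked domain must match the From domain. "rf=afrf" appears in the record with no bullet explaining it, and the bullet list runs straight into the next heading without a blank line.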