00:00:00
If you want to run a mail server on the public internet, you need to add a few records on your DNS server. So there are some DNS records that are absolutely necessary to send and receive emails, but also some other ones that are recommended to build a good reputation. And why is that so important? Well, because spam emails are a really big problem on the internet, and most mail servers will just reject your emails if your mail server has a bad reputation. So in this video we talk about all the different DNS records. I will explain how they work and also come up with some examples of how I configured that on my own domain, thedigitallife.com. So if you want to know how to run a fully functional email server on the public internet, keep watching.
00:00:47
Hi everybody, my name is Christian and welcome to The Digital Life, the right place for you to start your IT career, achieve new skills and learn how to become a real IT professional. I always do great videos and free training courses. I also do a lot of live streaming on YouTube and Twitch, so if that all sounds amazing to you, don't forget to subscribe to my channel.
00:01:07
In this video we want to talk about DNS records for your mail server and how to configure them on your DNS provider. So I'm using GoDaddy as my DNS provider, so depending on what DNS provider you are using, that can look different, but the DNS records should all work the same way.
00:01:25
Let's jump right into the DNS configuration for your mail server, and we will start with the most simple DNS record, and this is an A record. So I strongly recommend you to add an A record for your mail server that will resolve to the public IP address, and this is very important; we will have a look at this later why. And this is also absolutely necessary if your web server is on a different IP address than your mail server. So when you add an A record to your DNS server, you usually choose a name like mail or anything like this, and this will be added in front of your domain. So in my case this is mail.thedigitallife.com, and this is also called the fully qualified domain name of your mail server, which will resolve to the public IP address, so everyone knows how to contact your mail server.

00:02:08
If you want to set up an A record for your mail server, you just go to the home page of your DNS provider, in my case this is GoDaddy, and after login I select DNS, Manage Zones, and then I will enter the name of my domain, in my case this is thedigitallife.com. And if we scroll down we can see a list of all the different DNS records that are currently active. So of course I have added all the necessary records already, because otherwise I wouldn't be able to receive emails, but I will show you step by step how you would add those records yourself. So if you want to create a new one, you just scroll down, click on Add and then select the type A record. Then you should add the name; I would just recommend you to use mail. And then you will need to enter the public IP address of your mail server, click on Save, and you should see the A record on top of that list here.
00:03:01
The next DNS record we need to add is the MX record. That stands for mail exchanger, and that will tell anyone which mail server is responsible for that specific domain. Let me do a quick example: so when you want to send an email to christian@thedigitallife.com, your mail server will first need to check what mail server is responsible for the domain thedigitallife.com. So your mail server will do a DNS lookup to the MX record on my DNS server, and that will tell you where a connection should be established to. So the MX record on my DNS server will point to the A record of my mail server, which is the fully qualified domain name.

00:03:38
So let me just show you how that works. To add a mail exchanger record, just click on Add and select the type MX. Then you need to add a host name, so this can be an @, and this should point to the fully qualified domain name of your mail server. So this is the A record we have just created, so in my case this is mail.thedigitallife.com. Now we need to add a priority. So when you have different mail servers you can add a priority, so when one mail server is offline, for example, you can have a backup mail server. So in my case I just choose zero because I only have one mail server, and 0 is the highest priority. Just click on Save. Note, it could take some time for your DNS settings to get updated, but now you should be able to receive emails.
00:04:23
But what about sending emails? Well, there's one particular DNS record that is absolutely necessary for sending emails, and this is the rDNS record. That stands for reverse DNS, and it's also sometimes called the PTR, for pointer resource record. And this is very important when you want to send emails, because most mail servers will perform a simple reverse DNS lookup to perform simple anti-spam checks. How does that work? Well, the reverse DNS lookup is what it sounds like: it is a DNS query, but just backward. So the receiving mail server will check if your IP address is matching to the fully qualified domain name of your mail server. If you don't have a matching rDNS record, that looks suspicious, so the receiving mail server will probably just reject your email and send you an error 554 with PTR, or just drop that email silently. So we need to make sure you have set up your rDNS record correctly.

00:05:19
Note, this is not a record you need to set up on your DNS provider, because it is a reverse lookup on your IP address, so that typically needs to be added on your provider where you have hosted the public IP address of your server. So in my case I'm hosting that on a VPS at a German hosting provider, so don't worry about the German here. So what you need to take care of is the rDNS record here, and this is the IPv4 address of my mail server, and the host name should be set to mail.thedigitallife.com. Remember, this is the A record that will resolve to the public IP address. So you have one DNS query that will resolve from the name to the IP address, and the rDNS record vice versa, so the rDNS server will resolve from that IP address to this fully qualified domain name, and these two things need to match, okay?
00:06:10
So we now have covered all the necessary DNS records for sending and receiving mail, so everything should work fine, right? Well, we are not finished yet, because there are a few DNS records you can add to improve the reputation of your mail server, and as I said at the beginning, this is very important, because sometimes other mail servers will reject emails from servers with a bad reputation, and they will not even send you an error message. So if you're missing those additional DNS records, you cannot be sure that your mail is really received by the recipient. So you need to take care of that, and we will cover three different DNS records that are recommended to build a good reputation. Let's start with the first one.
00:06:48
And this is the SPF record, also called Sender Policy Framework. Why do we need that? Well, the problem is that you can send an email with any domain in the envelope-from, even if the domain doesn't belong to you. So this is a very common method, and this is called spoofing. So that is used by attackers, spam mails and so on, so they will try to send emails on behalf of your domain, and this can be a threat. The Sender Policy Framework is basically a TXT record on your DNS server that tells everybody which IP addresses or which hosts are allowed to send an email from your domain. So this is a very common method, and many, many email servers will check that SPF record, and when they cannot validate that a message is allowed to be sent from your IP address, they can just reject that. So we need to make sure that you add an SPF record on your DNS provider as well.

00:07:39
Let's take a look at my SPF record, so this is this one here, and this is a TXT record for the host @, and this will start with v=spf1. So that tells us the protocol, and this is mandatory; you need to set this exactly to this name here. Then you type ip4: and then the public IP address of your mail server. So this will tell everyone that this IP address, and only this IP address, is allowed to send emails on behalf of your domain. So if you want to add an SPF record to your domain, you basically just click on Add, select the type TXT and then add this SPF record as a TXT value, so in my case this is this one here. Click on Save and you should be fine.

00:08:24
Note, you can add a few changes or adjustments to this SPF record, so that will tell the receiving mail server how to react when the SPF check fails. So if you want to see all the different options, I've prepared you a cheat sheet for all these different mail server DNS records. You can just have a look at the video description below and have a look at the link to my cheat sheet, and then you will see all the different options for all the different DNS records, so you don't need to remember everything in this video.
00:08:50
So SPF is a good method to protect against spoofing, but it has some limitations, so therefore we have another DNS record that is called DKIM, and that stands for DomainKeys Identified Mail. And this is an advanced protection method, and this allows the receiving mail server to check if that email was indeed sent by the owner of this domain. So when you add DKIM to your mail server, your mail server will add a digital signature to every email you send out, and this digital signature contains a hash value that is encrypted with a private key, and the public key is stored as a DNS record on your DNS provider. So when the receiving mail server receives the email with your DKIM signature, that will tell the mail server where to look up the public key of this signature, and that can be used to verify if the DKIM signature is valid. And this method effectively protects your domain against spoofing, and this is very important.
00:09:42
To add a DKIM record to your mail server, you need to do a few things. So as I said, this is encrypted via a private key and validated via a public key, so you need to add a corresponding private and public key pair on your mail server. Your mail server will know the private key, and only your mail server, so don't share the private key with anyone, and the public key is added as a DNS record on your DNS provider. Adding DKIM keys in a mailcow server is pretty easy. If you don't know what a mailcow server is, well, I've lately made a video about setting up a mail server with mailcow: dockerized on a Linux server in just about 10 minutes, so if you want to know that, check out the video. But you could also use a free DKIM generator on the public internet; I've put a link in the description below, so you could check out dkimcore.org. That will generate a DKIM private and public key for you; you can copy it on your mail server, and the public key you can add on your public DNS provider.
00:10:37
If you are running a mailcow server, you just go to the web interface, go to Configuration, ARC/DKIM keys, and you can now add the DKIM key. You can see I've just added one key for the domain thedigitallife.com. So this is a public key, and I can absolutely share it with you, because everyone can just look that up, and the public key is only for validating the DKIM signature, but the private key is actually stored on the mailcow server. If you want to generate a key pair on mailcow, you just go here and click on Add DKIM key, enter the name of your domain, and don't miss to enter a correct selector. So by default this is dkim, so don't forget that; this is very important: what you enter here as a selector you need to enter on your public DNS server as well. Then I would recommend you to select a key length of 2048 bits, and just click on Add. So this will generate a key pair like this here, and you can just copy this value here.

00:11:32
And on your DNS provider you click on Add, click on TXT, and now you need to enter the host name beginning with the DKIM selector you have just used to create the private and public key pair. So in my case this is the default: dkim._domainkey. And then we can just paste the value we have just copied as a TXT value. So this starts with v=DKIM1, so this is the version, and this should always be DKIM1. Then we have the encryption method, so this is rsa, and this is the default. Then we have some other optional parameters you could also change if you want to do that. Remember, if you want to know what all these different arguments mean, you can have a look at the cheat sheet on my written blog article. And then the p identifies the public key, so everyone can just look it up and use it to verify your DKIM signature.
00:12:26
Click on Save. So I hope this was not too difficult. Well, it really depends on what mail server you are using. If you're not running mailcow and you don't have a graphical user interface, well, it probably could have been more difficult to add this DKIM key to your mail server, and this is really depending on what software you are using. So I can just show you the easy method with mailcow, because I don't want to cover all these different mail servers that are out there. So if you're not sure how to do that, you should just refer to the documentation of your mail server and check out the documentation on how to add a DKIM key.
00:12:56
And last but not least, we have the next record that is called the DMARC record, and that stands for, well, I need to look it up: Domain-based Message Authentication, Reporting and Conformance. Wow. So this extends your SPF and DKIM record. So this will make sure that all your emails are protected with SPF and DKIM, and it will also tell the receiving mail server what to do with this email when those checks fail. To add a DMARC record, just click on Add, select the type TXT, and the host name should be _dmarc. And now you need to fill in the value, so always start with v=DMARC1, and that always needs to be this value. Then enter p= and then you can choose from three different values: we have none, quarantine and reject, and that will tell the receiving mail server what it should do with an email that fails those SPF or DKIM checks. So in case of quarantine, the receiving email server should quarantine the email that is failing those checks, but you could also choose none for do nothing, or reject, so that will just reject the email. There are also some other optional arguments you could use to send daily reports or a specific percentage of suspicious mails the DMARC policy should apply to. So you can find all the different options in my mail server DNS record cheat sheet.
00:14:19
Okay, so now you should be able to send and receive emails, and your domain should be protected against spoofing and other bad things. But we are not finished yet, because there are also some other DNS records that could be useful when you want to use email clients like Outlook or Thunderbird, and they should be able to auto-discover the settings of your mail server, so you don't need to specify an IMAP server with a port number and so on. So this is also done via some DNS records, and they are defined in an RFC standard, 6186 I remember, and you will find a link to that standard in my written blog article. But this is not really so important, because I will show you all the different DNS records that are very important to enable those auto-discovery features on mail clients.
00:15:02
So if you want to add those auto-discovery DNS records, you need to add those SRV records, and there are a bunch of different records that tell the email client where to look up the specific settings for your mail server, for example the IMAP setting. So there you will define the fully qualified domain name of your IMAP server, the port number and so on. So those DNS records are defined in the RFC standard, but I also have added this one here, so this is used by some Outlook clients, because Outlook is always a special thing, I think. If you want to add those SRV records, just click on Add, select the type SRV, and then you will need to start with the service. So the service could be _smtps, _imap or _imaps; let's start with imaps, for example. Then you will need to specify the protocol, so this should always be _tcp, because this is always a TCP connection. The name should be @, and the target should be the fully qualified domain name of your IMAPS server. The priority is zero, so there you could also add a priority for fallback servers and so on. The weight is one, and the port number for IMAPS in this case is 993. Click on Save, and then you just need to continue with all the different records that are defined in the RFC standards. Remember, you find all of these things in my cheat sheet.
00:16:21
If you want to test if all your settings are correct, I can just recommend you the tool MX Toolbox. So this is a diagnostic tool where you can check up a domain name. So for example, let's just check thedigitallife.com and let's perform an MX lookup. So this will automatically do some diagnostic settings and check if everything is working fine. So this is mail.thedigitallife.com, this is the public IP address, the TTL value, the DMARC record is published, the DMARC policy is enabled, and a DNS record is also found. You can also check other settings like the blacklist check, so that will reveal if your mail server or the IP address of your mail server is on one of these blacklists. You could also do an SPF record lookup; let's check that. And if we perform that, we can see there's our SPF record: spf1 with the IP address, -all, and this is set up correctly. So MX Toolbox is a very useful tool, and I think it's absolutely necessary to check if your DNS records are correct on your mail server. It also could reveal some warnings or some things you could improve, like TTL values or something like that, and I don't want to cover too much in this video, because I think we have covered a lot.
00:17:34
So I hope this helps you to configure your mail server and your DNS records for your mail server, and you could understand some of the advanced techniques on how to protect your domain against spam and spoofing. So don't forget to hit the like button if you enjoyed that video, and if you have any questions, you can also leave me a comment or just join my Discord community; a link is in the video description below, check it out. Before I go I need to thank Mason, who is the producer of this show, and all my Patreon supporters, so without you, the community, this wouldn't be possible at all.
00:18:05
So thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see

00:18:17
[Music]