Enhance email deliverability with a Reverse DNS and SPF record

A PTR (Pointer) record is crucial for a mail server as it establishes a Reverse DNS mapping, verifying the legitimacy of the server's IP address. This record is vital for email deliverability, preventing emails from being flagged as spam during Reverse DNS checks. It contributes to forward-confirmed Reverse DNS (FCrDNS), aligning forward and Reverse DNS entries to enhance server credibility. Servers lacking a valid PTR record may face rejection by other mail servers, impacting deliverability. Overall, a PTR record is a standard best practice, promoting trustworthiness and smooth email communication. Additionally, an SPF (Sender Policy Framework) record is essential for email deliverability, as it specifies authorized mail servers for a domain, preventing email spoofing and further bolstering the authenticity of outgoing emails.

This tutorial will guide you on how to install and configure a mail server and a PTR record using IONOS Cloud DNS API. The steps we will follow are:

  1. Set up a Dedicated Core server in IONOS Cloud.

  2. Create an A and MX record for your mail server.

  3. Install and configure mail server.

  4. Add a Reverse DNS record and SPF record for your mail server.

  5. Test the email deliverability.

Set up a Dedicated Core Server in IONOS Cloud

Note:

  • The user who creates the server has full root or administrator access rights. A server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after server restart at the operating system level.

  • The server will only be removed from your virtual data center once you delete it in the DCD.

To set up a Dedicated Core server in IONOS Cloud, follow these steps:

1. Create a Dedicated Core server and configure the server in the Settings tab by following the steps in Create a Dedicated Core Server.

2. Configure the server Network settings by following the steps in the Dedicated Core Server network settings.

3. Configure the server Storage settings by following the steps in the Dedicated Core Server storage settings.

4. Continue to provision the changes and start the Dedicated Core Server by following the steps in the Provision changes and starting the Dedicated Core Server.

Result: A Dedicated Core Server is set up and started along with the configuration of Settings, Network, and Storage setup.

Dedicated Core Server network settings

In the DCD > Inspector pane on the right, configure the following network details in the Network tab.

1. Name: Choose a name unique to this Virtual Data Center (VDC).

2. MAC: Assigned on VM creation.

3. LAN: Select the LAN connection that is connected to the internet, by default LAN 1.

4. Firewall: By default, the firewall is disabled. To enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for UDP and TCP.

5. IP Management: To reserve an IP for the server, click IP Management under Management in the top menu bar.

6. Click Reserve IP and a new pop-up window Reserve IP appears. Add a Name, Number of IPs and select a region that is the same as the region of your Dedicated Core server. Click Reserve IP to reserve the IP and confirm the reservation by pressing OK.

7. Exit the IP management window and return to the Network tab of your Dedicated Core Server.

8. In the IPv4 Configuration, click Add IP and select one of your reserved IPs.

Result: The Network settings for a Dedicated Core server are configured.

Dedicated Core Server storage settings

Warning: The storage type cannot be changed after provisioning.

In the DCD > Inspector pane on the right, configure the following storage details in the Storage tab.

1. Click SSD and a new pop-up window Create New Attached Storage appears.

2. Configure the following storage details:

  • Name: Enter a name that is unique within your VDC.

  • Availability Zone: Leave on "Auto".

  • Size in GB: Enter "50" which is sufficient for this tutorial.

  • Performance: Select "Standard".

  • Image: You can select one of IONOS images or snapshots, or use your own. For this tutorial, we will use an Ubuntu server image from IONOS. To make the same choice, select ubuntu-22.04-server-cloudimg-amd64 under IONOS Images.

  • Password: Create a password for the "root" user of the server. You will need this password to SSH and make changes.

  • SSH Keys: Select an SSH key stored in the SSH Key Manager.

  • Ad-hoc SSH Key: If you have not created an SSH key, copy and paste the public part of your SSH key into this field.

  • Cloud-Init user data: Leave on "No configuration".

  • Boot from Device: Select this checkbox to make the SSD drive bootable.

3. Click Create SSD Storage to create the SSD storage.

Result: The Storage settings for a Dedicated Core server are configured.

Provision changes and start the Dedicated Core Server

1. Select the newly created Dedicated Core server.

2. From the Settings tab in the Inspector pane, select Power > Start.

3. Click Provision Changes in the lower right corner and further click Provision Now.

Result: The Dedicated Core server is provisioned and started.

Next steps: After your changes are provisioned and the server is started, select your Dedicated Core server, click the Network tab in the Inspector pane and copy one of the IPv4 addresses.

Create an A and MX record for your mail server

1. Create an A record for demo-ionos.cloud using IONOS Cloud DNS API:

We already own the zone mail.demo-ionos.cloud and will use it for this tutorial. We previously created the zone demo-ionos.cloud using the IONOS Cloud DNS API. For more information on how to create a zone using the IONOS Cloud DNS API, refer to Create a zone using IONOS Cloud DNS API.

Replace <zone_id> with your zone id.

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "A",
    "content": "<your_server_ip>",
    "ttl": 60,
    "priority": 0,
    "enabled": true
  }
}'

For more information on how to create a record for a zone using IONOS Cloud DNS API, please refer to Create a record for a zone using IONOS Cloud DNS API. In the above example, make sure to use your own <zone_id> and <your_server_ip> along with your <authorization_token>.

2. Create an MX record for demo-ionos.cloud using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "MX",
    "content": "mail.demo-ionos.cloud",
    "ttl": 60,
    "priority": 10,
    "enabled": true
  }
}'

For more information on how to create a record for a zone using IONOS Cloud DNS API, please refer to Create a record for a zone using IONOS Cloud DNS API.

Install and configure mail server

1. Connect to your Dedicated Core server via SSH:

ssh root@<your_server_ip>

and make sure that you are executing the following commands as root.

sudo su -

2. Update the system:

apt update && sudo apt upgrade -y

If a kernel is updated it is suggested that you reboot the server.

systemctl reboot

3. Install Postfix:

apt install postfix

Follow the on-screen prompts to configure Postfix. Select Internet Site and enter the domain name of your mail server. In this tutorial, we use our domain mail.demo-ionos.cloud.

4. Install OpenDKIM:

apt install opendkim opendkim-tools

5. Generate OpenDKIM keys:

Execute the following commands to generate OpenDKIM keys for your domain and move them to the appropriate directory:

mkdir -p /etc/opendkim/keys/mail.demo-ionos.cloud &&
opendkim-genkey -t -s mail -d mail.demo-ionos.cloud &&
mv mail.private /etc/opendkim/keys/mail.demo-ionos.cloud/ &&
chown -R opendkim:opendkim /etc/opendkim/keys/mail.demo-ionos.cloud

Replace mail.demo-ionos.cloud with your domain name.

6. Edit the OpenDKIM configuration file:

vi /etc/opendkim.conf

Add or modify the following lines:

Domain                  mail.demo-ionos.cloud
KeyFile                 /etc/opendkim/keys/mail.demo-ionos.cloud/mail.private
Selector                mail
Socket                  inet:12301@localhost

Replace mail.demo-ionos.cloud with your domain name.

7. Install Postfix and Mailutils:

apt install postfix mailutils

Follow the on-screen prompts to configure Postfix. Select Internet Site and enter the domain name of your mail server, for example, demo-ionos.cloud.

7. Configure Postfix to use OpenDKIM:

vi /etc/postfix/main.cf

Modify the line containing the smtpd_banner setting to include the domain name of your mail server, for example, mail.demo-ionos.cloud. The line should look like this:

smtpd_banner = mail.demo-ionos.cloud ESMTP $mail_name (IONOS CloudDNS Mail)

and add the following lines at the end of the file:

# Add at the end of the file
# Enable OpenDKIM milter
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

and the complete /etc/postfix/main.cf file looks like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = mail.demo-ionos.cloud ESMTP $mail_name (IONOS CloudDNS Mail)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6



# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.demo-ionos.cloud, ubuntu, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Add at the end of the file
# Enable OpenDKIM milter
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

8. Restart services:

systemctl restart opendkim
systemctl restart postfix

9. Test the configuration:

echo "This is a test email" | mail -s "Test Email" -a "From: sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

Replace <your-email>@<your-domain> with your email address.

In your mailbox you should receive an email with the subject "Test Email" and the body "This is a test email" but it might be in the spam folder, depending on your email provider. In our case the email was in the spam folder with a note "Mail system could not verify that demo-ionos.cloud actually sent this message (and not a spammer)."

10. Check the mail log:

tail -f /var/log/mail.log

Add a Reverse DNS record and SPF record for your mail server

1. Create a PTR record for your mail server using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/reverserecords' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "mail.demo-ionos.cloud",
    "description": "The Reverse DNS record is used for mail.demo-ionos.cloud",
    "ip": "<your_server_ip>"
  }
}'

2. Create an SPF record for mail.demo-ionos.cloud using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "TXT",
    "content": "v=spf1 a:mail.demo-ionos.cloud -all",
    "ttl": 60,
    "enabled": true
  }
}
'

For your SPF record make sure that instead of mail.demo-ionos.cloud you use your own domain name.

After creating the PTR record and the SPF record, it might take around 10 minutes to propagate.

3. Test the email deliverability again:

echo "This is a test email" | mail -s "Test Email" -a "From:sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

Replace <your-email>@<your-domain> with your email address.
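
Before re-sending the test mail, the PTR and SPF records from steps 1 and 2 can be checked from a shell once they have propagated. The script below is an added example, not part of the IONOS documentation; the function names (norm_ip, fcrdns_ok, spf_verdict, live_check) and the script name are hypothetical, and it assumes dig is installed. It goes slightly beyond the IPv4 case by normalizing IPv6 addresses, so the same check also covers the IPv6 setup in the next section.

```bash
#!/usr/bin/env bash
# Added example, not part of the IONOS tutorial. The check functions take DNS
# answers as text, so they also work on saved `dig +short` output.

# Lowercase an address and drop leading zeros in IPv6 groups, so 2001:0db8::1
# (as typed) equals 2001:db8::1 (as dig prints it). Does not expand "::".
norm_ip() {
  printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed -E '/:/ s/(^|:)0+([0-9a-f])/\1\2/g'
}

# fcrdns_ok IP PTR_NAME FORWARD_ADDRS
# Succeeds only if a PTR name exists and its A/AAAA answers contain IP.
fcrdns_ok() {
  local ip addr
  ip=$(norm_ip "$1")
  if [ -z "$2" ]; then return 1; fi            # no reverse record at all
  for addr in $3; do
    if [ "$(norm_ip "$addr")" = "$ip" ]; then return 0; fi
  done
  return 1                                     # PTR exists, forward lookup disagrees
}

# spf_verdict TXT_ANSWERS  (the output of `dig +short TXT domain`)
# Prints none, multiple, ok (-all), softfail (~all) or open (anything else).
spf_verdict() {
  local recs count
  recs=$(printf '%s\n' "$1" | sed 's/" "//g; s/"//g' | tr 'A-Z' 'a-z' |
         grep -E '^v=spf1( |$)' || true)
  count=$(printf '%s\n' "$recs" | grep -c . || true)
  if [ "$count" -eq 0 ]; then echo none; return 0; fi
  if [ "$count" -gt 1 ]; then echo multiple; return 0; fi   # >1 record is an SPF permerror
  case "${recs##* }" in
    -all)   echo ok ;;
    "~all") echo softfail ;;
    *)      echo open ;;
  esac
}

# live_check IP DOMAIN: run both checks against real DNS (needs dig and network).
live_check() {
  local ptr fwd=""
  ptr=$(dig +short -x "$1" | head -n 1)
  if [ -n "$ptr" ]; then
    fwd=$(dig +short A "$ptr"; dig +short AAAA "$ptr")
  fi
  if fcrdns_ok "$1" "$ptr" "$fwd"; then echo "FCrDNS: pass ($ptr)"; else echo "FCrDNS: FAIL"; fi
  echo "SPF: $(spf_verdict "$(dig +short TXT "$2")")"
}

# Usage: ./check-mail-dns.sh <your_server_ip> <your_domain>
if [ "$#" -eq 2 ]; then live_check "$1" "$2"; fi
```

Pass the server IP and the domain used in the From address. A verdict of softfail or open means receivers are not told to reject unauthorized senders, and multiple means SPF evaluation ends in a permanent error.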

Switch to IPv6

After configuring your mail server to use IPv4, you can configure it to use IPv6.

For this to start working, you need to have an IPv6 address assigned to your server. First, remove the previously created A record that points to the IPv4 address of your server and the IPv4 PTR record.

1. Get the record id of the A record that points to the IPv4 address of your server using:

curl --location --request GET 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json'

2. Remove the A record that points to the IPv4 address of your server using:

curl --location --request DELETE 'https://dns.de-fra.ionos.com/zones/<zone_id>/records/<record_id>' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json'

3. Get the record id of the PTR record that points to the IPv4 address of your server using:

curl --location --request GET 'https://dns.de-fra.ionos.com/reverserecords' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json'

4. Remove the PTR record using:

curl --location --request DELETE 'https://dns.de-fra.ionos.com/reverserecords/<reverse_record_id>' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json'

5. Now SSH again to the server and confirm that the mail server is not working anymore using:

ssh root@<your_server_ip>
echo "This is a test email" | mail -s "Test Email" -a "From:sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

You can check the mail log using:

tail -f /var/log/mail.log

6. To enable IPv6 for your LAN, select the LAN connection connected to the internet, then select the IPv6 enabled option. Provision your changes.

7. After the changes are provisioned and IPv6 is enabled you can configure your NIC in the Network tab. Provide the following details:

  • Name: Choose a name that is unique to this Virtual Data Center (VDC).

  • MAC: The Media Access Control (MAC) address will be assigned automatically upon provisioning.

  • LAN: Select a LAN for which you want to configure the network.

  • Firewall: To activate the firewall, choose between Ingress / Egress / Bidirectional.

  • IPv4 Configuration: Provide the following details:

    • Primary IP: The primary IP address is automatically assigned by the IONOS DHCP server. You can, however, enter an IP address for manual assignment by selecting one of the reserved IPs from the drop-down list. Private IP addresses should be entered manually. The Network Interface Controller (NIC) has to be connected to the Internet.

    • Failover: If you have an HA setup including a failover configuration on your VMs, you can create and manage IP failover groups that support your High Availability (HA) setup.

    • Firewall: Configure the firewall.

    • DHCP: It is often necessary to run a Dynamic Host Configuration Protocol (DHCP) server in your VDC (e.g. Preboot Execution Environment (PXE) boot for fast rollout of VMs). If you use your own DHCP server, clear this checkbox so that your IPs are not reassigned by the IONOS DHCP server.

    • Add IP: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down menu.

  • IPv6 Configuration: Provide the following details:

    • NIC IPv6 CIDR: You can populate an IPv6 CIDR block with prefix length /80 or allow it to be automatically assigned from the VDC's allocated range by selecting PROVISION CHANGES. You can also choose one or more individual /128 IPs. Only the first IP is automatically allocated. The remaining IPs can be assigned as per your requirement. The maximum number of IPv6 IPs that can be allocated per NIC is 50.

    • DHCPv6: It is often necessary to run your own DHCPv6 server in your Virtual Data Center (VDC) (e.g. PXE boot for fast rollout of VMs). If you use your own DHCPv6 server, clear this checkbox so that your IPs are not reassigned by the IONOS DHCPv6 server.

    • Add IP: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down menu.

To create the PTR record, use the automatically assigned IPv6 address from the VDC's allocated range. Continue and select PROVISION CHANGES.

8. Create a PTR record for your mail server using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/reverserecords' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json' \
--data '{
    "properties": {
        "ip": "2001:0db8::1",
        "name": "mail.demo-ionos.cloud",
        "description": "IPv6 PTR record for mail.demo-ionos.cloud"
    }
}'

Replace 2001:0db8::1 with your own IPv6 address.

9. Create an AAAA record for mail.demo-ionos.cloud pointing to the IPv6 address that was assigned to your server:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json' \
--data '{
  "properties": {
    "name": "",
    "type": "AAAA",
    "content": "2001:0db8::1",
    "ttl": 60,
    "priority": 0,
    "enabled": true
  }
}'

Replace 2001:0db8::1 with your own IPv6 address.

10. Log in to the mail server using the new IPv6 address and test the email deliverability again using:

ssh root@2001:0db8::1

and send an email:

echo "This is a test email" | mail -s "Test Email" -a "From:sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

We can check the mail log using:

tail -f /var/log/mail.log
