User Guides Developer Reference Support FAQs Log in

Enhance Email Deliverability with a Reverse DNS, SPF, and DKIM Record

A PTR record is crucial for email servers, establishing Reverse DNS mapping and verifying server IP legitimacy. It's vital for email deliverability, preventing spam flags and contributing to FCrDNS. Servers lacking PTR records may face rejection, impacting delivery. Additionally, SPF records specify authorized email servers, preventing spoofing. DKIM further authenticates outgoing emails, enhancing trust and communication.

This tutorial will guide you on how to install and configure a email server and a PTR, SPF and DKIM records using IONOS Cloud DNS API. The steps we will follow are:

  1. Reserve an IPv4 in your IONOS Cloud setup.

  2. Create an A and MX record for your email server. For information on common record types, see Create records of other types.

  3. Install and configure the email server on a Dedicated Core Server in the IONOS Cloud.

  4. Test the email deliverability from the Dedicated Core Server.

  5. Add a pointer record (PTR), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) record for your email server.

  6. Test the email deliverability after adding PTR, DKIM and SPF records.

Info:

  • Pointer Record (PTR): A type of DNS record that maps an IP address to a domain name, commonly used for reverse DNS lookups to verify the authenticity of the sender's domain.

  • DomainKeys Identified Mail (DKIM): A method for validating the authenticity of email messages by adding a digital signature to the email headers, allowing receiving servers to verify that the message has not been altered and comes from a legitimate sender.

  • Sender Policy Framework (SPF): A DNS-based email authentication protocol used to prevent email spoofing by specifying which IP addresses are allowed to send emails on behalf of a particular domain. This helps to detect and prevent email fraud.

  1. Switch to IPv6 and configure your email server to use IPv6.

Result: Email deliverability is achieved using reverse DNS, MX, A, DKIM, and SPF records for both IPv4 and IPv6.

Reserve an IPv4 in IONOS Cloud

To reserve an IPv4 in IONOS Cloud, follow these steps:

1. In the DCD, go to Menu > Management > IP Management.

2. In IP Management, click Reserve IPs, and a new pop-up window appears. Enter the following information:

  • Name: Enter a suitable name.

  • Number of IPs: Select the number of IP addresses to be reserved.

  • Region: Select a region that is the same as the region of your Dedicated Core server. Click Reserve IPs to reserve the IP addresses and confirm the reservation by selecting OK.

3. Exit the IP Management window and return to the IONOS Cloud Workspace.

Result: The IPv4 address is reserved.

Create an A and MX record for your email server

1. To create an A record for your email server, follow these steps:

Info: We already own the zone mail.demo-ionos.cloud and will use it for this tutorial. Previously, we have created a zone demo-ionos.cloud using the IONOS Cloud DNS API. For more information on how to create a zone using IONOS Cloud DNS API, see Create a zone using IONOS Cloud DNS API.

Prerequisite: Make sure to use your own <zone_id> and <your_server_ip> along with your <authorization token>.

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "A",
    "content": "<your_server_ip>",
    "ttl": 60,
    "priority": 0,
    "enabled": true
  }
}'

2. Create an MX record for demo-ionos.cloud using the IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "MX",
    "content": "mail.demo-ionos.cloud",
    "ttl": 60,
    "priority": 10,
    "enabled": true
  }
}'

Result: The IPv4 address is reserved.

Info: For more information on how to create a record for a zone using IONOS Cloud DNS API, see Create a record for a zone using IONOS Cloud DNS API.

Set up a Dedicated Core Server in IONOS Cloud

Note:

  • The user who creates the server has full root or administrator access rights. A server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after server restart at the operating system level.

  • The server will only be removed from your virtual data center once you delete it in the DCD.

To set up a Dedicated Core server in IONOS Cloud, follow these steps:

1. Create a Dedicated Core server and configure the server in the Settings tab by following the steps in Create a Dedicated Core Server.

2. Configure the server Network settings by following the steps in the Dedicated Core Server network settings.

3. Configure the server Storage settings by following the steps in the Dedicated Core Server storage settings.

4. Continue to provision the changes and start the Dedicated Core Server by following the steps in the Provision changes and starting the Dedicated Core Server.

Result: A Dedicated Core Server is set up and started along with the configuration of Settings, Network, and Storage setup.

Dedicated Core Server network settings

In the DCD > Inspector pane on the right, configure the following network details in the Network tab.

1. Name: Choose a name unique to this Virtual Data Center (VDC).

2. MAC: Assigned on VM creation.

3. LAN: Select the LAN connection that is connected to the internet, by default LAN 1.

4. Firewall: By default, the firewall is disabled. To enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for UDP and TCP.

5. In the IPv4 Configuration, click Add IP and select the same IP address that you used to create an A record.

Result: The Network settings for a Dedicated Core server are configured.

Dedicated Core Server storage settings

Warning: The storage type cannot be changed after provisioning.

In the DCD > Inspector pane on the right, configure the following storage details in the Storage tab.

1. Click SSD and a new pop-up window Create New Attached Storage appears.

2. Configure the following storage details:

  • Name: Enter a name that is unique within your VDC.

  • Availability Zone: Leave on "Auto".

  • Size in GB: Enter "20" which is sufficient for this tutorial.

  • Performance: Select "Standard".

  • Image: You can select one of IONOS images or snapshots, or use your own. For this tutorial, we will use an Ubuntu server image from IONOS. To make the same choice, select ubuntu-22.04-server-cloudimg-amd64 under IONOS Images.

  • Password: Create a password for the "root" user of the server. You will need this password to SSH and make changes.

  • SSH Keys: Select an SSH key stored in the SSH Key Manager.

  • Ad-hoc SSH Key: If you have not created an SSH key, copy and paste the public part of your SSH key into this field.

  • Cloud-Init user data: You can add the below Cloud-Init user data to your server. This will install Postfix, OpenDKIM, and OpenDKIM tools. Replace <your-email-domain> with your email domain.

#cloud-config

packages:
  - postfix
  - opendkim
  - opendkim-tools
  - mailutils

write_files:
  - path: /etc/postfix/main.cf
    content: |
      # Postfix configuration
      smtpd_banner = <your-email-domain> ESMTP $mail_name (IONOS CloudDNS Mail)
      biff = no
      append_dot_mydomain = no
      readme_directory = no
      compatibility_level = 3.6
      # TLS parameters
      smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_security_level=may
      smtp_tls_CApath=/etc/ssl/certs
      smtp_tls_security_level=may
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
      myhostname = ubuntu
      alias_maps = hash:/etc/aliases
      alias_database = hash:/etc/aliases
      myorigin = /etc/mailname
      mydestination = $myhostname, <your-email-domain>, ubuntu, localhost.localdomain, localhost
      relayhost =
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      mailbox_size_limit = 0
      recipient_delimiter = +
      inet_interfaces = all
      inet_protocols = all
      # Enable OpenDKIM milter
      milter_default_action = accept
      milter_protocol = 6
      smtpd_milters = inet:localhost:12301
      non_smtpd_milters = inet:localhost:12301

  - path: /etc/opendkim.conf
    content: |
      # OpenDKIM configuration
      Syslog                  yes
      SyslogSuccess           yes
      Canonicalization        relaxed/simple
      OversignHeaders         From
      Domain                  <your-email-domain>
      Selector                mail
      KeyFile                 /etc/opendkim/keys/<your-email-domain>/mail.private
      UserID                  opendkim
      UMask                   007
      Socket                  inet:12301@localhost
      PidFile                 /run/opendkim/opendkim.pid
      TrustAnchorFile         /usr/share/dns/root.key

  - path: /etc/cloud-init/opendkim-keys.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      mkdir -p /etc/opendkim/keys/<your-email-domain> &&
      opendkim-genkey -t -s mail -d <your-email-domain> &&
      mv mail.private /etc/opendkim/keys/<your-email-domain>/ &&
      chown -R opendkim:opendkim /etc/opendkim/keys/<your-email-domain> &&
      systemctl restart opendkim

  - path: /etc/mailname
    content: "<your-email-domain>"

runcmd:
  - sudo apt-get update
  - sudo apt-get install -y postfix opendkim opendkim-tools mailutils
  - sudo systemctl enable postfix opendkim
  - sudo systemctl start postfix
  - /etc/cloud-init/opendkim-keys.sh

  • Boot from Device: Select this checkbox to make the SSD drive bootable.

3. Click Create SSD Storage to create the SSD storage.

Result: The Storage settings for a Dedicated Core server are configured.

Provision changes and start the Dedicated Core Server

1. Select the newly created Dedicated Core server.

2. From the Settings tab in the Inspector pane, select Power > Start.

3. Click Provision Changes in the lower right corner and further click Provision Now.

Result: The Dedicated Core server is provisioned and started.

Next steps: After your changes are provisioned and the server is started, select your Dedicated Core server, click the Network tab in the Inspector pane and copy one of the IPv4 addresses.

Test email deliverability

Note: You can now connect to your Dedicated Core Server, and send a test email. The email might be marked as spam, depending on your email provider. At this point, you have configured only A and MX records.

1. Connect to your Dedicated Core Server via ssh:

ssh root@<your_server_ip>

2. Test the configuration using the following bash command:

echo "This is a test email" | mail -s "Test Email" -a "From: sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

Info: Replace <your-email>@<your-domain> with your email address.

You should receive an email titled Test Email containing the message This is a test email. However, depending on your email provider, the email might be redirected to your spam folder. For example, the email can be in the spam folder with a note Mail system could not verify that demo-ionos.cloud actually sent this message (and not a spammer).

3. Check the mail.log file to see the status of the email delivery:

tail -f /var/log/mail.log

4. Get the public key for the DKIM record:

Info: Public key for the DKIM record can be found in the /mail.txt file. This is necessary to create the DKIM record.

root@ubuntu:~# cat /mail.txt

The output should be similar to something like this:

mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; t=y; "
	  "p=MIIBIjANBgkdfdfwefweyQEFAAOCAQ8AMIIBCgKCAQEAvJk3SIlLNap0Mt9fMIKaTDKAUGykTrTyaFmFvJZ3KLMp2tFQqZE99HBeZMofACOaMBkT0ykGxf6MR8zJrvNQTGCDPVVqZjsph7514+HyHTK/rjvz3c2ysbq1JBFz8g6G9R5cLowjqsYp1jggPKmCapfi4QQdbSYEcYPj8+TCz2D8U9xpGdbwxtMO01vuQgFlqkfIWFm4mDH4vY"
	  "efBH4+O2ndr657j4oFsdcLptwpQLmEFlSpzcSn/K2OoPwbFGoaQomLC1lQiTFycGOe+wIVNTtMrVpyMEDQikzm1knIejivpwFEDAv7zOcPSRTHzU1L2ky7DAHquwhEUeYOwIDAQAB" )  ; ----- DKIM key mail for mail.demo-ionos.cloud

Here, you need to save the public key for the next step.

Result: You have tested email deliverability with A and MX records.

Add a Reverse DNS, DKIM and SPF record for your email server

1. Create a PTR record for your email server using the IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/reverserecords' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "mail.demo-ionos.cloud",
    "description": "The Reverse DNS record is used for mail.demo-ionos.cloud",
    "ip": "<your_server_ip>"
  }
}'

2. Create an SPF record for mail.demo-ionos.cloud using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "",
    "type": "TXT",
    "content": "v=spf1 a:mail.demo-ionos.cloud -all",
    "ttl": 60,
    "enabled": true
  }
}
'

Info:

  • For your SPF record make sure that instead of mail.demo-ionos.cloud you use your own domain name.

  • After creating the PTR record and the SPF record, it might take around 10 minutes to propagate.

3. Create a DomainKeys Identified Mail (DKIM) record for mail.demo-ionos.cloud using the IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Content-Type: application/json' \
--header 'Authorization Bearer <authorization_token>' \
--data '{
  "properties": {
    "name": "mail._domainkey",
    "type": "TXT",
    "content": "v=DKIM1; h=sha256; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvJk3SIlLNap0Mt9fMIKaTDKAUGykTrTyaFmFvJZ3KLMp2tFQqZE99HBeZMofACOaMBkT0ykGxf6MR8zJrvNQTGCDPVVqZjsph7514+HyHTK/rjvz3c2ysbq1JBFz8g6G9R5cLowjqsYp1jggPKmCapfi4QQdbSYEcYPj8+TCz2D8U9xpGdbwxtMO01vuQgFlqkfIWFm4mDH4vYefBH4+O2ndrBVh6C49mOptwpQLmEFlSpzcSn/K2OoPwbFGoaQomLC1lQiTFycGOe+wIVNTtMrVpyMEDQikzm1knIejivpwFEDAv7zOcPSRTHzU1L2ky7DV8RfPFwjNifSkezeYOwIDAQAB",
    "ttl": 6000,
    "enabled": true
  }
}
'

4. Test the email deliverability using the following bash command:

echo "This is a test email" | mail -s "Test Email" -a "From:sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

Result: You have created reverse DNS, SPF, and DKIM records for your email server and tested email deliverability.

Info: Replace <your-email>@<your-domain> with your email address.

Switch to IPv6

Once you have configured your email server to use IPv4, you can now configure your email server to use IPv6.

1. To enable IPv6 for your LAN, select the LAN connection connected to the internet, then select the IPv6 enabled option. Provision your changes.

2. After the changes are provisioned and IPv6 is enabled you can configure your NIC in the Network tab. Provide the following details:

  • Name: Your choice is recommended to be unique to this Virtual Data Center (VDC).

  • MAC: The Media Access Control (MAC) address will be assigned automatically upon provisioning.

  • LAN: Select a LAN for which you want to configure the network.

  • Firewall: To activate the firewall, choose between Ingress / Egress / Bidirectional.

  • IPv4 Configuration: Provide the following details:

    • Primary IP: The primary IP address is automatically assigned by the IONOS DHCP server. You can, however, enter an IP address for manual assignment by selecting one of the reserved IPs from the drop-down list. Private IP addresses should be entered manually. The Network Interface Controller (NIC) has to be connected to the Internet.

    • Failover: If you have an HA setup including a failover configuration on your VMs, you can create and manage IP failover groups that support your High Availability (HA) setup.

    • Firewall: Configure the firewall.

    • DHCP: It is often necessary to run a Dynamic Host Configuration Protocol (DHCP) server in your VDC (e.g. Preboot Execution Environment (PXE) boot for fast rollout of VMs). If you use your own DHCP server, clear this checkbox so that your IPs are not reassigned by the IONOS DHCP server.

    • Add IP: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down menu.

  • IPv6 Configuration: Provide the following details:

    • NIC IPv6 CIDR: You can populate an IPv6 CIDR block with prefix length /80 or allow it to be automatically assigned from the VDCs allocated range, by selecting PROVISION CHANGES. You can also choose 1 or more individual /128 IPs. Only the first IP is automatically allocated. The remaining IPs can be assigned as per your requirement. The maximum number of IPv6 IPs that can be allocated per NIC is 50.

    • DHCPv6: It is often necessary to run your own DHCPv6 server in your Virtual Data Center (VDC) (e.g. PXE boot for fast rollout of VMs). If you use your own DHCPv6 server, clear this checkbox so that your IPs are not reassigned by the IONOS DHCPv6 server.

    • Add IP: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down menu.

To create the PTR record, use the automatically assigned IPv6 address from the VDCs allocated range. Continue and select PROVISION CHANGES.

3. Create a PTR record for your mail server using IONOS Cloud DNS API:

curl --location 'https://dns.de-fra.ionos.com/reverserecords' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json' \
--data '{
    "properties": {
        "ip": "2001:0db8::1",
        "name": "mail.demo-ionos.cloud",
        "description": "IPv6 PTR record for mail.demo-ionos.cloud"
    }
}

Note: Replace 2001:0db8::1 with your own IPv6 address.

4. Create an AAAA record for mail.demo-ionos.cloud pointing to the IPv6 address that was assigned to your server:

curl --location 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json' \
--data '{
  "properties": {
    "name": "",
    "type": "AAAA",
    "content": "2001:0db8::1",
    "ttl": 60,
    "priority": 0,
    "enabled": true
  }
}

Note: Replace 2001:0db8::1 with your own IPv6 address.

5. You need to alter the SPF record to include the IPv6 address. To update the SPF record, you need to get <spf_record_id> using:

curl --location --request GET 'https://dns.de-fra.ionos.com/zones/<zone_id>/records' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json'

6. Update the SPF record to include the IPv6 address using:

curl --location --request PUT 'https://dns.de-fra.ionos.com/zones/<zone_id>/records/<spf_record_id>' \
--header 'Authorization: Bearer <authorization_token>' \
--header 'Content-Type: application/json' \
--data '{
  "properties": {
    "name": "",
    "type": "TXT",
    "content": "v=spf1 ip4:<IPv4 address of email server> ip6:<IPv6 address of email server> ~all",
    "ttl": 60,
    "enabled": true
  }
}'

Note: Replace <IPv4 address of email server> and <IPv6 address of email server> with IPv4 and IPv6 addresses of the email server.

7. Login to the email server using the new IPv6 address and test again the email deliverability using:

ssh root@2001:0db8::1

and send an email:

```bash
echo "This is a test email" | mail -s "Test Email" -a "From:sender@mail.demo-ionos.cloud" <your-email>@<your-domain>

8. We can check the mail.log using:

tail -f /var/log/mail.log

Result: You have switched from IPv4 to IPv6 and tested email deliverability.

PreviousSet Up a Secondary ZoneNextCross Connect

Last updated