I spent last week configuring an email server, specifically DKIM, SPF, Amavisd and Postfix, so that it would pass the various testing services.
When I was reviewing my message headers at a Gmail.com test account, it seemed Google wanted to see my server's IPv6 address in my SPF record.
The test address @port25.com wanted the same information. Here's how I got my server to pass...
Technical Background Info
1. CentOS 6.3 64 Bit
2. Followed HowToForge "Perfect Server for CentOS 6.3 64 Bit"
3. Followed HowToForge Installation for DKIM opendkim software for signing email messages
4. Using ISPConfig 3
5. Dedicated Server
6. Configured my PTR (or rdns) record for my mail server properly with hosting company and allowed time to propagate.
How to get your IPv6 address on your ISPconfig server?
IPv6 adoption is slowly growing, although most web hosting companies still rely on IPv4 addresses (of the form 184.108.40.206) for general operation.
Some hosts will leave an IPv6 record in your server's networking configuration files. On CentOS 6.3, try:
]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
The IPv6 address will be listed somewhere inside that file. It will be long and use the ":" symbol to separate its groups. Note that IPv6 addresses might appear in full in your server config (leading zeros and all) but abbreviated when Gmail (or any other mail service) reports on your server; both forms are the same address.
If you don't have an IPv6 address listed, contact your host to have one assigned or configured. Alternatively, you can convert your usual IPv4 address to an IPv6 address here (caution: do this at your own risk; when in doubt, let your network admin take care of this).
SPF Record Setup and DNS Configuration
ISPConfig 3 allows you to add a TXT record to use as your SPF record. Some verification services might complain that you don't have an actual SPF entry, but they will also check your domain's TXT records and evaluate them, too. If the TXT record is configured properly, you should be fine.
contains a complete digest of the SPF syntax, FAQs, and advice. In general, it is best to set up a minimal record that discourages spammers from accessing your system or spoofing your server. Additionally, Gmail seems to prefer a hardfail designation "-all" (at the end, without quotes) on your SPF record, as opposed to a "~all" softfail record.
Here's my server/domain's TXT record, using anonymous information where appropriate:
v=spf1 a mx ip4:220.127.116.11 ip6:111A:222A:3333:4444:0000:0000:0000:9494/128 include:anotherdomain.com -all
1. The order in which this information is presented matters. Don't put "v=spf1" anywhere except the beginning.
2. The "a" and "mx" mechanisms tell a service checking your SPF record that the hosts named in the domain's A record and MX records are authorized to send its email.
3. The ip4 address MUST be the address your server actually connects from when it sends mail for the domain; for simplicity this is typically your server's main IP.
4. The ip6 address MUST likewise be the IPv6 address your server actually sends from, as above with your ip4 address. Usually this is your server's main IPv6 address.
5. The "/128" at the end of the ip6 record is a prefix length: /128 covers exactly that one address, while a shorter prefix covers a whole range. Double-check with your host admin if you're not sure what IP allocation you have.
6. The "include:anotherdomain.com" mechanism is optional. I only used it because this allows my server to accept email from an external domain and relay it to the recipient address. You can read HowToForge's instructions for setting up a relay server here.
If you relay mail through myserver.mail.com from 123domain.com and an "include:123domain.com" record is NOT included in your TXT record for myserver.mail.com, some services may reject the email being relayed from 123domain.com.
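To see how a receiving server actually evaluates the record above, here is a small offline SPF evaluator written for this article (it is not part of the original post or of ISPConfig). It walks the mechanisms left to right, applies the +/-/~/? qualifiers, treats /128 as a single host, and matches the abbreviated IPv6 form against the long one; the A/MX hosts and the include: target's record come from a constructed FAKE_DNS table rather than real lookups.

```python
import ipaddress

# The TXT record from the article, verbatim.
PAGE_RECORD = ("v=spf1 a mx ip4:220.127.116.11 "
               "ip6:111A:222A:3333:4444:0000:0000:0000:9494/128 "
               "include:anotherdomain.com -all")

# Constructed stand-in for DNS: the domain's A/MX hosts and the SPF TXT
# records of any domain named in an include: mechanism.
FAKE_DNS = {
    "a": ["220.127.116.11"],
    "mx": ["220.127.116.11"],
    "txt": {"anotherdomain.com": "v=spf1 ip4:203.0.113.5 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _in_network(client, spec, default_prefix):
    # spec is "addr" or "addr/len"; a bare address gets the host prefix,
    # so ip6:...:9494/128 and ip6:...:9494 mean the same single host.
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    net = ipaddress.ip_network(spec, strict=False)
    return client.version == net.version and client in net

def evaluate_spf(record, client_ip, dns=None):
    """Return pass/fail/softfail/neutral/permerror for one connecting IP."""
    dns = dns or FAKE_DNS
    client = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"          # version tag must come first
    for term in terms[1:]:
        qualifier = "+"             # mechanisms default to "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _in_network(client, arg, 32)
        elif name == "ip6":
            matched = _in_network(client, arg, 128)
        elif name in ("a", "mx"):   # domain argument ignored in this toy
            matched = any(client == ipaddress.ip_address(h) for h in dns[name])
        elif name == "include":     # only a "pass" from the included record matches
            matched = evaluate_spf(dns["txt"][arg], client_ip, dns) == "pass"
        else:
            return "permerror"      # unknown mechanism (exp:/redirect= not modelled)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # RFC 7208 default when nothing matched
```

Swapping "-all" for "~all" in PAGE_RECORD turns the result for an unlisted sender from "fail" into "softfail", which is exactly the difference the text says Gmail cares about.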
Test your Configuration
I found a few reliable services for testing your email server, DKIM records, and SPF records.
First things first, do a general DNS test on your domain name at www.dnsstuff.com. If any red warnings are reported, it's best to fix these before testing your email server further. Allow time for any changes to your DNS to propagate, sometimes 20 minutes but possibly up to 24 hours.
Next, visit your ISPConfig 3 control panel and set up your email domain. Make sure to create firstname.lastname@example.org as mailboxes; email services sometimes check these to make sure someone in charge of the server will receive complaint and failure notices.
Now login to your SquirrelMail account, typically https://[serverip]/webmail
Compose a new message and send it to the following addresses:
1. Probably the best and most reliable email server testing service. Allow up to 20 minutes for a response, since it takes time to process your request. Port25 will also run a SpamAssassin test on your message and assign it a score. A negative or slightly positive score (up to 2 or so) means your email will usually be delivered without issues. A higher positive score (2-5) means you might have problems.
2. Less detailed than port25, but it will nonetheless indicate if you have any problems.
3. Visit www.brandonchecketts.com/emailtest.php. You'll be given a test email address that is active for a short time. Copy/paste the test email address given and send an email to it. Then return to the web page and click "get results" to see how your email was received. This is faster than port25 and detailed, but doesn't check IPv6 info (yet).
4. Visit www.appmaildev.com/en/dkim, which will guide you through testing your email server with Yahoo and Gmail. Like www.brandonchecketts.com, you can also test your server using a temporary email address supplied by the appmaildev.com website. Simply click "Next Step" at the top of the page to get a temporary address. You'll receive results in an email reply.
Final Advice and Troubleshooting
If your server isn't sending email, or the responses you receive from the testing services indicate severe problems, visit www.mxtoolbox.com to test your server's DNS, functionality, and SMTP port responses.
Most importantly, check your server's log files for errors. On CentOS:
]# vi /var/log/maillog
If your server is functioning correctly but the test services are giving you bad results, check whether your IP is on a blacklist. You can visit mxtoolbox.com for a quick test. Occasionally people who buy new dedicated servers inherit bad IPs from a previous owner. You can contact each blacklist and explain your situation to get removed. Many require that you configure a valid PTR (rDNS) record first!
Avoid sending constant test emails to Gmail, Yahoo, Live, or Hotmail if your server is not configured properly. Eventually these services will send your email to the SPAM box and might even blacklist your server. Use the email testing services BEFORE doing a live test with a web-based provider.
Allow time for your TXT records to propagate!
Set the refresh time in your ISPConfig DNS TXT record to 3600. This will update the record more frequently, but not too often. Test whether your SPF changes have gone live on the web at the Kitterman.com SPF Query Tool. Once your updated records are reported at this service and are valid, continue with other testing.