====== Mail Servers ======

  * [[SendGrid]]
  * [[mailx]]
  * [[opendkim]]
  * [[postfix]]
  * [[sendmail]]
  * [[ssmtp]]

  * [[http://www.mail-tester.com/|Mail Tester]]
  * [[http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx|Sender ID Framework SPF Record Wizard]] - very nice interface to generate SPF DNS records.
  * [[http://www.openspf.org/FAQ/Common_mistakes|SPF Common Mistakes]]
  * [[http://www.openspf.org/Project_Overview|Sender Policy Framework - Project Overview]]
  * [[http://www.openspf.org/SPF_Record_Syntax|SPF Record Syntax]]
  * [[http://www.kitterman.com/spf/validate.html|SPF Query Tool]]
  * [[http://mxtoolbox.com/SuperTool.aspx|MX Toolbox]]
  * [[https://toolbox.googleapps.com/apps/checkmx/|Google Apps Toolbox: Check MX]]
  * [[https://support.google.com/a/answer/174125|Google Apps MX record values]]

=== SPF Records ===

SPF records are DNS ''TXT'' records that verify that the server that is sending outgoing email from your domain name is authorized.

Here's a basic example where any email sent out from the domain's A record is authorized. Otherwise, do a hard fail.

Using as an example, ''beandog.org'':

<code>
v=spf1 a -all
</code>

Authorize only servers that have MX entries in DNS (such as mail.beandog.org), or in other words, for mail servers that receive incoming mail for that domain:

<code>
v=spf1 mx -all
</code>

Find the current MX servers using dig:

<code>
dig +short mx beandog.org
0 mail.beandog.org.
</code>

Allow a specific IP address to send mail:

<code>
v=spf1 ip4:208.111.40.179 -all
</code>

=== MX Records ===

To create DNS entries for an MX server, there are two parts: the A entry for the mail server, and the MX entry for the name assigned to the A entry.

This example uses a subdomain to set to the mail server. Even though it's not needed, it make using the exampler simpler.

First add an A address for ''mx.beandog.org'' assigned to IP ''144.202.87.191''.

Next, add an MX entry for entry ''@'' and assign to ''mx.beandog.org'' with the priority at whatever number you'd like (0 or 10 is fine).

This approach allows an external server that may or may not have ''beandog.org'' as its main address send mail for your domain. By adding a DNS entry, and flagging its A address as allowed to send mail, the ''mx'' part of the SPF record will allow for that server to be authenticated.

=== DKIM ===

Use [[openssl]] to generate a private/public key pair (using here similar naming scheme to SSH so it makes more sense):

<code>
openssl genrsa -out dkim_rsa 1024
openssl rsa -in dkim_rsa -pubout -out dkim_rsa.pub
</code>

Here's **an example** of a private and public key pair:

<code>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/
ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysS
SqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB
AoGActPKuP9TRicMo1iYVEXsQzywUhqCGQ15ZzvJI+u22P0n+locQCdtcqhG9lZi
VimX/xFOA+BxeEMeT7JBtN1XHbZmWheWC1xxLoY/R9M7fLfpKYKYXtq4kf70h4Gi
PAgy05DJkXHSZhhlWZvCffC385DuIIaqYnW3DUZOyGvLdBECQQDcHJzUBjvFrI6j
8I+tvk4vIy5hcKgimnr+kYmTo2wBr54KWtTKX+Vq2zbXNCz+yJ/Zclxn+XDreLe6
ONqRgsbjAkEAyj8kxUwyd4AUuItCCLbqydSQ7pMOWmFjkt2v0H9+Do05moejK+sj
Wn1MF23eE2rv3wtQ18/v+sNOpo3IEtfitwJAVoptYrNcttikcHJ5mx8SkFftuWPY
x1ojd4lzJPgA1BzfL0UNGtBfXAb6ZdxewIHSz2S2Ti71pa8d1Xra/JEFbwJBALL4
EYfuF7KbyrpLsRGZHEeiLOaRh1//UmgCeLRePaSO4GyYnpIcr9pBinYpKR2xwbZ0
gwOW5FvZPN4yFNxn4h0CQBfaCVymFJM+hkwlCLwHxg0PUZChlHgSa/9AqPV1j3UU
kibarRT1Lfl8FY4XWeXMi+8pt3Nma2FuHFPY8+M5Y78=
-----END RSA PRIVATE KEY-----
</code>

<code>
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkV
AUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/e
E2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3r
ppeHeBixA2fcdrWSRQIDAQAB
-----END PUBLIC KEY-----
</code>

You'll need the pubkey string to add to a DNS TXT record:

<code>
grep -v "^-" dkim_rsa.pub | awk 1 ORS=''
</code>

<code>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB
</code>

Choose a name selector to use in the DNS text record which will prefix the name ''._domainkey''. Here, the selector is named ''nx''.

<code>
nx._domainkey.beandog.org
</code>

For the value of the TXT record, use DKIM version, the key type, and the public key string:

<code>
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB
</code>

=== Mail Tester ===

[[http://www.mail-tester.com/|Mail Tester]] is a great site that you can send emails to and see how it is regarded by other mail servers.  It will give recommendations on how to improve SPF records, DKIM signing, SpamAssassin results, etc.

You can use ''mailx'' to send email directly.  When using it, set the ''From:'' address properly as it would be sent:

<code>
echo testing email | mail -r website@domain.com -s testing [mail-checker address] 
</code>