Mail Servers

SPF Records

SPF records are DNS TXT records that verify that the server that is sending outgoing email from your domain name is authorized.

Here's a basic example where any email sent out from the domain's A record is authorized. Otherwise, do a hard fail.

Using as an example, beandog.org:

v=spf1 a -all

Authorize only servers that have MX entries in DNS (such as mail.beandog.org), or in other words, for mail servers that receive incoming mail for that domain:

v=spf1 mx -all

Find the current MX servers using dig:

dig +short mx beandog.org
0 mail.beandog.org.

Allow a specific IP address to send mail:

v=spf1 ip4:208.111.40.179 -all

MX Records

To create DNS entries for an MX server, there are two parts: the A entry for the mail server, and the MX entry for the name assigned to the A entry.

This example uses a subdomain to set to the mail server. Even though it's not needed, it make using the exampler simpler.

First add an A address for mx.beandog.org assigned to IP 144.202.87.191.

Next, add an MX entry for entry @ and assign to mx.beandog.org with the priority at whatever number you'd like (0 or 10 is fine).

This approach allows an external server that may or may not have beandog.org as its main address send mail for your domain. By adding a DNS entry, and flagging its A address as allowed to send mail, the mx part of the SPF record will allow for that server to be authenticated.

DKIM

Use openssl to generate a private/public key pair (using here similar naming scheme to SSH so it makes more sense):

openssl genrsa -out dkim_rsa 1024
openssl rsa -in dkim_rsa -pubout -out dkim_rsa.pub

Here's an example of a private and public key pair:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/
ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysS
SqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB
AoGActPKuP9TRicMo1iYVEXsQzywUhqCGQ15ZzvJI+u22P0n+locQCdtcqhG9lZi
VimX/xFOA+BxeEMeT7JBtN1XHbZmWheWC1xxLoY/R9M7fLfpKYKYXtq4kf70h4Gi
PAgy05DJkXHSZhhlWZvCffC385DuIIaqYnW3DUZOyGvLdBECQQDcHJzUBjvFrI6j
8I+tvk4vIy5hcKgimnr+kYmTo2wBr54KWtTKX+Vq2zbXNCz+yJ/Zclxn+XDreLe6
ONqRgsbjAkEAyj8kxUwyd4AUuItCCLbqydSQ7pMOWmFjkt2v0H9+Do05moejK+sj
Wn1MF23eE2rv3wtQ18/v+sNOpo3IEtfitwJAVoptYrNcttikcHJ5mx8SkFftuWPY
x1ojd4lzJPgA1BzfL0UNGtBfXAb6ZdxewIHSz2S2Ti71pa8d1Xra/JEFbwJBALL4
EYfuF7KbyrpLsRGZHEeiLOaRh1//UmgCeLRePaSO4GyYnpIcr9pBinYpKR2xwbZ0
gwOW5FvZPN4yFNxn4h0CQBfaCVymFJM+hkwlCLwHxg0PUZChlHgSa/9AqPV1j3UU
kibarRT1Lfl8FY4XWeXMi+8pt3Nma2FuHFPY8+M5Y78=
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkV
AUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/e
E2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3r
ppeHeBixA2fcdrWSRQIDAQAB
-----END PUBLIC KEY-----

You'll need the pubkey string to add to a DNS TXT record:

grep -v "^-" dkim_rsa.pub | awk 1 ORS=''
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB

Choose a name selector to use in the DNS text record which will prefix the name ._domainkey. Here, the selector is named nx.

nx._domainkey.beandog.org

For the value of the TXT record, use DKIM version, the key type, and the public key string:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt5N5njq8VngIYr9S6KbIcfqkVAUdo2Bi7JoAa0G6TuOzCg73/ByfJzOZFaKlOLdihVfJy2LqaciMtseBJoXhMgH/eE2tLEXM3Sw4ub4PSXsXsYysSSqzFdberGaiRTDbavdTIDfpYmX8jyyP1Rg5j1S3rppeHeBixA2fcdrWSRQIDAQAB

Mail Tester

Mail Tester is a great site that you can send emails to and see how it is regarded by other mail servers. It will give recommendations on how to improve SPF records, DKIM signing, SpamAssassin results, etc.

You can use mailx to send email directly. When using it, set the From: address properly as it would be sent:

echo testing email | mail -r website@domain.com -s testing [mail-checker address]