How do I configure DNS records for a mail server?
Purpose
Various types of DNS records are essential for a mail server. To ensure the smooth exchange of emails and keep the good reputation of your mail server, this article will guide you through how to set up each type of DNS record.
Resolution
How DNS works with a mail server
DNS stands for "Domain Name System". It is the system that resolves the domain names of Internet servers to their underlying IP addresses.
For smooth email communication, it's essential to configure the DNS MX and A records so that other mail servers can reach your server over the Internet. There are also DNS records such as SPF, DKIM, DMARC, and TLSA for authentication, which help protect against spam and identity theft.
Once you have obtained a domain name for your mail server from a DNS service provider, you can set up all these records through the domain's DNS server.
A record
An A record or address record maps a domain or a subdomain to its IP address. It allows end users to type in a human-readable domain name while the computer can process the IP address behind it.
Please point the A record to the IP address of your Synology NAS.
See the image below for an example:
MX record
An MX record or mail exchanger record specifies which mail servers accept emails on behalf of a domain, and therefore where emails sent to your domain are routed over SMTP (Simple Mail Transfer Protocol).
Each MX record contains a hostname and a priority. The hostname indicates where emails should be delivered, while the priority number indicates the order in which mail servers should be used. A lower number indicates a higher priority.
To make sure an email address like "alex@example.com" works, you have to set up an MX record for the domain "example.com" as shown in the image below:
SPF record
An SPF record or sender policy framework record helps prevent email spoofing by specifying the servers that are allowed to send emails on behalf of a domain.
A basic SPF record is a TXT record that includes the tags and values as shown in the following table. For more information on SPF record syntax, please visit this website.
| Tag | Value | Example |
|---|---|---|
| v | SPF version. For now, please use version "spf1". | v=spf1 |
| ip4 | Authorized mail server's IP address. This must be an IPv4 address or a CIDR range. | ip4:your mail server's IP address |
| all | This value defines whether receiving servers should reject messages from unauthorized senders. The qualifier in front of it ("-", "~", "?" or "+") decides the result for senders that matched no earlier mechanism. | -all |
Following the format above, if the domain name is "example.com" with the IP address being "93.184.216.34", the SPF record could be:
- Name:
example.com
- Information:
v=spf1 ip4:93.184.216.34 -all
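To show how a receiving server applies a record like the one above, here is an added example (not Synology code) that evaluates a sender IP against a basic SPF record. It implements only the two mechanisms the table lists, `ip4` and `all`, with the four qualifiers; it does not do `include`, `a`, `mx`, `redirect` or any DNS lookups, so it is not a full RFC 7208 evaluator. The records and sender addresses are constructed around the article's "example.com" / 93.184.216.34 values.

```python
"""Evaluate a sender IP against a basic SPF record (ip4 / all mechanisms only).

Added example for this article, not Synology code. Covers only the ip4 and
all mechanisms from the table above; no include/a/mx/redirect, no DNS lookups.
"""
import ipaddress

# Qualifier prefixes and the SPF result produced when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for the article's example domain.
STRICT_RECORD = "v=spf1 ip4:93.184.216.34 -all"         # single host, hard fail
SOFT_RECORD = "v=spf1 ip4:93.184.216.0/24 ~all"         # whole /24, soft fail
OPEN_RECORD = "v=spf1 ip4:93.184.216.34 +all"           # weak: anyone passes


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_sender(txt, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip under txt.

    Mechanisms are tried left to right and the first match decides, which is
    why 'all' must come last. With no 'all' term and no match, SPF yields
    'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(txt):
        if mech == "ip4":
            # A bare address is treated as a /32; a CIDR range is used as-is.
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in network:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism {mech!r} is not supported by this example")
    return "neutral"


def audit_record(txt):
    """Flag records whose 'all' term does not actually restrict anyone."""
    terms = parse_spf(txt)
    if not terms or terms[-1][1] != "all":
        return "warning: no 'all' term, unlisted senders only get 'neutral'"
    qualifier = terms[-1][0]
    if qualifier in "+?":
        return f"warning: '{qualifier}all' lets any host send as this domain"
    return "ok"


if __name__ == "__main__":
    for record in (STRICT_RECORD, SOFT_RECORD, OPEN_RECORD):
        print(record, "->", audit_record(record))
        for sender in ("93.184.216.34", "93.184.216.200", "203.0.113.5"):
            print("   ", sender, check_sender(record, sender))
```

Running it shows the practical difference between the endings: with "-all" an unlisted host such as 203.0.113.5 fails outright, with "~all" it only soft-fails (most receivers then lean on DMARC), and with "+all" the record authorizes every host on the Internet, which is why the article recommends "-all".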
DKIM record
DKIM stands for DomainKeys Identified Email. By affixing a digital signature to each outgoing email, DKIM provides a way to validate that an email is indeed authorized by the domain owner.
Before configuring DKIM, generate a public key for your mail server at the following locations:
- MailPlus Server > Domain > Edit > General > Advanced
- Mail Server > Security > Authentication
With the key generated, you can get started with the DKIM record. A DKIM record is added as a TXT record in the following format:
| | Format | Example |
|---|---|---|
| Name | DKIM selector prefix._domainkey.your domain name | abc._domainkey.example.com |
| Information | v=DKIM1; k=rsa; p=DKIM public key | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE |
DMARC record
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, determines what happens to an email that fails the SPF and DKIM checks. With the reporting feature of DMARC, a domain owner gains insight into the domain's mail traffic and can better detect spoofing attacks.
A DMARC record is a TXT record that includes the following tags and values:
| Tag | Value | Example |
|---|---|---|
| v | DMARC version. For now, please use version "DMARC1". | v=DMARC1 |
| p | Policy enforced on unauthenticated emails ("none", "quarantine" or "reject"). | p=none |
| pct | Percentage of emails to be enforced by the specified policy. | pct=100 (i.e., 100% of emails will be monitored, quarantined, or rejected.) |
| rua | Email address, given as a mailto: URI, that receives the aggregate reports. | rua=mailto:your email address |
Following the format above, if the domain name is "example.com" and the email address for receiving reports is "postmaster@example.com", the DMARC record could be:
- Name:
_dmarc.example.com
- Information:
v=DMARC1; p=none; pct=100; rua=mailto:postmaster@example.com
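As an added example (not Synology code), the following parser reads a DMARC TXT record like the one above and checks it against the advice in this article: "p=none" is monitoring only, "pct" should be 100 once a real policy is in force, and "rua" must be a mailto: address or no reports arrive. The records are constructed from the article's example.com values.

```python
"""Parse a DMARC TXT record and assess it against this article's guidance.

Added example, not Synology code. It handles the tags in the table above
(v, p, pct, rua); unknown tags are kept but not judged. Records constructed.
"""

# Constructed records: the article's starting point and the enforcing follow-up.
STARTER_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:postmaster@example.com"
ENFORCING_RECORD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@example.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; pct=100; rua=mailto:x' into a dict of tags."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue  # tolerate a trailing ';'
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record needs a p= policy tag")
    return tags


def assess_dmarc(txt):
    """Return a list of findings for the record; an empty list means nothing to fix."""
    tags = parse_dmarc(txt)
    findings = []

    policy = tags["p"]
    if policy not in VALID_POLICIES:
        findings.append(f"unknown policy p={policy}")
    elif policy == "none":
        findings.append("p=none only monitors; move to p=quarantine once reports look clean")

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(f"pct={tags.get('pct')} is not a number between 0 and 100")
    elif pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only part of the failing mail gets the {policy} policy")

    rua = tags.get("rua", "")
    if not rua:
        findings.append("no rua= address: you will receive no aggregate reports")
    elif not all(uri.strip().startswith("mailto:") for uri in rua.split(",")):
        findings.append("every rua= destination must be a mailto: URI")

    return findings


if __name__ == "__main__":
    for record in (STARTER_RECORD, ENFORCING_RECORD):
        print(record)
        for finding in assess_dmarc(record) or ["ok"]:
            print("   ", finding)
```

The starter record produces exactly one finding, the "p=none" reminder, and the enforcing record produces none; a record that omits "rua" is flagged even when its policy is "reject", because without reports you cannot see who is failing.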
TLSA record
A TLSA (Transport Layer Security Authentication) record associates a TLS server certificate with the domain name where the record resides. If another mail server is using DANE when delivering emails to MailPlus Server, it will authenticate MailPlus Server's TLSA record. Without the record, MailPlus Server cannot pass the authentication, and you might not be able to receive emails sent from that particular mail server.
To generate a TLSA record, you can use an online generator or the MailPlus built-in generator (in Security > Authentication > DANE).
Then, deploy the TLSA record to your public DNS.
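Both the DKIM record above and the TLSA record start from a public key in PEM form, so the following added example (not Synology's built-in generators) shows both transformations from one helper. The DKIM "p=" value is the PEM body with its header, footer and line breaks removed, which for a 2048-bit RSA key is longer than the 255-byte limit on a single DNS TXT string, so the data has to be split into several quoted strings that resolvers concatenate. A "3 1 1" TLSA record (DANE-EE, SubjectPublicKeyInfo selector, SHA-256) is the SHA-256 of that same SPKI DER. The key bytes are constructed filler, not a real key, and the selector, hostname and port are assumed; in practice the TLSA digest must be taken from the key in the TLS certificate MailPlus Server presents, which is a different key from the DKIM signing key.

```python
"""Build a DKIM TXT record and a TLSA 3 1 1 record from a PEM public key.

Added example, not Synology's generator. The key material is constructed
filler; selector "abc", host "mail.example.com" and port 25 are assumptions.
"""
import base64
import hashlib

TXT_STRING_MAX = 255  # DNS character-strings hold at most 255 bytes

# Constructed stand-in for a public key: 512 arbitrary bytes wrapped as PEM.
_FAKE_SPKI_DER = bytes(range(256)) * 2


def chunk(text, size):
    """Split text into consecutive pieces of at most size characters."""
    return [text[i:i + size] for i in range(0, len(text), size)]


FAKE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(chunk(base64.b64encode(_FAKE_SPKI_DER).decode(), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_der(pem):
    """Strip the PEM armor lines and decode the base64 body to DER bytes."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def dkim_txt_strings(pem):
    """DKIM record data as a list of strings that each fit in one TXT string."""
    p = base64.b64encode(pem_to_der(pem)).decode()  # same bytes as the PEM body
    return chunk(f"v=DKIM1; k=rsa; p={p}", TXT_STRING_MAX)


def dkim_zone_line(selector, domain, pem):
    """Zone-file line: selector._domainkey.domain. IN TXT "part1" "part2" ..."""
    quoted = " ".join(f'"{part}"' for part in dkim_txt_strings(pem))
    return f"{selector}._domainkey.{domain}. IN TXT {quoted}"


def tlsa_3_1_1_digest(der_spki):
    """Matching type 1 over selector 1: SHA-256 of the SubjectPublicKeyInfo DER."""
    return hashlib.sha256(der_spki).hexdigest()


def tlsa_zone_line(hostname, der_spki, port=25):
    """Zone-file line for DANE on the SMTP port: _25._tcp.host. IN TLSA 3 1 1 <hex>"""
    return f"_{port}._tcp.{hostname}. IN TLSA 3 1 1 {tlsa_3_1_1_digest(der_spki)}"


if __name__ == "__main__":
    print(dkim_zone_line("abc", "example.com", FAKE_PEM))
    print(tlsa_zone_line("mail.example.com", pem_to_der(FAKE_PEM)))
```

With the 512-byte filler key the DKIM data is 702 characters and comes out as three quoted strings; a real 2048-bit RSA key gives a similar result, while a 1024-bit key fits in two. For the TLSA record, feed `pem_to_der` the output of `openssl x509 -in cert.pem -pubkey -noout`, which is the certificate's SPKI in PEM form.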
Notes:
- "-all" is the recommended option because it can better ensure emails come from an authorized sender.
- "p=none" is a good starting point for analyzing email flows, but it is a loose policy that will not block any suspicious messages. We recommend changing to "p=quarantine" to better guard against domain spoofing after SPF, DKIM, and DMARC have been enabled for a while.
- When using a local DNS server like Synology Directory Server, make sure to update the entries in the local DNS view. This prevents SPF, DKIM, and DMARC issues caused by missing data in the local resolution.
- The examples and images in this article are for demonstration purposes only. The actual interface depends on each DNS provider. If you have problems configuring DNS records, please contact your domain provider for assistance.