

The most important service on is the mail server. It is actually made up of multiple services that handle different aspects of the email process.

These parts are listed in the following table. Each service name links to its respective page.

| Service | Protocol | Description |
|---|---|---|
| Postfix | SMTP | Handles sending mail from and receiving mail to from other servers |
| Dovecot | IMAP | Handles storage of emails on the server and provides access to those emails for email clients |
| dkimpy-milter | DKIM | Signs outgoing emails so the recipient's email server can verify their legitimacy. Can also verify the signatures on incoming mail. |

In addition to these services, some DNS records are required to ensure functionality of the email server.

Domain names

The mail server for the domain is However, both of these domains point to the same server. The hostname of the server, as far as Postfix is concerned, is, as that's what clients will expect to be connected to. However, we still want to send/receive mail to/from <user>

We'll refer to as our domain and as our mail server's hostname.

DNS Records

Mail servers use multiple DNS records to provide information about their functionality:

| Name | DNS record type | Purpose |
|---|---|---|
| MX | MX | Defines the address of the mail server for its domain. Used by other MTAs to find the mail server for mail addressed to |
| A | A | Specifies the IPv4 address for the given hostname. |
| AAAA | AAAA | Same as A, but for IPv6. |
| SPF | TXT | Defines a list of rules about which IP addresses are allowed to send mail for the record's domain. Used to prevent forged sender addresses. |
| DKIM | TXT | Lists the public key used for DKIM signing of outgoing mail. |
| DMARC | TXT | Sets rules for recipient MTAs to follow regarding DKIM/SPF policy failures. Also lists instructions for recipient MTAs to follow to notify us of DKIM/SPF failures. |

A/AAAA records

These are the simplest type of record. They simply define the IP address that a given hostname corresponds to.

We define an A and an AAAA record for that points to our server. Instead of defining a second A/AAAA record for, we use a CNAME record that points to

MX records

The MX record specifies the mail server for a given domain. Other MTAs use this when trying to send mail to our domain. Mail addressed to anything ending in will be sent to the mail server listed in the MX record for

We define an MX record for with the value This makes the mail server for the domain.

SPF records

Sender Policy Framework (SPF) is a simple mechanism to help prevent sender address forgery. It accomplishes this by specifying a list of IP addresses that are allowed to send mail for the given domain. SPF, on its own, only checks the envelope from address. This means the From: header can still be spoofed. Enable DMARC to protect against this.

SPF records are just TXT records with specific content. The SPF rules can be customized to your liking. The rules listed below are the ones I've decided to use.

We define a TXT record for with the following content:

v=spf1 +mx -all
  • v=spf1: Specifies the SPF version
  • +mx: Allow IP addresses pointed to by the MX record for our domain to send mail for the domain
  • Allow IP addresses pointed to by the A record for to send mail for the domain
  • Allow IP addresses pointed to by the A record for to send mail for the domain
  • -all: Reject mail sent from all other IP addresses. This must be the last term, because SPF stops at the first match and anything after it is never evaluated.

Both +a: rules are likely redundant, as the MX record already points to our mail server, which is allowed by the +mx rule. That being said, better safe than sorry.
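To make the first-match evaluation and the "-all must be last" rule concrete, here is a small SPF evaluator added for this page (it is not code from the original page or from Postfix). It runs against an in-memory stand-in for DNS; the domain names, IP addresses and the record shown are constructed, with the record shaped like the one above (+mx, +a:, -all). It also handles ip4:/ip6: mechanisms, which the record above does not use.

```python
"""Minimal SPF evaluator over an in-memory DNS table (added example)."""
import ipaddress

# Constructed stand-in for DNS: name -> record type -> list of values.
FAKE_DNS = {
    "example.org": {
        "MX": ["mail.example.org"],
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 +mx +a:mail.example.org +a:example.org -all"],
    },
    "mail.example.org": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}

# SPF qualifier -> result for a matching mechanism.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the values of `rtype` records for `name` from the fake table."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def host_ips(name):
    """All A and AAAA addresses of a hostname, as ip_address objects."""
    return {ipaddress.ip_address(v) for rt in ("A", "AAAA") for v in lookup(name, rt)}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def validate_spf(record):
    """Structural checks worth running before publishing: one 'all', and it comes last."""
    issues = []
    terms = parse_spf(record)
    all_positions = [i for i, (_, mech, _) in enumerate(terms) if mech == "all"]
    if not all_positions:
        issues.append("no 'all' mechanism: unmatched senders get 'neutral'")
    elif all_positions[0] != len(terms) - 1:
        issues.append("'all' is not the last term: later terms are never evaluated")
    return issues


def check_spf(domain, sender_ip):
    """Evaluate the sending IP against the domain's SPF record (first match wins)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error, not a merge
    for qualifier, mech, arg in parse_spf(records[0]):
        target = arg or domain  # mx / a default to the domain being checked
        if mech == "all":
            return RESULT[qualifier]
        if mech == "a" and ip in host_ips(target):
            return RESULT[qualifier]
        if mech == "mx" and any(ip in host_ips(mx) for mx in lookup(target, "MX")):
            return RESULT[qualifier]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
    return "neutral"  # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::10", "203.0.113.5"):
        print(ip, check_spf("example.org", ip))
    print(validate_spf("v=spf1 -all +mx"))
```

The IPv6 sender passes through the +mx rule because the MX host has an AAAA record, which is why the page defines both A and AAAA records for the mail host; a host with only an A record would fail SPF when it sends over IPv6.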

DKIM records

The DKIM record holds the public key that corresponds to our DKIM signing key. MTAs that receive mail from us will retrieve our public key from the DKIM DNS record and use it to verify the mail's DKIM signature. It is important that this record is kept up to date with our DKIM configuration, otherwise recipient MTAs may mark our messages as being forged or as spam.

We generated the value for this record when setting up our DKIM service. See here for details. The DNS record content will be saved in the <keyname>.dns file.

DKIM records are just TXT records. However, the record name must be <selector>._domainkey.<domain>, where <selector> is the selector we chose in our DKIM configuration and <domain> is our domain.

We define a TXT record for with the following content:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxOlorHTT/rsI5WWobgA0/+XRWAav1F5As1YoUVEUknIPbIJDuMIbEbV468XdHsp63PvwF2uz9A3iEefaGIMOpcJrgIcb3X5el0/x89kxK/zDDruiAzpcLwdy6urEmQhdRfoi1stdOhDlo8dNQj5vRORceJ2v5fUJ3VUV9eWd7cGOjhladUWedYgdIdiYqsbR6CeYIhpKK1v414UmtB1sKcxHgxbROm+yjM6iJaSQbF9iLUlBEHOBfRc1vVuw0N+LQpRDNaaHSom0SusrMnXnjb33ANNCFMITwL9fZm9mR+sR+m+2QGvhLyODJMsxRCBKSSZhrjP2Csa80ZnOtNX91QIDAQAB

There must not be any whitespace in the value of the p= key. Do not insert spaces or line breaks.
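A pre-publication check for the record, added for this page (not code from the original page or from dkimpy-milter): it builds the <selector>._domainkey.<domain> name, parses the tag list, flags whitespace in p=, and confirms that p= decodes to a DER SubjectPublicKeyInfo of consistent length. The selector and domain are constructed; the p= value is the public key from the record above, used here only as sample input, deliberately with a stray space inserted to show what the check reports.

```python
"""Sanity checks on a DKIM TXT record before it is published (added example)."""
import base64

# The record above, with a stray space in p= of the kind that copy-and-paste
# or line wrapping introduces (the page says no whitespace is allowed).
RECORD_WITH_SPACE = (
    "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxOlorHTT/rsI5WWobgA0/+XRWAav1F5As1YoUVEUknIPbIJDuMIbEbV468XdHsp63PvwF2uz9A3iEefaGIMOpcJrgIcb3X5el0/x89kxK/zDDruiAzpcLwdy6urEmQhdRfoi1stdOhDlo8dNQj5vRORceJ2v5fUJ3VUV9eWd7cGOjhladUWedYgdIdiYqsbR6CeYIhpKK1v414"
    " UmtB1sKcxHgxbROm+yjM6iJaSQbF9iLUlBEHOBfRc1vVuw0N+LQpRDNaaHSom0SusrMnXnjb33ANNCFMITwL9fZm9mR+sR+m+2QGvhLyODJMsxRCBKSSZhrjP2Csa80ZnOtNX91QIDAQAB"
)


def dkim_record_name(selector, domain):
    """DKIM public keys are published at <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list into a dict (outer whitespace only is trimmed)."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip()] = value.strip()
    return tags


def normalize_dkim_record(record):
    """Rebuild the record with every whitespace character removed from the p= value."""
    tags = parse_tags(record)
    if "p" in tags:
        tags["p"] = "".join(tags["p"].split())
    return "; ".join(f"{k}={v}" for k, v in tags.items())


def decoded_key(record):
    """The DER bytes of the published key (whitespace in p= stripped first)."""
    return base64.b64decode("".join(parse_tags(record)["p"].split()), validate=True)


def check_dkim_record(record):
    """Return a list of problems; an empty list means the record looks publishable."""
    issues = []
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        issues.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        issues.append(f"unexpected key type k={tags.get('k')}")
    p = tags.get("p")
    if p is None:
        issues.append("missing p= tag")
        return issues
    if p == "":
        issues.append("p= is empty: an empty key publishes a revoked selector")
        return issues
    if any(c.isspace() for c in p):
        issues.append("p= contains whitespace; remove spaces and line breaks")
        p = "".join(p.split())  # keep checking the cleaned-up value
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        issues.append("p= is not valid base64")
        return issues
    # A SubjectPublicKeyInfo is a DER SEQUENCE (0x30); for an RSA key of this
    # size the length uses the long form: 0x82 followed by two length bytes.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        issues.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
        return issues
    declared = int.from_bytes(der[2:4], "big") + 4
    if declared != len(der):
        issues.append(f"DER length mismatch: header says {declared} bytes, got {len(der)}")
    return issues


if __name__ == "__main__":
    print(dkim_record_name("mail", "example.org"))  # selector/domain are constructed
    print(check_dkim_record(RECORD_WITH_SPACE))
    print(check_dkim_record(normalize_dkim_record(RECORD_WITH_SPACE)))
```

Running the check against the record with the space reports only the whitespace problem, because the key itself is intact; after normalizing, the record passes and the decoded key is the 294-byte SubjectPublicKeyInfo of a 2048-bit RSA key. Changing the key in the milter configuration without updating this record (or the other way round) is exactly the mismatch the paragraph above warns about, and the DER length check will not catch it: the only test for that is verifying a signed message.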

DMARC records

DMARC records are used to tell other MTAs how to handle SPF and DKIM failures, as well as how to report these failures (and non-failures, if wanted). DMARC records can be a little complex. The DMARC record we use is explained below, but the alternative options are not. To learn more, see for an interactive DMARC demonstration. To make it easier to create your own DMARC record, see Scott Kitterman's DMARC Record Assistant.

Like SPF and DKIM, DMARC records are also implemented using DNS TXT records. The DMARC TXT record must be made for _dmarc.<domain>, where <domain> is our domain.

We define a TXT record for with the following content:

v=DMARC1; p=none;;; fo=1; rf=afrf; sp=none
  • v=DMARC1: Specify that DMARC version 1 is in use.
  • p=none: Don't take any action on mail that fails both SPF and DKIM.
  • sp=none: Same as the p= parameter, but for subdomains only.
  • Send aggregate data reports to These reports are typically sent daily by recipient MTAs.
  • Report DKIM/SPF policy failures to
  • fo=1: Send a failure report if either SPF or DKIM fails. Normally a report is sent only when both fail.
  • rf=afrf: Specify the AFRF report format. This is the only supported format currently.
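To show how a recipient MTA acts on these tags, here is a DMARC record parser plus the policy decision it drives, added for this page (not code from the original page). The domain and the rua/ruf mailboxes in the sample record are constructed. It goes beyond the record above by handling the other p=/sp= policies (quarantine, reject) and the other fo= options (0, d, s), which the page lists as alternatives but does not explain.

```python
"""DMARC record parsing and the receiving MTA's policy decision (added example)."""

# Constructed record in the same shape as the one above; the report
# mailboxes are made up.
SAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@example.org; "
                 "ruf=mailto:dmarc-fail@example.org; fo=1; rf=afrf; sp=none")

POLICIES = ("none", "quarantine", "reject")


def dmarc_record_name(domain):
    """The DMARC record is published at _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict, enforcing what a receiver requires."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip()] = value.strip()
    if record.strip().split(";", 1)[0].strip() != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if tags.get("sp", tags["p"]) not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if tags.get("rf", "afrf") != "afrf":
        raise ValueError("rf= must be afrf")
    return tags


def evaluate_dmarc(record, spf_aligned_pass, dkim_aligned_pass, is_subdomain=False):
    """Decide what a receiving MTA does with one message.

    spf_aligned_pass / dkim_aligned_pass: True when that check passed and the
    domain it checked aligns with the From: header domain. Returns the DMARC
    result, the action the policy asks for, and whether a failure report is due.
    """
    tags = parse_dmarc(record)
    dmarc_pass = spf_aligned_pass or dkim_aligned_pass  # one aligned pass is enough
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    action = "none" if dmarc_pass else policy

    # fo= may list several options separated by ':'; any matching one triggers a report.
    fo = set(tags.get("fo", "0").split(":"))
    report = False
    if "0" in fo and not dmarc_pass:
        report = True  # fo=0 (default): report only when both checks fail
    if "1" in fo and not (spf_aligned_pass and dkim_aligned_pass):
        report = True  # fo=1: report when either check fails
    if "d" in fo and not dkim_aligned_pass:
        report = True  # fo=d: report every DKIM failure
    if "s" in fo and not spf_aligned_pass:
        report = True  # fo=s: report every SPF failure
    report = report and "ruf" in tags  # no ruf= means nowhere to send it

    return {"result": "pass" if dmarc_pass else "fail",
            "action": action,
            "failure_report": report}


if __name__ == "__main__":
    print(dmarc_record_name("example.org"))
    print(evaluate_dmarc(SAMPLE_RECORD, spf_aligned_pass=False, dkim_aligned_pass=True))
    print(evaluate_dmarc(SAMPLE_RECORD, spf_aligned_pass=False, dkim_aligned_pass=False))
```

With the p=none / fo=1 record above, a message whose SPF check fails but whose DKIM signature verifies still passes DMARC and is delivered, yet a failure report is sent; switching to fo=0 would suppress that report. Aggregate reports (rua=) are sent on a schedule regardless of the per-message outcome, which is why they are the usual way to watch for spoofing before moving p= from none to quarantine or reject.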