Setting Up Mail Services (SMTP, SPF, DKIM, DMARC) on Your Domain
Team 5 min read
#webdev
#dns
#security
#tutorial
Introduction
Email deliverability matters. A correctly configured SMTP setup paired with SPF, DKIM, and DMARC helps ensure your messages reach inboxes rather than spam folders. In this guide you’ll learn how to set up a mail sending path for your domain, publish the essential DNS records, and test your configuration.
Prerequisites
- Domain you own and manage (e.g., example.com)
- Access to your DNS provider to add TXT and DKIM records
- A mail sending source: either your own mail server (MTA) or a trusted SMTP relay
- A TLS certificate for encrypted SMTP connections (Let’s Encrypt or similar)
SMTP and mail transfer basics
-
Decide how you will send mail: run your own SMTP server (MTA such as Postfix, Exim) or use a trusted relay service (e.g., SendGrid, Mailgun, Amazon SES).
- Self-hosted SMTP
- Pros: full control, no per-email fees
- Cons: you’re responsible for deliverability reputation, TLS, and maintenance
- Typical path: configure MTA, enable TLS, and set a submission port (587) for authenticated clients
- Example starting steps (Debian/Ubuntu):
sudo apt-get update && sudo apt-get install postfixand then configure TLS in your main configuration
- Relay service
- Pros: built-in deliverability tooling, scalable, less maintenance
- Cons: ongoing cost based on usage
- Usually involves authenticating to the relay with an API key or username/password
- Self-hosted SMTP
-
Core goal: ensure outgoing mail is authenticated and signed so receivers can verify it came from your domain
-
Quick security tip: enable TLS for inbound and outbound mail when possible and avoid open relays
SPF (Sender Policy Framework)
- Purpose: declare which servers are allowed to send mail for your domain
- How to publish
- Create a DNS TXT record for your domain (or subdomain you send from)
- Example records (replace with your actual sending sources):
- If you send from your own server and a third-party service: v=spf1 ip4:203.0.113.12 include:spf.thirdparty-service.com ~all
- If you only send from your own server: v=spf1 mx ~all
- Practical notes
- Start with ~all (soft fail) to observe without hard rejection
- If you’re confident about all sources, switch to -all for strict enforcement
- Keep SPF records under the limit of DNS lookups (typically 10)
- Testing SPF
- Query the TXT record:
dig TXT example.com - Use SPF validation tools to confirm the syntax and authorized senders
- Query the TXT record:
DKIM (DomainKeys Identified Mail)
- Purpose: cryptographically sign outgoing mail so recipients can verify content integrity and authenticity
- Generate keys
- On a typical Linux host, generate a 2048-bit DKIM key:
opendkim-genkey -t -s mail -d example.com
- This creates files like mail.private (private key) and mail.txt (DNS TXT record)
- On a typical Linux host, generate a 2048-bit DKIM key:
- Publish DKIM DNS record
- The DNS TXT record is for the selector mail (or your chosen selector) at:
mail._domainkey.example.com
- Use the contents of mail.txt as the TXT value
- The DNS TXT record is for the selector mail (or your chosen selector) at:
- Configure your MTA to sign mail
- Example (Postfix with OpenDKIM):
- Enable and configure the milter in your mail server
- Ensure Postfix passes outgoing mail to the DKIM signer
- Typical settings involve:
- milter_default_action = accept
- inet_interfaces = all
- smtpd_milters = inet:localhost:8891
- non_smtpd_milters = inet:localhost:8891
- Example (Postfix with OpenDKIM):
- Testing DKIM
- Send a test message and check the DKIM-Signature header in the received mail
- Use online DKIM validators or:
dig TXT mail._domainkey.example.comto verify the key is published
DMARC (Domain-based Message Authentication, Reporting & Conformance)
- Purpose: define how receivers should handle mail that fails SPF or DKIM checks and request reports
- Publish a DMARC policy
- DNS TXT record for
_dmarc.example.com - Example policies (start with none or quarantine to observe):
- v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com; pct=100
- v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100
- As you gain confidence, move to p=reject to block unauthenticated mail
- DNS TXT record for
- Alignment matters
- DMARC requires SPF and/or DKIM alignment with the From header domain
- Ensure your envelope-from (MAIL FROM) aligns with your From header domain when using SPF
- DMARC reporting
- Rua (aggregate reports) gives you a summary of authentication results
- Ruf (forensic reports) provides details about failed messages (optional)
- Testing DMARC
- Check the DMARC TXT via:
dig TXT _dmarc.example.com - Use DMARC analysis tools to review reports and alignment
- Check the DMARC TXT via:
Testing and verification
- Basic checks
- SPF:
dig TXT example.comand confirm a v=spf1 record exists - DKIM:
dig TXT mail._domainkey.example.comshows your public key - DMARC:
dig TXT _dmarc.example.comshows your DMARC policy
- SPF:
- End-to-end testing
- Send a test email to a mailbox you control
- Verify headers: DKIM-Signature present and valid, SPF pass, and DMARC alignment in reports (if enabled)
- Tools
- Online: MXToolbox, DMARC analyzers, DKIM validators, SPF checkers
- Local tests: mail clients and command-line mail utilities can help verify signing and delivery
Best practices and troubleshooting
- Start with a conservative approach
- Use p=none initially to collect data without blocking mail
- Gradually tighten to p=quarantine and then p=reject as you gain confidence
- Separate concerns
- Run mail delivery from a dedicated host or service to minimize impact on your website
- Use distinct subdomains for mail sending if needed (e.g., mail.example.com)
- Include all sending sources in SPF
- Add any third-party services you use (marketing emails, transactional emails) to SPF
- Keep keys secure
- Protect DKIM private keys and rotate them periodically
- Monitor and iterate
- Review DMARC reports to identify misconfigurations or unauthorized sources
- Ensure TLS is enabled and enforced where possible
- Troubleshooting common issues
- SPF or DKIM failures due to misconfigured domains or selectors
- DNS propagation delays after publishing records
- DKIM signature failures when mail is modified in transit by intermediaries
Conclusion
Setting up SMTP, SPF, DKIM, and DMARC creates a robust foundation for reliable email delivery. By publishing accurate DNS records, signing messages, and defining sensible DMARC policies, you reduce the likelihood of your mail being mistaken for spam and improve visibility to recipients. Regular testing and monitoring will help you catch issues early and keep your domain’s email channel healthy.