Email server DNS settings: explanation of MX, SPF, and DKIM records

Source: Internet
Author: User

Email server DNS settings

To set DNS records, you need to go to your domain name registrar, or manage your own DNS server. Many domain name vendors do not support TXT records or DKIM records, so you cannot use SPF and DKIM with them.
DNS modification takes more than 48 hours to take effect.
HiChina in China does not support DKIM. Currently, Xinnet supports SPF and DKIM.

1. MX record
The MX record for a mail domain should point to the A record (host name) of the mail server. Do not point it directly at an IP address (this does not comply with the specification).
1.1 Add an A record
mail.example.com 192.168.1.100
1.2 Add an MX record
example.com mail.example.com
1.3 Test the MX record
# host example.com
example.com mail is handled by 10 mail.example.com.
# nslookup mail.example.com
Name: mail.example.com
Address: 192.168.1.100

2. SPF records
SPF stands for Sender Policy Framework. It is a DNS record type proposed to prevent spam, and it is published as a TXT record. In essence, an SPF record tells the recipient that all email for this domain sent from the IP addresses it lists is valid email, not forged spam. Setting SPF is an important step in correctly configuring the DNS records for mail sending and SMTP.
For example:
SPF record pointing to the host's A record
example.com. 3600 IN TXT "v=spf1 mx mx:mail.example.com ~all"
SPF record pointing to an IP address
example.com. 3600 IN TXT "v=spf1 ip4:192.168.1.100 ~all"

2.1 How to view SPF
Run the following command at the Windows command prompt (DOS mode):
nslookup -type=TXT <domain name>
For UNIX operating systems:
# dig -t txt <domain name>

2.2 The parts of an SPF record are as follows:
v=spf1 indicates SPF version 1
ip4 indicates an IPv4 check (ip6 indicates an IPv6 check). Note that there is no space between "ip4:" and the IP address.
~all marks the end of the record

2.3 SPF record example
Let's look at this SPF record:
yourdomain.com "v=spf1 a mx mx:mail.jefflei.com ip4:202.96.88.88 ~all"
This SPF record allows the following IP addresses to send mail as @yourdomain.com:
a (the IP address that yourdomain.com itself resolves to; remove this if it is not configured)
mx (the MX of yourdomain.com, that is, the IP address of the A record of mail.yourdomain.com)
mx:mail.jefflei.com (if the MX record mail.jefflei.com has not been configured, this should also be removed)
ip4:202.96.88.88 (directly the IP address 202.152.186.85)
Other qualifiers are as follows:
- Fail, applies when nothing else matches.
~ Soft failure, usually used for testing
? Ignore

If there is more than one outbound IP address, the record must list each of them:
v=spf1 ip4:202.96.88.88 ip4:202.96.88.87 ~all
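
The evaluation described in 2.2 and 2.3, as an added example that is not part of the original article: a receiver walks the terms left to right and returns the result of the first one that matches the connecting IP. It handles only the mechanisms this page covers (a, mx, ip4, ip6, all); the DNS table and the 198.51.100.x addresses are constructed stand-ins for real lookups.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed lookup table standing in for DNS (documentation-range addresses).
DNS = {
    "A": {"yourdomain.com": ["198.51.100.10"],
          "mail.yourdomain.com": ["198.51.100.20"],
          "mail.jefflei.com": ["198.51.100.30"]},
    "MX": {"yourdomain.com": ["mail.yourdomain.com"],
           "mail.jefflei.com": ["mail.jefflei.com"]},
}
RECORD = "v=spf1 a mx mx:mail.jefflei.com ip4:202.96.88.88 ~all"  # from section 2.3

def parse_spf(record):
    """Split an SPF TXT string into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_spf(record, client_ip, domain, dns=DNS):
    """Return the result of the first mechanism that matches client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            # A space after "ip4:" leaves value empty, so this raises ValueError.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = client_ip in dns["A"].get(value or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(value or domain, [])
            matched = any(client_ip in dns["A"].get(h, []) for h in hosts)
        elif name == "all":
            matched = True
        else:
            raise ValueError("term not handled in this example: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"
```

With ~all an unlisted sender gets softfail, which most receivers accept and mark; the same sender against a record ending in -all gets fail.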

2.4 Test SPF setting results
After setting the SPF record in DNS, send an email to your Gmail account and view the source of the message. A header similar to the following should be displayed, where pass indicates that SPF is set up correctly.
Received-SPF: pass (google.com: domain of test@jefflei.com designates
202.96.88.87 as permitted sender) client-ip=202.96.88.87;
Note that if the IP address of the server is changed, you must modify the SPF record at the same time!!!

2.5 Prevent spam using SPF records
In UNIX, you can install and configure plug-ins such as SpamAssassin to prevent spam and phishing.

3. DKIM record
DKIM adds a cryptographic digital signature to each email and then compares it with a record in a database of valid Internet addresses. After an email is received, only mail that matches the published information can enter the user's inbox. DKIM can also check the integrity of emails and prevent unauthorized modification by hackers. The basic working principle of DKIM is traditional key authentication: two keys are generated, a public key and a private key. The public key is stored in DNS, and the private key is stored on the sending server. The sending server uses the private key to generate a signature automatically and attaches it to the mail header. The public key is placed on the DNS server so that it can be retrieved automatically. The receiving server takes the signature from the mail header, obtains the public key from DNS, and checks one against the other to determine whether the sender's domain name is legitimate. If not, the message is treated as spam.
Since digital signatures cannot be counterfeited, this technology will be a fatal blow to spammers, who will find it difficult to rely, as in the past, on stealing the sender's name, changing attachment attributes, and other small tricks. Prior to this, spammers had escaped email filtering by converting text into images and other methods, and gradually dropped the number of spam emails again.
Note: Only amavisd-new 2.6.0 and later versions integrate the DKIM function.

3.1 You can use iRedMail.tips to obtain the DKIM record of the domain name, or enter
# amavisd-new showkeys
; key#1, domain example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com. 3600 TXT (
"v=DKIM1; p="
"Province"
"/Zzhmmnpzkecvvjfak + t7e388ofgu/knyh6kbkwpzxhun5hooyvjmudqar2fcsvk"
"Z + keys"
"N38ifyu + jalbydlbwqidaqab ")

3.2 Add the above record to the DNS records at your ISP
dkim._domainkey.example.com. v=DKIM1; p=migfma0....(omitted)dlbwqidaqab

3.3 After adding the DNS record, once the record has taken effect, run this command to check it
# amavisd-new testkeys
TESTING: dkim._domainkey.example.com => pass
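
A manual version of the check in 3.1 to 3.3, as an added example that is not part of the original article or of amavisd-new: it joins the quoted chunks of the zone-file record, validates the v= and p= tags, and compares the local key with the one published in DNS. The sample key is constructed placeholder data, not a real RSA key, and the function names are this example's own.

```python
import base64
import re

# Constructed sample: 96 placeholder bytes encoded as base64, not a real RSA key.
SAMPLE_KEY = base64.b64encode(bytes(range(96))).decode()
# Zone-file form, split into quoted chunks the way section 3.1 shows it.
LOCAL = ('dkim._domainkey.example.com. 3600 TXT (\n  "v=DKIM1; p="\n'
         '  "%s"\n  "%s")' % (SAMPLE_KEY[:64], SAMPLE_KEY[64:]))
# The same record in the quoted form a resolver prints (constructed).
PUBLISHED = '"v=DKIM1; p=%s"' % SAMPLE_KEY

def join_txt_strings(text):
    """Concatenate the quoted chunks of a TXT record in order, with no separator."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_dkim_record(txt):
    """Return (tags, key_bytes) for a 'tag=value; tag=value' DKIM key record."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":        # compared case-sensitively
        raise ValueError("v= must be exactly DKIM1")
    key = re.sub(r"\s+", "", tags.get("p", ""))  # whitespace inside p= is ignored
    if not key:
        raise ValueError("p= is empty or missing")
    tags["p"] = key
    # validate=True rejects any character outside the base64 alphabet.
    return tags, base64.b64decode(key, validate=True)

def keys_match(local_text, published_text):
    """True if both records carry the same public key."""
    local, _ = parse_dkim_record(join_txt_strings(local_text))
    published, _ = parse_dkim_record(join_txt_strings(published_text))
    return local["p"] == published["p"]
```

Base64 is case-sensitive, so a key whose letters were case-folded by a web form or a copy-paste step still decodes but no longer matches the local key.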

Check DNS settings
There are several ways to check whether the DNS settings take effect and work properly:
1. nslookup
# nslookup
Default Server: Unknown
Address: 192.168.1.1
> server 4.2.2.1
Default Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
> set type=mx
> example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
example.com MX preference = 20, mail exchanger = mail.example.com
> set type=txt
> example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
example.com text =
"v=spf1 ip4:192.168.1.100 -all"
> dkim._domainkey.example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
dkim._domainkey.example.com text =
"V = dkim1; P = migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcsgzaivyhaos2jbp3chw0
Awrtnaewv1p4eazp/juf8t1betbvg6wjr3ywn5ijcpi9vnw96nmf/u5mgtblwz + azdbkboy7jbb/hio +
Mpmmfdjay3w8koxlcuqkdysxoys45ytfjej66s51ehh3w + ixpyw3i/nwhjy3a5/mxnk4xjqidaqab"

2. Linux dig
MX record
# host example.com
example.com mail is handled by 10 mail.example.com.

SPF record
# dig TXT hotmail.com
; <<>> DiG 9.4.2-P2 <<>> TXT hotmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com. IN TXT

;; ANSWER SECTION:
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com include ~all"

;; Query time: 176 msec
;; SERVER: 64.71.161.8#53(64.71.161.8)
;; WHEN: Sat Dec 5 08:43:51 2009
;; MSG SIZE rcvd: 157

DKIM records

# dig TXT dkim._domainkey.example.com
