Mail server DNS settings: MX, SPF and DKIM records in detail

Source: Internet
Author: User

DNS settings for mail servers

DNS records must be set up at your domain host, unless you manage the DNS server yourself. Many domain hosts do not support TXT records or do not support DKIM records, in which case you will not be able to use the SPF and DKIM features.
DNS changes take more than 48 hours to take effect.
Among domestic providers, HiChina (万网) does not support DKIM; Xinnet (新网) currently supports both SPF and DKIM.

1. MX Records
The mail MX record should point to the host's A record; try not to point it directly at an IP address (that does not conform to the specification).
1.1 Adding an A record
mail.example.com 192.168.1.100
1.2 Adding an MX record
example.com mail.example.com
1.3 Testing MX records
# host example.com
example.com mail is handled by 10 mail.example.com.
# nslookup mail.example.com
Name: mail.example.com
Address: 192.168.1.100

2. SPF Records
SPF stands for Sender Policy Framework. It is a kind of DNS record proposed to protect against spam, and it is published as a TXT record. In essence, an SPF record announces to recipients that mail from this domain is legitimate, not forged spam, when it comes from the IP addresses on the published list. Setting up SPF is a very important step in correctly configuring the domain's records and SMTP sending for a mail server.
For example:
SPF record pointing to a host record
example.com. 3600 IN TXT "v=spf1 mx mx:mail.example.com ~all"
SPF record pointing to an IP address
example.com. 3600 IN TXT "v=spf1 ip4:192.168.1.100 ~all"

2.1 How to view SPF
At a Windows command prompt, use the following command:
nslookup -type=txt domain-name
On UNIX operating systems, use:
# dig -t txt domain

2.2 A brief description of SPF syntax
v=spf1 indicates SPF version 1
ip4 stands for IPv4 (ip6 is used to verify IPv6); note that there is no space between "ip4:" and the IP address
~all marks the end of the record

2.3 SPF record example explained
Consider this SPF record:
yourdomain.com "v=spf1 a mx mx:mail.jefflei.com ip4:202.96.88.88 ~all"
This SPF record specifies which IP addresses are allowed to send mail as @yourdomain.com:
a (the IP address that yourdomain.com resolves to; remove it if no such record is configured)
mx (the MX of yourdomain.com, that is, the IP of the A record for mail.yourdomain.com)
mx:mail.jefflei.com (remove this as well if the MX record mail.jefflei.com is not configured)
ip4:202.96.88.88 (directly, the IP address 202.152.186.85)
Other syntax is as follows:
- means fail, indicating that no other match occurred
~ means soft fail, usually used in testing
? means ignore

If there is more than one outgoing IP, you must include all of them:
v=spf1 ip4:202.96.88.88 ip4:202.96.88.87 ~all

2.4 Testing the SPF settings
After you set up the SPF record in DNS, send a message to your Gmail account and view the source of the message. You should see a header like the following, where "pass" indicates that the setting was successful.
Received-SPF: pass (google.com: domain of [email protected] designates
202.96.88.87 as permitted sender) client-ip=202.96.88.87;
Important: if the IP address of the server changes, the SPF record must be modified at the same time!
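An added example (not part of the original article): a minimal Python evaluator that applies an SPF record to a connecting IP the way a receiving server does, which is what produces the "pass" verdict in the header above. The DNS tables and the 198.51.100.x addresses are constructed stand-ins for live lookups, and include, exists, ptr and modifiers are deliberately not modelled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumed, documentation-range IPs).
DNS_A = {"yourdomain.com": ["198.51.100.10"], "mail.yourdomain.com": ["198.51.100.25"]}
DNS_MX = {"yourdomain.com": ["mail.yourdomain.com"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def authorized_hosts(mech, target):
    """Addresses that an 'a' or 'mx' mechanism authorizes for target."""
    names = [target] if mech == "a" else DNS_MX.get(target, [])
    return [ipaddress.ip_address(a) for n in names for a in DNS_A.get(n, [])]

def check_spf(record, domain, client_ip):
    """Evaluate client_ip against record left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term[1:] if term[0] in RESULTS else term
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:  # e.g. a space after "ip4:" leaves an empty argument
                return "permerror"
        elif mech in ("a", "mx"):
            matched = ip in authorized_hosts(mech, arg or domain)
        else:
            continue  # include, exists, ptr and modifiers are not modelled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

if __name__ == "__main__":
    sample = "v=spf1 a mx mx:mail.jefflei.com ip4:202.96.88.88 ~all"
    for addr in ("202.96.88.88", "198.51.100.25", "202.96.88.87"):
        print(addr, check_spf(sample, "yourdomain.com", addr))
```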

2.5 Using SPF records to prevent junk e-mail
On UNIX, plug-ins such as SpamAssassin can be installed and configured to block spam and phishing messages.


3. DKIM Records
DKIM adds an encrypted digital signature to each e-mail message, which is compared against a record in a database of legitimate Internet addresses. When a message is received, only mail whose signature matches the record in that database can reach the user's inbox. DKIM also checks the integrity of the message, preventing unauthorized changes such as tampering by attackers.
The basic working principle of DKIM is traditional key authentication with a key pair: the public key is stored in DNS and the private key is stored on the sending server. The sending server automatically generates a signature with the private key and attaches it to the message header. The public key is placed on the DNS server for automatic retrieval. The receiving server takes the signature carried in the message header, obtains the public key from DNS itself, and compares the two to verify that the sender's name is legitimate; if it is not, the message is treated as spam.
Because digital signatures cannot be forged, this technology is a heavy blow to spammers, who can no longer easily evade filtering as they did in the past by spoofing the sender's name, changing attachment properties, and so on. Before that, spammers avoided mail filtering by converting text into images, and the number of spam messages, which had been declining, rose again.
Note: amavisd-new integrates the DKIM feature only in version 2.6.0 and later.

3.1 You can get the DKIM record for the domain from the iRedMail.tips file, or print it at the command line
# amavisd-new showkeys
; key#1, domain example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com. 3600 TXT (
"v=DKIM1; p="
"Migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdgnvmuqrkqyeysizqtgtm3xrzf"
"/zzhmmnpzkecvvjfak+t7e388ofgu/knyh6kbkwpzxhun5hooyvjmudqar2fcsvk"
"Z+jofj8vh3rxotla1zhdyfd7hiczxdegmqz8mjm5rjpprrgzxnpownydsd6ndj86"
"N38ifyu+jalbydlbwqidaqab")

3.2 Add the above record to the DNS records at your ISP
dkim._domainkey.example.com. v=DKIM1; p=migfma0 .... (omitted) Dlbwqidaqab

3.3 After the DNS record has been added and has taken effect, you can run this command to check it
# amavisd-new testkeys
TESTING: dkim._domainkey.example.com => pass
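An added example (not part of the original article, and not amavisd-new's own code): a small Python check for a DKIM key record before it is pasted into DNS. It joins the quoted chunks that showkeys prints into one value, then confirms the tags and the base64 key survived copying. The key below is a constructed placeholder, not a real key.

```python
import base64
import re

def join_txt(zone_text):
    """Concatenate the quoted chunks of a multi-string TXT record into one value."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def lint_dkim(zone_text):
    """Return a list of problems in a DKIM key record; an empty list means it looks sane."""
    tags = {}
    for part in join_txt(zone_text).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= is present but is not DKIM1"]
    if "p" not in tags:
        return ["no p= tag found (tag names are case-sensitive)"]
    if not tags["p"]:
        return ["p= is empty, which marks the key as revoked"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    if not der.startswith(b"\x30"):
        return ["p= does not decode to a DER SEQUENCE (letter case or characters altered?)"]
    return []

# Constructed placeholder: 162 bytes with the leading bytes of a 1024-bit RSA
# SubjectPublicKeyInfo followed by zeros. It is not a usable key.
B64 = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
CHUNKS = "\n".join(f'  "{B64[i:i + 64]}"' for i in range(0, len(B64), 64))
GOOD = f'dkim._domainkey.example.com. 3600 TXT (\n  "v=DKIM1; p="\n{CHUNKS})'
UPPER_TAGS = GOOD.replace("v=DKIM1; p=", "V=DKIM1; P=")
LOWERED_KEY = GOOD.replace(B64[:64], B64[:64].lower())

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("upper tags", UPPER_TAGS), ("lowered", LOWERED_KEY)):
        print(label, lint_dkim(rec) or "ok")
```

DKIM tag names and base64 are both case-sensitive, so a record whose letter case changed in transit parses cleanly in DNS yet fails verification at the receiver.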

Check DNS settings
Here are a few ways to help you detect if DNS settings are in effect and working correctly:
1. nslookup
# nslookup
Default Server: UnKnown
Address: 192.168.1.1
> server 4.2.2.1
Default Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
> set type=mx
> example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
example.com MX preference = 10, mail exchanger = mail.example.com
> set type=txt
> example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
example.com text =
"v=spf1 ip4:192.168.1.100 -all"
> dkim._domainkey.example.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
dkim._domainkey.example.com text =
"v=DKIM1; p= migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcsgzaivyhaos2jbp3chw0
awrtnaewv1p4eazp/juf8t1betbvg6wjr3ywn5ijcpi9vnw96nmf/u5mgtblwz+azdbkboy7jbb/hio+
Mpmmfdjay3w8koxlcuqkdysxoys45ytfjej66s51ehh3w+ixpyw3i/nwhjy3a5/mxnk4xjqidaqab "

2. dig on Linux
MX record
# host example.com
example.com mail is handled by 10 mail.example.com.

SPF record
# dig txt hotmail.com
; <<>> DiG 9.4.2-P2 <<>> txt hotmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com. IN TXT

;; ANSWER SECTION:
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

;; Query time: 176 msec
;; SERVER: 64.71.161.8#53(64.71.161.8)
;; WHEN: Sat Dec 5 08:43:51 2009
;; MSG SIZE rcvd: 157

DKIM record

# dig txt dkim._domainkey.example.com
