
Looking to harden the sending authentication of my email server, I am looking for some useful hints on the topic.

As I have in total 4 VPS servers from which emails will be sent (registration confirmations, password resets, etc.), as well as multiple domains, I am looking to harden the security of the email authorizations.

So I have VPS1, which is the email server based on iRedMail, where I configured

domains 1, 2, 3, 4 and 5

The websites for the domains are respectively on different VPS servers, so each with a different IP address.

Domains 1, 2 and 3 are on VPS2, domain 4 is on VPS3 and domain 5 on VPS4.

What would be the best approach to properly create my SPF and DMARC records?

Any help on this topic is highly appreciated.

  • Are you using any 3rd party services to send emails on behalf of these domains? That might impact your SPF record. And for forwarding survivability, are you considering adding DKIM records?
    – Reinto
    Commented Nov 22, 2022 at 12:13
  • Hello Reinto, no, the only server in use is my VPS1 for emailing. This question is to discuss the different ways to set up the DNS records, like per domain, per IP or per MX email authentication, to avoid spoofing etc.
    – KaliMucho
    Commented Nov 23, 2022 at 14:25

1 Answer


Assuming all VPS servers connect to VPS1 to send out emails, and the MX record for all domains points to the IP address of VPS1:

SPF

Create an SPF TXT record for all domains: "v=spf1 mx ~all". The ~ is used rather than the - in the all statement. This is somewhat controversial, but relates to the notes below. The hard fail - often has undesirable deliverability consequences.

Note that the Return-Path (where the bounces go) domain is checked by SPF checks, and not the From address (this is why we need DMARC). So, if your emails use different bounce addresses than From addresses, the domain in the bounce address will be checked for an SPF record.

Keep in mind that the SPF check will fail on emails forwarded by Transport / Inbox Rules or mailing lists (unless the Return-Path header is rewritten). The same is true for when you use subdomains. For every subdomain you use as bounce address, you need to set up an SPF (and MX) record.

DMARC

Create a DMARC TXT record in each domain at _dmarc.domain.com: "v=DMARC1; p=reject". Since your setup is so straightforward, you might not want to bother with reports in XML format sent to you or a 3rd party service, since you know that only one host should be authorized to send emails on behalf of your domains. If you expand your services, you may add the rua tag to enable receiving reports.

DKIM

I would strongly advise adding a DKIM signing configuration to your setup to improve deliverability in the case that SPF authentication fails as described in the above scenarios. DKIM will survive forwarding where SPF fails, although DKIM authentication might fail when parts of the email are changed in transport (e.g. address rewriting). Together, SPF and DKIM complement each other to improve deliverability.

Some basic advice for setting up DKIM is to create a DKIM key pair with a bit length of 2048 and publish the public key in a DNS TXT record at selector._domainkey.domain.com, where you can choose your own selector name. For key rotation purposes it is wise to configure a second selector record to use if the initial private key is compromised, or as best practice rotation on a schedule (e.g. every 6 months).

There is much more to say about DKIM signing best practices; however, this is beyond the scope of your question and perfectly laid out in the RFC.

Disclaimer

This setup reflects my choices on how to set up email authentication in your described scenario. There are assumptions in certain areas, which may not be correct or complete and would otherwise lead to a different approach.
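The following Python script is an added example, not part of the answer above and not iRedMail's own code. It builds the SPF, DMARC and DKIM TXT records the answer recommends for all five domains behind one outbound MTA, then runs a minimal SPF evaluator and a DMARC alignment check against that mock zone to show the two points the answer makes: SPF is evaluated on the Return-Path domain (so a bounce subdomain needs its own SPF and MX record), and a forwarded message softfails SPF but still passes DMARC when an aligned DKIM signature is present. The hostnames, IP addresses, selector and key placeholder are constructed for illustration; no real DNS is queried and no DKIM signature is verified (the d= domain is passed in as if already validated).

```python
"""Build SPF/DMARC/DKIM TXT records for several domains that all send through one
MTA, then run a minimal SPF + DMARC-alignment check against them.

Added example (not from the original post or iRedMail). Hostnames, IPs, the
selector and the DKIM key placeholder are constructed; no real DNS is queried.
"""
import ipaddress

MAIL_HOST = "mail.example.net"   # constructed: VPS1, the only outbound MTA and MX
MAIL_IP = "198.51.100.10"        # constructed documentation address
DOMAINS = ["domain1.example", "domain2.example", "domain3.example",
           "domain4.example", "domain5.example"]


def spf_record(policy="~all"):
    """v=spf1 (the version tag is mandatory); 'mx' authorizes the domain's MX hosts."""
    return "v=spf1 mx " + policy


def dmarc_record(rua=None):
    """p=reject; rua= is optional and only needed once you want aggregate reports."""
    return "v=DMARC1; p=reject" + ("; rua=mailto:" + rua if rua else "")


def dkim_record(pubkey_b64):
    """Public-key record published at <selector>._domainkey.<domain>."""
    return "v=DKIM1; k=rsa; p=" + pubkey_b64


def build_zone(domains, selector, pubkey_b64):
    """Mock zone: {owner name: [(rrtype, rdata), ...]} for every domain."""
    zone = {MAIL_HOST: [("A", MAIL_IP)]}
    for d in domains:
        zone[d] = [("MX", "10 " + MAIL_HOST + "."), ("TXT", spf_record())]
        zone["_dmarc." + d] = [("TXT", dmarc_record())]
        zone[selector + "._domainkey." + d] = [("TXT", dkim_record(pubkey_b64))]
    return zone


def lookup(zone, name, rrtype):
    return [rdata for t, rdata in zone.get(name, []) if t == rrtype]


def spf_check(zone, return_path_domain, client_ip):
    """Minimal SPF evaluator (mechanisms: mx, a, ip4, all). The domain checked is
    the Return-Path (MAIL FROM) domain, not the From header, as in RFC 7208."""
    records = [t for t in lookup(zone, return_path_domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "mx":
            hosts = [mx.split()[1].rstrip(".") for mx in lookup(zone, return_path_domain, "MX")]
            matched = any(ipaddress.ip_address(a) == ip for h in hosts for a in lookup(zone, h, "A"))
        elif term == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(zone, return_path_domain, "A"))
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            matched = False  # mechanism not supported by this toy evaluator
        if matched:
            return results[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC uses the PSL."""
    return ".".join(domain.split(".")[-2:])


def dmarc_check(zone, from_domain, return_path_domain, client_ip, dkim_d=None):
    """DMARC with relaxed alignment: pass if SPF passes for an aligned Return-Path
    domain, or if a DKIM signature (dkim_d = its d= tag, assumed already verified
    by the caller) is aligned with the From domain. Returns (result, policy)."""
    policy = lookup(zone, "_dmarc." + from_domain, "TXT")
    if not policy:
        return ("none", None)
    p = dict(kv.strip().split("=", 1) for kv in policy[0].split(";") if "=" in kv)["p"]
    spf_aligned = (spf_check(zone, return_path_domain, client_ip) == "pass"
                   and org_domain(return_path_domain) == org_domain(from_domain))
    dkim_aligned = dkim_d is not None and org_domain(dkim_d) == org_domain(from_domain)
    return ("pass" if spf_aligned or dkim_aligned else "fail", p)


if __name__ == "__main__":
    zone = build_zone(DOMAINS, "s202211", "PUBKEYBASE64PLACEHOLDER")  # constructed
    for name, rrs in sorted(zone.items()):
        for rrtype, rdata in rrs:
            print(f"{name}. IN {rrtype} {rdata}")
    # Direct send from VPS1: SPF pass. Forwarded by another host: softfail,
    # and only an aligned DKIM signature keeps DMARC passing.
    print(spf_check(zone, "domain1.example", MAIL_IP))
    print(spf_check(zone, "domain1.example", "203.0.113.7"))
    print(dmarc_check(zone, "domain1.example", "domain1.example", "203.0.113.7", "domain1.example"))
    print(dmarc_check(zone, "domain1.example", "domain1.example", "203.0.113.7"))
```

Running it prints the generated zone lines and then pass / softfail / ('pass', 'reject') / ('fail', 'reject'). Swapping `~all` for `-all` in `spf_record` turns the forwarded case into a hard fail, which is the deliverability trade-off the answer describes; adding a `bounce.domain1.example` owner with its own MX and SPF records is what makes a separate bounce domain pass, since without it `spf_check` returns "none".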

