Top 10 tips (+1) for running your own mail server
Here are 11 ways to help email administrators make running their own email infrastructure a success.
In this Best Practice
- Introduction
- 1) Have a valid reverse DNS set-up for your mail server
- 2) Get a dedicated IP address for your mail server & limit the use of outbound port 25
- 3) Route ALL email traffic through your mail servers
- 4) Reject as many malicious emails as possible at the initial SMTP connection
- 5) Deploy email authentication
- 6) Set up a Sender Policy Framework record in your DNS
- 7) Set up DKIM to sign your emails
- 8) Set up DMARC to resolve issues for the receiver if SPF or DKIM fail
- 9) Use the same domain name for forward and reverse DNS, and all authentication
- 10) Choose your domain wisely, correctly utilizing subdomains
- 11) Always deploy robust email filtering practices
- Running smoothly…
There’s much to be said for running your own mail server: privacy, flexibility and being in control of your own destiny; these are all good things. On the flip side, there’s usually a bit more to it than just installing a software package and clicking the Go! button. While the email ecosystem has lots of small complexities under the surface, it’s often the more basic things that can significantly help mail server administrators get things right. Here are our top tips to email success – you’ll certainly have a good start if you implement them all.
1) Have a valid reverse DNS set-up for your mail server
Email is heavily dependent on DNS. Often the first thing that needs to be configured is an MX record to tell the world where to send email for a specific domain. However, DNS plays an even more important role when sending emails: your mail server needs to have the correct reverse DNS set up.
Having valid reverse DNS (also known as a PTR record) is often the most basic requirement for getting your mail accepted anywhere. It works even better if the hostname in the PTR record resolves forward to the same IP address, so that forward and reverse DNS match each other.
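The forward/reverse match described above is usually called forward-confirmed reverse DNS (FCrDNS). The following checker is an added example, not code from the original article: it classifies an IP as having no PTR, a PTR only, or a PTR whose name resolves back to the IP. The lookup tables are constructed for the example (192.0.2.0/24 is the documentation range); the `live_ptr` and `live_a` functions show how to plug in the system resolver instead.

```python
import ipaddress
import socket

# Constructed DNS data standing in for a live resolver (assumption: these
# names and addresses are invented for the example).
PTR_RECORDS = {
    "192.0.2.25": ["mail.example.com"],   # PTR and forward agree: good
    "192.0.2.26": ["mail.example.com"],   # PTR exists, but the name resolves elsewhere
    "192.0.2.27": [],                     # no PTR at all: expect rejections
}
A_RECORDS = {
    "mail.example.com": ["192.0.2.25"],
}


def table_lookup(table):
    """Build a lookup function over a dict, returning [] for unknown keys."""
    return lambda key: table.get(key.lower().rstrip("."), [])


def live_ptr(ip):
    """Real PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def live_a(name):
    """Real forward lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Classify the reverse DNS of `ip`.

    has_ptr:           a PTR record exists at all
    forward_confirmed: at least one PTR name resolves back to `ip`
                       (forward-confirmed reverse DNS, the state tip 1 asks for)
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    names = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    confirmed = [n for n in names if ip in a_lookup(n)]
    return {
        "ip": ip,
        "ptr": names,
        "has_ptr": bool(names),
        "forward_confirmed": bool(confirmed),
    }


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(fcrdns_check(ip, table_lookup(PTR_RECORDS), table_lookup(A_RECORDS)))
```

To check a real server, call `fcrdns_check(ip, live_ptr, live_a)`; the only state that receivers treat as fully trustworthy is `forward_confirmed`, and the 192.0.2.26 case shows why a PTR alone is not enough.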
2) Get a dedicated IP address for your mail server & limit the use of outbound port 25
It’s easy to mix up, for example, office traffic and mail server traffic when it’s all NAT’ed behind the same IP. But this can cause trouble: compromised end-user devices will be able to do bad things online while using the same external IP address as the mail server.
Get a dedicated IP address for your mail server, or make sure that proper firewall rules are in place that limit the use of outbound port 25 to mail servers. This can prevent a lot of trouble.
3) Route ALL email traffic through your mail servers
Email does not always come from email clients inside your organization: servers, printers, or other devices may send out the occasional message as well.
Route all of the above traffic through your mail server, enabling you to know what is being sent and where. Additionally, this ensures that messages are being sent correctly.
Lastly, in case of an issue arising internally, proper anti-spam controls will prevent any damage from leaking outside your network.
4) Reject as many malicious emails as possible at the initial SMTP connection
The Simple Mail Transfer Protocol (SMTP) can inform the sender of the outcome of the delivery. Therefore, rejecting as much malicious or potentially malicious mail as possible during transmission informs the sender immediately that the mail did not reach the recipient.
By using this feature, it is always clear to the sender that the delivery failed, avoiding confusion between the two parties. Accepting an email first and then later bouncing it back is considered bad practice.
5) Deploy email authentication
Due to the way the SMTP protocol is designed, it is easy for anyone sending malicious email to use domains that they don’t own. But thanks to the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) standards, it’s also easy to limit any damage that can be caused by that.
Deploy these where and when you can, as it can prevent damage should others decide to send mail in your name. Together, SPF, DKIM, and DMARC are often referred to as email authentication.
6) Set up a Sender Policy Framework record in your DNS
Always set up a Sender Policy Framework (SPF) record in your DNS, and ensure that it is as specific as possible, limiting the IP addresses allowed to send for your domain. Also, set up DKIM to sign your outbound mail. Together, these two make your email configuration considerably more robust.
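The evaluator below is an added example (not code from the original article) of how a receiver walks an SPF record: each mechanism is tried in order and the first match decides, with the qualifier turning the match into pass, fail, softfail or neutral. It also flags records that are not "as specific as possible", such as one ending in `+all`. The TXT, MX and A data are constructed stand-ins for live DNS; the domains and addresses are invented.

```python
import ipaddress

# Constructed DNS data standing in for live TXT/MX/A lookups (assumption:
# all names and addresses are invented for the example).
TXT = {
    "example.com": "v=spf1 mx ip4:192.0.2.25 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "loose.example": "v=spf1 +all",      # authorises the whole Internet: avoid
}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.25"], "example.com": ["192.0.2.80"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, txt=TXT, mx=MX, a=A, depth=0):
    """Evaluate sending address `ip` against the SPF record of `domain`.

    Handles the all, ip4, ip6, a, mx and include mechanisms with their
    qualifiers; anything else (redirect=, exists, CIDR suffixes on a/mx)
    is reported as permerror rather than silently ignored.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # a mechanism without a qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "a":
            matched = ip in a.get(argument or domain, [])
        elif mechanism == "mx":
            matched = any(ip in a.get(host, []) for host in mx.get(argument or domain, []))
        elif mechanism == "include":
            matched = spf_check(ip, argument, txt, mx, a, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term present


def record_warnings(record):
    """Flag records that are not 'as specific as possible'."""
    terms = [t.lower() for t in record.split()[1:]]
    warnings = []
    if "+all" in terms or "all" in terms:
        warnings.append("'+all' lets any host on the Internet send for this domain")
    elif "?all" in terms:
        warnings.append("'?all' gives receivers no verdict on unlisted hosts")
    if not any(t in ("-all", "~all") for t in terms):
        warnings.append("record does not end with -all or ~all")
    return warnings


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(ip, spf_check(ip, "example.com"))
    print(record_warnings(TXT["loose.example"]))
```

Note how `include:` only counts as a match when the included record yields `pass`; the `~all` inside `_spf.example.net` does not leak out as a softfail for example.com, because example.com's own `-all` makes the final decision.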
7) Set up DKIM to sign your emails
While SPF allows a receiver to verify whether an IP address is allowed to send mail using your domain, DKIM allows verification that mail claiming to come from a domain really was authorized by the domain owner. Using DNS once again, a lookup retrieves a public key that is used to verify parts of the email. This virtually eliminates domain spoofing in email.
8) Set up DMARC to resolve issues for the receiver if SPF or DKIM fail
Even if SPF and DKIM are being used for verification, it is still unclear what a receiver should do when either one fails. DMARC solves this problem by publishing a policy in the DNS.
9) Use the same domain name for forward and reverse DNS, and all authentication
The more often the same domain is used for all these tips, the better. It makes it far easier for a recipient to see that you are communicating with them and not an imposter.
Use the same domain name for forward and reverse DNS for the email sender and all authentication. In the industry, this is called alignment; we call it common sense.
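Tips 8 and 9 are really one mechanism seen from two sides: DMARC publishes the policy, and alignment decides whether an SPF or DKIM pass counts toward it. The evaluator below is an added example, not code from the original article. It parses a `_dmarc` TXT record, checks relaxed (`r`) or strict (`s`) alignment of the SPF and DKIM domains against the From domain, and returns the resulting disposition, including the `sp=` subdomain policy. The record and scenarios are constructed; the organizational-domain helper uses the last two labels as a stand-in for a Public Suffix List lookup, which is an assumption that is wrong for names like example.co.uk.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        tag, _, val = part.strip().partition("=")
        if tag:
            tags[tag.strip().lower()] = val.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels, used here in
    place of a Public Suffix List lookup (wrong for e.g. example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM outcomes into a DMARC verdict and a disposition.

    from_domain: domain of the RFC5322.From header
    spf_domain:  the MAIL FROM (envelope) domain SPF was evaluated for
    dkim_domain: the d= tag of the DKIM-Signature that verified
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        return {"result": "permerror", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    # The sp= policy applies when the From domain is a subdomain of the org domain.
    policy = tags["p"]
    if org_domain(from_domain) != from_domain.lower().rstrip(".") and tags.get("sp") in POLICIES:
        policy = tags["sp"]
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
    }


# Constructed policy record for example.com (assumption: invented for the example).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Bounce address on a subdomain: relaxed SPF alignment is enough.
    print(dmarc_evaluate("example.com", RECORD, "pass", "bounce.example.com", "fail", ""))
    # SPF passes for a third-party sender and DKIM d= is a subdomain under
    # strict alignment: neither counts, so the p=reject policy applies.
    print(dmarc_evaluate("example.com", RECORD, "pass", "esp-provider.example", "pass", "mail.example.com"))
```

The second scenario is the one that catches people out: both SPF and DKIM "pass" in isolation, yet the message fails DMARC because neither passing domain is aligned with the From domain. Using one domain everywhere, as tip 9 says, avoids that outcome.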
10) Choose your domain wisely, correctly utilizing subdomains
Many of the tips we’ve shared rely on DNS, which means that a domain name is involved. Choose your domain name wisely, as many email systems will take a domain’s reputation into account when determining how to treat an email message.
Setting up all the authentication standards can improve the reputation of your domain. Finally, always use your main business domain where possible: it’s much better to have marketing.example.com and news.example.com instead of example-news.com and example-mkt.com.
11) Always deploy robust email filtering practices
Last but not least, be careful when accepting email. Always deploy sensible filtering practices to prevent malicious emails from being delivered to your users. It’s not possible to prevent bad mail from being sent, but you can certainly help yourself when it comes to accepting only the good, leaving the bad and the ugly out.
Running smoothly…
If all the tips we’ve shared are implemented, you will discover that running your own email doesn’t have to be troublesome. In return, you will get a lot of freedom to do things the way you want while staying in control of your own destiny.
Now it’s time to focus on Domain Name Server Blocklists (DNSBLs), which can help you deal with spam and other malicious inbound emails. Until then: safe mailing!