Improving Mailserver Reputation

Submitted by h2b on
Problem description
System
All
Symptom
Mails sent from your server go into the recipient's spam or junk folder.

It is quite easy to set up a mail system on your own server, but more often than not the recipients find your mails in their spam or junk folder, if they arrive at all. The reason is that most mail providers have established procedures to block the unsolicited mail we all have to deal with nowadays.

There are a few measures one can take to improve the reputation of a mailserver so that outgoing mails are accepted by most providers. Implementing only some of them is almost certainly not enough; all of them are required.

  1. Reverse DNS
    Ensure that a reverse DNS lookup yields the right domain for the server IP. Usually this can be set in the administrative interface of the webspace hoster (not the domain hoster): connect the IP of the webspace your mailserver is running on to the domain from which the mails are sent.

  2. Hostname
    Ensure that the hostname command yields the right server name, e.g.,
     
    hostname example.org

  3. SPF (Sender Policy Framework)
    Add a TXT record to the domain containing
     
    v=spf1 a mx ~all
    This can usually be done in the administrative interface of the domain hoster. It ensures that mails that claim to be sent from your domain must originate from an IP equal to the A or MX records of your domain.

  4. DKIM (DomainKeys Identified Mail)
    This depends on the mail program you are using. We give an example here for exim4 running on a Debian system.
    Generate a private and public key in /etc/exim4/dkim/:
      openssl genrsa -out example.org-private.pem 2048
      openssl rsa -in example.org-private.pem -out example.org.pem -pubout -outform PEM

    Add a TXT record named <selector>._domainkey to the domain containing

    v=DKIM1;k=rsa;p=
    followed by the actual public key generated above. Choose some arbitrary string for <selector>; it must match the corresponding entry in /etc/exim4/exim4.conf.localmacros (see below). If the domain service refuses the record because of its length, split it into chunks enclosed in quotation marks.
    After that, adapt /etc/exim4/exim4.conf.localmacros like so:
      DKIM_CANON = relaxed
      DKIM_SELECTOR = 20190215
      DKIM_DOMAIN = example.org
      DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.org-private.pem

    and run
      update-exim4.conf
      service exim4 restart
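
Added example, not part of the original post: a shell function that turns the PEM public key from step 4 into the `v=DKIM1;k=rsa;p=` TXT value and splits it into quoted chunks of at most 255 characters, the limit for a single string in a DNS TXT record. The names `dkim_txt_value` and `sample_pem` and the filler key are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the DKIM TXT value from a PEM public key and split it
# into quoted strings of at most 255 characters (limit of one DNS TXT string).
# Verifiers concatenate the strings again before parsing the record.

# Reads a PEM public key on stdin, prints one quoted chunk per line.
dkim_txt_value() {
    pem=$(cat)
    # The private and the public key sit side by side in /etc/exim4/dkim/;
    # refuse to turn the private one into a DNS record.
    case "$pem" in
        *'PRIVATE KEY'*) echo "refusing: input is a private key" >&2; return 1 ;;
    esac
    # Drop the BEGIN/END armor lines and all whitespace, leaving bare base64.
    key=$(printf '%s\n' "$pem" | grep -v '^-----' | tr -d ' \t\r\n')
    case "$key" in
        ''|*[!A-Za-z0-9+/=]*) echo "input is not a PEM public key" >&2; return 1 ;;
    esac
    printf '%s\n' "v=DKIM1;k=rsa;p=$key" | fold -w 255 | sed 's/.*/"&"/'
}

# Constructed sample input: 392 base64 characters of filler, the length of a
# 2048-bit RSA public key as written by "openssl rsa -pubout". Not a real key.
sample_pem() {
    echo '-----BEGIN PUBLIC KEY-----'
    awk 'BEGIN { for (i = 1; i <= 392; i++) printf "%s", (i % 64 ? "A" : "A\n"); print "" }'
    echo '-----END PUBLIC KEY-----'
}

# Real use: dkim_txt_value < /etc/exim4/dkim/example.org.pem
sample_pem | dkim_txt_value
```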

Area

Another measure one can take is creating a TXT record named _dmarc according to the DMARC specification (Domain-based Message Authentication, Reporting and Conformance). This allows one to define criteria for checking the SPF and DKIM values. In its simplest form, the content of this TXT record would be

  v=DMARC1; p=none

which means something like "do nothing". You can start with this and add more specifications later according to your needs, see Wikipedia.