Enhance Email Deliverability with a Reverse DNS, SF, and DKIM Record

a ptr record is crucial for email servers, establishing reverse dns mapping and verifying server ip legitimacy it's vital for email deliverability, preventing spam flags and contributing to fcrdns servers lacking ptr records may face rejection, impacting delivery additionally, spf records specify authorized email servers, preventing spoofing dkim further authenticates outgoing emails, enhancing trust and communication target audience this tutorial is intended to help both developers and technical decision makers what you will learn this tutorial will guide you on how to install and configure a email server and a ptr, spf and dkim records using ionos cloud dns api https //api ionos com/docs/dns/v1/ you will learn to reserve an ipv4 address in your setup create an a and mx record for your email server for information on common record types, see create records of other types install and configure the email server on a dedicated core server in the test the email deliverability from the dedicated core server add a pointer record (ptr), domainkeys identified mail (dkim) and sender policy framework (spf) record for your email server test the email deliverability after adding ptr, dkim and spf records switch to ipv6 and configure your email server to use ipv6 before you begin pointer record (ptr) a type of dns record that maps an ip address to a domain name, commonly used for reverse dns lookups to verify the authenticity of the sender's domain domainkeys identified mail (dkim) a method for validating the authenticity of email messages by adding a digital signature to the email headers, allowing receiving servers to verify that the message has not been altered and comes from a legitimate sender sender policy framework (spf) a dns based email authentication protocol used to prevent email spoofing by specifying which ip addresses are allowed to send emails on behalf of a particular domain this helps to detect and prevent email fraud procedure reserve an ipv4 in to reserve an ipv4 in , follow these steps 1 in the dcd , go to menu > network services > ip management 2 in ip management , click reserve ips , and a new pop up window appears enter the following information name enter a suitable name number of ips select the number of ip addresses to be reserved region select a region that is the same as the region of your dedicated core server click reserve ips to reserve the ip addresses and confirm the reservation by selecting ok 3 exit the ip management window and return to the workspace expected result the ipv4 address is reserved create an a and mx record for your email server 1 to create an a record for your email server, follow these steps prerequisite make sure to use your own \<zone id> and \<your server ip> along with your \<authorization token> curl location 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'content type application/json' \\ \ header 'authorization bearer \<authorization token>' \\ \ data '{ "properties" { "name" "", "type" "a", "content" "\<your server ip>", "ttl" 60, "priority" 0, "enabled" true } }' 2 create an mx record for demo ionos cloud using the ionos cloud dns api https //api ionos com/docs/dns/v1/ curl location 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'content type application/json' \\ \ header 'authorization bearer \<authorization token>' \\ \ data '{ "properties" { "name" "", "type" "mx", "content" "mail demo ionos cloud", "ttl" 60, "priority" 10, "enabled" true } }' expected result the a and mx records for your email server are created info for more information on how to create a record for a primary zone using ionos cloud dns api, see create a dns record set up a dedicated core server in note the user who creates the server has full root or administrator access rights a server, once provisioned, retains all its settings (resources, drive allocation, password, and so on), even after server restart at the operating system level the server will only be removed from your virtual data center once you delete it in the dcd to set up a dedicated core server in , follow these steps 1 create a dedicated core server and configure the server in the settings tab by following the steps in create a dedicated core server https //docs ionos com/cloud/compute services/compute engine/how tos/set up dedicated core#create a dedicated core server 2 dedicated core server network settings in the dcd https //docs ionos com/cloud/set up ionos cloud/data center designer > inspector pane on the right, configure the following network details in the network tab 1 name choose a name unique to this virtual data center (vdc) https //docs ionos com/support/general information/glossary of terms#virtual data center vdc 2 mac assigned on vm creation 3 lan select the lan connection that is connected to the internet, by default lan 1 4 firewall by default, the firewall is disabled to enable firewall rules, make sure that incoming and outgoing traffic is allowed on port 25 for udp and tcp 5 in the ipv4 configuration, click add ip and select the same ip address that you used to create an a record dedicated core server network settings expected result the network settings for a dedicated core server are configured 3 dedicated core server storage settings warning the storage type cannot be changed after provisioning in the dcd https //docs ionos com/cloud/set up ionos cloud/data center designer > inspector pane on the right, configure the following storage details in the storage tab 1 click ssd and a new pop up window create new attached storage appears 2 configure the following storage details name enter a name that is unique within your vdc availability zone leave on "auto" size in gb enter "20" which is sufficient for this tutorial performance select "standard" image you can select one of images or snapshots, or use your own for this tutorial, we will use an ubuntu server image from to make the same choice, select ubuntu 22 04 server cloudimg amd64 under images password create a password for the "root" user of the server you will need this password to ssh and make changes ssh keys select an ssh key stored in the ssh key manager ad hoc ssh key if you have not created an ssh key, copy and paste the public part of your ssh key into this field cloud init user data you can add the below cloud init user data to your server this will install postfix, opendkim, and opendkim tools replace \<your email domain> with your email domain #cloud config packages \ postfix \ opendkim \ opendkim tools \ mailutils write files \ path /etc/postfix/main cf content | \# postfix configuration smtpd banner = \<your email domain> esmtp $mail name (ionos clouddns mail) biff = no append dot mydomain = no readme directory = no compatibility level = 3 6 \# tls parameters smtpd tls cert file=/etc/ssl/certs/ssl cert snakeoil pem smtpd tls key file=/etc/ssl/private/ssl cert snakeoil key smtpd tls security level=may smtp tls capath=/etc/ssl/certs smtp tls security level=may smtp tls session cache database = btree ${data directory}/smtp scache smtpd relay restrictions = permit mynetworks permit sasl authenticated defer unauth destination myhostname = ubuntu alias maps = hash /etc/aliases alias database = hash /etc/aliases myorigin = /etc/mailname mydestination = $myhostname, \<your email domain>, ubuntu, localhost localdomain, localhost relayhost = mynetworks = 127 0 0 0/8 \[ ffff 127 0 0 0]/104 \[ 1]/128 mailbox size limit = 0 recipient delimiter = + inet interfaces = all inet protocols = all \# enable opendkim milter milter default action = accept milter protocol = 6 smtpd milters = inet\ localhost 12301 non smtpd milters = inet\ localhost 12301 \ path /etc/opendkim conf content | \# opendkim configuration syslog yes syslogsuccess yes canonicalization relaxed/simple oversignheaders from domain \<your email domain> selector mail keyfile /etc/opendkim/keys/\<your email domain>/mail private userid opendkim umask 007 socket inet 12301\@localhost pidfile /run/opendkim/opendkim pid trustanchorfile /usr/share/dns/root key \ path /etc/cloud init/opendkim keys sh permissions '0755' content | \#!/bin/bash mkdir p /etc/opendkim/keys/\<your email domain> && opendkim genkey t s mail d \<your email domain> && mv mail private /etc/opendkim/keys/\<your email domain>/ && chown r opendkim\ opendkim /etc/opendkim/keys/\<your email domain> && systemctl restart opendkim \ path /etc/mailname content "\<your email domain>" runcmd \ sudo apt get update \ sudo apt get install y postfix opendkim opendkim tools mailutils \ sudo systemctl enable postfix opendkim \ sudo systemctl start postfix \ /etc/cloud init/opendkim keys sh boot from device select this checkbox to make the ssd drive bootable 3 click create ssd storage to create the ssd storage expected result the storage settings for a dedicated core server are configured 4 provision changes and start the dedicated core server 1 select the newly created dedicated core server 2 from the settings tab in the inspector pane, select power > start 3 click provision changes in the lower right corner and further click provision now expected result the dedicated core server is provisioned and started next steps after your changes are provisioned and the server is started, select your dedicated core server, click the network tab in the inspector pane and copy one of the ipv4 addresses expected result a dedicated core server is set up and started along with the configuration of settings , network , and storage setup test email deliverability note you can now connect to your dedicated core server, and send a test email the email might be marked as spam, depending on your email provider at this point, you have configured only a and mx records 1 connect to your dedicated core server via ssh ssh root@\<your server ip> 2 test the configuration using the following bash command echo "this is a test email" | mail s "test email" a "from sender\@mail demo ionos cloud" \<your email>@\<your domain> info replace \<your email>@\<your domain> with your email address you should receive an email titled test email containing the message this is a test email however, depending on your email provider, the email might be redirected to your spam folder for example, the email can be in the spam folder with a note mail system could not verify that demo ionos cloud actually sent this message (and not a spammer) 3 check the mail log file to see the status of the email delivery tail f /var/log/mail log 4 get the public key for the dkim record info public key for the dkim record can be found in the /mail txt file this is necessary to create the dkim record the output should be similar to something like this mail domainkey in txt ( "v=dkim1; h=sha256; k=rsa; t=y; " &#x9; "p=miibijanbgkdfdfwefweyqefaaocaq8amiibcgkcaqeavjk3sillnap0mt9fmikatdkaugyktrtyafmfvjz3klmp2tfqqze99hbezmofacoambkt0ykgxf6mr8zjrvnqtgcdpvvqzjsph7514+hyhtk/rjvz3c2ysbq1jbfz8g6g9r5clowjqsyp1jggpkmcapfi4qqdbsyecypj8+tcz2d8u9xpgdbwxtmo01vuqgflqkfiwfm4mdh4vy" &#x9; "efbh4+o2ndr657j4ofsdclptwpqlmeflspzcsn/k2oopwbfgoaqomlc1lqitfycgoe+wivnttmrvpymedqikzm1kniejivpwfedav7zocpsrthzu1l2ky7dahquwheueyowidaqab" ) ; dkim key mail for mail demo ionos cloud here, you need to save the public key for the next step expected result you have tested email deliverability with a and mx records add a reverse dns, dkim and spf record for your email server 1 create a ptr record for your email server using the ionos cloud dns api https //api ionos com/docs/dns/v1/ curl location 'https //dns de fra ionos com/reverserecords' \\ \ header 'content type application/json' \\ \ header 'authorization bearer \<authorization token>' \\ \ data '{ "properties" { "name" "mail demo ionos cloud", "description" "the reverse dns record is used for mail demo ionos cloud", "ip" "\<your server ip>" } }' 2 create an spf record for mail demo ionos cloud using ionos cloud dns api https //api ionos com/docs/dns/v1/ curl location 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'content type application/json' \\ \ header 'authorization bearer \<authorization token>' \\ \ data '{ "properties" { "name" "", "type" "txt", "content" "v=spf1 ip4 \<your server ip> all", "ttl" 60, "enabled" true } } ' info for your spf record make sure that instead of mail demo ionos cloud you use your own domain name after creating the ptr record and the spf record, it might take around 10 minutes to propagate 3 create a domainkeys identified mail (dkim) record for mail demo ionos cloud using the ionos cloud dns api https //api ionos com/docs/dns/v1/ curl location 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'content type application/json' \\ \ header 'authorization bearer \<authorization token>' \\ \ data '{ "properties" { "name" "mail domainkey", "type" "txt", "content" "v=dkim1; h=sha256; k=rsa; t=y; p=miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqeavjk3sillnap0mt9fmikatdkaugyktrtyafmfvjz3klmp2tfqqze99hbezmofacoambkt0ykgxf6mr8zjrvnqtgcdpvvqzjsph7514+hyhtk/rjvz3c2ysbq1jbfz8g6g9r5clowjqsyp1jggpkmcapfi4qqdbsyecypj8+tcz2d8u9xpgdbwxtmo01vuqgflqkfiwfm4mdh4vyefbh4+o2ndrbvh6c49moptwpqlmeflspzcsn/k2oopwbfgoaqomlc1lqitfycgoe+wivnttmrvpymedqikzm1kniejivpwfedav7zocpsrthzu1l2ky7dv8rfpfwjnifskezeyowidaqab", "ttl" 6000, "enabled" true } } ' 4 test the email deliverability using the following bash command echo "this is a test email" | mail s "test email" a "from\ sender\@mail demo ionos cloud" \<your email>@\<your domain> expected result you have created reverse dns, spf, and dkim records for your email server and tested email deliverability info replace \<your email>@\<your domain> with your email address switch to ipv6 once you have configured your email server to use ipv4, you can now configure your email server to use ipv6 1 to enable ipv6 for your lan, select the lan connection connected to the internet, then select the ipv6 enabled option provision your changes 2 after the changes are provisioned and ipv6 is enabled you can configure your nic in the network tab provide the following details name your choice is recommended to be unique to this virtual data center (vdc) mac the media access control (mac) address will be assigned automatically upon provisioning lan select a lan for which you want to configure the network firewall to activate the firewall, choose between ingress / egress / bidirectional ipv4 configuration provide the following details primary ip the primary ip address is automatically assigned by the dhcp server https //docs ionos com/support/general information/glossary of terms#server you can, however, enter an ip address for manual assignment by selecting one of the reserved ips from the drop down list private ip addresses should be entered manually the network interface controller (nic) https //docs ionos com/support/general information/glossary of terms#nic has to be connected to the internet failover if you have an ha setup including a failover configuration on your vms, you can create and manage ip failover groups that support your high availability (ha) setup firewall configure the firewall dhcp it is often necessary to run a dynamic host configuration protocol (dhcp) server in your vdc (e g preboot execution environment (pxe) boot for fast rollout of vms) if you use your own dhcp server, clear this checkbox so that your ips are not reassigned by the dhcp server add ip in order to use "floating" or virtual ips, you can assign additional ips to a nic by selecting them from the drop down menu ipv6 configuration provide the following details nic ipv6 cidr you can populate an ipv6 cidr block with prefix length /80 or allow it to be automatically assigned from the vdcs allocated range, by selecting provision changes you can also choose 1 or more individual /128 ips only the first ip is automatically allocated the remaining ips can be assigned as per your requirement the maximum number of ipv6 ips that can be allocated per nic is 50 dhcpv6 it is often necessary to run your own dhcpv6 server in your virtual data center (vdc) (e g pxe boot for fast rollout of vms) if you use your own dhcpv6 server, clear this checkbox so that your ips are not reassigned by the dhcpv6 server add ip in order to use "floating" or virtual ips, you can assign additional ips to a nic by selecting them from the drop down menu to create the ptr record, use the automatically assigned ipv6 address from the vdcs allocated range continue and select provision changes 3 create a ptr record for your mail server using ionos cloud dns api https //api ionos com/docs/dns/v1/ note replace 2001 0db8 1 with your own ipv6 address curl location 'https //dns de fra ionos com/reverserecords' \\ \ header 'authorization bearer \<authorization token>' \\ \ header 'content type application/json' \\ \ data '{ "properties" { "ip" "2001 0db8 1", "name" "mail demo ionos cloud", "description" "ipv6 ptr record for mail demo ionos cloud" } } 4 create an aaaa record for mail demo ionos cloud pointing to the ipv6 address that was assigned to your server note replace 2001 0db8 1 with your own ipv6 address curl location 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'authorization bearer \<authorization token>' \\ \ header 'content type application/json' \\ \ data '{ "properties" { "name" "", "type" "aaaa", "content" "2001 0db8 1", "ttl" 60, "priority" 0, "enabled" true } } 5 you need to alter the spf record to include the ipv6 address to update the spf record, you need to get \<spf record id> using curl location request get 'https //dns de fra ionos com/zones/\<zone id>/records' \\ \ header 'authorization bearer \<authorization token>' \\ \ header 'content type application/json' 6 update the spf record to include the ipv6 address using note replace \<ipv4 address of email server> and \<ipv6 address of email server> with ipv4 and ipv6 addresses of the email server curl location request put 'https //dns de fra ionos com/zones/\<zone id>/records/\<spf record id>' \\ \ header 'authorization bearer \<authorization token>' \\ \ header 'content type application/json' \\ \ data '{ "properties" { "name" "", "type" "txt", "content" "v=spf1 ip4 \<ipv4 address of email server> ip6 \<ipv6 address of email server> all", "ttl" 60, "enabled" true } }' 7 login to the email server using the new ipv6 address and test again the email deliverability using and send an email ```bash echo "this is a test email" | mail s "test email" a "from\ sender\@mail demo ionos cloud" \<your email>@\<your domain> 8 we can check the mail log using tail f /var/log/mail log expected result you have switched from ipv4 to ipv6 and tested email deliverability final result you have successfully set up an email server with reverse dns, spf, and dkim records using the dns api email deliverability is now improved for both ipv4 and ipv6 configurations conclusion by following this tutorial, you have configured an email server with reverse dns, spf, and dkim records using the dns api to enhance email deliverability these steps help ensure your emails are authenticated and trusted, reducing the risk of being flagged as spam