added first true commit

tank/programming/Mailserver setup/DNS Records Quick Reference for Cloudflare.md

@@ -0,0 +1,253 @@
+
+**Replace `example.com` with your actual domain**
+**Replace `YOUR_PUBLIC_IP` with your mail server's public IP address**
+
+---
+
+## Required DNS Records
+
+### 1. MX Record (Mail Exchange)
+```
+Type: MX
+Name: @
+Content: mail.example.com
+Priority: 10
+Proxy: DNS only (gray cloud)
+TTL: Auto
+```
+
+### 2. A Record (Mail Server)
+```
+Type: A
+Name: mail
+Content: YOUR_PUBLIC_IP
+TTL: Auto
+Proxy: DNS only (gray cloud)
+```
+
+### 3. SPF Record (Sender Policy Framework)
+```
+Type: TXT
+Name: @
+Content: v=spf1 mx ~all
+TTL: Auto
+```
+
+**For stricter policy, use:**
+```
+v=spf1 mx -all
+```
+
+### 4. DKIM Record (DomainKeys Identified Mail)
+```
+Type: TXT
+Name: mail._domainkey
+Content: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_MAIL_TXT_FILE
+TTL: Auto
+```
+
+**To get your DKIM public key:**
+```bash
+cat /etc/opendkim/keys/example.com/mail.txt
+```
+
+**Important:** 
+- Remove quotes from the key
+- Remove line breaks (make it one continuous line)
+- Format: `v=DKIM1; k=rsa; p=MIGfMA0GCSq...`
+
+### 5. DMARC Record (Email Authentication)
+```
+Type: TXT
+Name: _dmarc
+Content: v=DMARC1; p=none; rua=mailto:dmarc@example.com
+TTL: Auto
+```
+
+**Policy Levels (in order of strictness):**
+- `p=none` - Monitor only (start here)
+- `p=quarantine` - Mark suspicious emails
+- `p=reject` - Reject failing emails (most strict)
+
+### 6. PTR Record (Reverse DNS)
+**⚠️ This MUST be configured at your hosting provider, NOT Cloudflare**
+
+Contact your VPS/hosting provider and request:
+```
+PTR for YOUR_PUBLIC_IP → mail.example.com
+```
+
+Example request email:
+```
+Subject: PTR Record Configuration Request
+
+Hello,
+
+Please configure the reverse DNS (PTR record) for my IP address:
+IP: YOUR_PUBLIC_IP
+PTR Record: mail.example.com
+
+Thank you!
+```
+
+---
+
+## Optional But Recommended
+
+### 7. Autodiscover (Easy client setup)
+```
+Type: CNAME
+Name: autodiscover
+Content: mail.example.com
+TTL: Auto
+Proxy: DNS only
+```
+
+### 8. Autoconfig (Mozilla clients)
+```
+Type: CNAME
+Name: autoconfig
+Content: mail.example.com
+TTL: Auto
+Proxy: DNS only
+```
+
+---
+
+## Verification Commands
+
+After adding DNS records, verify them with these commands:
+
+### Check MX Record
+```bash
+dig example.com MX
+# or
+nslookup -type=MX example.com
+```
+
+### Check A Record
+```bash
+dig mail.example.com A
+# or
+nslookup mail.example.com
+```
+
+### Check SPF Record
+```bash
+dig example.com TXT
+# or
+nslookup -type=TXT example.com
+```
+
+### Check DKIM Record
+```bash
+dig mail._domainkey.example.com TXT
+# or
+nslookup -type=TXT mail._domainkey.example.com
+```
+
+### Check DMARC Record
+```bash
+dig _dmarc.example.com TXT
+# or
+nslookup -type=TXT _dmarc.example.com
+```
+
+### Check PTR Record (Reverse DNS)
+```bash
+dig -x YOUR_PUBLIC_IP
+# or
+nslookup YOUR_PUBLIC_IP
+```
+
+---
+
+## Important Notes
+
+1. **Proxy Status**: Always use "DNS only" (gray cloud) for mail-related records. Never use Cloudflare proxy (orange cloud) for MX, A records pointing to mail servers, or mail-related TXT records.
+
+2. **Propagation Time**: DNS changes can take 1-48 hours to fully propagate worldwide. Be patient!
+
+3. **Testing Tools**: Use these to verify your setup:
+   - https://www.mail-tester.com (sends test email)
+   - https://mxtoolbox.com/SuperTool.aspx (DNS checker)
+   - https://dmarcian.com/dmarc-inspector/ (DMARC validator)
+   - https://www.dmarcanalyzer.com/dkim/dkim-check/ (DKIM validator)
+
+4. **Common Mistakes**:
+   - Forgetting to set PTR record at hosting provider
+   - Using Cloudflare proxy on mail records
+   - Not removing quotes/spaces from DKIM key
+   - Typos in subdomain names (_dmarc, _domainkey)
+
+5. **Priority Order**:
+   - Day 1: Add MX, A, and SPF records
+   - Day 2: Add DKIM record (after generating keys on server)
+   - Day 3: Add DMARC with `p=none` for monitoring
+   - Week 2+: Change DMARC to `p=quarantine` or `p=reject`
+
+---
+
+## Cloudflare Specific Settings
+
+### API Mode (Optional)
+If you want to automate DNS updates via API, you'll need:
+- Your Cloudflare Zone ID
+- An API token with DNS edit permissions
+
+### SSL/TLS Settings
+In Cloudflare dashboard:
+- Go to SSL/TLS → Overview
+- Set to "Full" or "Full (strict)" if you have valid certificates
+- Do NOT use "Flexible"
+
+### Email Routing
+Cloudflare offers Email Routing that can forward emails. If you're running your own server, make sure:
+- Email Routing is DISABLED, or
+- Configure it to work alongside your MX records
+
+---
+
+## Quick Setup Checklist
+
+- [ ] Add MX record pointing to mail.example.com
+- [ ] Add A record for mail.example.com with your IP
+- [ ] Add SPF TXT record
+- [ ] Generate DKIM keys on server
+- [ ] Add DKIM TXT record
+- [ ] Add DMARC TXT record (start with p=none)
+- [ ] Contact hosting provider for PTR record
+- [ ] Wait 24-48 hours for propagation
+- [ ] Test with dig/nslookup commands
+- [ ] Send test email to mail-tester.com
+- [ ] Check MXToolbox for any issues
+
+---
+
+## Example Complete DNS Setup
+
+For domain: `example.com`
+Mail server IP: `203.0.113.50`
+
+| Type | Name | Content | Priority | TTL | Proxy |
+|------|------|---------|----------|-----|-------|
+| MX | @ | mail.example.com | 10 | Auto | DNS only |
+| A | mail | 203.0.113.50 | - | Auto | DNS only |
+| TXT | @ | v=spf1 mx ~all | - | Auto | - |
+| TXT | mail._domainkey | v=DKIM1; k=rsa; p=MIGfM... | - | Auto | - |
+| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@example.com | - | Auto | - |
+| CNAME | autodiscover | mail.example.com | - | Auto | DNS only |
+
+PTR Record (at hosting provider):
+- 203.0.113.50 → mail.example.com
+
+---
+
+## Support Resources
+
+- **Cloudflare DNS Documentation**: https://developers.cloudflare.com/dns/
+- **SPF Record Checker**: https://www.kitterman.com/spf/validate.html
+- **DKIM Validator**: https://dkimvalidator.com/
+- **DNS Propagation Checker**: https://www.whatsmydns.net/
+
+Good luck with your DNS setup! 🚀