**Replace `example.com` with your actual domain**
**Replace `YOUR_PUBLIC_IP` with your mail server's public IP address**

---

## Required DNS Records

### 1. MX Record (Mail Exchange)

```
Type: MX
Name: @
Content: mail.example.com
Priority: 10
Proxy: DNS only (gray cloud)
TTL: Auto
```

### 2. A Record (Mail Server)

```
Type: A
Name: mail
Content: YOUR_PUBLIC_IP
TTL: Auto
Proxy: DNS only (gray cloud)
```

### 3. SPF Record (Sender Policy Framework)

```
Type: TXT
Name: @
Content: v=spf1 mx ~all
TTL: Auto
```

**For a stricter policy (hard fail for senders not listed), use:**

```
v=spf1 mx -all
```

### 4. DKIM Record (DomainKeys Identified Mail)

```
Type: TXT
Name: mail._domainkey
Content: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_FROM_MAIL_TXT_FILE
TTL: Auto
```

**To get your DKIM public key:**

```bash
cat /etc/opendkim/keys/example.com/mail.txt
```

**Important:**
- Remove the quotes around the key
- Remove line breaks (make it one continuous line)
- Format: `v=DKIM1; k=rsa; p=MIGfMA0GCSq...`

### 5. DMARC Record (Email Authentication)

```
Type: TXT
Name: _dmarc
Content: v=DMARC1; p=none; rua=mailto:dmarc@example.com
TTL: Auto
```

**Policy Levels (in order of strictness):**
- `p=none` - Monitor only (start here)
- `p=quarantine` - Mark failing emails as suspicious
- `p=reject` - Reject failing emails (most strict)

### 6. PTR Record (Reverse DNS)

**⚠️ This MUST be configured at your hosting provider, NOT Cloudflare**

Contact your VPS/hosting provider and request:

```
PTR for YOUR_PUBLIC_IP → mail.example.com
```

Example request email:

```
Subject: PTR Record Configuration Request

Hello,

Please configure the reverse DNS (PTR record) for my IP address:

IP: YOUR_PUBLIC_IP
PTR Record: mail.example.com

Thank you!
```

---

## Optional But Recommended

### 7. Autodiscover (Easy client setup)

```
Type: CNAME
Name: autodiscover
Content: mail.example.com
TTL: Auto
Proxy: DNS only
```

### 8. Autoconfig (Mozilla clients)

```
Type: CNAME
Name: autoconfig
Content: mail.example.com
TTL: Auto
Proxy: DNS only
```

---

## Verification Commands

After adding DNS records, verify them with these commands:

### Check MX Record

```bash
dig example.com MX
# or
nslookup -type=MX example.com
```

### Check A Record

```bash
dig mail.example.com A
# or
nslookup mail.example.com
```

### Check SPF Record

```bash
dig example.com TXT
# or
nslookup -type=TXT example.com
```

### Check DKIM Record

```bash
dig mail._domainkey.example.com TXT
# or
nslookup -type=TXT mail._domainkey.example.com
```

### Check DMARC Record

```bash
dig _dmarc.example.com TXT
# or
nslookup -type=TXT _dmarc.example.com
```

### Check PTR Record (Reverse DNS)

```bash
dig -x YOUR_PUBLIC_IP
# or
nslookup YOUR_PUBLIC_IP
```

---

## Important Notes

1. **Proxy Status**: Always use "DNS only" (gray cloud) for mail-related records. Never use the Cloudflare proxy (orange cloud) for MX records, A records pointing to mail servers, or mail-related TXT records; SMTP traffic cannot pass through the HTTP proxy.

2. **Propagation Time**: DNS changes can take 1-48 hours to fully propagate worldwide. Be patient!

3. **Testing Tools**: Use these to verify your setup:
   - https://www.mail-tester.com (sends a test email)
   - https://mxtoolbox.com/SuperTool.aspx (DNS checker)
   - https://dmarcian.com/dmarc-inspector/ (DMARC validator)
   - https://www.dmarcanalyzer.com/dkim/dkim-check/ (DKIM validator)

4. **Common Mistakes**:
   - Forgetting to set the PTR record at the hosting provider
   - Using the Cloudflare proxy on mail records
   - Not removing quotes/spaces from the DKIM key
   - Typos in subdomain names (`_dmarc`, `_domainkey`)

5. **Priority Order**:
   - Day 1: Add MX, A, and SPF records
   - Day 2: Add DKIM record (after generating keys on the server)
   - Day 3: Add DMARC with `p=none` for monitoring
   - Week 2+: Change DMARC to `p=quarantine` or `p=reject`

---

## Cloudflare Specific Settings

### API Mode (Optional)

If you want to automate DNS updates via the API, you'll need:
- Your Cloudflare Zone ID
- An API token with DNS edit permissions

### SSL/TLS Settings

In the Cloudflare dashboard:
- Go to SSL/TLS → Overview
- Set to "Full" or "Full (strict)" if you have valid certificates
- Do NOT use "Flexible"

### Email Routing

Cloudflare offers Email Routing that can forward emails. If you're running your own server, make sure that either:
- Email Routing is DISABLED, or
- It is configured to work alongside your MX records

---

## Quick Setup Checklist

- [ ] Add MX record pointing to mail.example.com
- [ ] Add A record for mail.example.com with your IP
- [ ] Add SPF TXT record
- [ ] Generate DKIM keys on server
- [ ] Add DKIM TXT record
- [ ] Add DMARC TXT record (start with p=none)
- [ ] Contact hosting provider for PTR record
- [ ] Wait 24-48 hours for propagation
- [ ] Test with dig/nslookup commands
- [ ] Send test email to mail-tester.com
- [ ] Check MXToolbox for any issues

---

## Example Complete DNS Setup

For domain: `example.com`
Mail server IP: `203.0.113.50`

| Type | Name | Content | Priority | TTL | Proxy |
|------|------|---------|----------|-----|-------|
| MX | @ | mail.example.com | 10 | Auto | DNS only |
| A | mail | 203.0.113.50 | - | Auto | DNS only |
| TXT | @ | v=spf1 mx ~all | - | Auto | - |
| TXT | mail._domainkey | v=DKIM1; k=rsa; p=MIGfM... | - | Auto | - |
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@example.com | - | Auto | - |
| CNAME | autodiscover | mail.example.com | - | Auto | DNS only |

PTR Record (at hosting provider):
- 203.0.113.50 → mail.example.com

---

## Support Resources

- **Cloudflare DNS Documentation**: https://developers.cloudflare.com/dns/
- **SPF Record Checker**: https://www.kitterman.com/spf/validate.html
- **DKIM Validator**: https://dkimvalidator.com/
- **DNS Propagation Checker**: https://www.whatsmydns.net/

Good luck with your DNS setup! 🚀
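The following is an added example, not part of this guide: it automates the two places people get the TXT values wrong, namely flattening OpenDKIM's `mail.txt` into the single-line `Content` value section 4 asks for, and flagging the weak SPF (`~all`) and DMARC (`p=none`) settings from sections 3 and 5 before you paste them into Cloudflare. It assumes the multi-line quoted-string layout that `opendkim-genkey` writes; the sample `mail.txt` below is constructed with fake key bytes.

```python
import re

# Constructed sample of OpenDKIM's mail.txt output (the key material is fake).
SAMPLE_MAIL_TXT = '''mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "
\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7fakeKEYmaterialAAAA"
\t  "BBBBfakeKEYmaterialQIDAQAB" )  ; ----- DKIM key mail for example.com
'''

def flatten_opendkim_txt(text: str) -> str:
    """Join the quoted chunks of mail.txt into one Content line, no quotes or line breaks."""
    value = "".join(re.findall(r'"([^"]*)"', text))
    if not value.startswith("v=DKIM1"):
        raise ValueError("flattened value is not a DKIM1 record")
    return value

def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def check_spf(value: str) -> list:
    """Warn about the weak SPF settings discussed in section 3."""
    terms = value.split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF record must start with v=spf1"]
    warnings = []
    if "mx" not in terms:
        warnings.append("no 'mx' mechanism: mail sent from the MX host will not pass")
    if terms[-1] == "~all":
        warnings.append("softfail (~all): switch to -all once delivery is confirmed")
    elif terms[-1] != "-all":
        warnings.append("no -all/~all terminator: unlisted senders are not rejected")
    return warnings

def check_dmarc(value: str) -> list:
    """Warn about the monitoring-only DMARC policy discussed in section 5."""
    tags = parse_tags(value)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return [f"invalid policy {policy!r}"]
    warnings = []
    if policy == "none":
        warnings.append("p=none only monitors: move to quarantine/reject after reviewing reports")
    return warnings
```

Run `flatten_opendkim_txt(open("/etc/opendkim/keys/example.com/mail.txt").read())` on the server and paste the returned string as the `Content` of the `mail._domainkey` TXT record.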