No announcement yet.

What to do to ensure Emails are delivered

  • Filter
  • Time
  • Show
Clear All
new posts

  • What to do to ensure Emails are delivered

    If you want to use your own Mail server, then there are some steps you need to keep in mind so you do not get your mail rejected.

    Reverse DNS

    Many providers do not accept mails that arrive from IPs with a generic PTR Record, so in this case you should set it to a FQDN for example mail.<your_domain> or and other subdomain.
    In my case I will use for this “tutorial”.

    To make this change go to the PowerPanel -> Network -> Nameserver -> Reverse DNS

    After you did change the rDNS you need to wait 12 to 48 hours until it does Propagate worldwide, you can check if the value is set over the shell or for example MXTOOLBOX.

    Checking over the Shell:

    host <IP>
    $ host domain name pointer
    To check over MxToolBox click here

    This is a important step as Providers like GMX will reject the mails if it is not done. (normally you will then get a bounce like mail rejected 554 bad ptr)

    SMTP Banner (and Hostname)

    Firstly you should set the Hostname that should match the rDNS record, for this you can over the SSH use the command “hostname”

    (If you have a vServer then you need to change it over vServer -> Hostname and not over the shell)

    After you did change that you can make the changes to the Postfix configuration. For that you need to edit the file: /etc/postfix/ and make sure there the “smtpd_banner” is set as below:

    smtpd_banner = $myhostname ESMTP $mail_name
    a quick way to check it is:

    cat /etc/postfix/ |grep 'smtpd_banner'
    Output should the be:
    smtpd_banner = $myhostname ESMTP $mail_name
    After you saved the changes you can restart the Postfix:

    systemctl restart postfix
    - or -
    service postfix restart
    SPF Record

    The SPF (sender policy framework) is a validation system against email spoofing, you can read more about it on wikipedia

    A easy way to generate the SPF is by using
    In my case after I did fill the form it gives me

    Code:  IN TXT "v=spf1 mx a ~all"
    So on your DNS you need to add a new entry as TXT with for example the value v=spf1 mx a ~all

    Please keep in mind that this change can all take up to 48 hours until it does Propagate worldwide

    To check your entry you can again use SSH or MXTOOLBOX:

    Checking over SSH:

    dig TXT <domain> +short
    # dig TXT +short
    "v=spf1 mx a ~all"
    To check over MxToolBox click here

    DKIM Record

    (This example will be done for Debian there may need to be some changes on other systems)

    1st: Install the Packages need:

    apt-get install opendkim opendkim-tools

    2nd: Create the needed folders and provide the right permissions:

    mkdir -p /etc/opendkim/keys
    chown -R opendkim. /etc/opendkim
    chmod go-rw /etc/opendkim/keys
    3rd: Configure the Postfix so it does use the opendkim: (for that add the lines bellow to the /etc/postfix/

    # OpenDKIM
    milter_protocol = 6
    milter_default_action = accept

    4th: OpenDKIM Configuration: (Edit the /etc/opendkim.conf )

    # OpenDKIM agiert als Mail Filter (= Milter) in den
    # Modi signer (s) und verifier (v) und verwendet eine
    # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
    Mode                    sv
    #Socket                  local:/var/run/opendkim/opendkim.sock
    Socket                inet:12345@localhost
    # OpenDKIM verwendet diesen Benutzer bzw.
    # diese Gruppe
    UserID                  opendkim:opendkim
    UMask                   002
    PidFile                 /var/run/opendkim/
    # OpenDKIM bei Problemen neustarten,
    # aber max. 10 mal pro Stunde
    AutoRestart             yes
    AutoRestartRate         10/1h
    # Logging (wenn alles funktioniert eventuell reduzieren)
    Syslog                  yes
    SyslogSuccess           yes
    LogWhy                  yes
    # Verfahren, wie Header und Body durch
    # OpenDKIM verarbeitet werden sollen.
    Canonicalization        relaxed/relaxed
    # interne Mails nicht mit OpenDKIM verarbeiten
    ExternalIgnoreList      refile:/etc/opendkim/trusted
    InternalHosts           refile:/etc/opendkim/trusted
    # welche Verschlüsselungs-Keys sollen für welche
    # Domains verwendet werden
    # (refile: für Dateien mit regulären Ausdrücke)
    SigningTable            refile:/etc/opendkim/signing.table
    KeyTable                /etc/opendkim/key.table
    # diesen Signatur-Algorithmus verwenden
    SignatureAlgorithm      rsa-sha256
    # Always oversign From (sign using actual From and a null From to prevent
    # malicious signatures header fields (From and/or others) between the signer
    # and the verifier.  From is oversigned by default in the Debian pacakge
    # because it is often the identity key used by reputation systems and thus
    # somewhat security sensitive.
    OversignHeaders         From
    5th: Configure the “exceptions” (Internal and Trusted domains/IPs that do not need it) That is added in /etc/opendkim/trusted

    6th: Attribute the right key to each domain: (Edit /etc/opendkim/signing.table and /etc/opendkim/key.table)

    /etc/opendkim/signing.table :

    * help-server
    * example
    * otherdomain
    /etc/opendkim/key.table :

    7th: Generate the DKIM Key

    opendkim-genkey -d -b 2048 -r -s 201705
    you will then get two files: 201705.txt and 201705.private

    Now we will move them and rename:

    mv 201705.txt     /etc/opendkim/keys/help-server.txt
    mv 201705.private /etc/opendkim/keys/help-server.private
    chown -R opendkim. /etc/opendkim
    8th: Add the DomainKey to the DNS, for that go to the /etc/opendkim/keys/help-server.txt file and copy the key and add it to the DNS

    9th: Restart the affected services:

    systemctl restart opendkim.service
    systemctl restart postfix.service
    10th: Check if it all works, for that you can use for example

    Blacklist Check

    Blacklist can also be one of the big reasons for a “mail rejected” bounce back, the quickest way to check if your server IP got blacklisted is using MxToolBox or dnsbl

    Here a example:

    So in my case there is none. If your IP is listed it will show the ones where you are on the top of the table with a “details” button where then on the end of the page you will have a link to the blacklist so you can check the reason and also start the delisting.

    If you having issues with or and Microsoft domain then you may want to register yourself in the Smart Network Data Service (SNDS) and add there your IPs so you can check their status. Please keep in mind that you need to prove your ownership to add the IPs, that can be done over the rDNS by having your Email in the whois of the domain that is there.

    For gmail you can use there form if you have issues sending Emails to them. (Click here for the form)

    Hope this did help you, if you have any additional questions let me know

    Best Regards,
    Last edited by Martin; 10-13-2017, 07:31 PM.

  • #2
    Hi Martin,
    Excellent breakdown. I am having mail issues and need to run through this. I am however on a SERVER4YOU server where I have many domains allocated via Plesk. Reviewing the process you have laid out above, I'm unsure if I need to run through this for each and every domain I have in order to resolve the delivery issues (or how I set multiple SMTP banners, one for each domain).

    Can you shed any light on how I can do this or what step I need to take ?



    • #3
      Hey Chily Thank you

      IF you do have multiple Domains you only need to make the DKIM and SPF on each.
      The Hostname and Reverse DNS can only be set once so most use the main domain for it. Important here is just that the entry is not the generic one.

      Best Regards,


      • #4
        Thanks Martin. Hostname and rDNS was set automatically after applying the hostname to the contract named server name.
        A customer on one of my added domains was noting that mails were not coming in from their customers (rejection messages from icloud, gmx etc) and also some mails sent out from the domain were not being received by their customers too.

        DKIM & SPF setting would fix these issues ?



        • #5
          It does help, not sure if it will solve it as I cannot check the hole configuration with this details I have


          • #6
            Everything is made , but still received FAIL on DKIM - check attachments
            Attached Files