To avoid being flagged a spammer, your DNS server (and SMTP server) needs to be configured for:

  • PTR Records (Host)
  • SPF Records (DNS)
  • DKIM Records (DNS + SMTP)
  • DMARC Records (DNS + an email address)
  • TLS Certificate (an SSL Certifiate for your mail domain)

The last one is required to send encrypted mail.

PTR Record

Also known as the Reverse DNS. This is SUPER REQUIRED OMG!

It should reference your mail server. i.e.

# should return IP address

# using that IP
dig -x
# should return

SPF Records

These are easy. Add them to your DNS. TXT records are most important (one site says SPF records were obsoleted).

Record  Name               Value
TXT     mail               v=spf1 +ip4: ~all
SPF     mail               v=spf1 +ip4: ~all

TXT       v=spf1 ~all
SPF       v=spf1 ~all

DKIM Records

This was very difficult to get working! To make matters worse, WordPress is stuid, and hasn’t fixed this even though it’s very broken and causes problems. WTF.

About the WP bug:

Setting up DKIM Tools:

DKIM with Postfix

A useful tool for generating the correct public/private key files (public key requires fancy formatting).

Add a TXT record for the DKIM public key:

TXT     mail._domainkey      v=DKIM1; k=rsa; p=(SOME_CRAZYLONG_STRING)

If configured and sent correctly, your emails will include a DKIM signature section in the header (the private key).

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail;
	t=number; bh=hash;

The key thing to know here is that the “s=mail” should match the name (i.e. the mail in mail._domainkey).

More DKIM:

How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM

DMARC Records

Just a simple record that tells people where to send reports.

This link above told me everything I needed. I added a simple record to my cloudflare, and it was good. Reports started showing up.

TXT    _dmarc        v=DMARC1; p=none; rua=mailto:[email protected]


SSMTP is a sendmail compatible light client that forwards e-mails to other addresses. It’s not a mailserver.

Installing Postfix

Postfix is an SMTP server. It should be installed like so.


# /etc/hostname

# /etc/hosts machine_name  # will not be set       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

It can be configured as a “SEND ONLY” server.

Details on how it can be CHROOT’ed are in the documentation:

Some useful commands:

(mailq, postfix flush, postsuper)

Apparently easy to add to PHP (if not already working… it might be).

Configure Postfix/Sendmail for PHP mail() in Ubuntu


# Get MX Records
dig MX

# Get NS Records (to know Authority server)
dig NS

# Get MX Records from Authority server (the @)
dig MX

# View Mail/Sendmail/PostFix log
cat /var/log/mail.log

# Clear Log (trick! redirect nothing to it, not append)
> /var/log/mail.log

# Verify email by sending a message to port25
echo " " | mail -s "test" [email protected]

# dkim key needs to be limited to whom can read it  
chmod 600 /etc/postfix/dkim.key 

TLS Encryption

Encrypting emails is another issue that needs to be dealt with.

Create/follow the instructions here, and generate a free certificate for your domain.

Configure Postfix TLS with a Free StartSSL Certificate

It required a passphrase to generate the CSR+KEY. However, Postfix does not support KEYs with a password.

# Check if key is good (or requires passphrase)
openssl rsa -in in_file.key -check -noout

# Unencrypt a key
openssl rsa -in in_file.key -out out_file.key

I tried this reference without luck (though I didn’t follow all configuration instructions).

This is how to force TLS, but not necessary once configured correctly.

Getting root emails forwarded

Was pretty easy.

Add a line “root: [email protected]” to ‘/etc/aliases’. run ‘newaliases’. Magic.

SRS Forwarding

The above is easy, but will fail SPF checks. The sender needs to be modified to correctly forward an e-mail, then the SPF can be regenerated. This is done using SRS.

The ‘postsrsd’ package *IS* available on Ubuntu now, so just apt-get it.

More info on SRS:

rsyslogd-2007: action ‘action 9’ suspendend

When you look at the syslog (/var/log/syslog), you see lines like the above.

This (or lines like it) are caused by a default Ubuntu/Debian configuration. At the bottom of “/etc/rsyslog.d/50-default.conf”, there are a several lines that describe logging to xconsole. Xconsole, AFAIK is the XWindows logger. Oops! So that’s not going to work while running a headless server.

Socket Madness

You can bind the default /var/run folder to use the default unix domain socket config.

mkdir -p /var/spool/postfix/var/run/opendkim
mount --bind /var/run/opendkim /var/spool/postfix/var/run/opendkim

NOTE: The OpenDKIM service does some funny stuff regarding settings. If you customize the socket, it sometimes appends your socket settings to “/etc/default/opendkim“.

To work around this, I had to start from scratch.

apt-get remove --purge opendkim

Purge is required. Otherwise, the old config files will stick around.