DNS Records Configuration for clone-check.com

This document contains all the DNS records that need to be configured for the email system to work properly.

📋 Quick Summary

What's Already Working:

  • ✅ A Records (both @ and mail subdomain)
  • ✅ MX Record (mail.clone-check.com)
  • ✅ SPF Record
  • ✅ DMARC Record (monitoring mode)

What Needs To Be Added:

  • ⚠️ DKIM Record Only - See section 4 below

You only need to add the DKIM TXT record to start signing your emails. Everything else is already properly configured!

Server Information

  • Domain: clone-check.com
  • Server IP: 212.71.250.15
  • Mail Server Hostname: mail.clone-check.com

Current DNS Records (Already Configured)

1. A Records (Already configured - no changes needed)

Type: A
Host: @
Value: 212.71.250.15
TTL: 3600

Type: A
Host: mail
Value: 212.71.250.15
TTL: 3600

2. MX Record (Already configured - no changes needed)

This tells other mail servers where to send emails for your domain.

Type: MX
Host: @
Value: mail.clone-check.com
Priority: 10
TTL: 3600

Status: ✅ Already configured and working

3. SPF Record (Already configured - no changes needed)

This prevents email spoofing by specifying which servers are allowed to send email on behalf of your domain.

Type: TXT
Host: @
Value: v=spf1 mx a ip4:212.71.250.15 ~all
TTL: 3600

Status: ✅ Already configured and working

Explanation:

  • v=spf1 - SPF version 1
  • mx - Allow emails from servers listed in MX records
  • a - Allow emails from the A record of the domain
  • ip4:212.71.250.15 - Allow emails from this IP address
  • ~all - Soft fail for all other servers (will be marked as suspicious but not rejected)

4. DKIM Record (DomainKeys Identified Mail) - ⚠️ NEEDS TO BE ADDED

DKIM adds a digital signature to your emails so receivers can verify they actually came from your server. This TXT record publishes the public key that receivers use to check that signature.

Type: TXT
Host: mail._domainkey
Value: v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2X2t3ns+huZDLpIiuChHT+4HNy6rwN9FheL+YtS7VOVZihAHcR8udTn73kFwWc1IkvvZ8p33DkN/CiGTwX8+6WoURnULm4bwPV19JsD4bsVxlWCGdC/L7WhvCR5h/VPcc1ddaAMndh3rZqC6nBCZ3mfcLvS3EbWIlaxeEn1VzPTipYJwEuwjPt7LDiA8iBUuHZFDaMauK7fcXdpYdhZXgkYlvBlHlYT7t2ufSluxoFv1O53WKmcXA7+pK9T+0FuWapCHXn5R4zm/Mz5JPh/WlByiChbdvWAGdZuBY80oTlERjelrkhpRxRaxH3mOTd9tITa71OWWPy22HnoZwIwaNwIDAQAB
TTL: 3600

Note: Some DNS providers may require you to remove quotes and join the value into a single line. If the record doesn't validate, try this format:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2X2t3ns+huZDLpIiuChHT+4HNy6rwN9FheL+YtS7VOVZihAHcR8udTn73kFwWc1IkvvZ8p33DkN/CiGTwX8+6WoURnULm4bwPV19JsD4bsVxlWCGdC/L7WhvCR5h/VPcc1ddaAMndh3rZqC6nBCZ3mfcLvS3EbWIlaxeEn1VzPTipYJwEuwjPt7LDiA8iBUuHZFDaMauK7fcXdpYdhZXgkYlvBlHlYT7t2ufSluxoFv1O53WKmcXA7+pK9T+0FuWapCHXn5R4zm/Mz5JPh/WlByiChbdvWAGdZuBY80oTlERjelrkhpRxRaxH3mOTd9tITa71OWWPy22HnoZwIwaNwIDAQAB

5. DMARC Record (Already configured)

This tells receiving mail servers what to do with emails that fail SPF or DKIM checks and where to send reports.

Current Configuration:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:jmhbrenan@gmail.com; pct=100; adkim=r; aspf=r
TTL: 3600

Status: ✅ Already configured with monitoring policy

Current Explanation:

  • v=DMARC1 - DMARC version 1
  • p=none - Policy: monitor only (no action taken on failed emails)
  • rua=mailto:jmhbrenan@gmail.com - Aggregate reports sent here
  • pct=100 - Apply policy to 100% of emails
  • adkim=r - Relaxed DKIM alignment mode
  • aspf=r - Relaxed SPF alignment mode

Optional: Upgrade to Stricter Policy (After DKIM is working): Once DKIM is configured and you've monitored reports for a few weeks, you can optionally upgrade to:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:jmhbrenan@gmail.com; ruf=mailto:jmhbrenan@gmail.com; fo=1; adkim=s; aspf=s; pct=100
TTL: 3600

This will quarantine (spam folder) emails that fail authentication with strict alignment.
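What the move from adkim=r/aspf=r to adkim=s/aspf=s changes, as an added example that is not part of the original document. The envelope sender on mail.clone-check.com is a constructed scenario, the organizational domain is approximated as the last two labels (real validators use the Public Suffix List), and the pct and sp tags are ignored.

```python
CURRENT = "v=DMARC1; p=none; rua=mailto:jmhbrenan@gmail.com; pct=100; adkim=r; aspf=r"
STRICT = ("v=DMARC1; p=quarantine; rua=mailto:jmhbrenan@gmail.com; "
          "ruf=mailto:jmhbrenan@gmail.com; fo=1; adkim=s; aspf=s; pct=100")


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: last two labels. Wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the policy (none/quarantine/reject) a receiver applies."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    # DMARC passes when either mechanism passes AND is aligned with From:.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed message: From: clone-check.com, bounce address on the mail
    # subdomain, DKIM not signing yet.
    msg = ("clone-check.com", "pass", "mail.clone-check.com", "none", "")
    print("current:", dmarc_disposition(CURRENT, *msg))
    print("strict: ", dmarc_disposition(STRICT, *msg))
```

In this scenario the strict record quarantines mail that the relaxed record passes, unless a DKIM signature with d=clone-check.com is in place.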

Verification

After adding these DNS records, you can verify them using these commands:

Verify MX Record:

dig clone-check.com MX +short

Verify SPF Record:

dig clone-check.com TXT +short | grep spf

Verify DKIM Record:

dig mail._domainkey.clone-check.com TXT +short

Verify DMARC Record:

dig _dmarc.clone-check.com TXT +short

Online Tools:

Important Notes

  1. DNS Propagation: After adding these records, it may take 24-48 hours for DNS changes to propagate globally, though most changes are visible within a few hours.

  2. Testing: After DNS propagation, test your email configuration by:

    • Sending an email from your server to a Gmail or other major email provider account
    • Checking the email headers to verify DKIM signature
    • Using https://www.mail-tester.com/ to get a comprehensive email authentication score

  3. DMARC Policy Evolution:

    • Start with p=none to monitor without affecting delivery
    • After 1-2 weeks of monitoring reports, upgrade to p=quarantine
    • After successful quarantine period, optionally upgrade to p=reject for maximum protection

  4. Reverse DNS (PTR Record): Contact your hosting provider (Linode) to set up a PTR record for 212.71.250.15 pointing to clone-check.com. This is important for email deliverability.

  5. Mailboxes Available:

Troubleshooting

If emails are being rejected or marked as spam:

  1. Verify all DNS records are correctly configured
  2. Check DKIM signing is working: send an email and check its headers
  3. Review DMARC reports sent to postmaster@clone-check.com
  4. Ensure reverse DNS (PTR) is properly configured
  5. Test email deliverability with https://www.mail-tester.com/

Server Configuration Files

DKIM keys and configuration are stored at:

  • Private key: /etc/opendkim/keys/clone-check.com/mail.private
  • Public key: /etc/opendkim/keys/clone-check.com/mail.txt
  • Configuration: /etc/opendkim.conf
  • Key table: /etc/opendkim/KeyTable
  • Signing table: /etc/opendkim/SigningTable
  • Trusted hosts: /etc/opendkim/TrustedHosts