
Is the below correctly set up? I have 1 A record, mydomain.com, pointing to an IP address. I have a subdomain called www.mydomain.com that also has the PTR record for the IP address (because I'm also going to host mail on it, I want it to HELO/EHLO properly).

Obviously I want users to send and receive email from @mydomain.com. As you can see, my SPF is set up on my domain record, and the rest on the subdomain record.

Thank you for your expertise.

Jacob Evans
ATv
  • Please upload your image here instead of linking to tinypic. – Jacob Evans May 22 '17 at 13:19
  • I didn't think that was possible; I was told to use tinypic or similar! Also I don't have enough reputation for uploading images, it seems :-( – ATv May 22 '17 at 13:26

2 Answers

It's OK, except for the MX entries: where are they? They are required to send and receive e-mails. Also, for www.mydomain.com you could use a CNAME entry, e.g. www CNAME mydomain.com. It allows you to change only one IP on mydomain.com without changing it on www.mydomain.com.

Alexander Tolkachev
  • Hi Alexander, thanks! I have one MX entry pointing to www.mydomain.com, which is cut off from the picture. www.mydomain.com was already set up as an A record when I got my domain. But I guess I can use a CNAME there (though I think there are certain limitations with SPF/DKIM/DMARC and CNAMEs). – ATv May 22 '17 at 13:06
  • MX records are not required; you only need the A record. In the absence of an MX record the A record is used; read the RFC. – Jacob Evans May 22 '17 at 13:10
  • @AlefVeld there are no limitations for SPF and DKIM entries with CNAME entries. – Alexander Tolkachev May 22 '17 at 13:14
  • I believe some MTAs don't like it. – ATv May 22 '17 at 13:15
  • @Jacob That's right. – ATv May 22 '17 at 13:16
  • Note that while fallback to A records is permitted, if everyone on the internet is doing it, then every MX DNS query issued by an SMTP server doubles the number of queries: once for the MX record that doesn't exist and then again for the A record, for every domain whose TTL has lapsed or that is not yet cached. So be a good internet citizen and use MX records ;-) – Marco May 22 '17 at 16:49
  • I agree, that sounds sensible. – ATv May 23 '17 at 09:59

Your records will work, with some considerations:

1) DMARC policy is none; you should reject email once you've tested it. However, I've seen better results using p=reject; pct=0, where you have a reject policy but don't actually reject anything (0 percent), and then raise the pct number as confidence grows.

2) Your SPF record has 3 policies that point to the same IP address. As you are limited to 10 DNS lookups, I would suggest having only the IP block. While you are not near your limit, if you ever add third-party includes (such as an ESP) you will appreciate this efficiency.

3) PTR record: just make sure this points to an A record which points to the IP. It can be www or mx or something unused, as long as it matches. Example:

primary-mx.example.com.  IN A   192.0.2.10
10.2.0.192.in-addr.arpa. IN PTR primary-mx.example.com.

I did a podcast with datanauts if you'd like to learn more.

Jacob Evans
  • Thanks Jacob, and for the edit. 1) Yes, I wanted to just have a basic DMARC policy first and see how it would affect delivery, before ramping it up to something more useful. 2) I don't understand. You mean because I'm using the same IP address 3 times (A record, www. and MX)? Is the 10 lookups an SPF limitation? Would I run into that? 3) OK. So it's not a problem for domain.com to be without a PTR. It's just that I think it makes more sense to have www with the PTR, as I'm going to use that for mail. I'm listening to your podcast now. Thanks again. – ATv May 22 '17 at 14:45
  • Also, I understood that DKIM and DMARC can't be set on a subdomain record, but I see no other way; otherwise I cannot add the _domain part. I can only do that in the top part. – ATv May 22 '17 at 15:31
  • Note that p=none does not disable DMARC. DMARC is disabled by default for all domains. Using p=none allows a domain owner to request that a full DMARC evaluation be done with the existing DMARC, SPF and DKIM records where available, and that aggregate reports be sent back if a RUA DMARC policy is present. This allows you to scout ahead of doing p=quarantine and p=reject. Also, implementations giving more information with "p=quarantine" than "p=reject; pct=0" are broken. Those two modes are exactly the same thing, just like "p=none" is the same as "p=quarantine; pct=0". – Marco May 22 '17 at 15:58
  • Thank you, Marco. I wanted to enable DMARC without implementing any policy, so I guess that's what it does. – ATv May 23 '17 at 09:59
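Points 2) and 3) of Jacob Evans' answer, the SPF 10-lookup budget and the PTR/A match, worked through as an added Python example; this is not code from any participant, and the zone data (the mydomain.com SPF record, the esp.example includes, the A/PTR pairs) is constructed to stand in for live DNS.

```python
"""Two checks from the answer above, run against constructed zone data
(no live DNS): the SPF 10-lookup budget and forward-confirmed reverse DNS."""
import ipaddress

# Terms that each cost one DNS lookup against the budget of 10 (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS; the "mydomain.com" record is an
# assumption modelled on the answer's description (a, mx and a:www all one IP).
TXT = {
    "mydomain.com": "v=spf1 a mx a:www.mydomain.com -all",
    "lean.example": "v=spf1 ip4:192.0.2.10 -all",           # the suggested form
    "esp.example": "v=spf1 include:pool1.esp.example include:pool2.esp.example -all",
    "pool1.esp.example": "v=spf1 a mx -all",
    "pool2.esp.example": "v=spf1 a ptr -all",
    "busy.example": "v=spf1 a mx a:www.mydomain.com include:esp.example -all",
}

def count_spf_lookups(domain, txt=TXT, chain=()):
    """Count lookup-costing terms in domain's SPF record, following include:
    and redirect= recursively; a shared include is charged each time it is
    reached, as a real evaluator would. More than 10 is a permerror."""
    if domain in chain:         # include loop: stop rather than recurse forever
        return 0
    total = 0
    for term in txt.get(domain, "").split()[1:]:    # skip the v=spf1 tag
        name = term.lstrip("+-~?").split("/")[0]     # drop qualifier and CIDR
        mech, _, arg = name.replace("=", ":", 1).partition(":")
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_spf_lookups(arg, txt, chain + (domain,))
    return total

def reverse_name(ip):
    """Owner name of the PTR record for ip (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed A and PTR data (assumption) mirroring the answer's example, plus
# one deliberately mismatched PTR so the failure case is visible.
A = {"primary-mx.example.com": "192.0.2.10", "www.mydomain.com": "192.0.2.10"}
PTR = {"10.2.0.192.in-addr.arpa": "primary-mx.example.com",
       "5.113.0.203.in-addr.arpa": "www.mydomain.com"}   # A says 192.0.2.10

def fcrdns_ok(ip, a=A, ptr=PTR):
    """Forward-confirmed rDNS: the PTR target must have an A record back to ip."""
    host = ptr.get(reverse_name(ip))
    return host is not None and a.get(host) == ip
```

The asker's three-mechanism record costs 3 lookups and reaches exactly 10 once a two-pool ESP include is added, while the ip4 form costs none.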