
The setup is one main server (domain.tld) running an online shop and exim4 to send mail, and a second server (mail.domain.tld) dedicated to the company mail.

The DNS right now looks somewhat like this:

@                        IN NS      nameserver1
@                        IN NS      nameserver2
@                        IN NS      nameserver3

@                        IN A       11.11.11.111 (main server ip)
mail                     IN A       22.22.22.222 (mail server ip)
www                      IN A       11.11.11.111
@                        IN MX 10   mail
@                        IN TXT     "v=spf1 a mx ip4:11.11.11.111 ip6:abc:def:... mx:mail.domain.tld ~all" (main server)
default._domainkey  3600 IN TXT     "v=DKIM1; p="...." (mail server)

My Problem: The SPF and DKIM records

The SPF is currently from the main server and the DKIM from the mail server. Is this the correct configuration, or is there a better way to handle two servers with one zone file?

1 Answer


It is not a problem at all if you send mail from the main server / 11.11.11.111 that is not signed with DKIM, unless you have a DMARC policy defined. All that is going to happen is that those emails are not signed with DKIM, which is not such a big deal if SPF is set correctly, which is not the case in your given example.

SPF is almost completely useless if "hard fail" is not designated (... -all at the end of the SPF TXT record). Hard fail tells receiving MTAs around the world that only the designated hosts/IPs are allowed to send email for the domain and no others (thus, hard fail - reject policy).

In order to establish and maintain a proper SPF record, try to utilize online generators (example: SPF Wizard), and of course monitor the results - send to tools that will confirm whether the record is OK or not.

Miloš Đakonović
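To see how the record in the question actually behaves for both servers, and what the answer's soft-fail versus hard-fail distinction changes, here is an added example (not code from the question, the answer, or any project): a minimal SPF evaluator covering the a, mx, ip4/ip6, include and all mechanisms, run against a constructed zone built from the records shown above. It assumes the placeholder addresses 11.11.11.111 and 22.22.22.222 from the post and leaves out the truncated ip6 term, whose value is not on the page. Running it shows the main server passing via "a", the mail server passing via the plain "mx" mechanism (the domain's MX points at mail, whose A record is 22.22.22.222), and the extra "mx:mail.domain.tld" term matching nothing, because mx:<name> authorises the hosts listed in <name>'s own MX records, not <name> itself. compare_policies shows the same unknown sender getting softfail under ~all and fail under -all.

```python
"""Minimal SPF evaluator (RFC 7208 subset) run against a constructed zone.

Added example, not code from the original post. The zone below is built from the
records shown in the question (placeholder IPs 11.11.11.111 and 22.22.22.222); the
question's truncated ip6 term is omitted because its value is not shown.
"""
import ipaddress

# Constructed stand-in for DNS: name -> record type -> values.
ZONE = {
    "domain.tld": {
        "A": ["11.11.11.111"],
        "MX": ["mail.domain.tld"],
        "TXT": ["v=spf1 a mx ip4:11.11.11.111 mx:mail.domain.tld ~all"],
    },
    "mail.domain.tld": {"A": ["22.22.22.222"], "MX": [], "TXT": []},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    """Return the records of one type for a name (empty list if none)."""
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain, zone=ZONE):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT", zone):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def host_has_ip(host, ip, zone=ZONE):
    """True if any A record of host equals ip."""
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A", zone))


def check_host(ip, domain, record=None, zone=ZONE):
    """Evaluate SPF for a sending IP against a domain.

    Returns (result, term): result is pass/fail/softfail/neutral/none/permerror and
    term is the mechanism that produced it (None when nothing matched).
    Handles a, mx, ip4, ip6, include and all without CIDR suffixes, which is all
    the question's record uses.
    """
    record = record or spf_record(domain, zone)
    if record is None:
        return "none", None
    ip = ipaddress.ip_address(ip)
    for raw in record.split()[1:]:
        qualifier, term = "+", raw
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_has_ip(target, ip, zone)
        elif mech == "mx":
            # mx:<name> authorises the hosts in <name>'s MX records, not <name> itself.
            matched = any(host_has_ip(mx, ip, zone) for mx in lookup(target, "MX", zone))
        elif mech in ("ip4", "ip6"):
            try:
                # Membership is False when the address families differ.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", raw
        elif mech == "include":
            matched = check_host(str(ip), arg, zone=zone)[0] == "pass"
        else:
            return "permerror", raw
        if matched:
            return QUALIFIER_RESULT[qualifier], raw
    return "neutral", None


def compare_policies(ip, domain="domain.tld", zone=ZONE):
    """Result for one sender under the published ~all record and under -all."""
    soft = spf_record(domain, zone)
    hard = soft.replace("~all", "-all")
    return {"~all": check_host(ip, domain, soft, zone)[0],
            "-all": check_host(ip, domain, hard, zone)[0]}


if __name__ == "__main__":
    for sender in ("11.11.11.111", "22.22.22.222", "33.33.33.33"):
        print(sender, check_host(sender, "domain.tld"), compare_policies(sender))
```

The evaluator resolves names only from the constructed ZONE dict, so it runs offline; swapping lookup() for real DNS queries would turn it into a checker for a live zone. Note that the two servers are already covered by "a" and "mx" alone, so the ip4 and mx:mail.domain.tld terms add nothing to what the record authorises.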