
One of the most common roadblocks people hit when self-hosting email is understanding the trio of SPF, DKIM, and DMARC — plus the all-important MX record. These aren’t just acronyms to skim past — they’re the backbone of email deliverability and sender reputation.
Let’s break them down in plain English, so you can stop your emails from disappearing into the spam void and start building a bulletproof mail server.
First Things First: What Is an MX Record?
MX stands for Mail Exchange. This DNS record tells the internet which server is responsible for receiving email on behalf of your domain.
Think of it this way:
Imagine your domain is a business and the MX record is the receptionist. When someone sends a message to an address at your domain, the sender’s mail server looks up your domain’s MX record to figure out where to deliver the message.
Why it matters:
Strictly speaking, a sending server that finds no MX record falls back to the domain’s A or AAAA record (the “implicit MX” rule in RFC 5321), but that fallback is fragile and many operators treat a domain without an MX as one that does not accept mail. Publish an MX record; without one, expect delivery to fail.
Real-life tip:
Always double-check your MX records after setting up a mail server. Use tools like MXToolbox to confirm everything is resolving correctly.
Example:
If your DNS zone has this line:
@ IN MX 10 mail.webshanks.com.
It means: “Hey internet! Deliver my email to the mail server at mail.webshanks.com.” The 10 is the preference value: if you list several MX hosts, senders try the lowest number first. Two checks worth doing: the target must be a hostname with its own A/AAAA record (an MX may not point at a CNAME, per RFC 2181, and it may not be a bare IP address), and in zone-file syntax the trailing dot marks the name as fully qualified; without it the server appends your zone and you end up with mail.webshanks.com.webshanks.com.
What Mail Servers Use It?
Every mail server uses MX records. Whether you’re running Postfix, Exim, or even Google Workspace — without an MX record, no one knows where to send your mail.
SPF: Sender Policy Framework
SPF is like a guest list for your email domain. It tells other mail servers which IP addresses are allowed to send email on your behalf.
Why it matters:
Without SPF, spammers can forge your email address and impersonate you (yes, that actually happens). SPF helps stop that.
What does an SPF record look like?
It’s a TXT record at your domain’s apex. Here’s a simple one:
webshanks.com. IN TXT "v=spf1 ip4:203.0.113.42 mx ~all"
This says: “Mail for webshanks.com may come from 203.0.113.42 or from any host named in my MX records; treat anything else as a soft fail.” The pieces: ip4: (or ip6:) lists an address or CIDR range; a: and mx name hosts whose A/AAAA records are allowed; include:<domain> pulls in the SPF record that another domain publishes, which is how you authorize a third-party sender such as a newsletter provider. Note that include: expects a domain that publishes its own SPF record, not a mail host, so something like include:mail.webshanks.com against a host with no TXT record yields a permanent error rather than a pass. The final ~all is a soft fail (receivers mark the message but usually still accept it); -all is a hard fail and is the stricter choice once you are sure the list is complete.
Gotchas:
SPF is only as good as your record. If you forget a sending server (your own mail host, your newsletter provider, a ticketing system), its mail fails SPF and is more likely to be flagged or rejected. Two more traps: SPF is evaluated against the envelope sender (the SMTP MAIL FROM, shown to users as Return-Path), not the From: header a user sees, so a forger can pass SPF for their own domain while showing yours in From:; that gap is what DMARC alignment closes. And a record may trigger at most 10 DNS lookups (include:, a, mx, ptr, exists and redirect= all count, recursively); exceed it and receivers return a permanent error, which counts against you just like a failure.
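As an added example (not code from this article or from any of the mail stacks named here), the following Python evaluator walks an SPF record the way a receiving server does, against a constructed, offline DNS table. It is assumed that FAKE_DNS stands in for live DNS, that only the ip4/ip6/a/mx/include/all mechanisms and redirect= are modelled (ptr and exists are reported as unsupported, and CIDR suffixes on a/mx are not handled), and that the 10-lookup limit is tracked globally as RFC 7208 describes. The table deliberately includes the article’s original record, kept as legacy.webshanks.com, to show that include: pointed at a mail host with no SPF record produces a permanent error, and a record with eleven includes to show the lookup limit being hit.

```python
"""Minimal SPF (RFC 7208) evaluator against a constructed offline DNS table."""
import ipaddress

# Constructed DNS answers (not real records). mail.webshanks.com deliberately has no TXT record.
FAKE_DNS = {
    ("webshanks.com", "TXT"): ["v=spf1 mx include:_spf.newsletter.example -all"],
    ("webshanks.com", "MX"): ["mail.webshanks.com"],
    ("mail.webshanks.com", "A"): ["203.0.113.42"],
    ("_spf.newsletter.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # The record as originally written in the article: include: aimed at a host, not an SPF-publishing domain.
    ("legacy.webshanks.com", "TXT"): ["v=spf1 ip4:203.0.113.42 include:mail.webshanks.com ~all"],
}
# Eleven third-party includes: one more than the RFC 7208 limit of ten DNS-querying terms.
for i in range(11):
    FAKE_DNS[(f"vendor{i}.example", "TXT")] = ["v=spf1 ip4:192.0.2.1 -all"]
FAKE_DNS[("toomany.example", "TXT")] = [
    "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"
]

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists"}  # terms that cost a DNS query
MAX_LOOKUPS = 10


def lookup(name, rtype):
    """Stand-in for a DNS query (assumption: no live resolver)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def host_has_ip(host, addr):
    return any(addr == ipaddress.ip_address(a) for a in lookup(host, "A") + lookup(host, "AAAA"))


def evaluate_spf(domain, ip, _state=None):
    """Return (result, dns_lookups_used) for sender IP `ip` against `domain`'s SPF record."""
    state = _state if _state is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none", state["lookups"]
    if len(records) > 1:  # RFC 7208 §3.2: more than one SPF record is a permerror
        return "permerror", state["lookups"]
    redirect = None
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_TERMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"]
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # v4 vs v6 mismatch is False
        elif mech == "a":
            matched = host_has_ip(arg or domain, addr)
        elif mech == "mx":
            matched = any(host_has_ip(h, addr) for h in lookup(arg or domain, "MX"))
        elif mech == "include":
            sub, _ = evaluate_spf(arg, ip, state)
            if sub in ("none", "permerror"):  # §5.2: include of a domain with no record is a permerror
                return "permerror", state["lookups"]
            matched = sub == "pass"
        else:
            return "permerror", state["lookups"]  # ptr / exists / unknown: not modelled here
        if matched:
            return QUALIFIER[qual], state["lookups"]
    if redirect:  # only consulted when nothing above matched
        state["lookups"] += 1
        return evaluate_spf(redirect, ip, state)
    return "neutral", state["lookups"]


if __name__ == "__main__":
    for dom, ip in [("webshanks.com", "203.0.113.42"), ("webshanks.com", "192.0.2.9"),
                    ("legacy.webshanks.com", "192.0.2.9"), ("toomany.example", "192.0.2.200")]:
        print(f"{dom:24} {ip:16} -> {evaluate_spf(dom, ip)}")
```

Run it and the corrected record passes for the MX host and the newsletter range and fails for anything else, while the legacy record returns permerror for any IP that reaches the include: term, and the eleven-include record returns permerror on the eleventh lookup. Against real DNS you would replace lookup() with a resolver call; the evaluation logic stays the same.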
Mail servers that support SPF:
All major self-hosted mail stacks support SPF:
- Mailcow auto-generates SPF if you follow their DNS template.
- iRedMail and Mail-in-a-Box provide SPF record suggestions.
- Modoboa, Mailu, Stalwart, Virtualmin all expect you to configure it externally in your DNS panel.
DKIM: DomainKeys Identified Mail
DKIM is like signing your email with a secret digital signature. The receiving server checks that signature to make sure:
- The message wasn’t tampered with.
- It really came from your domain.
How it works:
Your mail server adds a DKIM-Signature header computed with a private key over the message body and a chosen set of headers (From: must be among them). You publish the matching public key in DNS under a selector name so receiving servers can fetch it and verify the signature. Because the signature covers the body, any change in transit invalidates it; because the key is published at your domain, only someone holding the private key can produce a signature that verifies.
What does a DKIM DNS record look like?
It’s a long TXT record published at <selector>._domainkey.<domain>. The selector (“default” below) is chosen by you and is named in the s= tag of every signature, so you can publish a new key under a new selector, switch signing to it, and retire the old one without a gap. Here’s a simplified, truncated version:
default._domainkey.webshanks.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC...
The “p=” part is the public key (use at least 2048-bit RSA; 1024-bit keys are considered weak and some receivers ignore them). The mail server uses the corresponding private key to sign messages, so that key must never leave the server: an attacker who copies it can sign mail as your domain until you rotate the selector. Publishing the record with an empty p= tells receivers the key has been revoked.
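To make the signing and verification steps concrete, here is an added Python example (not code from this article or from any of the mail stacks it names) that does the parts of DKIM a receiver performs before the public-key operation: it parses the DKIM-Signature tag list and the _domainkey TXT record, canonicalizes headers and body in both simple and relaxed mode, recomputes the bh= body hash, and assembles the exact bytes the private key signs. The sample message is constructed inline; its b= value is a placeholder because the RSA verification itself needs a crypto library and the key fetched from DNS, and the optional l= body-length tag is not handled. It relies only on the standard library.

```python
"""DKIM (RFC 6376) tag parsing, canonicalization and body-hash check, stdlib only."""
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a tag=value list (DKIM-Signature header or _domainkey TXT record); folding
    whitespace inside values (long b=, bh=, p=) is not significant and is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 §3.4.3 (simple) / §3.4.4 (relaxed) body canonicalization."""
    lines = body.split("\r\n")
    if mode == "relaxed":  # strip trailing WSP per line, squeeze WSP runs to one SP
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"

def canonicalize_header(name, value, mode="relaxed"):
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" \t")  # unfold, squeeze, trim
    return f"{name.lower()}:{value}\r\n"

def body_hash(body, mode="relaxed", algo="sha256"):
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def split_message(raw):
    """Split a CRLF message into [(name, raw value)] headers (folded lines rejoined) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body

def signature_tags(raw):
    headers, _ = split_message(raw)
    return parse_tags(next(v for n, v in headers if n.lower() == "dkim-signature"))

def key_record_name(tags):
    """DNS name the verifier queries for p=: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def verify_body_hash(raw):
    """True when the bh= tag matches the canonicalized body that actually arrived."""
    tags = signature_tags(raw)
    _, body = split_message(raw)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return tags["bh"] == body_hash(body, body_mode, tags["a"].split("-")[1])

def signed_data(raw):
    """Bytes the private key signs: the h= headers (bottom-most unused instance of each,
    RFC 6376 §5.4.2), then DKIM-Signature itself with b= emptied and no trailing CRLF."""
    headers, _ = split_message(raw)
    sig_name, sig_value = next((n, v) for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    hdr_mode = tags.get("c", "simple").split("/")[0]
    remaining, out = list(headers), []
    for want in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.lower():
                out.append(canonicalize_header(*remaining.pop(i), mode=hdr_mode))
                break
    emptied = re.sub(r"(?:^|(?<=[;\s]))b=[^;]*", "b=", sig_value)  # leaves bh= untouched
    out.append(canonicalize_header(sig_name, emptied, mode=hdr_mode).rstrip("\r\n"))
    return "".join(out)

def build_sample(body):
    """Constructed message (not a real capture): correct bh= for `body`, placeholder b=."""
    return (
        "From: Alice <alice@webshanks.com>\r\nTo: bob@example.net\r\n"
        "Subject:  Hello   there\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=webshanks.com; s=default;\r\n"
        f"\th=from:to:subject; bh={body_hash(body, 'relaxed')};\r\n"
        "\tb=PLACEHOLDER\r\n\r\n" + body
    )

SAMPLE_MESSAGE = build_sample("Hello   world \r\n\r\n\r\n")

if __name__ == "__main__":
    print("key record:", key_record_name(signature_tags(SAMPLE_MESSAGE)))
    print("bh ok:", verify_body_hash(SAMPLE_MESSAGE))
    print("bh ok after edit:", verify_body_hash(SAMPLE_MESSAGE.replace("world", "world, wire $500")))
    print(signed_data(SAMPLE_MESSAGE))
```

Two things worth noticing when you run it: relaxed canonicalization means a forwarder that re-wraps whitespace does not break the body hash, but any change to the words does; and signed_data() shows that the signature header is itself part of what is signed (with b= blanked), which is why you cannot move a valid signature onto a different message. A full verifier would fetch key_record_name() from DNS, check that its p= is non-empty and its k= matches the a= algorithm, and verify the RSA signature in b= over signed_data().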
Mail servers with DKIM support:
- Mailcow: Automatic DKIM setup and rotation.
- Modoboa: Built-in support.
- Mail-in-a-Box: DKIM enabled by default.
- iRedMail: You generate DKIM keys during setup.
- Mailu: Supports DKIM with DNS output you paste in.
- Stalwart: Very flexible with key management.
- Virtualmin: DKIM is optional but can be enabled easily.
DMARC: Domain-based Message Authentication, Reporting, and Conformance
DMARC is like your domain’s bodyguard. It tells receiving servers:
- How to handle mail that fails authentication. DMARC passes when either SPF or DKIM passes with a domain that aligns with the From: header domain; it fails only when neither does.
- Where to send reports of suspicious emails.
What does a DMARC record look like?
_dmarc.webshanks.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@webshanks.com"
(The mailbox in rua= is an example; use any inbox you control.)
Let’s break it down:
- p=reject: Tell receiving servers to reject mail that fails DMARC, i.e. messages with neither an aligned SPF pass nor an aligned DKIM pass. “Aligned” means the domain that passed (the envelope-sender domain for SPF, the d= domain for DKIM) matches the From: header domain, either exactly (aspf=s / adkim=s) or by organizational domain (the default, relaxed mode). This is what stops a forger who passes SPF for their own domain while putting yours in From:.
- rua=mailto:: Send aggregate reports to this address so you can see which sources send as your domain and which of them fail; the mailbox name is your choice. Two optional tags you will meet: sp= sets a separate policy for subdomains, and pct= applies the policy to only a percentage of failing mail while you roll it out.
Other policy options:
- p=none: Just collect reports, don’t take action.
- p=quarantine: Put suspicious emails in the spam folder.
DMARC is powerful because it ties SPF and DKIM to the From: address the recipient actually sees and lets you decide what happens on failure.
If neither SPF nor DKIM produces an aligned pass and your policy says “reject”, the receiving server refuses the message; with “quarantine” it lands in spam. Start at p=none to collect reports, fix the legitimate senders that show up as failing (mailing lists and forwarders will usually fail SPF but should still pass on DKIM), then move to quarantine and finally reject.
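The decision a receiver makes, written out as an added Python example (not code from this article or from any of the mail stacks it names): given the SPF result and envelope-sender domain, the DKIM results with their d= domains, the From: header domain and the _dmarc TXT record, it checks alignment in strict or relaxed mode, applies p= or sp=, and returns the disposition. It assumes the organizational domain is the last two labels of a name (a real receiver consults the Public Suffix List, so this is wrong for names like example.co.uk), parses pct= without applying the sampling, and uses a constructed policy record whose rua= mailbox is a placeholder. The scenarios in the main block cover the cases the text describes: a direct send, a forwarded message that keeps its DKIM signature, a forgery that passes SPF for the attacker’s own domain, a third-party sender that is not aligned, and a subdomain under strict alignment.

```python
"""DMARC (RFC 7489) evaluation with identifier alignment, offline."""

# Constructed policy for the article's domain; the rua mailbox is a placeholder.
POLICY = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; rua=mailto:dmarc@webshanks.com"


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results, record):
    """dkim_results: [(result, d= domain)] for every DKIM-Signature on the message.
    Returns which identifier aligned, the DMARC result and the disposition to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in dkim_results)
    passed = spf_ok or dkim_ok  # one aligned pass is enough
    if passed:
        disposition = "none"
    elif "sp" in tags and org_domain(from_domain) != from_domain.lower().rstrip("."):
        disposition = tags["sp"]  # From: is a subdomain and the record has a subdomain policy
    else:
        disposition = tags["p"]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail", "disposition": disposition}


if __name__ == "__main__":
    cases = [
        ("direct send", "webshanks.com", "pass", "webshanks.com", [("pass", "webshanks.com")], POLICY),
        ("forwarded (SPF broken, DKIM intact)", "webshanks.com", "fail", "webshanks.com",
         [("pass", "webshanks.com")], POLICY),
        ("forgery from attacker's own server", "webshanks.com", "pass", "attacker.example",
         [("pass", "attacker.example")], POLICY),
        ("newsletter vendor not aligned", "webshanks.com", "pass", "bounce.newsletter.example",
         [("pass", "newsletter.example")], POLICY),
        ("subdomain, strict SPF alignment", "news.webshanks.com", "pass", "webshanks.com", [],
         POLICY.replace("aspf=r", "aspf=s")),
    ]
    for label, *args in cases:
        print(f"{label:40} -> {evaluate_dmarc(*args)}")
```

The forgery case is the one that justifies the whole setup: the attacker’s SPF and DKIM both pass, but for attacker.example, so neither aligns with the webshanks.com in From: and the message is rejected. The newsletter case shows why a third-party sender needs either a custom return-path on your domain or a DKIM key with d= on your domain before you move past p=none.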
Mail servers and DMARC:
- Mailcow, Mail-in-a-Box, Modoboa, and iRedMail all recommend and support DMARC.
- You configure it in DNS, not in the server software itself.
- Stalwart is great if you want advanced DMARC analytics (with external tooling).
For reporting, you don’t need special server software — just an inbox to receive DMARC reports, or use a tool like:
TL;DR: My Setup Recommendations
After trying multiple stacks, here’s what I personally recommend for airtight authentication:
- Mailcow: Best all-in-one, handles SPF/DKIM/DMARC with auto DNS snippets.
- iRedMail: Clean and flexible, but needs more manual DNS work.
- Mail-in-a-Box: Best for set-it-and-forget-it.
- Modoboa: Great interface, ideal for domain/email management.
- Stalwart: Cutting-edge for tinkerers, with highly customizable policy handling.
- YunoHost: If you want email + apps, and don’t mind some complexity.
- Virtualmin: Solid for sysadmins who want flexibility but requires more manual configuration.
Every time I help someone set up their mail server, I tell them: SPF, DKIM, and DMARC aren’t optional. They’re your domain’s passport, lock, and camera all in one. Without them, you’re begging to land in spam—or worse, get spoofed.
Final Thoughts: Don’t Skip Email Authentication
Running your own mail server is empowering — but it comes with responsibility. You’re no longer hiding behind Gmail’s or Microsoft’s reputation. You have to build your own, and that starts with:
- MX: Routing your domain’s mail
- SPF: Declaring who can send for your domain
- DKIM: Signing your messages
- DMARC: Enforcing rules and collecting reports
These records are your credibility. Without them, you’re just noise in a sea of spam.
If you’re building out a self-hosted setup, especially on a VPS with open-source tools, getting these right is non-negotiable. But once you do — you’ll have a powerful, private email system that you control.
If you want me to set up email servers for you, contact me and we’ll talk.

Please, can you show us how to build a Zimbra-powered mail server on a VPS?