Mail setup

Note: this page lists only the high-level mail setup, to avoid leaking information to spammers who might benefit from it.

Mail checks

Validity of:

  • HELO/EHLO required
  • Protocol conformity (pipelining, etc.)
  • Sender not listed on an RBL
  • Forward DNS <-> reverse DNS (rDNS) consistency
  • Envelope sender accepts bounces (sender callout verification)
  • SPF validation

Mail content:

Note: The blacklist requires specific DnsConfiguration for blacklist lookups

Note: SpamAssassin also contains the Spamhaus DBL, but mails containing links listed in the DBL were regularly forwarded regardless (due to an insufficient spam score). This has been addressed by checking the DBL and blocking on a DBL listing at the MTA level.

Sender authentication schemes

Mail sent by should validate:

  • DKIM - all mail sent out through must be signed by
  • SPF - all mail sent out through must not fail SPF validation

SPF validation

Mail forwarded by due to .forward files, may not be valid under SPF restrictions if the sender domain specifies an SPF policy. uses SRS to rewrite senders which specify such a policy (which includes Google, Yahoo! and other big mail providers). Sender domains which do not specify a policy will not be rewritten, thereby not elevating the SPF validity to "valid".

Mail accepted by is checked for SPF validity. Failing mail (but not softfailing mail) will be rejected.
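
The conditional SRS rewriting for forwarded mail described in this section, as an added sketch that is not the configuration or code of the mail host this page describes: senders whose domain publishes an SPF policy are rewritten to an SRS0 address, all others pass through unchanged. The name forwarder.example, the secret, the TXT records passed in and the hash/timestamp encoding are assumptions; the address uses the usual SRS0=hash=timestamp=domain=local layout but is not guaranteed to interoperate with any particular SRS library.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"   # assumption: per-forwarder SRS secret
FORWARDER = "forwarder.example"       # assumption: placeholder for the forwarding host
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def has_spf_policy(txt_records):
    """True if any TXT record of the sender domain is an SPF policy."""
    return any(r.strip().lower().split(" ")[0] == "v=spf1" for r in txt_records)

def _stamp(day):
    d = day % 1024                    # 10-bit day counter, two base32 characters
    return B32[d >> 5] + B32[d & 31]

def _hash(stamp, domain, local):
    # Keyed hash binds timestamp, domain and local part; truncated to 4 chars.
    msg = "=".join((stamp, domain, local)).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def forward_sender(sender, txt_records, day):
    """Envelope sender to use when forwarding because of a .forward file."""
    local, _, domain = sender.rpartition("@")
    # Null sender (bounces) and domains without an SPF policy stay untouched.
    if not local or not has_spf_policy(txt_records):
        return sender
    stamp = _stamp(day)
    return f"SRS0={_hash(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def reverse_sender(srs_address, day, max_age=21):
    """Recover the original sender for a bounce; None if forged or expired."""
    local, _, host = srs_address.rpartition("@")
    parts = local.split("=", 4)       # the original local part may contain '='
    if host != FORWARDER or len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, digest, stamp, domain, user = parts
    expected = _hash(stamp, domain, user)
    if not hmac.compare_digest(digest.encode(), expected.encode()):
        return None
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return None
    age = (day - (B32.index(stamp[0]) * 32 + B32.index(stamp[1]))) % 1024
    return f"{user}@{domain}" if age <= max_age else None
```

Because the rewritten address carries a keyed hash and a day stamp, bounces sent to it can be mapped back to the original sender while forged or stale SRS0 addresses are refused.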

Ideas to be implemented one day

Last modified on 02/07/15 10:24:57